Portal Authentication Process - H3C SR8800-F Configuration Manual

Comware 7 user access

websites. After passing authentication, the user can access other network resources. The process of
direct authentication is simpler than that of re-DHCP authentication.

Re-DHCP authentication

Before a user passes authentication, DHCP allocates an IP address (a private IP address) to the
user. The user can access only the portal Web server and predefined authentication-free websites.
After the user passes authentication, DHCP reallocates an IP address (a public IP address) to the
user. The user then can access other network resources. No public IP address is allocated to users
who fail authentication. Re-DHCP authentication saves public IP addresses. For example, an ISP
can allocate public IP addresses to broadband users only when they access networks beyond the
residential community network.

Only the H3C iNode client supports re-DHCP authentication. IPv6 portal authentication does not
support the re-DHCP authentication mode.

Cross-subnet authentication

Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding
devices to exist between the authentication client and the access device.

In direct authentication, re-DHCP authentication, and cross-subnet authentication, a user's IP
address uniquely identifies the user. After a user passes authentication, the access device generates
an ACL for the user based on the user's IP address to control forwarding of the packets from the user.
Because no Layer 3 forwarding device exists between authentication clients and the access device
in direct authentication and re-DHCP authentication, the access device can learn the user MAC
addresses. The access device can enhance its capability of controlling packet forwarding by using
the learned MAC addresses.
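
An added example (not from the H3C manual or from Comware code): a simplified Python model of the per-user forwarding check described above, showing what the learned MAC address adds in direct mode compared with cross-subnet mode. The class, result strings and addresses are constructed for illustration, and treating a MAC mismatch like an unauthenticated packet is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str

class AccessDevice:
    """Simplified model of the per-user forwarding check (not H3C's code)."""
    def __init__(self, mode: str, free_rules: list[str]):
        self.mode = mode                      # "direct", "redhcp" or "cross-subnet"
        self.free = [ip_network(n) for n in free_rules]
        self.users: dict[str, str | None] = {}  # user IP -> learned MAC, if any

    def login(self, ip: str, mac: str) -> None:
        # Behind a Layer 3 hop the device sees the forwarder's MAC, not the
        # user's, so in cross-subnet mode only the IP identifies the user.
        self.users[ip] = mac.lower() if self.mode != "cross-subnet" else None

    def handle(self, pkt: Packet) -> str:
        if any(ip_address(pkt.dst_ip) in net for net in self.free):
            return "permit:free-rule"
        if pkt.src_ip not in self.users:
            return "portal:no-entry"
        mac = self.users[pkt.src_ip]
        # Assumption: a MAC mismatch is treated like an unauthenticated packet.
        if mac is not None and mac != pkt.src_mac.lower():
            return "portal:mac-mismatch"
        return "permit:user-entry"

def demo() -> dict[str, list[str]]:
    # Constructed sample packets; all addresses are made up for the example.
    user = Packet("10.0.0.5", "00:11:22:33:44:55", "198.51.100.7")
    same_ip_other_mac = Packet("10.0.0.5", "66:77:88:99:aa:bb", "198.51.100.7")
    to_free_site = Packet("10.0.0.9", "00:11:22:33:44:66", "192.0.2.10")
    results = {}
    for mode in ("direct", "cross-subnet"):
        dev = AccessDevice(mode, free_rules=["192.0.2.10/32"])
        before = dev.handle(user)
        dev.login(user.src_ip, user.src_mac)
        results[mode] = [before, dev.handle(user),
                         dev.handle(same_ip_other_mac), dev.handle(to_free_site)]
    return results

if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

In the model, the third result differs between the two modes: with a learned MAC the user entry matches only the host that authenticated, while an IP-only entry matches any packet carrying that source IP.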

Portal authentication process

Direct authentication and cross-subnet authentication share the same authentication process.
Re-DHCP authentication has a different process as it has two address allocation procedures.
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)

Figure 97 Direct authentication/cross-subnet authentication process

[Figure: message sequence among the authentication client, portal Web server, portal authentication server, access device, AAA server, and security policy server, with a "Timer" label. Labeled steps: 1) Initiate a connection; 2) User information; 3) CHAP authentication; 4) Authentication request; 5) RADIUS authentication; 6) Authentication reply; 7) Notify login success; 8) Authentication reply acknowledgment; 9) Security check; 10) Authorization.]

The direct/cross-subnet authentication process is as follows:

1. A portal user accesses the Internet through HTTP or HTTPS, and the HTTP or HTTPS packet
arrives at the access device.
If the packet matches a portal free rule, the access device allows the packet to pass.
