Portal Authentication Modes - 3Com S7906E Configuration Manual

S7900e family release 6600 series

Security policy server
Server that interacts with portal clients and access devices for security authentication and resource
authorization.
The above five components interact in the following procedure:
1) When an unauthenticated user enters a website address in the address bar of IE to access the
Internet, an HTTP request is created and sent to the access device, which redirects the HTTP
request to the web authentication homepage of the portal server. For extended portal functions,
authentication clients must run the portal client.
2) On the authentication homepage/authentication dialog box, the user enters and submits the
authentication information, which the portal server then transfers to the access device.
3) Upon receipt of the authentication information, the access device communicates with the
authentication/accounting server for authentication and accounting.
4) After successful authentication, the access device checks whether there is a corresponding security
policy for the user. If not, it allows the user to access the Internet. Otherwise, the client, the access
device and the security policy server communicate to perform security authentication of the user,
and the security policy server authorizes the user to access resources depending on the security
authentication result.
Since a portal client uses an IP address as its ID, ensure that there is no Network Address
Translation (NAT) device between the authentication client, access device, portal server, and
authentication/accounting server when deploying portal authentication. This is to avoid
authentication failure due to NAT operations.
Currently, only a RADIUS server can serve as the remote authentication/accounting server in a
portal system.
Currently, security authentication requires the cooperation of the iNode client.
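
The four-step procedure and the NAT restriction above, modelled as an added example (not code from the manual or from any 3Com product). The class, function and state names, the addresses and the credentials are constructed for illustration; holding traffic in a separate state until the security check ends is a modelling assumption.

```python
from dataclasses import dataclass, field

PORTAL_SERVER = "192.0.2.10"   # constructed address
FREE_SITES = {"192.0.2.20"}    # constructed "predefined free website"

@dataclass
class AccessDevice:
    radius_users: dict                                # stand-in for the RADIUS server
    policy_users: set = field(default_factory=set)    # users with a security policy
    sessions: dict = field(default_factory=dict)      # client IP -> session state

    def forward(self, src_ip, dst_ip):
        """Step 1: handle traffic from src_ip as the access device would."""
        if dst_ip == PORTAL_SERVER or dst_ip in FREE_SITES:
            return "permit"
        state = self.sessions.get(src_ip)
        if state == "online":
            return "permit"
        if state == "security-check":
            return "await-security-policy-server"   # assumption: held until step 4 ends
        return "redirect-to-portal"

    def portal_submit(self, client_ip, user, password):
        """Steps 2-4: portal server passes credentials, keyed by the client IP."""
        if self.radius_users.get(user) != password:   # step 3: ask RADIUS
            return "reject"
        state = "security-check" if user in self.policy_users else "online"
        self.sessions[client_ip] = state
        return state

    def security_result(self, client_ip, passed):
        """Step 4: outcome reported after the security policy server check."""
        if self.sessions.get(client_ip) != "security-check":
            return "ignored"
        if passed:
            self.sessions[client_ip] = "online"
            return "online"
        return "security-check"

def login_through(nat_ip=None, client_ip="10.0.0.5"):
    """Log in alice; with nat_ip set, the portal server sees the translated address."""
    dev = AccessDevice({"alice": "constructed-pw"})
    dev.portal_submit(nat_ip or client_ip, "alice", "constructed-pw")
    return dev.forward(client_ip, "198.51.100.7")

if __name__ == "__main__":
    print(login_through())                       # no NAT on the path
    print(login_through(nat_ip="203.0.113.1"))   # NAT between client and portal server
```

With NAT in the path the session is recorded under the translated address, so the real client keeps being redirected to the portal even though its credentials were accepted.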

Portal Authentication Modes

Portal authentication supports two modes: non-Layer 3 authentication and Layer 3 authentication.
Non-Layer 3 authentication
Non-Layer 3 authentication falls into two categories: direct authentication and Re-DHCP authentication.
Direct authentication
Before authentication, a user manually configures an IP address or directly obtains a public IP address
through DHCP, and can access only the portal server and predefined free websites. After passing
authentication, the user can access the network resources. The process of direct authentication is
simpler than that of re-DHCP authentication.
Re-DHCP authentication
Before authentication, a user gets a private IP address through DHCP and can access only the portal
server and predefined free websites. After passing authentication, the user is allocated a public IP
address and can access the network resources. No public IP address is allocated to those who fail

This manual is also suitable for:

S7910e, S7906e-v, S7903e, S7903e-s, S7902e