Portal Authentication Modes; Portal Support For Eap - HP 830 Series Configuration Manual

Protocols used for interaction between the client and local portal server
HTTP and HTTPS can be used for communication between an authentication client and an access device
providing the local portal server function. If HTTP is used, there are potential security problems because
HTTP packets are transferred in plain text. If HTTPS is used, secure data transmission is ensured because
HTTPS packets are transferred as ciphertext based on SSL.

Portal authentication modes

Portal authentication may work at Layer 2 or Layer 3 of the OSI model.
Layer 2 portal authentication
You can enable Layer 2 portal authentication on an access device's Layer 2 ports that connect
authentication clients, so that only clients whose MAC addresses pass authentication can access the
external network. Only the local portal server provided by the access device supports Layer 2 portal
authentication.
Layer 2 portal authentication allows the authentication server to assign different VLANs according to user
authentication results, so that access devices can control user access to resources. After a client
passes authentication, the authentication server can assign an authorized VLAN to allow the user to
access the resources in that VLAN. If a client fails authentication, the authentication server can assign an
Auth-Fail VLAN. Layer 3 portal authentication does not support VLAN assignment.
Layer 3 portal authentication
In Layer 3 authentication mode, portal authentication is enabled on an access device's Layer 3 interfaces
that connect authentication clients. Portal authentication performed on a Layer 3 interface can be direct
authentication or cross-subnet authentication. In direct authentication, no Layer 3 forwarding devices
exist between the authentication client and the access device. In cross-subnet authentication, Layer 3
forwarding devices may exist between the authentication client and the access device.
Direct authentication
Before authentication, a user manually configures a public IP address or directly obtains a public
IP address through DHCP, and can access only the portal server and predefined free websites.
After passing authentication, the user can access the network resources.
Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, but it allows Layer 3 forwarding
devices to be present between the authentication client and the access device.
In direct authentication and cross-subnet authentication, the IP address of a client is used for
identification of the client. After a client passes authentication, the access device generates an
access control list (ACL) for the client based on the client's IP address to permit packets from the
client to go through the access port. Because no Layer 3 devices are present between the
authentication clients and the access device in direct authentication, the access device can directly
learn the MAC addresses of the clients, and thus can control the forwarding of packets from clients
in a more granular way by also using the learnt MAC addresses.
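The forwarding decision described above for Layer 3 portal authentication, modelled as an added example (not code from the HP 830 manual): before authentication only the portal server and free websites are reachable; after authentication a per-client ACL keyed on the client IP permits traffic, and in direct authentication the learnt MAC address is checked as well. All addresses are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample values (assumptions, not taken from the manual).
PORTAL_SERVER = "10.0.0.5"
FREE_WEBSITES = {"10.0.0.80"}


@dataclass
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str


@dataclass
class PortalAccessDevice:
    """Models the access device's per-client ACL for Layer 3 portal authentication."""
    mode: str                                   # "direct" or "cross-subnet"
    acl: dict = field(default_factory=dict)     # client IP -> bound MAC (None = IP only)

    def on_auth_success(self, ip: str, mac: str) -> None:
        # The ACL is generated from the client's IP address. In direct
        # authentication no Layer 3 device sits between client and access
        # device, so the client MAC is learnt directly and bound as well.
        # Across subnets the MAC seen is that of the forwarding router, so
        # only the IP address can identify the client.
        self.acl[ip] = mac if self.mode == "direct" else None

    def on_logout(self, ip: str) -> None:
        self.acl.pop(ip, None)

    def permit(self, pkt: Packet) -> bool:
        # Pre-authentication access: portal server and predefined free websites only.
        if pkt.dst_ip == PORTAL_SERVER or pkt.dst_ip in FREE_WEBSITES:
            return True
        if pkt.src_ip not in self.acl:
            return False
        bound_mac = self.acl[pkt.src_ip]
        # In direct mode the packet must also carry the MAC learnt at authentication.
        return bound_mac is None or bound_mac == pkt.src_mac


def demo() -> dict:
    """Returns the decisions for one client in both modes (used for checking)."""
    client_ip, client_mac, other_mac = "192.0.2.10", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    results = {}
    for mode in ("direct", "cross-subnet"):
        dev = PortalAccessDevice(mode)
        results[mode, "pre_auth_portal"] = dev.permit(Packet(client_ip, client_mac, PORTAL_SERVER))
        results[mode, "pre_auth_internet"] = dev.permit(Packet(client_ip, client_mac, "198.51.100.1"))
        dev.on_auth_success(client_ip, client_mac)
        results[mode, "same_mac"] = dev.permit(Packet(client_ip, client_mac, "198.51.100.1"))
        results[mode, "other_mac"] = dev.permit(Packet(client_ip, other_mac, "198.51.100.1"))
    return results
```

Running `demo()` shows that after authentication a packet with the right IP but a different source MAC is dropped in direct mode but forwarded in cross-subnet mode, which is the granularity difference the text describes.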

Portal support for EAP

Authentication by username and password is less secure. Digital certificate authentication is
usually used to ensure higher security.
