The authentication client sends an EAP Request/Identity message to the portal server to initiate an
EAP authentication process.
The portal server sends a portal authentication request to the access device, and starts a timer to
wait for the portal authentication reply. The portal authentication request contains several
EAP-Message attributes, which are used to encapsulate the EAP packet sent from the
authentication client and carry the certificate information of the client.
After the access device receives the portal authentication request, it constructs a RADIUS
authentication request and sends it to the RADIUS server. The EAP-Message attributes in the
RADIUS authentication request are those carried in the received portal authentication request.
The access device sends a certificate request to the portal server according to the reply received
from the RADIUS server. The certificate request also contains several EAP-Message attributes,
which are used to transfer the certificate information of the RADIUS server. The EAP-Message
attributes in the certificate request are those carried in the RADIUS authentication reply.
After receiving the certificate request, the portal server sends an EAP authentication reply to the
authentication client, carrying the EAP-Message attribute values.
The authentication client sends another EAP request to continue the EAP authentication with the
RADIUS server, during which there may be several portal authentication requests. The subsequent
authentication processes are the same as that initiated by the first EAP request, except that the EAP
request types vary with the EAP authentication phases.
After the authentication client passes the EAP authentication, the RADIUS server sends an
authentication reply to the access device. This reply carries the EAP-Success message in the
The access device sends an authentication reply to the portal server. This reply carries the
EAP-Success message in the EAP-Message attribute.
The portal server notifies the authentication client of the authentication success.
The portal server sends an authentication replay acknowledgment to the access device.
The remaining steps are for extended portal authentication. For more information about the steps, see the
portal authentication process with CHAP/PAP authentication.
Configuring portal authentication
The portal feature provides a solution for user identity authentication and security check. However, the
portal feature cannot implement this solution by itself. RADIUS authentication needs to be configured on
the access device to cooperate with the portal feature to complete user authentication.
The prerequisites for portal authentication configuration are as follows:
The portal-enabled interfaces of the access device are configured with valid IP addresses or have
obtained valid IP addresses through DHCP.
The portal server and the RADIUS server have been installed and configured correctly. Local portal
authentication requires no independent portal server.
The portal client, access device, and servers can reach each other.
With RADIUS authentication, usernames and passwords of the users are configured on the RADIUS
server, and the RADIUS client configuration is performed on the access device. For information
about RADIUS client configuration, see