394
The Extensible Authentication Protocol (EAP) supports several digital certificate-based authentication
methods, for example, EAP-TLS. Working together with EAP, portal authentication can implement digital
certificate-based user authentication.
Figure 369 Portal support for EAP working flow diagram
As shown in Figure 369, the authentication client and the portal server exchange EAP authentication
packets. The portal server and the access device exchange portal authentication packets that carry the
EAP-Message attributes. The access device and the RADIUS server exchange RADIUS packets that carry
the EAP-Message attributes. The RADIUS server that supports the EAP server function processes the EAP
packets encapsulated in the EAP-Message attributes, and provides the EAP authentication result. During
the whole EAP authentication process, the access device does not process the packets that carry the
EAP-Message attributes but only transports them between the portal server and the RADIUS server.
Therefore, no additional configuration is needed on the access device.
NOTE:
• This function requires the cooperation of the HP IMC portal server and HP iNode portal client.
• Only Layer 3 portal authentication that uses a remote portal server supports EAP authentication.
Layer 2 portal authentication process
Figure 370 Local Layer-2 portal authentication process
The process of local Layer-2 portal authentication is as follows:
1. The portal authentication client sends an HTTP or HTTPS request. Upon receiving the HTTP request,
the access device redirects it to the listening IP address of the local portal server, which then pushes
a Web authentication page to the authentication client. The user types the username and
password on the Web authentication page. The listening IP address of the local portal server is the
IP address of a Layer 3 interface on the access device that can communicate with the portal client.
Usually, it is a loopback interface's IP address.
2. The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
3. If the user passes RADIUS authentication, the local portal server pushes a logon success page to
the authentication client.
Assignment of authorized ACLs
The device can use ACLs to control user access to network resources and limit user access rights. With
authorized ACLs specified on the authentication server, when a user passes authentication, the
authentication server assigns an authorized ACL for the user, and the device filters traffic from the user on
To Next Page
Loading...
Need help?
General