395
the access port according to the authorized ACL. You must configure the authorized ACLs on the access
device if you specify authorized ACLs on the authentication server. To change the access right of a user,
you can specify a different authorized ACL on the authentication server or change the rules of the
corresponding authorized ACL on the device.
Layer 3 portal authentication process
Direct authentication and cross-subnet authentication share the same authentication process.
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)
Figure 371 Direct authentication/cross-subnet authentication process
The direct authentication/cross-subnet authentication process is as follows:
1. A portal user initiates an authentication request through HTTP. When the HTTP packet arrives at the
access device, the access device allows it to pass if it is destined for the portal server or a
predefined free website, or redirects it to the portal server if it is destined for other websites. The
portal server provides a Web page for the user to enter the username and password.
2. The portal server and the access device exchange Challenge Handshake Authentication Protocol
(CHAP) messages. For Password Authentication Protocol (PAP) authentication, this step is skipped.
3. The portal server assembles the username and password into an authentication request message
and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an
authentication acknowledgment message.
4. The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
5. The access device sends an authentication reply to the portal server.
6. The portal server sends an authentication success message to the authentication client to notify it of
logon success.
7. The portal server sends an authentication reply acknowledgment to the access device.
With extended portal functions, the process includes additional steps:
8. The security policy server exchanges security check information with the authentication client to
check whether the authentication client meets the security requirements.
To Next Page
Loading...
Need help?
General
