R3303-HP HSR6800 Routers Security Configuration Guide
126
Re-DHCP authentication process (with CHAP/PAP authentication)
Figure 47 Re-DHCP authentication process
The re-DHCP authentication process is as follows:
Step 1 through step 6 are the same as those in the direct authentication/cross-subnet authentication
process.
7. After receiving the authentication success message, the authentication client obtains a new public
IP address through DHCP and notifies the portal server that it has obtained a public IP address.
8. The portal server notifies the access device that the authentication client has obtained a new public
IP address.
9. Detecting the change of the IP address by examining ARP packets received, the access device
notifies the portal server of the change.
10. The portal server notifies the authentication client of logon success.
11. The portal server sends a user IP address change acknowledgment message to the access device.
With extended portal functions, the process includes additional steps:
12. The security policy server exchanges security check information with the authentication client to
check whether the authentication client meets the security requirements.
13. Based on the security check result, the security policy server authorizes the user to access certain
resources, and sends the authorization information to the access device. The access device then
controls access of the user based on the authorization information.
Authentication/
accounting server
Authentication
client
Portal server
Access device
6) Authentication
succeeds
Security
policy server
12) Security check
13) Authorization
7) The user obtains
a new IP address
8) Discover user IP change
10) Notify login
success
9) Detect user IP change
11) IP change
acknowledgment
Timer
1) Initiate a connection
2) CHAP authentication
3) Authentication request
5) Authentication reply
4) RADIUS
authentication