R3303-HP HSR6800 Routers Security Configuration Guide

8. The access device sends an authentication reply to the portal server. This reply carries the
EAP-Success message in the EAP-Message attribute.
9. The portal server notifies the authentication client of the authentication success.
10. The portal server sends an authentication reply acknowledgment to the access device.
The remaining steps are for extended portal authentication. For more information about the steps, see the
portal authentication process with CHAP/PAP authentication.
Portal authentication across VPNs
Use portal authentication across MPLS VPNs in cases where branches belong to different VPNs that are
isolated from each other, and all portal users in the branches need to be authenticated by the server at
the headquarters. As shown in Figure 49, the PE connecting the authentication clients serves as the NAS.
The NAS is configured with portal authentication and AAA authentication, both of which support
authentication across VPNs. The NAS can transmit a client's portal authentication packets in a VPN
transparently through the MPLS backbone to the servers in another VPN. This feature implements
centralized client authentication across different VPNs while ensuring the separation of packets of the
different VPNs.
Figure 49 Network diagram for portal authentication across VPNs
This feature is not applicable to VPNs with overlapping address spaces.
This feature is not supported when the router is operating in gateway mode.
Portal authentication configured on MCE devices can also support authentication across VPNs. For
information about MCE, see MPLS Configuration Guide.
For information about AAA implementation across VPNs, see "Configuring AAA."
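The restriction on overlapping address spaces can be verified before enabling the feature. The following is an added example, not taken from the HP guide: the VPN names reuse the labels of Figure 49, while the prefixes and the function names are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (assumption): prefixes used inside each VPN.
SAMPLE_VPN_PREFIXES = {
    "VPN 1": ["10.1.0.0/16", "192.168.10.0/24"],
    "VPN 2": ["10.2.0.0/16", "10.1.128.0/17"],   # overlaps VPN 1's 10.1.0.0/16
    "VPN 3": ["172.16.0.0/24"],                  # e.g. where the servers live
}


def find_cross_vpn_overlaps(vpn_prefixes):
    """Return (vpn_a, prefix_a, vpn_b, prefix_b) for every pair of prefixes
    that overlap between two *different* VPNs. Overlaps inside a single VPN
    are ignored, since the restriction concerns address reuse across VPNs."""
    # strict=True rejects prefixes with host bits set (likely typos).
    nets = {
        vpn: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for vpn, prefixes in vpn_prefixes.items()
    }
    overlaps = []
    for (vpn_a, nets_a), (vpn_b, nets_b) in combinations(sorted(nets.items()), 2):
        for a in nets_a:
            for b in nets_b:
                # IPv4 and IPv6 prefixes can never overlap each other.
                if a.version == b.version and a.overlaps(b):
                    overlaps.append((vpn_a, str(a), vpn_b, str(b)))
    return overlaps


def portal_across_vpns_applicable(vpn_prefixes):
    """True only when no two VPNs share address space."""
    return not find_cross_vpn_overlaps(vpn_prefixes)


if __name__ == "__main__":
    for vpn_a, pa, vpn_b, pb in find_cross_vpn_overlaps(SAMPLE_VPN_PREFIXES):
        print(f"overlap: {vpn_a} {pa} <-> {vpn_b} {pb}")
    print("applicable:", portal_across_vpns_applicable(SAMPLE_VPN_PREFIXES))
```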
Portal configuration task list
To configure Layer 3 portal authentication:
Task                                                           Remarks
Specifying a portal server for Layer 3 portal authentication   Required.
Enabling Layer 3 portal authentication                         Required.
[Figure 49 diagram labels: Host, NAS, CE, PE, P, MPLS backbone, VPN 1, VPN 2, VPN 3, AAA server, Portal server]