F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Configuration Guide-6PW100

Authentication/accounting server
An authentication/accounting server implements user authentication and accounting through interaction
with the access device.
Only a RADIUS server can serve as the remote authentication/accounting server in a portal system.
Security policy server
A security policy server interacts with authentication clients and access devices for security check and
resource authorization.
The components of a portal system interact as follows:
1. When an unauthenticated user enters a website address in the browser's address bar to access the
Internet, an HTTP request is created and sent to the access device. The access device then redirects
the HTTP request to the portal server's Web authentication homepage. For extended portal
functions, authentication clients must run the portal client software.
2. On the authentication homepage/authentication dialog box, the user enters and submits the
authentication information, which the portal server then transfers to the access device.
3. Upon receipt of the authentication information, the access device communicates with the
authentication/accounting server for authentication and accounting.
4. After successful authentication, the access device checks whether there is a corresponding security
policy for the user. If not, it allows the user to access the Internet. Otherwise, the client
communicates with the access device and the security policy server for security check. If the client
passes security check, the security policy server authorizes the user to access the Internet
resources.
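The following Python sketch models the access device's per-user decision logic from steps 1 through 4. It is an added illustration, not HP code or configuration: the class, method names, portal URL, and accounts are hypothetical, and denying traffic while a security check is pending is a modelling assumption.

```python
from enum import Enum

class State(Enum):
    UNAUTHENTICATED = 1
    AWAITING_SECURITY_CHECK = 2
    AUTHORIZED = 3

class AccessDevice:
    """Simplified model of the access device (hypothetical, not HP code)."""

    def __init__(self, portal_url, radius_auth, has_security_policy):
        self.portal_url = portal_url                    # portal server's authentication homepage
        self.radius_auth = radius_auth                  # callable(user, password) -> bool
        self.has_security_policy = has_security_policy  # callable(user) -> bool
        self.sessions = {}                              # client IP -> (user, State)

    def state(self, ip):
        return self.sessions.get(ip, (None, State.UNAUTHENTICATED))[1]

    def handle_http(self, ip, url):
        # Step 1: HTTP from an unauthenticated user is redirected to the portal.
        st = self.state(ip)
        if st is State.AUTHORIZED:
            return ("forward", url)
        if st is State.AWAITING_SECURITY_CHECK:
            return ("deny", url)  # assumption: no Internet access before the check passes
        return ("redirect", self.portal_url)

    def credentials_from_portal(self, ip, user, password):
        # Steps 2-3: the portal server hands over the credentials and the
        # device asks the RADIUS server. A failure leaves the state unchanged.
        if not self.radius_auth(user, password):
            return self.state(ip)
        # Step 4: no security policy means immediate Internet access.
        pending = self.has_security_policy(user)
        st = State.AWAITING_SECURITY_CHECK if pending else State.AUTHORIZED
        self.sessions[ip] = (user, st)
        return st

    def security_check_result(self, ip, passed):
        # Only an authenticated user awaiting a check can be promoted.
        user, st = self.sessions.get(ip, (None, State.UNAUTHENTICATED))
        if st is State.AWAITING_SECURITY_CHECK and passed:
            self.sessions[ip] = (user, State.AUTHORIZED)
        return self.state(ip)

def demo_device():
    accounts = {"alice": "pw-a", "bob": "pw-b"}  # constructed sample accounts
    policies = {"bob"}                           # constructed: bob has a security policy
    return AccessDevice("http://portal.example/login",
                        lambda u, p: accounts.get(u) == p,
                        lambda u: u in policies)
```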
NOTE:
Portal authentication supports NAT traversal whether it is initiated by a Web client or an HP iNode client.
When the portal authentication client is on a private network, but the portal server is on a public network
and the access device is enabled with NAT, network address translations performed on the access device
do not affect portal authentication. However, in such a case, HP recommends using an interface's public
IP address as the source address of outgoing portal packets.
Portal system using the local portal server
The following matrix shows the feature and hardware compatibility:
Hardware                 Feature compatible
F1000-A-EI/F1000-S-EI    Yes
F1000-E                  No
F5000                    No
Firewall module          No
U200-A                   Yes
U200-S                   Yes
In addition to using a separate device as the portal server, a portal system can also use the local portal
server function of the access device to authenticate Web users directly. In this case, the portal system