F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Configuration Guide-6PW100
consists of only three components: authentication client, access device, and authentication/accounting server, as shown in Figure 123.
Figure 123 Portal system using the local portal server
No security policy server is needed for local portal service, because the portal system using the local
portal server does not support extended portal functions.
The local portal server function of the access device implements only some simple portal server functions.
It only allows users to log on and log off through the Web interface. It cannot take the place of an
independent portal server.
Protocols used for interaction between the client and local portal server
HTTP and HTTPS can be used for interaction between an authentication client and an access device providing the local portal server function. If HTTP is used, there are potential security problems because HTTP packets are transferred in plain text. If HTTPS is used, secure data transmission is ensured because HTTPS packets are encrypted using SSL.
Authentication page customization support
The local portal server function allows you to customize authentication pages. You can customize authentication pages by editing the corresponding HTML files and then compressing and saving the files to the storage medium of the device. A set of customized authentication pages consists of six authentication pages: the logon page, the logon success page, the online page, the logoff success page, the logon failure page, and the system busy page. A local portal server pushes the corresponding authentication page at each authentication phase. If you do not customize the authentication pages, the local portal server pushes the default authentication pages. For information about authentication page customization rules, see "Customizing authentication pages."
Portal authentication modes
Portal authentication may work at Layer 2 or Layer 3 of the OSI model. The firewall supports only Layer
3 portal authentication.
You can enable Layer 3 authentication on an access device's Layer 3 interfaces that connect
authentication clients. Portal authentication performed on a Layer 3 interface can be direct authentication,
re-DHCP authentication, or cross-subnet authentication. In direct authentication and re-DHCP
authentication, no Layer 3 forwarding devices exist between the authentication client and the access
device. In cross-subnet authentication, Layer 3 forwarding devices may exist between the authentication
client and the access device.
• Direct authentication
Before authentication, a user manually configures a public IP address or directly obtains a public
IP address through DHCP, and can access only the portal server and predefined free websites.
After passing authentication, the user can access the network resources. The process of direct
authentication is simpler than that of re-DHCP authentication.
• Re-DHCP authentication