R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101

3. Upon receipt of the authentication information, the access firewall communicates with the
authentication/accounting server for authentication and accounting.
4. After successful authentication, the access firewall checks whether there is a corresponding
security policy for the user. If not, it allows the user to access the Internet. Otherwise, the client
communicates with the access firewall and the security policy server for security check. If the client
passes security check, the security policy server authorizes the user to access the Internet
resources.
NOTE:
Because a portal client uses an IP address as its ID, ensure that no Network Address Translation (NAT)
device exists between the authentication client, access device, portal server, and
authentication/accounting server when deploying portal authentication.
Only a RADIUS server can serve as the remote authentication/accounting server in a portal system.
To implement security check, the client must be the HP iNode client.
Portal authentication modes
Portal authentication supports two modes: non-Layer 3 authentication and Layer 3 authentication.
Non-Layer 3 authentication
Non-Layer 3 authentication falls into two categories: direct authentication and Re-DHCP authentication.
Direct authentication
Before authentication, a user manually configures a public IP address or directly obtains a public IP
address through DHCP, and can access only the portal server and predefined free websites. After
passing authentication, the user can access the network resources. The process of direct authentication
is simpler than that of re-DHCP authentication.
Re-DHCP authentication
Before authentication, a user gets a private IP address through DHCP and can access only the portal
server and predefined free websites. After passing authentication, the user is allocated a public IP
address and can access the network resources. No public IP address is allocated to users who fail
authentication. This solves the IP address planning and allocation problem. For example, a service
provider can allocate public IP addresses to broadband users only when they access networks beyond
the residential community network.
Layer 3 authentication
Layer 3 portal authentication is similar to direct authentication. However, in Layer 3 portal authentication
mode, Layer 3 forwarding devices can be present between the authentication client and the access
device.
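The behaviour described in the steps and modes above, as an added model that is not part of this guide and not HP code: the access firewall keeps its portal state per client IP address, restricts unauthenticated clients to the portal server and the predefined free websites, allocates a public address only on successful authentication (re-DHCP mode), and, because the IP address is the user ID, cannot tell two hosts apart when a NAT device sits between them and the firewall. All addresses and the pool are constructed sample values.

```python
"""Model of an access firewall's portal access control, keyed by client IP.

Constructed example: shows the pre-authentication restriction to the portal
server and free websites, re-DHCP public-address allocation on success only,
and why a NAT device between client and access firewall breaks per-user control.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PORTAL_SERVER = "203.0.113.10"                    # constructed portal server address
FREE_WEBSITES = {"203.0.113.20", "203.0.113.21"}  # constructed "predefined free websites"
PUBLIC_POOL = ["198.51.100.1", "198.51.100.2"]    # constructed re-DHCP public pool


@dataclass
class PortalFirewall:
    """State the access firewall keeps per client IP address."""
    authenticated: Set[str] = field(default_factory=set)        # client IPs that passed auth
    public_addr: Dict[str, str] = field(default_factory=dict)   # private IP -> public IP
    pool: List[str] = field(default_factory=lambda: list(PUBLIC_POOL))

    def permit(self, src_ip: str, dst_ip: str) -> bool:
        """Before authentication only the portal server and free websites are reachable."""
        if src_ip in self.authenticated:
            return True
        return dst_ip == PORTAL_SERVER or dst_ip in FREE_WEBSITES

    def authenticate(self, src_ip: str, password_ok: bool) -> Optional[str]:
        """Re-DHCP mode: a public address is allocated only after successful auth."""
        if not password_ok:
            return None                       # failed users get no public IP address
        self.authenticated.add(src_ip)
        if src_ip not in self.public_addr and self.pool:
            self.public_addr[src_ip] = self.pool.pop(0)
        return self.public_addr.get(src_ip)


def nat_collision_demo() -> Tuple[bool, bool]:
    """Two hosts behind one NAT reach the firewall with the same source IP.

    Returns (host B reachable before host A logs in, host B reachable after).
    Once host A authenticates, host B inherits the session without logging in,
    which is why the guide requires no NAT between client and access device.
    """
    fw = PortalFirewall()
    shared_ip = "192.0.2.50"                  # constructed post-NAT source address
    internet_host = "192.0.2.99"              # constructed non-free destination
    before = fw.permit(shared_ip, internet_host)      # host B before A logs in
    fw.authenticate(shared_ip, password_ok=True)      # host A passes authentication
    after = fw.permit(shared_ip, internet_host)       # host B now passes too
    return before, after
```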
Differences between Layer 3 and non-Layer 3 authentication modes
Networking mode
Layer 3 portal authentication allows a Layer 3 forwarding device to be present between the
authentication client and the access device, while non-Layer 3 authentication does not.
User identifier
In Layer 3 authentication mode, a client is uniquely identified by an IP address. This is because the mode
supports Layer 3 forwarding devices between the authentication client and the access device, and the
access device does not learn the MAC address of the authentication client. In non-Layer 3 authentication