R3166-R3206-HP High-End Firewalls Access Control Configuration Guide-6PW101
mode, a client is uniquely identified by the combination of its IP address and MAC address because the
access device learns the MAC address of the authentication client.
Due to these differences, when the MAC address of an authentication client remains the same but the IP
address changes, a new portal authentication will be triggered in Layer 3 authentication mode but will
not be triggered in non-Layer 3 authentication mode. In non-Layer 3 authentication mode, a new portal
authentication will be triggered only when both the MAC and IP address of the authentication client are
changed.
Portal authentication process
Direct authentication and Layer 3 authentication share the same authentication process. Re-DHCP
authentication has a different process because of the presence of two address allocation procedures.
Direct authentication/Layer 3 authentication process
Figure 68 Direct authentication/Layer 3 authentication process
The direct authentication/Layer 3 authentication process consists of the following steps:
1. An authentication client initiates authentication by sending an HTTP request. When the HTTP
packet arrives at the access device, the access device allows it to pass if it is destined for the portal
server or a predefined free website, or redirects it to the portal server if it is destined for other
websites. The portal server pushes a web authentication page to the user and the user enters the
username and password.
2. The portal server and the access device exchange Challenge Handshake Authentication Protocol
(CHAP) messages. For Password Authentication Protocol (PAP) authentication, this step is skipped.
3. The portal server assembles the username and password into an authentication request message
and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an
authentication acknowledgment message.
4. The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
5. The access device sends an authentication reply to the portal server.
6. The portal server sends an authentication success message to the authentication client to notify it of
logon success.
7. The portal server sends an authentication reply acknowledgment message to the access device.
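The following Python model, added here as an illustration and not taken from the HP guide or its software, encodes two things the text above describes: the access device's forwarding decision for an unauthenticated client's HTTP packet (step 1) and the client-identification rule that decides whether an IP or MAC change triggers a new portal authentication in Layer 3 versus non-Layer 3 mode. All addresses, the free-website list and the message strings are constructed sample values; the real portal protocol message formats are not represented.

```python
from dataclasses import dataclass, field

# Constructed sample addresses, not values from the guide.
PORTAL_SERVER = "10.0.0.10"
FREE_WEBSITES = {"10.0.0.20"}  # predefined free websites reachable before logon


@dataclass
class AccessDevice:
    layer3: bool  # True = Layer 3 mode; False = non-Layer 3 (direct/re-DHCP) mode
    authenticated: list = field(default_factory=list)  # (ip, mac) of logged-on clients

    def is_authenticated(self, ip, mac):
        """Apply the client-identification rule described in the text."""
        if self.layer3:
            # Layer 3 mode: the MAC is not learned, so the IP alone identifies
            # the client; a changed IP therefore means a new authentication.
            return any(a_ip == ip for a_ip, _ in self.authenticated)
        # Non-Layer 3 mode: a new authentication is triggered only when both the
        # IP and the MAC differ from every authenticated client.
        return any(a_ip == ip or a_mac == mac for a_ip, a_mac in self.authenticated)

    def handle_http(self, ip, mac, dst):
        """Forwarding decision for an HTTP packet from (ip, mac) to dst (step 1)."""
        if self.is_authenticated(ip, mac):
            return "forward"
        if dst == PORTAL_SERVER or dst in FREE_WEBSITES:
            return "pass"
        return "redirect-to-portal"

    def authenticate(self, ip, mac, method):
        """Successful direct/Layer 3 logon; returns the message sequence (steps 1-7)."""
        trace = ["1 client -> access device: HTTP, redirected to portal login page"]
        if method == "CHAP":  # step 2 is skipped for PAP
            trace.append("2 portal server <-> access device: CHAP messages")
        trace.append("3 portal server -> access device: authentication request, timer started")
        trace.append("4 access device <-> RADIUS server: RADIUS packets")
        trace.append("5 access device -> portal server: authentication reply")
        trace.append("6 portal server -> client: authentication success")
        trace.append("7 portal server -> access device: authentication reply acknowledgment")
        self.authenticated.append((ip, mac))
        return trace
```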