R2511-HP MSR Router Series Security Configuration Guide(V5)
The local Layer 2 portal authentication process is as follows:
1. The portal authentication client sends an HTTP request. Upon receiving the HTTP request, the
access device redirects the request to the listening IP address of the local portal server, which then
pushes a Web authentication page to the authentication client. The user types the username and
password on the Web authentication page. The listening IP address of the local portal server is the
IP address of a Layer 3 interface on the access device that can communicate with the portal client.
Usually, it is a loopback interface's IP address.
2. The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
3. If the user passes RADIUS authentication, the local portal server pushes a logon success page to
the authentication client.
ACL assignment
The device can use ACLs to control user access to network resources and limit user access rights. With
authorized ACLs specified on the authentication server, when a user passes authentication, the
authentication server assigns an authorized ACL to the user, and the device filters traffic from the user on
the access port according to the authorized ACL. You must configure the authorized ACLs on the access
device if you specify authorized ACLs on the authentication server. To change the access rights of a user,
specify a different authorized ACL on the authentication server or change the rules of the corresponding
authorized ACL on the device.
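The requirement that every authorized ACL specified on the authentication server also be configured on the access device can be checked offline. The following Python script is an added example, not taken from this guide or from HP; it cross-checks the ACL numbers assigned on the server against the ACLs present in a device configuration. It assumes the device configuration lists ACLs as "acl number N" blocks and that the server carries the authorized ACL number in the RADIUS Filter-Id attribute in users-file form; all sample data is constructed.

```python
import re

# Constructed device configuration excerpt ("acl number N" syntax is assumed).
DEVICE_CONFIG = """\
acl number 3000
 rule 0 permit ip destination 10.1.1.0 0.0.0.255
 rule 5 deny ip
acl number 3001
#
"""

# Constructed server entries (users-file style; carrying the authorized ACL
# number in Filter-Id is an assumption, not something the guide states).
RADIUS_USERS = """\
alice  Cleartext-Password := "example-only"
       Filter-Id = "3000"
bob    Cleartext-Password := "example-only"
       Filter-Id = "3001"
carol  Cleartext-Password := "example-only"
       Filter-Id = "3002"
"""

def parse_device_acls(config):
    # Map each ACL number to the count of rules defined under it.
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"acl number (\d+)", line)
        if m:
            current = int(m.group(1))
            acls[current] = 0
        elif current is not None and re.match(r"\s+rule\b", line):
            acls[current] += 1
        elif not line[:1].isspace():
            current = None  # another top-level line ends the ACL block
    return acls

def parse_assigned_acls(users):
    # A user line followed by an indented Filter-Id reply line.
    pairs = re.findall(r'^(\S+).*\n\s+Filter-Id\s*:?=\s*"(\d+)"', users, re.M)
    return {user: int(acl) for user, acl in pairs}

def audit(config, users):
    # Report ACLs assigned on the server that are missing or rule-less on the device.
    device, findings = parse_device_acls(config), []
    for user, acl in sorted(parse_assigned_acls(users).items()):
        if acl not in device:
            findings.append((user, acl, "not configured on device"))
        elif device[acl] == 0:
            findings.append((user, acl, "configured without rules"))
    return findings
```

Calling audit(DEVICE_CONFIG, RADIUS_USERS) returns one finding per user whose assigned ACL is absent from the device or has no rules.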
Layer 3 portal authentication process
Direct authentication and cross-subnet authentication share the same authentication process. Re-DHCP
authentication has a different process because of the presence of two address allocation procedures.
Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)
Figure 87 Direct authentication/cross-subnet authentication process
The direct authentication/cross-subnet authentication process is as follows:
1. An authentication client initiates authentication by sending an HTTP request. When the HTTP
packet arrives at the access device, the access device allows it to pass if it is destined for the portal
server or a predefined free website, or redirects it to the portal server if it is destined for other
websites. The portal server pushes a Web authentication page to the user and the user enters the
username and password.










