CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Portal Authentication

Overview

Portal authentication is also called web authentication. Generally, Portal authentication websites are also called Portal websites. When users go online, they must be authenticated on Portal websites. The users can use network resources only after they pass the authentication.

A user can access a known Portal authentication website and enter a user name and password for authentication. This mode is called active authentication. If a user attempts to access other external networks through HTTP, the device forcibly redirects the user to the Portal authentication website for Portal authentication. This mode is called forcible authentication.

System Architecture

A Portal server can be an external Portal server, or a built-in Portal server.

  • Using an external Portal server

As shown in Figure 3-6, typical networking of a Portal authentication system using an external Portal server consists of four entities: client, access device, Portal server, and authentication server.

Figure 3-6  Portal authentication system using an external Portal server
  1. Client: a host with a browser that supports HTTP.
  2. Access device: includes switches and routers, and provides the following functions:
    • Redirects all HTTP requests from users on authentication subnets to the Portal server before authentication.
    • Interacts with the Portal server and authentication server to implement identity authentication, authorization, and accounting during authentication.
    • Allows the users to access authorized Internet resources after the authentication succeeds.
  3. Portal server: receives authentication requests from clients, provides free Portal services and authentication pages, and exchanges the client authentication information with the access device.
  4. Authentication server: interacts with the access device to implement user authentication, authorization, and accounting.
  • Using a built-in Portal server

The access device with the built-in Portal server implements the Portal server functions. In this scenario, the Portal authentication system only includes three entities: client, access device, and authentication server, as shown in Figure 3-7.

Figure 3-7  Portal authentication system using a built-in Portal server

The built-in Portal server provides Portal authentication, without the need to deploy an extra Portal server.

The device with a built-in Portal server implements basic Portal server functions and only provides web-based login and logout functions for users. It cannot completely replace an independent Portal server or support any extended functions of an external server.

Authentication Modes

Different Portal authentication modes can be used in different networking modes. Portal authentication is classified into Layer 2 authentication and Layer 3 authentication according to the network layer on which it is implemented.

  • Layer 2 authentication

The client and access device are either directly connected or have only Layer 2 devices between them. The device can learn users' MAC addresses and identify each user by the combination of MAC address and IP address. On a network with this topology, Layer 2 authentication should be used.

Layer 2 authentication provides a simple authentication process with high security. However, users must be in the same network segment as the access device, which makes the networking inflexible.

Figure 3-8 shows the packet interaction process in Layer 2 authentication.

Figure 3-8  Layer 2 authentication process of the Portal protocol
  1. The user initiates an authentication request through HTTP. The access device allows an HTTP packet destined for the Portal server or an HTTP packet destined for the configured authentication-free network resources to pass. The access device redirects HTTP packets accessing other addresses to the Portal server. The Portal server provides a web page on which the user must enter the user name and password for authentication.
  2. The Portal server exchanges information with the access device to implement Challenge Handshake Authentication Protocol (CHAP) authentication. If Password Authentication Protocol (PAP) authentication is used, the Portal server directly performs step 4 without exchanging information with the access device.
  3. The Portal server sends the user name and password entered by the user to the access device through an authentication request packet.
  4. The access device exchanges authentication packets with the authentication server.
  5. The access device sends an authentication reply packet to the Portal server.
  6. The Portal server sends an authentication success packet to the client, notifying the client that the authentication succeeded.
  7. The Portal server sends an authentication reply ACK packet to the access device.

For an external Portal server, the authentication process differs by authentication protocol. Figure 3-8 shows the authentication process of the Portal protocol. Figure 3-9 shows the authentication process of the HTTP or HTTPS protocol.

Figure 3-9  Layer 2 authentication process of the HTTP or HTTPS protocol
  1. Before authentication, a pre-connection is established between the client and device.
  2. The client initiates an authentication request using HTTP or HTTPS. The access device allows an HTTP or HTTPS packet destined for the Portal server or an HTTP or HTTPS packet destined for the configured authentication-free network resources to pass through. The access device redirects HTTP or HTTPS packets accessing other addresses to the Portal server. The Portal server provides a web page on which the user must enter the user name and password for authentication, and instructs the client to send a POST authentication request packet to the access device.
  3. The client encapsulates the user name and password into a POST authentication request packet and sends the packet to the access device.
  4. The access device and authentication server exchange authentication packets.
  5. The access device sends an authentication reply packet to the client.
  • Layer 3 authentication

When the device is deployed at the aggregation or core layer, Layer 3 forwarding devices exist between the client and the device. In this scenario, the device may not be able to obtain the client's MAC address, so it identifies the user by IP address only. On a network with this topology, Layer 3 authentication should be used.

The Layer 3 authentication process is similar to the Layer 2 authentication process, except that a pre-connection is established between the client and access device in Layer 3 authentication. Layer 3 authentication allows flexible networking and facilitates remote control. However, because only an IP address can be used to identify a user, Layer 3 authentication provides lower security.
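The following added example (not Huawei's code or the device's implementation) models the access device's per-request decision described in step 1 of the Layer 2 process and the user-identification difference between Layer 2 and Layer 3 authentication: traffic to the Portal server and to authentication-free resources passes, other HTTP is redirected to the Portal server, and an authenticated user's traffic is forwarded. The Portal server address, authentication-free resources, MAC and IP addresses are constructed sample values.

```python
# Added example: access-device decision logic for Portal authentication.
# Layer 2 binds a session to (MAC, IP); Layer 3 can only bind to IP, which is
# why the page rates Layer 3 authentication as lower security.
from dataclasses import dataclass, field

PORTAL_SERVER = "192.0.2.10"                   # assumed Portal server address
FREE_RESOURCES = {"192.0.2.53", "192.0.2.80"}  # assumed authentication-free destinations


@dataclass
class AccessDevice:
    layer: int                                  # 2 or 3, per the authentication modes
    sessions: set = field(default_factory=set)  # keys of authenticated users

    def _key(self, mac, ip):
        # Layer 2: the device learned the MAC, so identify the user by MAC and IP.
        # Layer 3: the client MAC is not available, so only the IP identifies the user.
        return (mac, ip) if self.layer == 2 else (ip,)

    def on_auth_success(self, mac, ip):
        # Steps 4-5: the authentication server accepted this user's credentials.
        self.sessions.add(self._key(mac, ip))

    def handle_http(self, mac, ip, dst):
        """Return 'forward' or 'redirect' for an HTTP request from (mac, ip) to dst."""
        if self._key(mac, ip) in self.sessions:
            return "forward"      # authenticated user: authorized resources allowed
        if dst == PORTAL_SERVER or dst in FREE_RESOURCES:
            return "forward"      # pre-authentication traffic that is allowed through
        return "redirect"         # everything else: HTTP redirect to the Portal page


def session_binding_demo():
    """Show how strictly each mode ties a session to the client that authenticated."""
    results = {}
    for layer in (2, 3):
        dev = AccessDevice(layer)
        dev.on_auth_success("00:11:22:33:44:55", "198.51.100.20")
        # The same IP later seen with a different MAC (for example another host that
        # received the address from DHCP): Layer 2 still redirects it to the Portal,
        # Layer 3 treats it as the authenticated user.
        results[layer] = dev.handle_http("66:77:88:99:aa:bb", "198.51.100.20", "203.0.113.7")
    return results  # {2: 'redirect', 3: 'forward'}
```

In a Layer 3 deployment, session timeouts and periodic re-authentication on the access device limit how long a stale IP-only binding stays valid.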

Updated: 2019-05-20

Document ID: EDOC1100034077