Web Authentication Process
The authentication page of a web server is also called a portal which provides convenient management functions for carriers through web authentication. Advertisements, community services, and personalized services can be provisioned on a portal, building an industry eco-system for bandwidth carriers, device vendors, and content and service providers.
Concepts
Web authentication, also called portal authentication, is classified as proactive web authentication or mandatory web authentication.
- Proactive web authentication: A user accesses the authentication page of a web server and enters and submits the username and password. After obtaining the username and password, the web server sends them to the BRAS. The BRAS then exchanges messages with the RADIUS server to complete user authentication.
- Mandatory web authentication: A user attempts to access other extranet resources using HTTP and is forcibly redirected to the web authentication page to enter and submit the username and password. After obtaining the username and password, the web server sends them to the BRAS. The BRAS then exchanges messages with the RADIUS server to complete user authentication.
Web Authentication Process
Web authentication is classified as proactive web authentication or mandatory web authentication. The two authentication modes are the same except for how users access the authentication page. The detailed authentication process is as follows:
- Proactive web authentication: As shown in Figure 5-2, the user can access only the web authentication page in the web pre-authentication domain. If the user passes the authentication after entering the username and password on the page, the user is switched to the web authentication domain and can access network resources.
- Mandatory web authentication: As shown in Figure 5-3, the user accesses other extranet resources through HTTP and is forcibly redirected to the web authentication page by the BRAS. The user can access only the web authentication page in the web pre-authentication domain. If the user passes the authentication after entering the username and password on the page, the user is switched to the web authentication domain and can access network resources.
Web Authentication Modes
Depending on the network layer where web authentication is performed, web authentication is classified as Layer 2 authentication or Layer 3 authentication.
- Layer 2 authentication: Web authentication is enabled on the BRAS interface that connects to Layer 2 users. Only authenticated users are allowed access to external network resources.
- Layer 3 authentication: Web authentication is enabled on the BRAS interface that connects to Layer 3 users. Web authentication on Layer 3 interfaces can be further classified as direct authentication or inter-Layer 3 authentication. If direct authentication is used, Layer 3 forwarding is not performed between the client and the BRAS. If inter-Layer 3 authentication is used, the client and the BRAS can communicate through Layer 3 forwarding devices.
  - Direct authentication: If a user obtains an IP address using DHCP or has an IP address configured before authentication, the user can use this IP address to access only the web server address and specified addresses. After the user is authenticated, the user can access network resources.
  - Inter-Layer 3 authentication: This mode is implemented in basically the same way as direct authentication, except that the client and the BRAS can communicate through Layer 3 forwarding devices.
In both direct authentication and inter-Layer 3 authentication, an IP address uniquely identifies a user. The BRAS delivers ACLs based on users' IP addresses to control packet forwarding of authenticated users on interfaces. If direct authentication is used, users and the BRAS do not communicate through Layer 3 forwarding devices. Therefore, the BRAS interface connecting to users can learn the users' MAC addresses, which allows packet forwarding to be controlled at a finer granularity.
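The following model, added here as an illustration and not taken from any vendor's BRAS implementation, shows the two domains described above (pre-authentication domain with HTTP redirection for mandatory web authentication, then an IP-keyed ACL after the portal login) together with the granularity difference between direct and inter-Layer 3 authentication: when the BRAS has learned the user's MAC address it is bound to the session, otherwise only the IP address identifies the user. The class and function names (`Bras`, `Packet`, `Session`, `demo`), the credential dictionary standing in for the RADIUS server, and all addresses are assumptions constructed for this example.

```python
"""Minimal model of a BRAS enforcing web (portal) authentication domains.

Illustrative code only, not vendor code. All names and addresses below are
constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional

PORTAL_SERVER = IPv4Address("10.0.0.10")            # constructed web server address
FREE_RESOURCES = [IPv4Network("10.0.1.0/24")]       # "specified addresses" reachable before login (constructed)
HTTP_PORTS = {80}


@dataclass(frozen=True)
class Packet:
    src_ip: IPv4Address
    src_mac: Optional[str]   # learned MAC when the user is directly connected; None across an L3 hop
    dst_ip: IPv4Address
    dst_port: int


@dataclass
class Session:
    ip: IPv4Address
    mac: Optional[str]       # bound only for direct authentication


class Bras:
    def __init__(self, credentials: Dict[str, str]):
        self._credentials = credentials                 # stands in for the RADIUS server
        self._authenticated: Dict[IPv4Address, Session] = {}

    def handle(self, pkt: Packet) -> str:
        """Return 'forward', 'redirect' or 'drop' for one packet from a user."""
        session = self._authenticated.get(pkt.src_ip)
        if session is not None:
            # Web authentication domain: the ACL is keyed on the IP address.
            # With direct authentication the learned MAC must match as well,
            # which is the finer granularity the text refers to.
            if session.mac is None or session.mac == pkt.src_mac:
                return "forward"
            return "drop"
        # Web pre-authentication domain: only the portal and the specified addresses.
        if pkt.dst_ip == PORTAL_SERVER or any(pkt.dst_ip in net for net in FREE_RESOURCES):
            return "forward"
        if pkt.dst_port in HTTP_PORTS:
            return "redirect"    # mandatory web authentication: force the portal page
        return "drop"

    def portal_login(self, user_ip: IPv4Address, user_mac: Optional[str],
                     username: str, password: str) -> bool:
        """The portal hands the submitted credentials to the BRAS, which checks them
        (RADIUS stand-in) and, on success, moves the user into the authentication domain.
        user_mac is None for inter-Layer 3 authentication, where the BRAS cannot learn it."""
        if self._credentials.get(username) != password:
            return False
        self._authenticated[user_ip] = Session(ip=user_ip, mac=user_mac)
        return True


def demo() -> Dict[str, str]:
    """Walk one directly connected user through both domains; returns the decisions."""
    bras = Bras({"alice": "correct-horse"})            # constructed credential store
    user_ip, user_mac = IPv4Address("192.0.2.20"), "00:11:22:33:44:55"
    extranet = IPv4Address("203.0.113.7")
    out: Dict[str, str] = {}
    out["pre_auth_http"] = bras.handle(Packet(user_ip, user_mac, extranet, 80))
    out["pre_auth_ssh"] = bras.handle(Packet(user_ip, user_mac, extranet, 22))
    out["pre_auth_portal"] = bras.handle(Packet(user_ip, user_mac, PORTAL_SERVER, 80))
    out["bad_login"] = str(bras.portal_login(user_ip, user_mac, "alice", "wrong"))
    out["good_login"] = str(bras.portal_login(user_ip, user_mac, "alice", "correct-horse"))
    out["post_auth_ssh"] = bras.handle(Packet(user_ip, user_mac, extranet, 22))
    out["post_auth_other_mac"] = bras.handle(Packet(user_ip, "66:77:88:99:aa:bb", extranet, 22))
    return out


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:22s} {decision}")
```

Running the module prints the decision at each step: HTTP to an extranet address is redirected while everything else except the portal and the listed addresses is dropped; after a successful login the same IP address is forwarded, and a packet carrying the same IP but a different MAC is still dropped because direct authentication bound the learned MAC to the session. Creating a session with `user_mac=None` models inter-Layer 3 authentication, where the decision rests on the IP address alone.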