Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, except it allows Layer 3 forwarding
devices to exist between the authentication client and the access device.
In direct authentication, re-DHCP authentication, and cross-subnet authentication, a user's IP
address uniquely identifies the user. After a user passes authentication, the access device generates
an ACL for the user based on the user's IP address to control forwarding of the packets from the user.
Because no Layer 3 forwarding device exists between authentication clients and the access device
in direct authentication and re-DHCP authentication, the access device can also learn the user's MAC
address and use it, together with the IP address, to control packet forwarding more tightly. In
cross-subnet authentication the access device sees only the MAC address of the intervening Layer 3
device, so the IP address is the only user identifier available for forwarding control.
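The following is an added illustration, not HPE code, of the per-user forwarding control described above. It models the access device's per-user permit entry: in direct and re-DHCP mode the entry binds the user's IP to the learned MAC, in cross-subnet mode it can only match the IP. The class and function names (PortalEnforcer, Packet, spoof_outcomes) and the addresses are constructed for the example.

```python
# Added illustration (not HPE code) of per-user forwarding control after
# portal authentication. Direct/re-DHCP: IP bound to the learned MAC.
# Cross-subnet: the MAC seen is the gateway's, so only the IP can be matched.
# Names (PortalEnforcer, Packet) and addresses are constructed for the example.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str   # source MAC as seen on the access device's ingress port


class PortalEnforcer:
    L2_MODES = ("direct", "re-dhcp")

    def __init__(self, mode: str) -> None:
        if mode not in self.L2_MODES + ("cross-subnet",):
            raise ValueError(f"unknown portal mode {mode!r}")
        self.mode = mode
        # Per-user "ACL": authenticated IP -> bound MAC, or None when the
        # access device cannot learn the client's MAC (cross-subnet).
        self._acl: Dict[str, Optional[str]] = {}

    def on_auth_success(self, ip: str, learned_mac: Optional[str]) -> None:
        """Install the user's permit entry once authentication succeeds."""
        if self.mode in self.L2_MODES:
            if learned_mac is None:
                raise ValueError("direct/re-DHCP: MAC must have been learned")
            self._acl[ip] = learned_mac
        else:
            self._acl[ip] = None   # Layer 3 hop in between: IP is the only key

    def on_logout(self, ip: str) -> None:
        self._acl.pop(ip, None)

    def permit(self, pkt: Packet) -> bool:
        """Forwarding decision for a packet arriving from the user side."""
        if pkt.src_ip not in self._acl:
            return False                       # unauthenticated: deny/redirect
        bound = self._acl[pkt.src_ip]
        if bound is None:
            return True                        # cross-subnet: IP-only match
        return bound.lower() == pkt.src_mac.lower()


def spoof_outcomes() -> Dict[str, Dict[str, bool]]:
    """Constructed scenario: alice authenticates, then mallory sends packets
    with alice's IP. Returns the forwarding decision per mode."""
    alice_mac, mallory_mac, gw_mac = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:ff"
    results = {}
    for mode in ("direct", "cross-subnet"):
        enf = PortalEnforcer(mode)
        l2 = mode == "direct"
        enf.on_auth_success("10.1.1.20", alice_mac if l2 else None)
        # Behind a router both users' packets carry the gateway's MAC.
        legit = Packet("10.1.1.20", alice_mac if l2 else gw_mac)
        spoof = Packet("10.1.1.20", mallory_mac if l2 else gw_mac)
        results[mode] = {"legit": enf.permit(legit), "spoof": enf.permit(spoof)}
    return results
```

The scenario makes the practical caveat visible: in direct mode the IP-to-MAC binding drops the spoofed packet, while in cross-subnet mode any host that can source packets with an authenticated user's IP through the same Layer 3 path is forwarded, so IP-level controls on the far side of the router (anti-spoofing on the gateway, per-subnet policy) are what limit that exposure.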
Portal support for EAP
Compared with username-and-password-based authentication, digital certificate-based
authentication provides stronger security.
The Extensible Authentication Protocol (EAP) supports several digital certificate-based
authentication methods, for example, EAP-TLS. Working together with EAP, portal authentication
can implement digital certificate-based user authentication.
Figure 46 Portal support for EAP working flow diagram
As shown in Figure 46, the authentication client and the portal authentication server exchange EAP
authentication packets. The portal authentication server and the access device exchange portal
authentication packets that carry the EAP-Message attributes. The access device and the RADIUS
server exchange RADIUS packets that carry the EAP-Message attributes. The RADIUS server that
supports the EAP server function processes the EAP packets encapsulated in the EAP-Message
attributes, and provides the EAP authentication result.
The access device does not process but only transports EAP-Message attributes between the portal
authentication server and the RADIUS server. Therefore, the access device requires no additional
configuration to support EAP authentication.
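The RADIUS leg of this relay, as an added example that is not HPE code: the access device wraps the EAP packet it received from the portal server into ordered EAP-Message attributes (RFC 2869, at most 253 octets of value each) and, as RFC 3579 requires for any Access-Request carrying EAP-Message, adds a Message-Authenticator so the RADIUS server can detect tampering before it hands the EAP payload to its EAP server function. The portal-protocol leg between client and portal server is HPE-specific and is not modelled. The shared secret, identifiers and the 600-byte EAP-TLS-style payload are constructed test data.

```python
# Added example (not HPE code): relaying an EAP packet inside RADIUS
# EAP-Message attributes (RFC 2869) with a Message-Authenticator (RFC 3579),
# and reassembling it on the receiving side. All inputs are constructed.
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST = 1
USER_NAME = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253          # 255-octet attribute minus type and length octets


def eap_response(eap_id: int, eap_type: int, payload: bytes) -> bytes:
    """Build an EAP Response (code 2): code, id, length, type, type-data."""
    body = bytes([eap_type]) + payload
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def eap_message_attrs(eap_packet: bytes) -> List[Tuple[int, bytes]]:
    """Split one EAP packet into ordered EAP-Message attributes (RFC 2869 5.13)."""
    return [(EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
            for i in range(0, len(eap_packet), MAX_ATTR_VALUE)]


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    out = b""
    for attr_type, value in attrs:
        if len(value) > MAX_ATTR_VALUE:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_request(secret: bytes, ident: int, req_auth: bytes,
                         username: bytes, eap_packet: bytes) -> bytes:
    """Access-Request carrying the EAP packet plus a Message-Authenticator:
    HMAC-MD5 over the whole packet with that attribute zeroed (RFC 3579 3.2)."""
    attrs = [(USER_NAME, username)] + eap_message_attrs(eap_packet)
    attrs.append((MESSAGE_AUTHENTICATOR, bytes(16)))   # placeholder, kept last
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def parse_attrs(pkt: bytes) -> List[Tuple[int, bytes, int]]:
    """Return (type, value, value_offset) triples; rejects malformed lengths."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, pkt[pos + 2:pos + attr_len], pos + 2))
        pos += attr_len
    return attrs


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """RFC 3579: an Access-Request with EAP-Message but without a valid
    Message-Authenticator must be discarded, so a missing one is a failure."""
    for attr_type, value, off in parse_attrs(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def reassemble_eap(pkt: bytes) -> bytes:
    """Concatenate EAP-Message values in order and check the EAP length field."""
    data = b"".join(v for t, v, _ in parse_attrs(pkt) if t == EAP_MESSAGE)
    if len(data) < 4:
        raise ValueError("no EAP-Message attribute")
    _code, _eid, eap_len = struct.unpack("!BBH", data[:4])
    if eap_len != len(data):
        raise ValueError("EAP length mismatch")
    return data


def relay_demo() -> Dict[str, object]:
    """Round-trip a 605-byte constructed EAP-TLS (type 13) response."""
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))             # constructed; must be random in practice
    eap = eap_response(7, 13, b"\x00" * 600)
    pkt = build_access_request(secret, 42, req_auth, b"alice", eap)
    fragments = sum(1 for t, _, _ in parse_attrs(pkt) if t == EAP_MESSAGE)
    tampered = pkt[:22] + b"m" + pkt[23:]   # first User-Name octet altered
    return {
        "fragments": fragments,
        "authentic": verify_message_authenticator(secret, pkt),
        "tampered_authentic": verify_message_authenticator(secret, tampered),
        "reassembled_ok": reassemble_eap(pkt) == eap,
    }
```

The 605-byte EAP packet is carried as three EAP-Message attributes; the receiver does not interpret the EAP contents beyond checking the length field, which is exactly the transparent-relay role the text assigns to the access device, and the Message-Authenticator is what makes that relay trustworthy, since the RADIUS Request Authenticator alone does not protect the attributes of an Access-Request.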
NOTE:
• To use portal authentication that supports EAP, the portal authentication server and client must
be the HPE IMC portal server and the HPE iNode portal client.
• Local portal authentication does not support EAP authentication.
Portal authentication process
Direct authentication and cross-subnet authentication share the same authentication process.
Re-DHCP authentication has a different process as it has two address allocation procedures.