Portal Authentication Process
The Portal server and the authentication device support two authentication interaction modes:
- CHAP (Challenge Handshake Authentication Protocol) authentication interaction: The user name and password are encrypted for transmission, which provides high security.
- PAP (Password Authentication Protocol) authentication interaction: The user name and password are transmitted in plain text, which provides low security.
When CHAP authentication interaction is used, the Portal server performs challenge handshake verification. The authentication device generates the Challenge at random when it receives the Challenge request packet. The Challenge is 16 bytes long and is delivered to the Portal server in the Challenge response packet.
The L2 Portal authentication process is the same as the ordinary L3 Portal authentication process. Portal authentication with secondary address assignment involves two address assignments, so its authentication process differs from that of the other two authentication modes.
The flow of L2 Portal authentication and ordinary L3 Portal authentication
The flowchart is as follows:
Figure 13-2 CHAP flowchart of L2/ordinary L3 Portal authentication
Figure 13-3 The PAP flowchart of L2/ordinary L3 Portal authentication
The flow of the L2 Portal authentication and ordinary L3 Portal authentication:
(1) Portal users initiate authentication requests through the HTTP protocol when they need to access the network. When an HTTP packet passes through the authentication device, the device lets it pass if it is destined for the Portal server or for a configured free access address. HTTP packets destined for other addresses are intercepted by the authentication device and redirected to the Portal server. The Portal server provides the Web page on which users enter the valid user name and password registered on the authentication server to start the authentication process.
(2) With CHAP authentication interaction, the Portal server performs challenge handshake verification and requests a Challenge from the authentication device. With PAP authentication interaction, proceed directly to step (4).
(3) When the authentication device receives the Challenge request packet, it randomly generates the Challenge, sends the Challenge request success packet, and delivers the Challenge to the Portal server. With PAP authentication interaction, proceed directly to step (4).
(4) The Portal server assembles the user name and password entered by the user into an authentication request packet and sends it to the authentication device to request authentication. At the same time, it starts a timer to wait for the authentication response.
(5) The authentication device and the RADIUS server exchange RADIUS protocol packets.
(6) The authentication device sends the authentication success packet to the Portal server.
(7) The Portal server sends the authentication pass packet to the authentication client, informing the user that authentication succeeded.
(8) The Portal server sends the authentication success confirm packet to the authentication device.
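The CHAP Challenge exchange described above, contrasted with PAP, as an added example that is not taken from the vendor documentation. It assumes the response is computed as in RFC 1994 (MD5 over identifier, password and Challenge), which this page does not specify; `AuthDevice`, `chap_response` and `demo` are hypothetical names and the credentials are constructed.

```python
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 16  # the page states the Challenge is 16 bytes


def chap_response(chap_id, password, challenge):
    # Assumption (RFC 1994): MD5 over identifier byte || secret || challenge.
    return hashlib.md5(bytes([chap_id & 0xFF]) + password.encode() + challenge).digest()


class AuthDevice:
    """Stands in for the authentication device and its RADIUS back end."""

    def __init__(self, users):
        self._users = users      # constructed user table: name -> password
        self._pending = {}       # chap_id -> outstanding Challenge

    def request_challenge(self, chap_id):
        # Challenge request: a fresh random value for every request.
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        self._pending[chap_id] = challenge
        return challenge

    def verify_chap(self, chap_id, user, response):
        # pop() makes each Challenge single use, so a response recorded from
        # one login is useless against the Challenge of a later login.
        challenge = self._pending.pop(chap_id, None)
        password = self._users.get(user)
        if challenge is None or password is None:
            return False
        expected = chap_response(chap_id, password, challenge)
        return hmac.compare_digest(expected, response)

    def verify_pap(self, user, password):
        # PAP carries the password itself, so the same value always verifies.
        stored = self._users.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def demo():
    device = AuthDevice({"alice": "S3cret-pass"})            # constructed credentials
    challenge = device.request_challenge(1)
    on_wire = chap_response(1, "S3cret-pass", challenge)     # what CHAP transmits
    first = device.verify_chap(1, "alice", on_wire)
    device.request_challenge(1)                              # next login, new Challenge
    replayed = device.verify_chap(1, "alice", on_wire)
    pap_again = device.verify_pap("alice", "S3cret-pass")    # PAP value stays valid
    return first, replayed, pap_again, len(challenge)
```

`demo()` returns whether the first CHAP response verified, whether the same response verified against a new Challenge, whether the PAP value verified again, and the Challenge length.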
The Portal authentication flow of the secondary address assignment
The flowchart is as follows:
Figure 13-4 The CHAP flowchart of secondary address assignment Portal authentication
Figure 13-5 The PAP flowchart of secondary address assignment Portal authentication
The Portal authentication flow of the secondary address assignment:
(1) Portal users initiate authentication requests through the HTTP protocol when they need to access the network. When an HTTP packet passes through the authentication device, the device lets it pass if it is destined for the Portal server or for a configured free access address. HTTP packets destined for other addresses are intercepted by the authentication device and redirected to the Portal server. The Portal server provides the Web page on which users enter the valid user name and password registered on the authentication server to start the authentication process.
(2) With CHAP authentication interaction, the Portal server performs challenge handshake verification and requests a Challenge from the authentication device. With PAP authentication interaction, proceed directly to step (4).
(3) When the authentication device receives the Challenge request packet, it randomly generates the Challenge, sends the Challenge request success packet, and delivers the Challenge to the Portal server. With PAP authentication interaction, proceed directly to step (4).
(4) The Portal server assembles the user name and password entered by the user into an authentication request packet and sends it to the authentication device to request authentication. At the same time, it starts a timer to wait for the authentication response.
(5) The authentication device and the RADIUS server exchange RADIUS protocol packets.
(6) The authentication device sends the authentication success packet to the Portal server.
(7) The Portal server sends the authentication pass packet to the authentication client, informing the user that authentication succeeded.
(8) After receiving the authentication pass packet, the client obtains the new public IP address via DHCP and informs the Portal server that the user has obtained the new IP address.
(9) The authentication device discovers the user IP address change by detecting the DHCP Snooping entry, modifies the user IP address, and sends the user IP address change packet to inform the Portal server that the user IP change has been detected.
(10) The Portal server informs the client that it has come online successfully.
(11) The Portal server sends the user IP address change confirm packet to the authentication device.