Portal Authentication Technology White Paper

Transcription

1 Portal Authentication Technology White Paper Keywords: Portal, CAMS, security, authentication Abstract: Portal authentication is also called Web authentication. It authenticates users by username and password input on an HTTP page. This document mainly introduces the basic working flow and typical networking applications of portal authentication. Acronyms: Acronym Full spelling AAA ACL BAS CAMS HTTP RADIUS Authentication, Authorization, Accounting Access Control List Broad Access Server Comprehensive Access Management Server Hypertext Transfer Protocol Remote Access Dial in User Service Hangzhou H3C Technologies Co., Ltd. 1/13

2 Table of Contents 1 Overview Background Benefits Portal Implementation Concepts Protocol Framework Authentication Process Direct Authentication Process Re-DHCP Authentication Process Logout Process Initiative Logout Process Forced Logout Process Application Scenarios Application of Layer 2 Portal Authentication Application of Layer 3 Portal Authentication References Hangzhou H3C Technologies Co., Ltd. 2/13

3 1 Overview Portal authentication, as its name implies, helps control access to the Internet. Portal authentication is also called web authentication and a website implementing portal authentication is called a portal website. With portal authentication, an access device forces all users to log into the portal website at first. Every user can access the free services provided on the portal website; but to access the Internet, a user must pass portal authentication on the portal website. 1.1 Background In a traditional networking environment, as long as connected to a LAN device, a user can access the devices and resources on the LAN. In many cases, however, it is required to control user accesses to ensure network security and enhance the operating management of network resources. For instance, a service provider may need to control user access at the access points of some public sites, campuses, and companies, allowing only legitimate users who have paid to access the network using their accounts and passwords. Besides, some companies may need to provide some internal resources to some outside users, and want users to be authenticated first. The current access control methods, such as 802.1x and PPPoE, all need the cooperation of client software, and can control user accesses at the access layer only. Portal authentication is proposed to provide a more flexible access control method. It needs no client to be installed and can provide access control at the access layer as well as the network ingresses. 1.2 Benefits Compared with the 802.1x and PPPoE technologies, portal authentication holds the following advantages: Hangzhou H3C Technologies Co., Ltd. 3/13

4 It authenticates users directly through a Web page, without the cooperation of any client software. It can provide individualized authentication pages at a granularity of VLAN + port + IP address pool. At the same time, a portal website can present advertisements, deliver services, and release information, implementing comprehensive IP service operation. It cares for user management. It supports authentication based on bindings between username and VLAN ID/IP/MAC, and can detect network connectivity between the portal server/bas and the portal clients by sending handshake packets. Re-DHCP portal authentication can implement flexible address allocation and accounting policies, and save public IP addresses. Layer 3 portal authentication can implement user authentication across networks, and control access at the enterprise network egress or the ingress of the key data area. 2 Portal Implementation 2.1 Concepts As shown in Figure 1, a typical portal system consists of four basic components: authentication client (portal client), portal server, broadband access server (BAS), and authentication/authorization/accounting (AAA) server. Figure 1 Portal system components Hangzhou H3C Technologies Co., Ltd. 4/13

5 Portal client: Client system that triggers authentication requests on a portal network. It can be a browser using the Hypertext Transfer Protocol (HTTP). Portal server: Server system that listens to authentication requests from portal clients and exchanges client identity information with the BAS. It provides free portal services and a web-based authentication interface. BAS: Broadband access server, used to redirect HTTP requests to the portal server, and cooperate with the portal server and AAA server to implement authentication/authorization/accounting for users. AAA server: Authentication/authorization/accounting server, used to cooperate with the BAS to perform authentication/authorization/accounting for users. The above four components interact in the following procedure: (1) When an unauthenticated user enters a website address in the address bar of the IE to access the Internet, an HTTP request is created and sent to the BAS, which redirects the HTTP request to the web authentication homepage of the portal server. (2) On the authentication homepage/authentication dialog box, the user enters and submits the authentication information, which the portal server then transfers to the BAS. (3) Upon receipt of the authentication information, the BAS communicates with the AAA server for authentication and accounting. (4) After successful authentication, the BAS opens a path for the user to access the Internet. 2.2 Protocol Framework The portal protocol consists of two parts, portal access and portal authentication. The following figure illustrates the portal protocol framework: Figure 2 Portal protocol framework Hangzhou H3C Technologies Co., Ltd. 5/13

6 Portal access prescribes the protocol interactions between a portal client and the portal server. The main interactions are as follows: (1) The portal client sends its authentication information to the portal server through HTTP. (2) The portal server informs the portal client about the authentication result, success or failure, through an HTTP page. (3) The portal server regularly checks whether the portal client is online by sending handshake packets. Portal authentication prescribes the protocol interactions between the portal server and BAS, and mainly includes the following contents: (1) Portal authentication adopts a non-strict client/server structure, and mostly uses request/response messages for interaction. It also defines a notification message for the interaction between the portal server and BAS. (2) Portal authentication packets are carried on UDP. (3) Through a specified local UDP port, the portal server listens to non-response packets sent from the BAS, and sends all packets to the specified port on the BAS. The BAS uses a specified local UDP port to listen to all packets sent from the portal server, and sends non-response packets to the specified port on the portal server. The destination port number of a response packet is the source port number of the corresponding request packet. 2.3 Authentication Process Portal authentication supports two modes: Layer 2 authentication and Layer 3 authentication. Layer 2 authentication falls into two categories: direct authentication and re-dhcp authentication. 1. Layer 2 authentication In Layer 2 authentication mode, the portal server is directly connected to the BAS, or only Layer 2 devices are allowed between them. Direct authentication Before authentication, a user manually configures a public IP address or directly obtains a public IP address through DHCP, and can access only the portal server and Hangzhou H3C Technologies Co., Ltd. 6/13

7 predefined free websites. After passing authentication, the user can access the Internet using the public IP address. The process of direct authentication is simpler than that of re-dhcp authentication but is not flexible in networking. Re-DHCP authentication Before authentication, a user gets a private IP address through DHCP and can access only the portal server and predefined free websites. After passing authentication, the user is allocated a public IP address and can access the Internet. No public IP address is allocated to those who fails authentication. This mode saves the public IP addresses but still lacks flexibility in networking. 2. Layer 3 authentication Layer 3 portal authentication mode allows Layer 3 forwarding devices to be present between the authentication client and the BAS, and therefore is more flexible in networking than Layer 2 authentication mode. For Layer 3 portal authentication is similar to direct authentication, the following only describes the direct and re-dhcp authentication modes in details Direct Authentication Process 1. Work flow Portal client Portal server BAS RADIUS server 1) Trigger authentication 2) Challenge request 3) Challenge response 4) Authentication request 5) RADIUS authentication 6) Authentication response 7) Authentication result Figure 3 Direct authentication process Hangzhou H3C Technologies Co., Ltd. 7/13

8 2. Authentication procedure The following process takes CHAP authentication as an example. For PAP authentication, steps 2), 3) and 4) can be omitted. (1) The portal client triggers portal authentication by sending an HTTP request. (2) Upon receipt of the request, the portal server first sends a challenge request to the BAS and starts a timer to wait for the response from the BAS. If the portal server receives no response from the BAS before the timer expires, the portal server re-transmits the request to the BAS. If the portal server retransmits the request for the maximum number of times but still receives no response, it informs the portal client that the portal authentication has failed. (3) After the BAS receives the challenge request, it checks the validity of the request and responds to the request if it is valid. (4) Upon receipt of the challenge response, the portal server calculates the CHAP- PASSWORD based on the CHAP algorithm, and then sends an authentication request to the BAS and starts a timer to wait for the response from the BAS. If the portal server receives no response from the BAS before the timer expires, the portal server re-transmits the request to the BAS. If the portal server retransmits the request for the maximum number of times but still receives no response, it informs the portal client that the portal authentication has failed. (5) After the BAS receives the authentication request, it checks the packet validity and, if the packet is valid, processes the request packet. That is, the BAS constructs a RADIUS authentication request based on the authentication mode (CHAP) and sends the RADIUS request to the RADIUS server, and then starts a timer to wait for the response from the RADIUS server. If the BAS receives no response from the RADIUS server before the timer expires, the BAS retransmits the request to the RADIUS server. If the BAS retransmits the request for the maximum number of times but still receives no response, it considers that the authentication fails. (6) The BAS sends an authentication response to the portal server according to the RADIUS authentication result. (7) The portal server informs the portal client of the portal authentication result based on the received authentication response (succeeded or failed). Hangzhou H3C Technologies Co., Ltd. 8/13

9 2.3.2 Re-DHCP Authentication Process 1. Work flow Portal client Portal server BAS RADIUS server 1) Trigger authentication 2) Challenge request 3) Challenge response 7) Authentication result 4) Authentication request 6) Authentication response (Authentication succeeds) 5) RADIUS authentication 8) User IP change notification 9) IP change acknowledgement 10) Log out the user 10) Accounting request Figure 4 Re-DHCP authentication process 2. Authentication procedure (1) The portal client triggers an authentication request through HTTP. (2) Upon receipt of the request, the portal server first sends a challenge request to the BAS and starts a timer to wait for the response from the BAS. (3) After the BAS receives the challenge request, it checks the validity of the request and responds to the request if it is valid. (4) The portal server first sends an authentication request to the BAS and starts a timer to wait for the response from the BAS. (5) The BAS and the RADIUS server exchange RADIUS packets to perform RADIUS authentication. (6) The BAS sends an authentication response, which contains a control message, to the portal server based on the RADIUS authentication result and the timer. If the RADIUS authentication succeeds, the control message requires the portal server to inform the portal client to release the obtained IP address and re-apply an IP address. Hangzhou H3C Technologies Co., Ltd. 9/13

10 (7) The portal server sends an authentication result to the portal client. After receiving the message, if the authentication succeeds, the portal client releases the original private IP address and re-applies a new public IP address. (8) The BAS checks the IP address of the portal client through gratuitous ARP packets sent by the portal client. Once an IP address change is detected, the BAS sends a user IP change notification message to the portal server, and starts a timer to wait for the IP change acknowledgement. (9) After receiving the user IP change notification from the BAS and the IP update notification from the portal client, the portal server confirms the address update with the portal client and sends the IP change acknowledgement to the BAS. If the portal server receives the notification message from only one side (BAS or portal client), it considers that the user IP address has not changed. (10) The IP change acknowledgement message carries the IP change result information. If the BAS receives the information of successful IP change, it sends an accounting request to the RADIUS server to get the user online. If the BAS receives the information of failed IP change, the BAS logs out the user forcibly and sends a notification message to the portal server. 2.4 Logout Process A portal client can initiate a logout request. The portal server or BAS can force a user to log out Initiative Logout Process The specific steps are as follows: (1) The portal client initiates an logout request through HTTP. (2) Upon receiving the logout request, the portal server sends the logout request to the BAS and starts a timer to wait for the BAS response. If the portal server receives no response from the BAS before the timer expires, the portal server re-transmits the request to the BAS until it gets a response or the retransmission limit is reached. The retransmission limit can be adjusted as needed. Hangzhou H3C Technologies Co., Ltd. 10/13

11 (3) After the BAS receives the logout request from the portal server, it sends a logout response to the portal server and a stop accounting message to the RADIUS server. Normally, as a user s logout request will surely be granted, the portal server will inform the portal client of logout success immediately after it receives the logout request, rather than waiting for the logout acknowledgement from the BAS Forced Logout Process When an administrator logs out a user through the command line interface, or the BAS detects that a user has gone offline, or an interface or interface card connecting users is removed, the BAS needs to inform the portal server to log out the user forcibly. The specific steps are as follows: (1) The BAS sends a user forced logout message to the portal server to inform the portal server that the portal client has already gone offline. (2) After receiving the notification, the portal server sends an acknowledge to the BAS to confirm the logout, and at the same time, notifies the portal client that the network is disconnected. If the BAS does not receive the acknowledgement from the portal server within a certain period, the BAS re-transmits the notification message to the portal server until it gets the acknowledgement or the retransmission limit is reached. Although the notification progress initiated by the BAS has failed, the portal server will know that the portal client has gone offline in the end and log out the user. This is because of the heartbeat detect mechanism that functions between the portal server and client. Hangzhou H3C Technologies Co., Ltd. 11/13

12 3 Application Scenarios 3.1 Application of Layer 2 Portal Authentication Internet CAMS platform Internal netowork DHCP server BAS Portal client Figure 5 Network diagram for Layer 2 portal authentication Configure portal on the Layer 2 device connecting portal clients to implement authentication and accounting for portal users accessing the internal network. The portal service module needs to be configured on the CAMS platform. Hangzhou H3C Technologies Co., Ltd. 12/13

13 3.2 Application of Layer 3 Portal Authentication Figure 6 Network diagram for Layer 3 portal authentication configuration You can configure portal on the ingress BAS to perform authentication and accounting for users accessing the key service area on the internal network from the external network, and for internal users accessing the Internet. In this case, a Layer 3 switching device can be present between the users and the device with portal configured. 4 References RFC 2865: Remote Authentication Dial In User Service (RADIUS) Copyright 2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice. Hangzhou H3C Technologies Co., Ltd. 13/13