Portal Authentication Technology White Paper

Keywords: Portal, CAMS, security, authentication

Abstract: Portal authentication is also called Web authentication. It authenticates users by the username and password entered on an HTTP page. This document mainly introduces the basic working flow and typical networking applications of portal authentication.

Acronyms:

Acronym   Full spelling
AAA       Authentication, Authorization, Accounting
ACL       Access Control List
BAS       Broadband Access Server
CAMS      Comprehensive Access Management Server
HTTP      Hypertext Transfer Protocol
RADIUS    Remote Authentication Dial In User Service

Hangzhou H3C Technologies Co., Ltd.
Table of Contents

1 Overview
  1.1 Background
  1.2 Benefits
2 Portal Implementation
  2.1 Concepts
  2.2 Protocol Framework
  2.3 Authentication Process
    2.3.1 Direct Authentication Process
    2.3.2 Re-DHCP Authentication Process
  2.4 Logout Process
    2.4.1 Initiative Logout Process
    2.4.2 Forced Logout Process
3 Application Scenarios
  3.1 Application of Layer 2 Portal Authentication
  3.2 Application of Layer 3 Portal Authentication
4 References
1 Overview

Portal authentication, as its name implies, helps control access to the Internet through a portal. Portal authentication is also called web authentication, and a website implementing portal authentication is called a portal website. With portal authentication, an access device forces all users to log into the portal website first. Every user can access the free services provided on the portal website, but to access the Internet a user must pass portal authentication on the portal website.

1.1 Background

In a traditional networking environment, a user who is connected to a LAN device can access the devices and resources on the LAN. In many cases, however, user access must be controlled to ensure network security and to improve the operation and management of network resources. For instance, a service provider may need to control user access at the access points of public sites, campuses, and companies, allowing only legitimate users who have paid to access the network with their accounts and passwords. Some companies may also need to expose internal resources to outside users, and want those users to be authenticated first.

The existing access control methods, such as 802.1x and PPPoE, all require client software and can control user access at the access layer only. Portal authentication is proposed as a more flexible access control method: it requires no client to be installed and can provide access control at the access layer as well as at network ingresses.

1.2 Benefits

Compared with the 802.1x and PPPoE technologies, portal authentication holds the following advantages:
- It authenticates users directly through a Web page, without the cooperation of any client software.
- It can provide individualized authentication pages at a granularity of VLAN + port + IP address pool. At the same time, a portal website can present advertisements, deliver services, and release information, implementing comprehensive IP service operation.
- It facilitates user management. It supports authentication based on bindings between username and VLAN ID/IP/MAC, and can detect network connectivity between the portal server/BAS and the portal clients by sending handshake packets.
- Re-DHCP portal authentication can implement flexible address allocation and accounting policies, and saves public IP addresses.
- Layer 3 portal authentication can implement user authentication across networks, and control access at the enterprise network egress or at the ingress of the key data area.

2 Portal Implementation

2.1 Concepts

As shown in Figure 1, a typical portal system consists of four basic components: authentication client (portal client), portal server, broadband access server (BAS), and authentication/authorization/accounting (AAA) server.

Figure 1 Portal system components
- Portal client: Client system that triggers authentication requests on a portal network. It can be a browser using the Hypertext Transfer Protocol (HTTP).
- Portal server: Server system that listens for authentication requests from portal clients and exchanges client identity information with the BAS. It provides free portal services and a web-based authentication interface.
- BAS: Broadband access server, which redirects HTTP requests to the portal server and cooperates with the portal server and AAA server to implement authentication/authorization/accounting for users.
- AAA server: Authentication/authorization/accounting server, which cooperates with the BAS to perform authentication/authorization/accounting for users.

The four components interact in the following procedure:

(1) When an unauthenticated user enters a website address in the address bar of the browser (for example, IE) to access the Internet, an HTTP request is created and sent to the BAS, which redirects the HTTP request to the web authentication homepage of the portal server.
(2) On the authentication homepage or in the authentication dialog box, the user enters and submits the authentication information, which the portal server then transfers to the BAS.
(3) Upon receipt of the authentication information, the BAS communicates with the AAA server for authentication and accounting.
(4) After successful authentication, the BAS opens a path for the user to access the Internet.

2.2 Protocol Framework

The portal protocol consists of two parts: portal access and portal authentication. The following figure illustrates the portal protocol framework:

Figure 2 Portal protocol framework
Portal access prescribes the protocol interactions between a portal client and the portal server. The main interactions are as follows:

(1) The portal client sends its authentication information to the portal server through HTTP.
(2) The portal server informs the portal client of the authentication result, success or failure, through an HTTP page.
(3) The portal server regularly checks whether the portal client is online by sending handshake packets.

Portal authentication prescribes the protocol interactions between the portal server and the BAS, and mainly includes the following:

(1) Portal authentication adopts a non-strict client/server structure and mostly uses request/response messages for interaction. It also defines a notification message for interaction between the portal server and the BAS.
(2) Portal authentication packets are carried over UDP.
(3) Through a specified local UDP port, the portal server listens for non-response packets sent from the BAS, and sends all packets to the specified port on the BAS. The BAS uses a specified local UDP port to listen for all packets sent from the portal server, and sends non-response packets to the specified port on the portal server. The destination port number of a response packet is the source port number of the corresponding request packet.

2.3 Authentication Process

Portal authentication supports two modes: Layer 2 authentication and Layer 3 authentication. Layer 2 authentication falls into two categories: direct authentication and re-DHCP authentication.

1. Layer 2 authentication

In Layer 2 authentication mode, the portal server is directly connected to the BAS, or only Layer 2 devices are present between them.

Direct authentication: Before authentication, a user manually configures a public IP address or obtains a public IP address directly through DHCP, and can access only the portal server and predefined free websites. After passing authentication, the user can access the Internet using the public IP address. The process of direct authentication is simpler than that of re-DHCP authentication but is not flexible in networking.

Re-DHCP authentication: Before authentication, a user obtains a private IP address through DHCP and can access only the portal server and predefined free websites. After passing authentication, the user is allocated a public IP address and can access the Internet. No public IP address is allocated to users who fail authentication. This mode saves public IP addresses but still lacks flexibility in networking.

2. Layer 3 authentication

Layer 3 portal authentication mode allows Layer 3 forwarding devices to be present between the authentication client and the BAS, and is therefore more flexible in networking than Layer 2 authentication mode. Because the Layer 3 portal authentication process is similar to direct authentication, the following describes only the direct and re-DHCP authentication modes in detail.

2.3.1 Direct Authentication Process

1. Work flow

Figure 3 Direct authentication process (sequence diagram across portal client, portal server, BAS and RADIUS server: 1) trigger authentication, 2) challenge request, 3) challenge response, 4) authentication request, 5) RADIUS authentication, 6) authentication response, 7) authentication result)
2. Authentication procedure

The following process takes CHAP authentication as an example. For PAP authentication, steps (2), (3) and (4) can be omitted.

(1) The portal client triggers portal authentication by sending an HTTP request.
(2) Upon receipt of the request, the portal server first sends a challenge request to the BAS and starts a timer to wait for the response from the BAS. If the portal server receives no response from the BAS before the timer expires, it retransmits the request to the BAS. If the portal server has retransmitted the request the maximum number of times and still receives no response, it informs the portal client that portal authentication has failed.
(3) After the BAS receives the challenge request, it checks the validity of the request and responds to the request if it is valid.
(4) Upon receipt of the challenge response, the portal server calculates the CHAP-PASSWORD based on the CHAP algorithm, then sends an authentication request to the BAS and starts a timer to wait for the response from the BAS. If the portal server receives no response from the BAS before the timer expires, it retransmits the request to the BAS. If the portal server has retransmitted the request the maximum number of times and still receives no response, it informs the portal client that portal authentication has failed.
(5) After the BAS receives the authentication request, it checks the packet validity and, if the packet is valid, processes the request. That is, the BAS constructs a RADIUS authentication request based on the authentication mode (CHAP), sends the RADIUS request to the RADIUS server, and starts a timer to wait for the response from the RADIUS server. If the BAS receives no response from the RADIUS server before the timer expires, it retransmits the request to the RADIUS server. If the BAS has retransmitted the request the maximum number of times and still receives no response, it considers that the authentication has failed.
(6) The BAS sends an authentication response to the portal server according to the RADIUS authentication result.
(7) The portal server informs the portal client of the portal authentication result (succeeded or failed) based on the received authentication response.
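The direct authentication flow above (steps 2 to 7), modeled as added Python that is not H3C's or the portal protocol's own code: MAX_RETRANSMITS, the in-memory RadiusServer, the constructed credentials, and the use of the request id as the CHAP identifier are assumptions, while the CHAP-PASSWORD check follows RFC 2865 (MD5 over identifier, password and challenge). A lost packet is modeled as a None reply, which is how the portal server's timer expiry and retransmission limit show up.

```python
import hashlib
import os

MAX_RETRANSMITS = 3  # assumption: the paper leaves the retransmission limit configurable

class RadiusServer:
    def __init__(self, users):
        self.users = users  # constructed username -> password store (stands in for AAA)

    def access_request(self, username, chap_id, chap_response, challenge):
        # RFC 2865 CHAP check: MD5(CHAP ident || password || CHAP challenge)
        password = self.users.get(username)
        if password is None:
            return "Access-Reject"
        expected = hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()
        return "Access-Accept" if expected == chap_response else "Access-Reject"

class Bas:
    def __init__(self, radius, drop=0):
        self.radius, self.challenges = radius, {}
        self.drop = drop  # how many challenge requests this BAS silently loses

    def challenge_request(self, req_id):
        if self.drop > 0:  # lost packet: the portal server's timer will expire
            self.drop -= 1
            return None
        self.challenges[req_id] = os.urandom(16)  # step (3): issue a fresh challenge
        return self.challenges[req_id]

    def auth_request(self, req_id, username, chap_password):
        challenge = self.challenges.pop(req_id, None)
        if challenge is None:  # step (5) validity check: no challenge for this request id
            return None
        result = self.radius.access_request(username, req_id, chap_password, challenge)
        return result == "Access-Accept"  # step (6): authentication response

class PortalServer:
    def __init__(self, bas):
        self.bas, self.next_id = bas, 1

    def _send_with_retries(self, send):
        # A None reply models timer expiry; falls through to None once
        # MAX_RETRANSMITS retransmissions have all gone unanswered
        for _ in range(1 + MAX_RETRANSMITS):
            if (reply := send()) is not None:
                return reply

    def authenticate(self, username, password):
        req_id = self.next_id % 256  # assumption: the request id doubles as the CHAP ident
        self.next_id += 1
        challenge = self._send_with_retries(lambda: self.bas.challenge_request(req_id))
        if challenge is None:  # step (2): the BAS never answered, report failure to the client
            return "failed"
        # step (4): CHAP-PASSWORD = MD5(ident || user password || challenge)
        chap_password = hashlib.md5(bytes([req_id]) + password.encode() + challenge).digest()
        ok = self._send_with_retries(lambda: self.bas.auth_request(req_id, username, chap_password))
        return "succeeded" if ok else "failed"  # step (7): result reported to the client
```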
2.3.2 Re-DHCP Authentication Process

1. Work flow

Figure 4 Re-DHCP authentication process (sequence diagram across portal client, portal server, BAS and RADIUS server: 1) trigger authentication, 2) challenge request, 3) challenge response, 4) authentication request, 5) RADIUS authentication, 6) authentication response (authentication succeeds), 7) authentication result, 8) user IP change notification, 9) IP change acknowledgement, 10) accounting request, or log out the user)

2. Authentication procedure

(1) The portal client triggers an authentication request through HTTP.
(2) Upon receipt of the request, the portal server first sends a challenge request to the BAS and starts a timer to wait for the response from the BAS.
(3) After the BAS receives the challenge request, it checks the validity of the request and responds to the request if it is valid.
(4) The portal server then sends an authentication request to the BAS and starts a timer to wait for the response from the BAS.
(5) The BAS and the RADIUS server exchange RADIUS packets to perform RADIUS authentication.
(6) The BAS sends an authentication response, which contains a control message, to the portal server based on the RADIUS authentication result and the timer. If the RADIUS authentication succeeds, the control message requires the portal server to inform the portal client to release the obtained IP address and request a new IP address.
(7) The portal server sends the authentication result to the portal client. If the authentication succeeded, the portal client, after receiving the message, releases the original private IP address and requests a new public IP address.
(8) The BAS checks the IP address of the portal client through the gratuitous ARP packets sent by the portal client. Once an IP address change is detected, the BAS sends a user IP change notification message to the portal server and starts a timer to wait for the IP change acknowledgement.
(9) After receiving both the user IP change notification from the BAS and the IP update notification from the portal client, the portal server confirms the address update with the portal client and sends the IP change acknowledgement to the BAS. If the portal server receives the notification message from only one side (BAS or portal client), it considers that the user IP address has not changed.
(10) The IP change acknowledgement message carries the IP change result. If the BAS receives a successful IP change result, it sends an accounting request to the RADIUS server to bring the user online. If the BAS receives a failed IP change result, it logs out the user forcibly and sends a notification message to the portal server.

2.4 Logout Process

A portal client can initiate a logout request. The portal server or the BAS can also force a user to log out.

2.4.1 Initiative Logout Process

The specific steps are as follows:

(1) The portal client initiates a logout request through HTTP.
(2) Upon receiving the logout request, the portal server sends the logout request to the BAS and starts a timer to wait for the BAS response. If the portal server receives no response from the BAS before the timer expires, it retransmits the request to the BAS until it gets a response or the retransmission limit is reached. The retransmission limit can be adjusted as needed.
(3) After the BAS receives the logout request from the portal server, it sends a logout response to the portal server and a stop-accounting message to the RADIUS server.

Normally, because a user's logout request will always be granted, the portal server informs the portal client of logout success immediately after it receives the logout request, rather than waiting for the logout acknowledgement from the BAS.

2.4.2 Forced Logout Process

When an administrator logs out a user through the command line interface, the BAS detects that a user has gone offline, or an interface or interface card connecting users is removed, the BAS must inform the portal server to log out the user forcibly. The specific steps are as follows:

(1) The BAS sends a user forced logout message to the portal server to inform it that the portal client has already gone offline.
(2) After receiving the notification, the portal server sends an acknowledgement to the BAS to confirm the logout and, at the same time, notifies the portal client that the network is disconnected. If the BAS does not receive the acknowledgement from the portal server within a certain period, it retransmits the notification message to the portal server until it gets the acknowledgement or the retransmission limit is reached.

Even if the notification process initiated by the BAS fails, the portal server will eventually learn that the portal client has gone offline and log out the user, because of the heartbeat detection mechanism between the portal server and the portal client.
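The two-sided IP change confirmation of steps (8) to (10) in section 2.3.2, and the forced logout it can trigger, as an added Python model that is not H3C code: it assumes the client's IP update notification reaches the portal server before the BAS's notification, models no timers, and uses constructed addresses. The point it makes concrete is that a new address seen by the BAS alone (via gratuitous ARP) is treated as "unchanged" and ends in a forced logout, while a change reported by both sides ends in an accounting request.

```python
class ReDhcpPortalServer:
    """Portal-server side of steps (8) to (10); timers are not modeled (assumption)."""
    def __init__(self):
        self.client_new_ip = {}  # IP update notifications received from portal clients
        self.offline = set()     # users the BAS reported as forcibly logged out

    def on_client_ip_update(self, user, new_ip):
        self.client_new_ip[user] = new_ip  # the client reports its newly requested address

    def on_bas_ip_change(self, user, new_ip):
        # step (9): the change counts only if BOTH the BAS and the client reported it
        # (and agree on the address); a notification from one side alone means "unchanged"
        confirmed = self.client_new_ip.pop(user, None) == new_ip
        return confirmed  # carried back to the BAS in the IP change acknowledgement

    def on_forced_logout(self, user):
        self.offline.add(user)  # notification sent by the BAS after a failed IP change


class ReDhcpBas:
    """BAS side: detects the new address from gratuitous ARP and acts on the acknowledgement."""
    def __init__(self, portal):
        self.portal = portal
        self.client_ip = {}    # user -> address the BAS currently has on record
        self.radius_log = []   # messages the BAS sends to the RADIUS server
        self.events = []       # what happened to each user, for inspection

    def admit(self, user, private_ip):
        self.client_ip[user] = private_ip  # address held before authentication

    def on_gratuitous_arp(self, user, sender_ip):
        # step (8): a sender address different from the recorded one means the client re-applied
        if sender_ip == self.client_ip.get(user):
            return "unchanged"
        self.client_ip[user] = sender_ip
        # notify the portal server and wait for its acknowledgement (step 9)
        if self.portal.on_bas_ip_change(user, sender_ip):
            # step (10), success: start accounting so the user goes online
            self.radius_log.append(("Accounting-Request", user, sender_ip))
            self.events.append(("online", user))
            return "online"
        # step (10), failure: force the user offline and tell the portal server
        self.events.append(("forced-logout", user))
        self.portal.on_forced_logout(user)
        return "forced-logout"
```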
3 Application Scenarios

3.1 Application of Layer 2 Portal Authentication

Figure 5 Network diagram for Layer 2 portal authentication (components: Internet, CAMS platform, internal network, DHCP server, BAS, portal client)

Configure portal on the Layer 2 device connecting the portal clients to implement authentication and accounting for portal users accessing the internal network. The portal service module must be configured on the CAMS platform.
3.2 Application of Layer 3 Portal Authentication

Figure 6 Network diagram for Layer 3 portal authentication configuration

You can configure portal on the ingress BAS to perform authentication and accounting for users accessing the key service area on the internal network from the external network, and for internal users accessing the Internet. In this case, a Layer 3 switching device can be present between the users and the device on which portal is configured.

4 References

RFC 2865: Remote Authentication Dial In User Service (RADIUS)

Copyright 2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.