Layer 2 portal authentication process
Figure 38: Local Layer 2 portal authentication process
Local Layer 2 portal authentication takes the following procedure:
The portal authentication client sends an HTTP request. Upon receiving the HTTP request, the access device redirects it to the listening IP address of the local portal server, which supports HTTP and HTTPS requests. The local portal server pushes a Web authentication page to the authentication client. The user enters the username and password on the Web authentication page.
The listening IP address of the local portal server is the IP address of a Layer 3 interface on the access device that can communicate with the portal client. Usually, it is a Loopback interface's IP address.
The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
If the user passes RADIUS authentication, the local portal server pushes a logon success page to the authentication client.
Authorized VLAN
Layer 2 portal authentication supports VLAN assignment by the authentication server. After a user passes portal authentication, if the authentication server is configured with an authorized VLAN for the user, the authentication server assigns the authorized VLAN to the access device. Then, the access device adds the user to the authorized VLAN and generates a MAC VLAN entry. If the authorized VLAN does not exist, the access device first creates the VLAN.
By deploying the authorized VLAN assignment function, you can control which authenticated users can access which network resources.
Auth-Fail VLAN
The Auth-Fail VLAN feature allows users failing authentication to access a VLAN that accommodates network resources such as the patches server, virus definitions server, client software server, and anti-virus software server, so that the users can upgrade their client software or other programs. Such a VLAN is called an Auth-Fail VLAN.
Layer 2 portal authentication supports Auth-Fail VLAN on a port that performs MAC-based access control. With an Auth-Fail VLAN configured on a port, if a user on the port fails authentication, the access devices creates a MAC VLAN entry based on the MAC address of the user and adds the user to the Auth-Fail VLAN. Then, the user can access the non-HTTP resources in the Auth-Fail VLAN, and all HTTP requests of the user will be redirected to the authentication page. If the user passes authentication, the access device adds the user to the assigned VLAN or return the user to the initial VLAN of the port, depending on whether the authentication server assigns a VLAN. If the user fails the authentication, the access device keeps the user in the Auth-Fail VLAN. If an access port receives no traffic from a user in the Auth-Fail VLAN during a specified period of time (90 seconds by default), it removes the user from the Auth-Fail VLAN and adds the user to the initial VLAN of the port.
![[NOTE: ]](images/note.png) | NOTE: After a user is added to the authorized VLAN or Auth-Fail VLAN, the IP address of the client needs to be automatically or manually updated to make sure that the client can communicate with the hosts in the VLAN. | |
Assignment of authorized ACLs
The device can use ACLs to control user access to network resources and limit user access rights. With authorized ACLs specified on the authentication server, when a user passes authentication, the authentication server assigns an authorized ACL for the user, and the device filters traffic from the user on the access port according to the authorized ACL. You must configure the authorized ACLs on the access device if you specify authorized ACLs on the authentication server. To change the access right of a user, specify a different authorized ACL on the authentication server or change the rules of the corresponding authorized ACL on the device.