Portal system components
A typical portal system comprises these basic components: authentication client, access device, portal server, authentication/accounting server, and security policy server.
Figure 36: Portal system components
Authentication client
An authentication client is an entity seeking access to network resources. It is typically an end-user terminal such as a PC. A client can use a browser or portal client software for portal authentication. Client security check is implemented through communications between the client and the security policy server.
To implement security check, the client must be the HPE iNode client.
Access device
Access devices control user access. An access device can be a switch or router that provides the following functions:
- Redirecting HTTP requests from unauthenticated users to the portal server.
  For Layer 3 portal authentication, the device handles HTTP requests received from unauthenticated users according to whether they are sent from a Web browser such as Microsoft IE. The device redirects requests that come from a Web browser to the portal server and does not redirect requests that come from other sources.
- Interacting with the portal server, the security policy server, and the authentication/accounting server for identity authentication, security check, and accounting.
- Allowing users who have passed identity authentication and security check to access granted Internet resources.
Portal server
A portal server listens for authentication requests from authentication clients and exchanges client authentication information with the access device. It provides free portal services and pushes web authentication pages to users.
A portal server can be an entity independent of the access device or an entity embedded in the access device. In this document, the term "portal server" refers to an independent portal server, and the term "local portal server" refers to an embedded portal server.
Authentication/accounting server
An authentication/accounting server implements user authentication and accounting through interaction with the access device.
Only a RADIUS server can serve as the remote authentication/accounting server in a portal system.
Security policy server
A security policy server interacts with authentication clients and access devices for security check and resource authorization.
The components of a portal system interact as follows:
1. When an unauthenticated user enters a website address in the browser's address bar to access the Internet, an HTTP request is created and sent to the access device. The access device then redirects the HTTP request to the portal server's web authentication homepage. For extended portal functions, authentication clients must run the portal client software.
2. On the authentication homepage/authentication dialog box, the user enters and submits the authentication information, which the portal server then transfers to the access device.
3. Upon receipt of the authentication information, the access device communicates with the authentication/accounting server for authentication and accounting.
4. After successful authentication, the access device checks whether there is a corresponding security policy for the user. If not, it allows the user to access the Internet. Otherwise, the client communicates with the access device and the security policy server for security check. If the client passes security check, the security policy server authorizes the user to access the Internet resources.
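The interaction above can be modeled as a per-client state machine on the access device. The following Python sketch is an added example, not HPE code or configuration. The class and method names, the User-Agent test for "sent from a Web browser", the HOLD decision while a security check is pending, and the sample addresses are assumptions made for illustration.

```python
from enum import Enum

class State(Enum):
    UNAUTHENTICATED = 1
    PENDING_SECURITY_CHECK = 2
    AUTHORIZED = 3

# Assumption: a browser is recognized by a User-Agent token. The page does not
# say how the device decides that a request comes from a Web browser.
BROWSER_TOKENS = ("Mozilla/", "MSIE")

class AccessDevice:
    def __init__(self, radius_check, policy_users, portal_url):
        self.radius_check = radius_check        # callable(user, password) -> bool
        self.policy_users = set(policy_users)   # users that have a security policy
        self.portal_url = portal_url
        self.sessions = {}                      # client IP -> (State, user)

    def handle_http(self, ip, user_agent):
        """Decide what to do with one HTTP request (Layer 3 portal behavior)."""
        state, _ = self.sessions.get(ip, (State.UNAUTHENTICATED, None))
        if state is State.AUTHORIZED:
            return ("PERMIT", None)
        if state is State.PENDING_SECURITY_CHECK:
            return ("HOLD", None)               # assumption: no access until the check passes
        if any(token in user_agent for token in BROWSER_TOKENS):
            return ("REDIRECT", self.portal_url)
        return ("NO_REDIRECT", None)            # non-browser requests are not redirected

    def submit_credentials(self, ip, user, password):
        """Steps 2 to 4: credentials relayed by the portal server, checked via RADIUS."""
        if not self.radius_check(user, password):
            self.sessions.pop(ip, None)
            return State.UNAUTHENTICATED
        if user in self.policy_users:
            state = State.PENDING_SECURITY_CHECK
        else:
            state = State.AUTHORIZED            # no security policy: access allowed
        self.sessions[ip] = (state, user)
        return state

    def security_check_result(self, ip, passed):
        """Record the security policy server's verdict for a pending client."""
        state, user = self.sessions.get(ip, (State.UNAUTHENTICATED, None))
        if state is State.PENDING_SECURITY_CHECK and passed:
            state = State.AUTHORIZED
            self.sessions[ip] = (state, user)
        return state
```

The model shows two points that are easy to miss when reviewing a deployment: a non-browser request from an unauthenticated client is never redirected, and a user with a security policy is not authorized by RADIUS success alone.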
NOTE: Portal authentication supports NAT traversal whether it is initiated by a Web client or an HPE iNode client. NAT traversal must be configured when the portal client is on a private network and the portal server is on a public network.