Portal authentication modes

Portal authentication may work at Layer 2 or Layer 3 of the OSI model.

Layer 2 portal authentication

You can enable Layer 2 portal authentication on an access device's Layer 2 port that connects authentication clients, so that only clients whose MAC addresses pass authentication can access the external network. Only the local portal server provided by the access device supports Layer 2 portal authentication.

Layer 2 portal authentication allows the authentication server to assign different VLANs according to user authentication results so that access devices can thereby control user access to resources. After a client passes authentication, the authentication server can assign an authorized VLAN to allow the user to access the resources in the VLAN. If a client fails authentication, the authentication server can assign an Auth-Fail VLAN. Layer 3 portal authentication does not support VLAN assignment.

Layer 3 portal authentication

You can enable Layer 3 authentication on an access device's Layer 3 interfaces that connect authentication clients. Portal authentication performed on a Layer 3 interface can be direct authentication, re-DHCP authentication, or cross-subnet authentication. In direct authentication and re-DHCP authentication, no Layer 3 forwarding devices exist between the authentication client and the access device. In cross-subnet authentication, Layer 3 forwarding devices may exist between the authentication client and the access device.