Portal authentication across VPNs
Use portal authentication across MPLS VPNs in cases where branches belong to different VPNs that are isolated from each other, and all portal users in the branches need to be authenticated by the server at the headquarters. As shown in Figure 44, the PE connecting the authentication clients serves as the NAS. The NAS is configured with portal authentication and AAA authentication, both of which support authentication across VPNs. The NAS can transmit a client's portal authentication packets in a VPN transparently through the MPLS backbone to the servers in another VPN. This feature implements centralized client authentication across different VPNs while ensuring the separation of packets of the different VPNs.
This feature is not applicable to VPNs with overlapping address spaces.
Figure 44: Network diagram for portal authentication across VPNs
Portal authentication configured on MCE devices can also support authentication across VPNs. For information about MCE, see MPLS Configuration Guide.
For information about AAA implementation across VPNs, see "Configuring AAA."