802.1X and PPPoE access control methods require dedicated client software to be installed and are effective only at the access layer, which complicates network deployment and user access. To solve this problem, an access control mode that does not require dedicated client software and allows authentication control points to be deployed flexibly is required.
Portal authentication was developed in this context. It does not require dedicated clients and therefore provides a flexible access control mode: access control can be implemented at the access layer or at the ingress of the key data to be protected. Portal authentication is also called web authentication because it uses ordinary web pages for authentication, so users can be authenticated with nothing more than a web browser.
MAC address-prioritized portal authentication avoids repeated entry of the account name and password for reauthentication when a user roams, or goes offline and then comes back online.
In MAC address-prioritized portal authentication, the access device sends the MAC address of a terminal to the RADIUS server for authentication when the terminal performs portal authentication for the first time. If the authentication fails, portal authentication is triggered for the user so that the user can enter the user name and password for identity authentication. The RADIUS server caches a terminal user's MAC address after the first authentication succeeds. If the terminal user is disconnected and then connected to the network within the MAC address validity period, the RADIUS server searches for the MAC address of the terminal user in the cache to authenticate the terminal user. After the authentication succeeds, the portal authentication page is not pushed to the user, and the user can directly access network resources.
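The flow described above, as an added example that is not part of the original page or of Huawei's software: a Python model of the RADIUS-side MAC cache and the access device's decision between MAC-based authentication and pushing the portal page. The user database, the MAC address and the validity period are constructed values.

```python
"""Model of MAC address-prioritized portal authentication (added example).

Assumptions: a tiny in-memory user database, a constructed validity period,
and a plain time value passed in by the caller (no real clock or RADIUS wire
protocol is involved).
"""
import hmac
from dataclasses import dataclass, field

# constructed value; on a real deployment this is configured on the RADIUS server
MAC_VALIDITY_SECONDS = 3600


@dataclass
class RadiusServer:
    # constructed user database: username -> password
    users: dict = field(default_factory=lambda: {"alice": "s3cret"})
    # MAC cache: mac -> time at which the cached entry expires
    mac_cache: dict = field(default_factory=dict)

    def auth_by_mac(self, mac, now):
        """First step: the access device submits only the terminal's MAC."""
        expiry = self.mac_cache.get(mac)
        if expiry is None:
            return False
        if now >= expiry:
            del self.mac_cache[mac]  # validity period elapsed: portal again
            return False
        return True

    def auth_by_credentials(self, user, password, mac, now):
        """Second step: credentials entered on the portal page."""
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return False  # failure: nothing is cached for this MAC
        # the MAC is cached only after a successful credential authentication
        self.mac_cache[mac] = now + MAC_VALIDITY_SECONDS
        return True


def handle_connect(radius, mac, now, credentials=None):
    """Access-device logic. Returns (allowed, method used)."""
    if radius.auth_by_mac(mac, now):
        return True, "mac"  # page not pushed; direct access to resources
    if credentials is None:
        return False, "portal"  # HTTP is redirected to the portal page
    user, password = credentials
    if radius.auth_by_credentials(user, password, mac, now):
        return True, "portal"
    return False, "portal"  # still redirected; no cache entry created
```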
- Portal authentication takes effect based on physical ports. If a user connected to a port passes the authentication, the user can access network resources through the port. If a user fails to pass the authentication, the user cannot access network resources.
- Currently, ports on which portal authentication is enabled support network resource access only through HTTP, and do not support other services (such as connected printers, IPC services, AP services, and dumb terminals). If other services need to be supported, use other ports for service isolation.
- Currently, only the portal protocol 2.0 is supported.
HTTP is an unencrypted protocol and therefore carries security risks. Ensure that HTTP is used only in a secure environment.
A portal authentication system consists of authentication clients, an access device (a Huawei MA5800 OLT or MA5600T GPON OLT), a portal server, and a RADIUS server. The portal server and RADIUS server are built into iMaster NCE-Campus, as shown in Figure 1.
- Authentication client: a browser that uses HTTP, or a host that runs the portal client software.
- Access device (for example, a Huawei MA5800 X7 OLT):
  - Redirects all HTTP requests of a user to the portal server before authentication.
  - Interacts with the portal server and RADIUS server to implement identity authentication.
  - Allows the user to access authorized network resources after the authentication succeeds.
- Portal server: receives authentication requests from a portal client, provides portal services and authentication web pages, and exchanges the authentication client's authentication information with the access device.
- RADIUS server: interacts with the access device to authenticate users.