Portal authentication modes, Layer 3 portal authentication – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

149

Authentication page customization support

The local portal server function allows you to customize authentication pages. You can customize

authentication pages by editing the corresponding HTML files and then compress and save the files to the
storage medium of the device. A set of customized authentication pages consists of six authentication

pages—the logon page, the logon success page, the online page, the logoff success page, the logon

failure page, and the system busy page. A local portal server pushes a corresponding authentication

page at each authentication phase. If you do not customize the authentication pages, the local portal
server pushes the default authentication pages.

NOTE:

For the rules of customizing authentication pages, see "

Customizing authentication pages

."

Portal authentication modes

Portal authentication may work at Layer 2 or Layer 3 of the OSI model. The device supports only Layer 3

portal authentication.

Layer 3 portal authentication

You can enable Layer 3 authentication on an access device's Layer 3 interfaces that connect

authentication clients. Portal authentication performed on a Layer 3 interface can be direct authentication,

re-DHCP authentication, or cross-subnet authentication. In direct authentication and re-DHCP

authentication, no Layer-3 forwarding devices exist between the authentication client and the access
device. In cross-subnet authentication, Layer-3 forwarding devices may exist between the authentication

client and the access device.

•

Direct authentication
Before authentication, a user manually configures a public IP address or directly obtains a public
IP address through DHCP, and can access only the portal server and predefined free websites.

After passing authentication, the user can access the network resources. The process of direct

authentication is simpler than that of re-DHCP authentication.

•

Re-DHCP authentication
Before authentication, a user gets a private IP address through DHCP and can access only the

portal server and predefined free websites. After passing authentication, the user is allocated a
public IP address and can access the network resources. No public IP address is allocated to those

who fail authentication. This solves the IP address planning and allocation problem and can be

useful. For example, a service provider can allocate public IP addresses to broadband users only

when they access networks beyond the residential community network.

NOTE:

The local portal server function does not support re-DHCP authentication.

•

Cross-subnet authentication
Cross-subnet authentication is similar to direct authentication, but it allows Layer 3 forwarding
devices to be present between the authentication client and the access device.

In direct authentication, re-DHCP authentication, and cross-subnet authentication, the client's IP address
is used for client identification. After a client passes authentication, the access device generates an

access control list (ACL) for the client based on the client's IP address to permit packets from the client to

go through the access port. Because no Layer 3 devices are present between the authentication clients

and the access device in direct authentication and re-DHCP authentication, the access device can