08-Direct Portal Authentication
1 Direct Portal Authentication
To view this video, click the download link.
Software Version Used
This video was recorded based on the following versions:
l iMC: iMC PLAT 3.20-E2501, iMC UAM 3.60-E6101
l iNode: iNode 3.60-E6101
Web interfaces of different versions may vary.
On a network, usually there are devices of many vendors. In this case, it is hard to have all users to go through the 802.1X authentication. Portal authentication can solve this problem.
To deploy portal authentication, you only need to enable portal authentication on a key device, called the portal gateway. Then, all users that connect to the network through the device must pass portal authentication. As the portal gateway can be deployed at the access layer or the convergence layer, or even attached to a convergence layer or core layer device, portal authentication can control user accesses very flexibly. Besides, portal authentication can be provided through Web pages, in which case no client software installation is necessary. All these advantages of portal authentication make it popular in network applications.
Portal authentication involves four roles: portal server, AAA server, access device (Switch in the above figure), and PC.
l HTTP/portal is used for interaction between the PC and the portal server.
l The portal protocol is used for interaction between the portal server and the access device.
l The RADIUS protocol is used for interaction between the access device and the AAA server.
The iMC UAM system integrates the AAA server and the portal server.
Usually, portal authentication is used together with DHCP, which assigns IP addresses for PCs dynamically. Thus, a DHCP server is needed. There are two common methods to deploy the DHCP server:
l Deploy a separate device in the network as the DHCP server. In this case, you need to configure the access device as the DHCP relay. The DHCP server assigns IP addresses for PCs.
l Use the access device as the DHCP server as well. This method is used in this example.
Recommended Configuration Flow
In this example, the iNode client is used for portal authentication, instead of the web-based portal authentication mode.
You can configure and test portal authentication in six steps, as shown in the following figure:
Step1 Add Access Device.
Add an access device that supports AAA to the iMC system, so that the access device acts as the AAA client to cooperate with the iMC system.
Step2 Add Service.
Add a service to the iMC system.
A service is a set of policies for user authentication and authorization. This step shows how to add a service that contains no policy, to the iMC system.
Step3 Add Account
Add a basic access account to the iMC system.
Each user accessing the network must have an account configured in the iMC. It includes such information as account name and password.
This step demonstrates how to add a basic user access account to the iMC system and apply for the service configured at step 2.
Step4 Configure Portal Service
The portal service configurations include:
l Configuring the portal server to make it capable for portal authentication.
l Configuring the cooperation between the portal server and the access device. This has the similar functionality as step 1. The difference is that the cooperation configured here is for portal protocol interaction, while that configured at step 1 is for RADIUS protocol interaction.
This step shows how to 1) configure the portal server, 2) add an IP address group, and 3) add the portal device and reference the configured IP address group. 2) and 3) together restrict the range where users are allowed for portal access.
Step5 Configure Access Device
Configure the RADIUS scheme, ISP domain, portal, and DHCP on the access device to control user accesses.
Step6 Configure iNode Client
1) Create a portal connection on the iNode client.
2) Use the user account added at step 3 to initiate an authentication.
You can see that the user account can pass portal authentication and access the network successfully.