Portal authentication controls user access to networks by authenticating user identities. Web-based portal authentication allows users to authenticate through a Web browser without installing client software. Users enter a username and password on a Web page. The device authenticates the user identity and controls the user's access to the network according to the authentication result.
The portal authentication server receives authentication requests from portal authentication clients and interacts with the access device to authenticate users. After portal authentication is enabled on the device, when the device receives a portal packet it first looks up the locally configured portal authentication servers by the source IP address and VPN instance of the packet. If a matching portal authentication server is found, the device considers the packet valid and sends an authentication response to that server; otherwise, it considers the packet invalid and discards it. Note that this lookup only selects which server entry applies; because source addresses can be spoofed, every configured server should also have a strong key (see the Key field below).
This feature enables the device to periodically check for portal packets (such as login, logout, and heartbeat packets) sent by a portal authentication server in order to determine whether the server is reachable. If the device receives a valid portal packet within the detection timeout, it considers the portal authentication server reachable. Otherwise, it considers the server unreachable and can trigger the actions configured for a server status change.
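The following is an added example, not code from the page or from the product: a simulation of the server lookup and reachability detection described above, from the access device's point of view. Server names, addresses, timestamps, the detection timeout, the callback API and the assumption that a newly configured server starts out reachable are all constructed for the illustration.

```python
# Added example (not device code): simulation of portal server lookup by
# (source IP, VPN instance) and of reachability detection against a timeout.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortalServer:
    name: str
    ip: str
    vpn: Optional[str] = None   # None = public network, no VPN instance


class PortalServerMonitor:
    """Tracks reachability of the configured portal authentication servers."""

    def __init__(self, servers: List[PortalServer], detection_timeout: float, now: float,
                 on_change: Optional[Callable[[PortalServer, bool], None]] = None):
        # Lookup key is (source IP, VPN instance), as the text describes.
        self.by_addr: Dict[Tuple[str, Optional[str]], PortalServer] = {
            (s.ip, s.vpn): s for s in servers}
        self.timeout = float(detection_timeout)
        self.on_change = on_change or (lambda server, reachable: None)
        # Assumption: a newly configured server is treated as reachable until the
        # first detection timeout expires without a valid packet.
        self.last_valid: Dict[str, float] = {s.name: now for s in servers}
        self.reachable: Dict[str, bool] = {s.name: True for s in servers}
        self.events: List[Tuple[float, str, bool]] = []        # (time, server, reachable)
        self.discarded: List[Tuple[float, str, Optional[str]]] = []

    def on_packet(self, now: float, src_ip: str, vpn: Optional[str] = None) -> Optional[PortalServer]:
        """Handle a portal packet (login/logout/heartbeat) from src_ip in VPN instance vpn."""
        server = self.by_addr.get((src_ip, vpn))
        if server is None:
            # No configured server matches: the packet is invalid and is dropped.
            self.discarded.append((now, src_ip, vpn))
            return None
        self.last_valid[server.name] = now
        self._set(now, server, True)    # a valid packet proves the server is reachable
        return server

    def tick(self, now: float) -> Dict[str, bool]:
        """Periodic detection: no valid packet within the timeout means unreachable."""
        for server in self.by_addr.values():
            if now - self.last_valid[server.name] > self.timeout:
                self._set(now, server, False)
        return dict(self.reachable)

    def _set(self, now: float, server: PortalServer, reachable: bool) -> None:
        if self.reachable[server.name] != reachable:
            self.reachable[server.name] = reachable
            self.events.append((now, server.name, reachable))
            self.on_change(server, reachable)   # e.g. raise an alarm or switch access policy


def run_reachability_scenario():
    """Constructed traffic: one server, 60 s detection timeout."""
    srv = PortalServer("imc-1", "192.0.2.10")
    mon = PortalServerMonitor([srv], detection_timeout=60, now=0)
    # (time, source IP, VPN instance) of packets seen by the device; constructed data
    packets = [
        (10, "192.0.2.10", None),      # valid heartbeat
        (40, "203.0.113.5", None),     # unknown source: discarded
        (70, "192.0.2.10", None),      # valid
        (90, "192.0.2.10", "vpn-a"),   # right IP, wrong VPN instance: discarded
    ]
    for t, ip, vpn in packets:
        mon.on_packet(t, ip, vpn)
    mon.tick(120)                      # last valid packet 50 s ago: still reachable
    mon.tick(150)                      # 80 s without a valid packet: unreachable
    mon.on_packet(160, "192.0.2.10")   # server speaks again: reachable
    return mon.events, mon.discarded


if __name__ == "__main__":
    events, discarded = run_reachability_scenario()
    print("state changes:", events)
    print("discarded packets:", discarded)
```

The packet at t=90 shows why the VPN instance is part of the lookup key: the same IP address in a different VPN instance is a different (and here unconfigured) server.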
Once the access device loses communication with a portal authentication server, the portal user information on the access device and that on the portal authentication server might be inconsistent after the communication resumes. To address this problem, the device provides the portal user synchronization feature. This feature is implemented by sending and detecting portal synchronization packets, as follows:
The portal authentication server sends the online user information to the access device in a synchronization packet at the user heartbeat interval.
The user heartbeat interval is set on the portal authentication server.
Upon receiving a synchronization packet, the access device compares the users carried in the packet with its own user list and performs the following operations:
If a user contained in the packet does not exist on the access device, the access device asks the portal authentication server to delete that user.
The access device starts the synchronization detection timer for a user as soon as the user logs in. If the user does not appear in any synchronization packet within the synchronization detection interval, the access device considers the user gone from the portal authentication server and logs the user out. The detection interval must therefore be longer than the server's user heartbeat interval; otherwise online users are logged out between two heartbeats.
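The following is an added example, not code from the page or from the product: a simulation of the synchronization logic above from the access device's side, including the mis-sizing case where the detection interval is shorter than the server's heartbeat interval. User names, timings and the synchronization packet format (a plain list of user IDs) are constructed assumptions.

```python
# Added example (not device code): portal user synchronization on the access device.
from typing import Dict, Iterable, List, Tuple


class UserSyncState:
    """Keeps the access device's online-user list consistent with the portal server."""

    def __init__(self, detection_interval: float):
        self.interval = float(detection_interval)
        # user -> time of login or of the last sync packet that listed the user
        self.last_seen: Dict[str, float] = {}
        self.delete_requests: List[Tuple[float, str]] = []   # asked the server to delete
        self.logged_out: List[Tuple[float, str]] = []        # removed locally

    def login(self, now: float, user: str) -> None:
        # The synchronization detection timer starts as soon as the user logs in.
        self.last_seen[user] = now

    def on_sync_packet(self, now: float, users: Iterable[str]) -> None:
        for user in users:
            if user in self.last_seen:
                self.last_seen[user] = now          # listed in a sync packet: timer restarts
            else:
                # The server knows a user the device does not: ask the server to delete it.
                self.delete_requests.append((now, user))

    def tick(self, now: float) -> None:
        """Log out users absent from sync packets for longer than the detection interval."""
        for user, seen in list(self.last_seen.items()):
            if now - seen > self.interval:
                del self.last_seen[user]
                self.logged_out.append((now, user))

    def online(self) -> List[str]:
        return sorted(self.last_seen)


def run_sync_scenario(detection_interval: float):
    """Constructed timeline; the server's user heartbeat interval is 30 s."""
    dev = UserSyncState(detection_interval)
    dev.login(0, "alice")
    dev.login(5, "bob")
    # Sync packets from the server every 30 s (constructed): bob disappears after t=60
    # (e.g. the server dropped him while the link was down); carol is unknown locally.
    sync_packets = [
        (30, ["alice", "bob"]),
        (60, ["alice", "bob", "carol"]),
        (90, ["alice"]),
        (120, ["alice"]),
        (150, ["alice"]),
    ]
    for t, users in sync_packets:
        dev.tick(t)
        dev.on_sync_packet(t, users)
    dev.tick(160)
    return dev.online(), dev.delete_requests, dev.logged_out


if __name__ == "__main__":
    print("interval 90 s:", run_sync_scenario(90))   # bob logged out, carol deleted
    print("interval 20 s:", run_sync_scenario(20))   # everyone logged out at t=30
```

With a 90 s detection interval the device converges on the server's view: carol is reported for deletion at t=60 and bob is logged out at t=160. With a 20 s interval, shorter than the 30 s heartbeat, both legitimate users are logged out at the first tick and the device then tells the server to delete them, which is the failure mode the sizing rule above avoids.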
This feature is typically used where a NAT device sits between a portal authentication server and a large number of access devices.
Without this feature, you must configure a static NAT mapping for each access device on the NAT device, which is a lot of work. After this feature is enabled on an access device, the access device automatically sends a register packet to the portal authentication server. When the server receives the register packet, it records register information for the access device, including the device name and the post-NAT IP address and port number. The server uses this register information to address subsequent authentication exchanges with the access device. The access device refreshes its register information on the server by sending register packets at regular intervals (the report interval), so that a changed NAT binding is picked up by the server.
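The following is an added example, not code from the page or from the product: a simulation of the registration exchange across a NAT device, showing why the register packet must be repeated. The device name, addresses, ports, the NAT binding behaviour and the register packet fields are constructed assumptions.

```python
# Added example (not product code): access-device registration with a portal
# authentication server across a source-NAT device.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]


@dataclass(frozen=True)
class RegisterPacket:
    device_name: str     # identifies the access device independently of its address


class NatDevice:
    """Minimal source NAT: maps each inside (ip, port) to a port on one public IP."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings: Dict[Addr, Addr] = {}

    def translate(self, inside: Addr) -> Addr:
        if inside not in self.bindings:          # new binding: allocate the next public port
            self.bindings[inside] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.bindings[inside]

    def expire(self, inside: Addr) -> None:
        """Binding timed out: the next packet from this inside address gets a new port."""
        self.bindings.pop(inside, None)


class PortalServerRegistry:
    """Server side: records where each access device is reachable after NAT."""

    def __init__(self):
        self.records: Dict[str, Tuple[Addr, float]] = {}   # name -> (post-NAT addr, last update)

    def on_register(self, now: float, pkt: RegisterPacket, src: Addr) -> None:
        # src is the source address as the server sees it, i.e. after NAT.
        self.records[pkt.device_name] = (src, now)

    def address_for(self, device_name: str) -> Optional[Addr]:
        """Where the server sends subsequent authentication packets for this device."""
        rec = self.records.get(device_name)
        return rec[0] if rec else None


def run_registration_scenario(report_interval: float = 30) -> List[Optional[Addr]]:
    nat = NatDevice("198.51.100.7")
    server = PortalServerRegistry()
    inside: Addr = ("10.1.1.2", 2000)     # access device behind the NAT (constructed)
    pkt = RegisterPacket("ac-1")
    history: List[Optional[Addr]] = []
    for t in (0, report_interval, 2 * report_interval):
        server.on_register(t, pkt, nat.translate(inside))
        history.append(server.address_for("ac-1"))
    nat.expire(inside)                     # NAT binding lost; the public port changes
    server.on_register(3 * report_interval, pkt, nat.translate(inside))
    history.append(server.address_for("ac-1"))
    return history


if __name__ == "__main__":
    for addr in run_registration_scenario():
        print("server will reach ac-1 at", addr)
```

The server never learns the inside address 10.1.1.2:2000; it only ever sees the post-NAT address, which is exactly why a static mapping is otherwise needed. After the NAT binding expires, only the next periodic register packet tells the server the new port, so an overly long report interval leaves the device unreachable until that refresh.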
Support for portal protocol attributes varies by portal authentication server type. If the device sends the portal authentication server a packet that contains an attribute the server does not support, the device and the server cannot communicate. To address this issue, you can configure this feature to exclude the unsupported attributes from specific portal protocol packet types sent to the portal authentication server.
Do not delete a portal authentication server in use. Otherwise, users authenticated by that server cannot log out correctly.
Configure a portal authentication server as shown in the following figure:
To add a portal authentication server:
From the left navigation pane, select Configure > Authentication > Authentication Global Settings > Portal Authentication. Click the Portal Authentication Server tab.
Click Add above the portal authentication server list. On the page that opens, add a portal authentication server:
Server Name: Enter the name of the portal authentication server.
IP Address: Select the IP version and enter an IP address of the specified version. By default, the IP version is IPv4.
Port: Enter a port number, an integer in the range of 1 to 65534.
Type: Select the portal authentication server type. The default type is iMC.
Key: Enter the key shared with the portal authentication server. Use a long, random key and configure the same key on the server; the key is what protects the exchange between the device and the server.
Confirm Key: Enter the same key again.
Click Submit.
To manage portal authentication servers:
From the left navigation pane, select Configure > Authentication > Authentication Global Settings > Portal Authentication. Click the Portal Authentication Server tab.
You can perform the following management operations on existing portal authentication servers:
To refresh the portal authentication server list, click Refresh.
To delete portal authentication servers in bulk, select the portal authentication servers you want to delete, and then click Bulk Operation > Bulk Delete.
To import portal authentication servers from a local portal authentication server configuration file, click More > Import.
To export portal authentication servers to a local configuration file, click More > Export.
To edit a portal authentication server, click the Edit icon in the Actions column for that server.
To delete a portal authentication server, click the Delete icon in the Actions column for that server.
To configure portal authentication server reachability detection:
From the left navigation pane, select Configure > Authentication > Authentication Global Settings > Portal Authentication. Click the Portal Authentication Server tab.
Expand the Advanced Configuration area. Turn on reachability detection, enter the detection timeout value, and select the actions to trigger when the server status changes.
To configure portal user synchronization:
From the left navigation pane, select Configure > Authentication > Authentication Global Settings > Portal Authentication. Click the Portal Authentication Server tab.
Expand the Advanced Configuration area. Turn on User Info Sync, and then set the interval for detecting user synchronization packets. Set it longer than the user heartbeat interval configured on the portal authentication server.
To configure reporting of register packets to the portal authentication server:
From the left navigation pane, select Configure > Authentication > Authentication Global Settings > Portal Authentication. Click the Portal Authentication Server tab.
Expand the Advanced Configuration area. Turn on Report of Registration Message to Portal Auth Server, and set the report interval.
To exclude unsupported attributes from portal protocol packets:
From the left navigation pane, select Configure > Authentication > Authentication Global Settings > Portal Authentication. Click the Portal Authentication Server tab.
Expand the Advanced Configuration area. In the Attributes Not Carried in Portal Protocol Messages area, turn on this feature.
Click Add above the attribute list, and then select the attribute type and the portal protocol packet type from which the attribute is to be excluded.