HP 10500 Series Configuration Manual page 138

Security configuration guide

Direct authentication/cross-subnet authentication process (with CHAP/PAP authentication)
Figure 51 Direct authentication/cross-subnet authentication process
The direct authentication/cross-subnet authentication process is as follows:
1. An authentication client initiates authentication by sending an HTTP request. When the HTTP packet arrives at the access device, the access device allows the packet to pass if it is destined for the portal server or a predefined free website, or it redirects the packet to the portal server if it is destined for other websites. The portal server pushes a Web authentication page to the user and the user enters the username and password.
2. The portal server and the access device exchange CHAP messages. This step is skipped for PAP authentication.
3. The portal server assembles the username and password into an authentication request message and sends it to the access device. Meanwhile, the portal server starts a timer to wait for an authentication acknowledgment message.
4. The access device and the RADIUS server exchange RADIUS packets to authenticate the user.
5. The access device sends an authentication reply to the portal server.
6. The portal server sends an authentication success message to the authentication client to notify it of logon success.
7. The portal server sends an authentication reply acknowledgment message to the access device.
With extended portal functions, the process includes these additional steps:
8. The security policy server exchanges security check information with the authentication client to check whether the authentication client meets the security requirements.
9. Based on the security check result, the security policy server authorizes the user to access certain resources and sends the authorization information to the access device. The access device then controls access of the user based on the authorization information.
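
The difference between the CHAP and PAP paths in steps 2 to 4, shown as an added example that is not from the HP manual. It uses the standard CHAP response computation (RFC 1994) and the RADIUS User-Password hiding used for PAP (RFC 2865), and assumes the step 2 exchange supplies the challenge; the portal protocol's own message format is not modelled, and all function names and sample values are constructed.

```python
import hashlib
import hmac

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def chap_verify(chap_id: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Verifier recomputes the digest; the password itself is never sent."""
    return hmac.compare_digest(chap_response(chap_id, secret, challenge), response)

def _mask_blocks(data: bytes, shared_secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2 chain: b1 = MD5(S + RA), b_i = MD5(S + c_(i-1))."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(d ^ m for d, m in zip(data[i:i + 16], mask))
        out += block
        prev = block if hiding else data[i:i + 16]  # always chain on ciphertext
    return out

def pap_hide(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    size = max(16, -(-len(password) // 16) * 16)  # pad to a multiple of 16
    return _mask_blocks(password.ljust(size, b"\x00"), shared_secret, authenticator, True)

def pap_reveal(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    return _mask_blocks(hidden, shared_secret, authenticator, False).rstrip(b"\x00")

def demo() -> dict:
    # Constructed sample values, not taken from the manual.
    password = b"constructed-user-password"
    radius_secret = b"constructed-radius-secret"
    challenge_1, challenge_2 = bytes(range(16)), bytes(range(16, 32))
    authenticator = bytes(range(32, 48))
    resp = chap_response(7, password, challenge_1)
    hidden = pap_hide(password, radius_secret, authenticator)
    return {
        "chap_ok": chap_verify(7, password, challenge_1, resp),
        "chap_replayed": chap_verify(7, password, challenge_2, resp),
        "pap_recovered": pap_reveal(hidden, radius_secret, authenticator) == password,
        "pap_wrong_secret": pap_reveal(hidden, b"other", authenticator) == password,
    }

if __name__ == "__main__":
    print(demo())
```

With CHAP the verifier only handles a digest bound to one challenge, whereas with PAP any holder of the RADIUS shared secret can recover the password, so that secret needs protecting accordingly.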