Two Portal authentication modes are available, depending on the network layer at which Portal authentication is used: Layer 2 authentication and Layer 3 authentication.
Layer 2 authentication is recommended when the client and access device are either directly connected or have only Layer 2 devices between them. In this scenario, the device can learn users' MAC addresses and identify the users using their MAC addresses and IP addresses.
Layer 2 authentication provides a simple authentication process while ensuring high security. However, users must be in the same network segment as the access device, which makes networking inflexible.
Layer 3 authentication is recommended when Layer 3 forwarding devices exist between the client and access device. In this scenario, the device cannot obtain the MAC address of a client and uses only the IP address of the client to identify the user.
Layer 3 authentication allows for flexible networking and facilitates remote control. However, users can be identified only by their IP addresses, which results in poor security.
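The difference in user identification between the two modes can be shown with a small model of the access device's authenticated-user table. This is an added example, not vendor code: the class, the table layout and all addresses are constructed for illustration.

```python
"""Toy model of how an access device matches traffic to an authenticated
Portal user. Names, addresses and the table layout are constructed."""


class PortalSessionTable:
    def __init__(self, mode):
        if mode not in ("layer2", "layer3"):
            raise ValueError("mode must be 'layer2' or 'layer3'")
        self.mode = mode
        self._sessions = {}

    def _key(self, src_mac, src_ip):
        # Layer 2: the device learns the client's MAC, so the user is bound
        # to the (MAC, IP) pair. Layer 3: a forwarding device sits in
        # between, so the client's MAC is unknown and only the IP is usable.
        if self.mode == "layer2":
            return (src_mac.lower(), src_ip)
        return (src_ip,)

    def login(self, user, src_mac, src_ip):
        self._sessions[self._key(src_mac, src_ip)] = user

    def identify(self, src_mac, src_ip):
        """Return the authenticated user for this traffic, or None."""
        return self._sessions.get(self._key(src_mac, src_ip))


def compare_modes():
    # Constructed sample values (documentation address ranges).
    user_mac, other_mac = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    router_mac = "00:00:5e:00:53:fe"  # next hop seen in the Layer 3 case
    user_ip = "192.0.2.10"

    l2 = PortalSessionTable("layer2")
    l2.login("alice", user_mac, user_ip)
    l3 = PortalSessionTable("layer3")
    l3.login("alice", router_mac, user_ip)

    return {
        "l2_same_host": l2.identify(user_mac, user_ip),
        # Same IP from a different MAC does not match the binding.
        "l2_other_mac_same_ip": l2.identify(other_mac, user_ip),
        "l3_same_host": l3.identify(router_mac, user_ip),
        # Behind the router, a second host using this IP looks identical.
        "l3_other_host_same_ip": l3.identify(router_mac, user_ip),
    }


if __name__ == "__main__":
    print(compare_modes())
```

In Layer 2 mode, traffic that does not match the learned MAC and IP pair is treated as unauthenticated. In Layer 3 mode the table has nothing but the IP address to match on.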