Fast Authentication Process

User Login Process

As shown in Figure 1 User login process, the user sends a DHCP Discover message to the BRAS. After receiving the message, the BRAS creates a user entry, assigns an IP address to the user through DHCP, and grants permissions that allow the user to access only limited network resources. The user can access only the specified web page. If the user accesses other web pages, the user is redirected to the web authentication page. On the web authentication page, the user can click the button indicating confirmation for authentication without entering the username or password. After the authentication is successful, the user can access network resources.

Figure 1 User login process

User Logout Process

As shown in Figure 2, when the user needs to go offline, the user clicks the button indicating logout on the authentication result page to send a logout request to the web server. After accounting is complete, the user goes offline normally.

Figure 2 User logout process

Username Generation Mode

If a username template is bound to the BAS interface through which users go online using the default-user-name-template command, the system generates usernames based on the username template. If no username template is bound to the user access interface but a mode for generating pure usernames is configured using the default-user-name command in the AAA view, the system generates pure usernames based on the configured mode. If neither of the preceding configurations is available, the system generates usernames based on the default configuration. Interface-specific configuration applies only to the interface, whereas the default configuration and the configuration in the AAA view take effect globally.

A pure username can be generated using any of the following methods:

• The system uses the IP address carried in the Access-Request packet of a user as the pure username. This method applies only to Layer 3 access users and static users whose Access-Request packets carry IP addresses.
• The system uses the MAC address carried in the Access-Request packet of a user as the pure username.
• The system uses the Access-Line-Id information (DHCP Option 82/DHCPv6 Option 18+37) carried in the Access-Request packet of a user as the pure username.
• The system uses the hostname (configured using the sysnamehost-name command in the system view) as the pure username.
• The system uses any combination of the IP address, MAC address, Access-Line-Id information (DHCP Option 82/DHCPv6 Option 18+37), and hostname as the pure username. The preceding information is presented in the pure username in the order they are configured.
• The system generates a pure username based on access interface and VLAN information of a user in the format configured using the vlanpvc-to-username command.

The system then generates a username based on the pure username, default authentication domain configured on the BAS interface, and domain name delimiter and position configured in the system. The username can be in either of the following formats: pure username+domain name delimiter+domain name (if the system is configured to place the domain name behind the domain name delimiter) or domain name+domain name delimiter+pure username (if the system is configured to place the domain name before the domain name delimiter).

Password Generation Modes

You can run the default-password command to specify the mode in which the system automatically generates the password for an IPoX user. For example:

• The system uses the manually configured IPoX password.
• The system uses all or part of the Vendor-Class attribute (DHCPv4 Option 60/DHCPv6 Option 16) carried in the user's Access-Request packet as the IPoX password.
• The system uses all of the User-Class attribute (DHCPv4 Option 77/DHCPv6 Option 15) carried in the user's Access-Request packet as the IPoX password.