Operation Manual – PortalH3C S7500E Series Ethernet Switches Chapter 1 Portal Configuration1-4Caution:z Because a portal client uses an IP address as its ID, ensure that there is no NetworkAddress Translation (NAT) device between the authentication client, access device,portal server, and authentication/accounting server when deploying portalauthentication. This is to avoid authentication failure due to NAT operations.z Currently, only a RADIUS server can serve as the authentication/accounting serverin a portal system.1.1.4 Portal Authentication ModesPortal authentication supports two modes: non-Layer 3 authentication and Layer 3authentication.I. Non-Layer 3 authenticationNon-Layer 3 authentication falls into two categories: direct authentication andRe-DHCP authentication.z Direct authenticationBefore authentication, a user manually configures a public IP address or directlyobtains a public IP address through DHCP, and can access only the portal server andpredefined free websites. After passing authentication, the user can access the Internet.The process of direct authentication is simpler than that of re-DHCP authentication.z Re-DHCP authenticationBefore authentication, a user gets a private IP address through DHCP and can accessonly the portal server and predefined free websites. After passing authentication, theuser is allocated a public IP address and can access the Internet. No public IP addressis allocated to those who fails authentication. This solves the problem about IP addressplanning and allocation and proves to be useful. For example, a service provider canallocate public IP addresses to broadband users only when they access networksbeyond the residential community network.II. Layer 3 authenticationLayer 3 portal authentication is similar to direct authentication. However, in Layer-3portal authentication mode, a Layer 3 forwarding device can be present between theauthentication client and the access device.III. Differences between Layer 3 and non-Layer 3 authentication modesz Networking mode