296Web authentication page provided by the portal Web server. The user can also visit theauthentication website to log in. The user must log in through the H3C iNode client for extendedportal functions.2. The user enters the authentication information on the authentication page/dialog box andsubmits the information. The portal Web server forwards the information to the portalauthentication server. The portal authentication server processes the information and forwardsit to the access device.3. The access device interacts with the AAA server to implement authentication, authorization,accounting for the user.4. If security policies are not imposed on the user, the access device allows the authenticated userto access networks.If security policies are imposed on the user, the portal client, the access device, and the securitypolicy server interact to check the user host. If the user passes the security check, the securitypolicy server authorizes the user to access resources based on the check result.Local portal serviceSystem componentsAs shown in Figure 96, a local portal system consists of an authentication client, access device, andAAA server. The access device acts as both the portal Web server and the portal authenticationserver to provide the local portal Web service for the authentication client. The authentication clientcan only be a Web browser, and it cannot be a user host that runs a portal client. Therefore,extended portal functions are not supported and no security policy server is required.Figure 96 System componentsPortal page customizationTo provide the local portal web service, you must customize a set of authentication pages that thedevice will push to users. You can customize multiple sets of authentication pages, compress eachset of the pages to a .zip file, and upload the compressed files to the storage medium of the device.On the device, you must specify one of the files as the default authentication page file by using thedefault-logon-page command.For more information about authentication page customization, see "Customizing authenticationpages."Portal authentication modesPortal authentication has three modes: direct authentication, re-DHCP authentication, andcross-subnet authentication. In direct authentication and re-DHCP authentication, no Layer 3forwarding devices exist between the authentication client and the access device. In cross-subnetauthentication, Layer 3 forwarding devices can exist between the authentication client and theaccess device.Direct authenticationA user manually configures a public IP address or obtains a public IP address through DHCP. Beforeauthentication, the user can access only the portal Web server and predefined authentication-free