Explanation of portal authentication failure after EAP is extended with Range Extenders

RE505X , EAP680 HD , RE715X , EAP620-Outdoor HD , RE205 , EAP245 , EAP320 , EAP120 , EAP230-Wall , TL-WA860RE( V6 ) , EAP115 , EAP235 , EAP650-Outdoor , EAP772-Outdoor( V1 ) , RE650 , RE450( V2 V3 ) , RE603X , EAP610 HD , EAP660 HD , AP9665 , RE700X , RE315( V1 ) , EAP670-Outdoor , EAP673 , RE1500X , EAP110 , EAP670 , RE1750X , EAP235-Wall , RE780X , RE500XD , TL-WA850RE( V7 ) , EAP225 , EAP610-Outdoor , RE200( V5 ) , TL-WA854RE( V4 ) , RE500 , RE300 , EAP115 V4 , RE600X , EAP725-Wall , EAP220 , EAP265 HD , RE653BE , EAP620 HD , RE190 , EAP610 , EAP110-Wall , RE705X , RE550 , EAP655-Wall , RE230( V2 ) , EAP615-Wall , RE605X , RE500X , EAP650 , EAP330 , RE580X , EAP623-Outdoor HD , RE750C , RE2700X , EAP650-Wall , TL-WA855RE( V4 )
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check either the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region, and certain models may not be available in your region.
Problem: After portal authentication is configured on an EAP, if a range extender is used to extend the EAP network, only the first client to connect through the range extender is required to complete portal authentication; all devices that subsequently connect to the range extender can access the Internet without authentication.
Relevant interpretation:
1. Principles of portal authentication
The following figure shows a simple portal authentication process. When the client connects to EAP for the first time, EAP binds the MAC address of the client to the controller server. After authentication, the client can access network resources.
2. Forwarding process of wireless data frame under WDS
WDS (Wireless Distribution System) is a way of extending the coverage of a wireless network. In short, WDS uses two or more wireless broadband routers, APs or REs that connect to one another to extend the wireless signal over a larger area. Communication between APs in a WDS is either three-address communication or four-address communication.
2.1 Four address communication (Standard WDS)
When AP1 and AP2 communicate using four addresses, each data frame carries four MAC addresses: PC1, AP1, AP2 and PC2. The network structure is transparent, and sending and receiving are completely symmetric.
Note: Both APs must support four-address frames before four-address communication can be used, which reduces compatibility between devices.
2.2 Three address communication (Non-Standard WDS)
In this case, the RE associates with the AP as a client and then broadcasts the SSID to downstream devices, which is equivalent to a single client with multiple IPs connected to the AP.
The frames exchanged between the RE and the AP then carry three addresses. The RE replaces the MAC addresses of all downstream devices with its own MAC address, so the AP sees only one connected device. The RE has to maintain an IP-to-MAC mapping table and rewrite the source and destination MAC addresses when it addresses and forwards frames.
Three-address forwarding relies on the IP address, so forwarding efficiency is low; however, it has good compatibility and can extend the network with most devices.
The following figure shows a typical three-address data structure: the source IPs differ, but the MAC address in the data frames is exactly the same.
3. Reasons why portal authentication does not take effect
At present, when an RE extends an EAP network, the two devices communicate using three addresses. Because the two devices are designed for different application scenarios, they are not compatible with four-address communication. No matter how many devices sit behind the RE, the MAC address that the EAP binds to the controller server during portal authentication is the MAC address of the RE, so the server believes that only one device is connected to the EAP. As a result, the devices connected to the RE need to be authenticated only once, and other devices do not need to be authenticated again.
4. Related solutions
Use an RE that supports proxy mode. In proxy mode, the RE virtualizes the MAC address of each device connected to it and uses that virtual MAC address to communicate with the front AP, so the front AP can recognize different MAC addresses and portal authentication takes effect.
However, for compatibility reasons, not all REs support proxy mode. The RE models that do not support proxy mode are listed below for reference only:
850RE v7; 855RE v5; 860RE v6; 854RE v4; RE550; RE505X; RE605X; RE200 v5; RE315 v1.0; RE230 v2.0; RE450 v2.0; RE450 v3.0
Note: RE=Range Extender
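The behaviour described in sections 2.2, 3 and 4, as an added example (not TP-Link code): a toy portal keyed on source MAC, an RE in three-address mode versus proxy mode, and an audit helper that flags one MAC seen with several source IPs. The class and function names, the MAC/IP values and the way the virtual MAC is derived are assumptions made for the illustration.

```python
# Toy model (added example): a MAC-keyed portal behind a range extender.
# All MAC and IP values are constructed; the virtual-MAC rule is an assumption.

class Portal:
    """Controller view: authorisation is bound to the source MAC the EAP sees."""
    def __init__(self):
        self.authorized = set()

    def handle(self, src_mac, did_login=False):
        if src_mac in self.authorized:
            return "pass"
        if did_login:
            self.authorized.add(src_mac)
            return "authenticated"
        return "redirect-to-portal"

class RangeExtender:
    def __init__(self, own_mac, proxy_mode):
        self.own_mac, self.proxy_mode = own_mac, proxy_mode
        self.ip_to_mac = {}  # table the RE keeps to forward replies downstream

    def uplink_mac(self, client_mac, client_ip):
        """Source MAC the front AP sees for a frame from this client."""
        self.ip_to_mac[client_ip] = client_mac
        if not self.proxy_mode:
            return self.own_mac  # three-address mode: every client looks like the RE
        # Assumed rule: set the locally administered bit to get a per-client virtual MAC
        first = int(client_mac[:2], 16) | 0x02
        return f"{first:02x}{client_mac[2:]}"

def run(proxy_mode):
    """Client 1 is redirected and logs in; then client 2 sends traffic."""
    portal = Portal()
    ext = RangeExtender("aa:aa:aa:00:00:01", proxy_mode)
    c1 = ext.uplink_mac("10:00:00:00:00:01", "192.168.0.11")
    c2 = ext.uplink_mac("10:00:00:00:00:02", "192.168.0.12")
    return [portal.handle(c1), portal.handle(c1, did_login=True), portal.handle(c2)]

def macs_with_many_ips(observations):
    """Audit helper: source MACs seen with more than one source IP at the AP."""
    seen = {}
    for mac, ip in observations:
        seen.setdefault(mac, set()).add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    print("three-address:", run(False))
    print("proxy mode:   ", run(True))
```

In three-address mode the second client passes without ever seeing the portal; in proxy mode it is redirected like any new device.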