
Comparison Between PPPoE, Web+Portal, and 802.1x Authentication Modes


Hello everyone,

Today, I'd like to show you the comparison between PPPoE, Web+Portal, and 802.1x authentication modes.

Authentication is the initial step of AAA (authentication, authorization, and accounting). AAA generally includes four steps: user terminal, AAA Client, AAA Server, and accounting software. The communication method between the user terminal and the AAA Client is usually called the "authentication mode". The current main technologies are PPPoE, Web+Portal, and IEEE 802.1x. Each of the three methods has its own background and technical characteristics. The following is a brief analysis of the three main authentication technologies:


1. PPPoE

The Point-to-Point Protocol over Ethernet (PPPoE) protocol allows a PPP session to be initiated via a simple Ethernet bridge that connects to the client.

The establishment of PPPoE requires two phases, namely the Discovery stage and the PPP Session stage. When a host wants to initiate a PPPoE session, it must first complete the Discovery stage to determine the Ethernet MAC address of the peer and establish a PPPoE session number (SESSION_ID).
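The Discovery stage described above, as an added example that is not part of the original post: a parser for RFC 2516 Discovery frames run over a constructed PADI/PADO/PADR/PADS exchange. The MAC addresses, the AC name `bas-1` and the session number are constructed sample values, and the function names are hypothetical.

```python
import struct

ETH_P_PPPOE_DISCOVERY = 0x8863          # EtherType of the Discovery stage (RFC 2516)
BROADCAST = bytes.fromhex("ffffffffffff")
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq"}

def build_frame(dst, src, code, session_id, tags):
    """Build a constructed Discovery frame from (tag_type, value) pairs."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISCOVERY) + header + payload

def parse_frame(frame):
    """Parse one Ethernet frame; raise ValueError on anything malformed."""
    if len(frame) < 20:
        raise ValueError("frame shorter than Ethernet + PPPoE headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_PPPOE_DISCOVERY:
        raise ValueError("not a PPPoE Discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code not in CODES:
        raise ValueError("bad version/type or unknown code")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("declared length exceeds frame")
    tags, off = {}, 0
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated tag header")
        t, n = struct.unpack("!HH", payload[off:off + 4])
        if off + 4 + n > length:
            raise ValueError("tag overruns payload")
        tags[TAGS.get(t, hex(t))] = payload[off + 4:off + 4 + n]
        off += 4 + n
    return {"code": CODES[code], "broadcast": frame[0:6] == BROADCAST,
            "src": frame[6:12].hex(":"), "session_id": session_id, "tags": tags}

def discovery_exchange():
    """Constructed exchange between one host and one access concentrator (AC)."""
    host, ac = bytes.fromhex("020000000001"), bytes.fromhex("0200000000ac")
    uniq = [(0x0101, b""), (0x0103, b"\x00\x01")]
    return [parse_frame(f) for f in (
        build_frame(BROADCAST, host, 0x09, 0, uniq),                 # host searches by broadcast
        build_frame(host, ac, 0x07, 0, uniq + [(0x0102, b"bas-1")]), # AC offer reveals its MAC
        build_frame(ac, host, 0x19, 0, uniq),                        # host requests a session
        build_frame(host, ac, 0x65, 0x0017, uniq),                   # AC assigns SESSION_ID
    )]
```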



* It is an extension of traditional PSTN narrowband dial-up access technology to Ethernet access technology

* It is consistent with the original narrowband network user access authentication system

* End users accept it relatively easily




* The PPP protocol and Ethernet technology are essentially different. The PPP protocol needs to be encapsulated again into the Ethernet frame, so the encapsulation efficiency is very low.

* PPPoE generates a large amount of broadcast traffic during the discovery phase, which has a great impact on network performance.

* Multicast services are difficult to develop, and most video services are based on multicast.

* Operators need to provide client terminal software, so the maintenance workload is too large.

* PPPoE authentication generally requires an external BAS. After authentication is completed, the service data flow must also pass through the BAS device, which is likely to cause a single-point bottleneck and failure, and the device is usually very expensive.



2. Web+Portal

The basic process of portal authentication is that the client first obtains an IP address through the DHCP protocol (it can also use a static IP address). The client cannot yet use the obtained IP address to access the Internet: before authentication is passed, it can only access a specific IP address, which is usually the IP address of the Portal server. Access devices used for Portal authentication must have this capability, which can be implemented by modifying the access control list (ACL) of the access device. The user then enters the user name and password on the web page, which are transmitted to the Portal Server by the web client application, and the Portal Server interacts with the NAS to implement user authentication. In addition to obtaining the user's username and password, the Portal Server also obtains the user's IP address and uses it as an index to identify the user. The Portal Server then communicates directly with the NAS using the Portal protocol, and the NAS communicates directly with the RADIUS server to complete the user authentication and online process. Because of security issues, it usually supports strong CHAP-style authentication.
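A model of the access device behaviour described above, as an added example that is not part of the original post: a pre-authentication ACL indexed by client IP, opened by a CHAP check computed as in RFC 1994. The `Nas` class, the addresses and the user store are hypothetical, and the Portal Server and RADIUS server are folded into one object, which is a simplification of the flow in the text.

```python
import hashlib
import hmac
import os

PORTAL_IP = "192.0.2.10"                      # constructed Portal server address
USERS = {"alice": b"correct horse"}           # constructed RADIUS-side user store

def chap_response(chap_id, secret, challenge):
    """RFC 1994 CHAP with MD5: hash of identifier, secret and challenge."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

class Nas:
    """Hypothetical access device: pre-authentication ACL indexed by client IP."""

    def __init__(self):
        self.authenticated = set()            # client IPs that passed authentication
        self.pending = {}                     # client IP -> (chap_id, challenge)

    def permit(self, src_ip, dst_ip):
        """ACL decision: before authentication only the Portal server is reachable."""
        return src_ip in self.authenticated or dst_ip == PORTAL_IP

    def issue_challenge(self, client_ip):
        """Create a fresh random challenge for this client IP."""
        chap_id, challenge = os.urandom(1)[0], os.urandom(16)
        self.pending[client_ip] = (chap_id, challenge)
        return chap_id, challenge

    def authenticate(self, client_ip, username, response):
        """Verify the response; every challenge is consumed, pass or fail."""
        pending = self.pending.pop(client_ip, None)
        secret = USERS.get(username)
        if pending is None or secret is None:
            return False
        expected = chap_response(pending[0], secret, pending[1])
        if hmac.compare_digest(expected, response):
            self.authenticated.add(client_ip)  # the IP address is the session index
            return True
        return False

    def logout(self, client_ip):
        """Close the ACL again for this client IP."""
        self.authenticated.discard(client_ip)
```

The password itself never crosses the network in this exchange, and a response captured for one challenge is rejected for the next. The session is keyed on the client IP alone, as in the text, so the ACL entry should be cleared on logout or lease expiry.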




* No special client software is required, reducing the network maintenance workload

* It can provide business authentication such as Portal



* WEB is carried on the Layer 7 protocol, which places higher requirements on equipment and makes the network construction cost high;

* User connectivity is poor: it is not easy to detect that a user has gone offline, and time-based charging is difficult to achieve;

* Ease of use is not good enough. Before users access the network, whether for TELNET, FTP or other services, they must use the browser for WEB authentication;

* IP addresses are allocated before user authentication. If the user is not an Internet user, this wastes addresses, and it is not convenient for multi-ISP support;

* Business flow and data flow cannot be distinguished before and after authentication





3. 802.1x

The 802.1x protocol is a Layer 2 protocol. It does not need to reach Layer 3, and the access layer switch does not need to support 802.1q VLANs. The overall performance required of the device is not high, which can effectively reduce the network construction cost.

* It is implemented by multicast, which solves the broadcast problem of other authentication protocols and gives good support for multicast services. Service packets are carried directly in normal Layer 2 packets. After the user passes authentication, the service flow and the authentication flow are separated, and there is no special requirement for subsequent packet processing.



* Requires specific client software

* The problem of the existing corridor switches in the network: since 802.1x is a relatively new Layer 2 protocol, the corridor switch is required to support transparent transmission of the authentication packets or to complete the authentication process itself. Therefore, fully adopting the protocol raises the problem of upgrading the user switches already in the network;

* IP address allocation and network security issues: the 802.1x protocol is a Layer 2 protocol and is only responsible for the authentication control of the user port. After port authentication is completed and the user enters the Layer 3 IP network, issues such as user IP address allocation and Layer 3 network security still need to be solved. Therefore, an Ethernet switch plus 802.1x alone cannot fully solve the problems of operability, manageability and access security for Ethernet access in a metropolitan area network;

* Billing problem: the 802.1x protocol can charge by time, based on the interval between the user's authentication and going offline, but cannot count traffic. Therefore, traffic-based charging cannot be performed, nor can the user's always-on requirements be met.
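The port-level control described in this section, as an added example that is not part of the original post: a model of one switch port that hands EAPOL frames to the authenticator and forwards service traffic only after the authentication server accepts the user. The `AuthenticatorPort` class and the sample frames are hypothetical and constructed; the EtherType and the multicast group address are the standard 802.1X values.

```python
import struct

ETH_P_EAPOL = 0x888E                           # EtherType of 802.1X (EAPOL) frames
PAE_GROUP = bytes.fromhex("0180c2000003")      # multicast address used by EAPOL
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}

def eapol_frame(src, eapol_type, body=b""):
    """Build a constructed EAPOL frame: version 1, packet type, body length, body."""
    return (PAE_GROUP + src + struct.pack("!H", ETH_P_EAPOL)
            + struct.pack("!BBH", 1, eapol_type, len(body)) + body)

class AuthenticatorPort:
    """Hypothetical model of one switch port acting as 802.1X authenticator."""

    def __init__(self):
        self.authorized = False                # port starts closed for service traffic

    def radius_result(self, accepted):
        """Outcome reported by the authentication server for the current user."""
        self.authorized = bool(accepted)

    def handle(self, frame):
        """Return 'auth' (handled by the authenticator), 'forward' or 'drop'."""
        if len(frame) < 14:
            return "drop"
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == ETH_P_EAPOL:
            if len(frame) < 18:
                return "drop"
            _ver, ptype, length = struct.unpack("!BBH", frame[14:18])
            if ptype not in EAPOL_TYPES or len(frame) < 18 + length:
                return "drop"                  # unknown type or truncated body
            if EAPOL_TYPES[ptype] == "EAPOL-Logoff":
                self.authorized = False        # port closes again on logoff
            return "auth"                      # authentication flow is never forwarded
        # Service flow: plain Layer 2 frames, passed only on an authorized port.
        return "forward" if self.authorized else "drop"
```

Nothing in this model looks above Layer 2, which is why IP address allocation and Layer 3 security have to be handled elsewhere.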

Authentication method | WEB/PORTAL | PPPoE | 802.1x
Standard degree | Manufacturer private | RFC 2516 | IEEE standard
Package overhead | small | big | small
Access control mode | device port | user | user
IP address | Pre-authentication assignment | Post-certification assignment | Post-certification assignment
Multicast support | good
Number of VLANs required | many
Support for multiple ISPs | poor
Client software | no need | need | need
Device support | Factory privately owned | Industry equipment | Industry equipment
User connectivity | bad
Requirements for equipment | High (full VLAN) | high (BAS) | low

In summary, the outstanding advantages of 802.1x authentication are simple implementation, high authentication efficiency, and security. There is no need for multi-service network management equipment, and you can ensure that the IP network is not connected. At the same time, the single-point bottleneck and failure of network authentication and charging is eliminated. User authentication is implemented on the Layer 2 network, which greatly reduces the construction cost of the entire network. Currently, 802.1x-based authentication technology is very common in campus network applications.

This is what I want to share with you today, thank you!
