When configuring Web authentication, go to these sections for information you are interested in:
- Introduction to Web Authentication
- Web Authentication Configuration
- Displaying and Maintaining Web Authentication
- Web Authentication Configuration Example
Introduction to Web Authentication
Web authentication is a port-based authentication method used to control the network access rights of users. With Web authentication, users do not need to install any special authentication client software.
With Web authentication enabled, a user that has not yet passed Web authentication cannot access any network except the authentication page and the configured free IP addresses. After the user passes Web authentication, it can access any reachable network.
Web Authentication Configuration
Configure an ISP domain and an AAA RADIUS scheme for the domain before performing the following configurations.
Caution:
- Web authentication can use only a RADIUS authentication scheme; it supports neither local authentication nor local RADIUS authentication.
- The user number limit configured under an AAA scheme does not take effect for Web authentication. Web authentication does not support accounting; disable accounting for the AAA scheme.
Follow these steps to configure Web authentication:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Set the IP address and port number of the Web authentication server | web-authentication web-server ip ip-address [ port port-number ] | Required. If no port number is specified, port 80 is used. No Web authentication server is set by default. |
| Enable Web authentication globally | web-authentication enable | Required. Disabled globally by default. |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable Web authentication on the port and set the user access method | web-authentication select method { shared \| designated } | Required. Disabled on the port by default. |
| Return to system view | quit | — |
| Set a free IP address range that users can access before Web authentication | web-authentication free-ip ip-address { mask-length \| mask } | Optional. No such address range by default. |
| Set an authentication-free user | web-authentication free-user ip ip-address mac mac-address | Optional. No such user by default. |
| Forcibly log out the specified or all users | web-authentication cut connection { all \| mac mac-address \| user-name user-name \| interface interface-type interface-number } | Optional |
| Set the idle user checking interval for Web authentication | web-authentication timer idle-cut timer | Optional. 900 seconds by default. |
| Set the maximum number of online Web authentication users on a port | web-authentication max-connection number | Optional. 128 users by default. |
Caution:
- Before enabling Web authentication globally, first set the IP address of a Web authentication server.
- Web authentication cannot be enabled when one of the following features is enabled, and vice versa: 802.1x, MAC authentication, port security, port aggregation and IRF.
- You can make Web authentication settings on individual ports before Web authentication is enabled globally, but they will not take effect. The Web authentication settings on ports take effect immediately once you enable Web authentication globally.
- A Web authentication client and the switch with Web authentication enabled must be able to communicate at the network layer so that the Web authentication page can be displayed on the client.
- Web authentication is mutually exclusive with functions that depend on ACLs, such as IP filtering, ARP intrusion detection, QoS and port binding.
- After a user gets online in shared access method, if you configure an authentication-free user whose IP address and MAC address are the same as those of the online user, the online user will be forced offline.
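The access behaviour the table and cautions above describe (only the authentication page and the free IP range reachable before login, everything reachable after a RADIUS accept, idle-cut logout, the port user limit, and an authentication-free user forcing an identical online user offline) is modelled below as an added Python example. It is an illustration written for this page, not the switch's implementation; the client addresses and MAC addresses are constructed, and the server and free-ip values are those of the configuration example on this page.

```python
import ipaddress
from dataclasses import dataclass, field


# Constructed model of the Web authentication access decisions described on
# this page; it is an illustration, not the switch's own software.
@dataclass
class WebAuthPort:
    web_server: tuple                               # (ip, port) of the Web authentication server
    free_ips: list = field(default_factory=list)    # networks reachable before authentication
    free_users: dict = field(default_factory=dict)  # authentication-free users: ip -> mac
    online: dict = field(default_factory=dict)      # authenticated users: (ip, mac) -> last activity
    idle_cut: int = 900                             # idle-cut timer in seconds (page default)
    max_connection: int = 128                       # maximum online users on the port (page default)

    def set_free_ip(self, ip, mask_length):
        # "web-authentication free-ip ip-address mask-length": host bits are ignored
        self.free_ips.append(ipaddress.ip_network(f"{ip}/{mask_length}", strict=False))

    def set_free_user(self, ip, mac):
        mac = mac.lower()
        self.free_users[ip] = mac
        # Caution on the page: an online user with the same IP and MAC is forced offline
        self.online.pop((ip, mac), None)

    def login(self, ip, mac, radius_accepted, now):
        # Only a RADIUS accept brings the user online; the port-level user limit applies
        key = (ip, mac.lower())
        if not radius_accepted:
            return False
        if key not in self.online and len(self.online) >= self.max_connection:
            return False
        self.online[key] = now
        return True

    def cut_connection(self, ip, mac):
        # "web-authentication cut connection": forcibly log the user out
        return self.online.pop((ip, mac.lower()), None) is not None

    def idle_check(self, now):
        # Users with no traffic for idle_cut seconds are logged out; returns who was cut
        expired = [k for k, last in self.online.items() if now - last >= self.idle_cut]
        for k in expired:
            del self.online[k]
        return expired

    def permit(self, src_ip, src_mac, dst_ip, dst_port, now):
        """Return True if a packet from (src_ip, src_mac) to dst_ip:dst_port is forwarded."""
        key = (src_ip, src_mac.lower())
        if self.free_users.get(src_ip) == key[1]:
            return True                        # authentication-free user: always forwarded
        if key in self.online:
            self.online[key] = now             # traffic from an online user refreshes its idle timer
            return True
        if (dst_ip, dst_port) == self.web_server:
            return True                        # the authentication page is always reachable
        dst = ipaddress.ip_address(dst_ip)
        return any(dst in net for net in self.free_ips)   # free IP range


def demo():
    # Server and free-ip values from the page's example; the client is constructed
    port = WebAuthPort(web_server=("10.10.10.10", 8080))
    port.set_free_ip("10.20.20.1", 24)
    client = ("10.30.30.5", "00-E0-FC-12-34-56")
    before = (port.permit(*client, "10.20.20.7", 80, now=0),      # free resource: forwarded
              port.permit(*client, "10.10.10.10", 8080, now=0),   # authentication page: forwarded
              port.permit(*client, "203.0.113.9", 443, now=0))    # external network: dropped
    port.login(*client, radius_accepted=True, now=10)
    after = port.permit(*client, "203.0.113.9", 443, now=20)      # forwarded once online
    idle = port.idle_check(now=20 + 900)                           # idle-cut logs the user out
    return before, after, idle


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three pre-authentication decisions, the post-login decision, and the user cut by the idle timer after 900 seconds without traffic; `set_free_user` on an online user's IP and MAC removes that user from the online table, which is the forced-offline case in the last caution.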
Displaying and Maintaining Web Authentication
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Display global and port Web authentication configuration information | display web-authentication configuration | Available in any view |
| Display information about specified or all online Web authentication users | display web-authentication connection { all \| interface interface-type interface-number \| user-name user-name } | Available in any view |
Web Authentication Configuration Example
I. Network requirements
As shown in Figure 1-1, a user connects to the Ethernet switch through port GigabitEthernet 1/0/1.
- Configure the DHCP server so that users can obtain IP addresses from it.
- Configure Web authentication on GigabitEthernet 1/0/1 to control the access of the user to the Internet.
- Configure a free IP address range, which the user can access before it passes Web authentication.
II. Network diagram
Figure 1-1 Web authentication for user
III. Configuration procedure
# Perform DHCP-related configuration on the DHCP server. (It is assumed that the user obtains an IP address automatically from the DHCP server.)
# Set the IP address and port number of the Web authentication server.
<Sysname> system-view
[Sysname] web-authentication web-server ip 10.10.10.10 port 8080
# Configure a free IP address range, so that the user can access free resources before it passes Web authentication.
[Sysname] web-authentication free-ip 10.20.20.1 24
# Enable Web authentication on GigabitEthernet 1/0/1, set the user access method to designated, and return to system view.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] web-authentication select method designated
[Sysname-GigabitEthernet1/0/1] quit
# Create RADIUS scheme radius1 and enter its view.
[Sysname] radius scheme radius1
# Set the IP address of the primary RADIUS authentication server.
[Sysname-radius-radius1] primary authentication 10.10.10.164
# Make accounting optional (Web authentication does not support accounting).
[Sysname-radius-radius1] accounting optional
# Set the key used to encrypt the messages exchanged between the switch and the RADIUS authentication server.
[Sysname-radius-radius1] key authentication expert
# Configure the system to strip the domain name off a user name before sending the user name to the RADIUS server.
[Sysname-radius-radius1] user-name-format without-domain
[Sysname-radius-radius1] quit
# Create ISP domain aabbcc.net for Web authentication users and enter the domain view.
[Sysname] domain aabbcc.net
# Reference scheme radius1 in domain aabbcc.net and return to system view.
[Sysname-isp-aabbcc.net] scheme radius-scheme radius1
[Sysname-isp-aabbcc.net] quit
# Configure domain aabbcc.net as the default user domain.
[Sysname] domain default enable aabbcc.net
# Enable Web authentication globally. (It is recommended to perform this step last, so that a valid user is not denied network access because other related configuration is not yet finished.)
[Sysname] web-authentication enable
Now Web authentication takes effect. Before the user passes Web authentication, it cannot access external networks and can access only the free resources.
The user can perform the following steps to access the Internet:
Step 1: Enter http://10.10.10.10:8080 in the address bar of IE. A page with the prompt "Please input your name and the password!" is displayed.
Step 2: Enter the correct user name and password and click [login]. The page "Authentication passed!" is displayed. Now the user can access external networks.
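The ordering and compatibility rules this page states (set the Web authentication server before enabling globally, enable globally as the last step, port settings are inert without the global enable, no coexistence with 802.1x, MAC authentication or port security, and a RADIUS scheme with accounting made optional for the default domain) can be checked against a saved configuration. The following Python linter is an added example written for this page, not switch software: the configuration text is constructed from the commands in the example above, and the keywords in `EXCLUSIVE_PREFIXES` are an assumption about how those features appear in a configuration and should be adjusted to the software version in use.

```python
# Constructed configuration text in the style of the commands on this page.
SAMPLE_CONFIG = """\
web-authentication web-server ip 10.10.10.10 port 8080
web-authentication free-ip 10.20.20.1 24
interface GigabitEthernet 1/0/1
 web-authentication select method designated
 quit
radius scheme radius1
 primary authentication 10.10.10.164
 accounting optional
 user-name-format without-domain
 quit
domain aabbcc.net
 scheme radius-scheme radius1
 quit
domain default enable aabbcc.net
web-authentication enable
"""

# Constructed counter-example: 802.1x present, server set after the global
# enable, and a RADIUS scheme without "accounting optional".
BAD_CONFIG = """\
dot1x
web-authentication enable
web-authentication web-server ip 10.10.10.10
interface GigabitEthernet 1/0/1
 web-authentication select method shared
 quit
radius scheme radius1
 primary authentication 10.10.10.164
 quit
domain aabbcc.net
 scheme radius-scheme radius1
 quit
domain default enable aabbcc.net
"""

# Assumed command prefixes for features the page lists as mutually exclusive
# with Web authentication (802.1x, MAC authentication, port security).
EXCLUSIVE_PREFIXES = ("dot1x", "mac-authentication", "port-security enable")


def lint_web_auth(config):
    """Return (code, message) findings for the Web authentication rules stated on this page."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    server_at = enable_at = None
    port_settings = []            # (line, interface) of port-level Web authentication commands
    after_enable = []             # related commands that follow the global enable
    acct_optional, schemes = set(), set()
    domain_scheme, default_domain = {}, None
    cur_if = cur_scheme = cur_domain = None
    for n, line in enumerate(lines, 1):
        # Track which view the command is issued in: interface, RADIUS scheme or ISP domain
        if line.startswith("interface "):
            cur_if = line.split(None, 1)[1]
        elif line.startswith("radius scheme "):
            cur_scheme = line.split()[2]
            schemes.add(cur_scheme)
        elif line.startswith("domain default enable "):
            default_domain = line.split()[3]
        elif line.startswith("domain "):
            cur_domain = line.split()[1]
        elif line == "quit":
            cur_if = cur_scheme = cur_domain = None
        elif line == "accounting optional" and cur_scheme:
            acct_optional.add(cur_scheme)
        elif line.startswith("scheme radius-scheme ") and cur_domain:
            domain_scheme[cur_domain] = line.split()[2]
        elif line.startswith("web-authentication web-server "):
            server_at = n
        elif line == "web-authentication enable":
            enable_at = n
        elif line.startswith("web-authentication select method") and cur_if:
            port_settings.append((n, cur_if))
        if line.startswith(EXCLUSIVE_PREFIXES):
            findings.append(("EXCLUSIVE", f"line {n}: '{line}' cannot coexist with Web authentication"))
        if enable_at and n > enable_at and line.startswith(("web-authentication", "radius scheme", "domain ")):
            after_enable.append(n)
    if enable_at is None:
        if port_settings:
            ports = [n for n, _ in port_settings]
            findings.append(("NO_GLOBAL_ENABLE", f"port settings at lines {ports} take no effect without 'web-authentication enable'"))
    else:
        if server_at is None or server_at > enable_at:
            findings.append(("SERVER_AFTER_ENABLE", "set the Web authentication server before 'web-authentication enable'"))
        if after_enable:
            findings.append(("NOT_LAST", f"lines {after_enable} follow the global enable; enable Web authentication as the last step"))
    if default_domain is None:
        findings.append(("NO_DEFAULT_DOMAIN", "no default ISP domain is configured"))
    else:
        scheme = domain_scheme.get(default_domain)
        if scheme not in schemes:
            findings.append(("NO_SCHEME", f"default domain {default_domain} references no existing RADIUS scheme"))
        elif scheme not in acct_optional:
            findings.append(("ACCOUNTING", f"RADIUS scheme {scheme} needs 'accounting optional': Web authentication does not support accounting"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_web_auth(cfg) or "no findings")
```

The linter walks the configuration once, tracking the current view so that `accounting optional` and `scheme radius-scheme` are attributed to the right scheme and domain, and reports findings with a stable code so they can be asserted on or fed to a ticketing system; the sample configuration yields no findings, while the counter-example triggers the exclusivity, ordering, last-step and accounting rules.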