- Table of Contents
-
- H3C Low-End Ethernet Switches Configuration Guide(V1.01)
- 01-Login Configuration Guide
- 02-VLAN Configuration Guide
- 03-IP Address Configuration Guide
- 04-Voice VLAN Configuration Guide
- 05-GVRP Configuration Guide
- 06-Ethernet Interface Basic Configuration Guide
- 07-Link Aggregation Configuration Guide
- 08-Port Isolation Configuration Guide
- 09-Port Security Configuration Guide
- 10-Port Binding Configuration Guide
- 11-MAC Address Table Management Configuration Guide
- 12-DLDP Configuration Guide
- 13-Auto Detect Configuration Guide
- 14-MSTP Configuration Guide
- 15-Routing Configuration Guide
- 16-Multicast Configuration Guide
- 17-802.1x Configuration Guide
- 18-AAA Configuration Guide
- 19-MAC Authentication Configuration Guide
- 20-VRRP Configuration Guide
- 21-ARP Configuration Guide
- 22-DHCP Configuration Guide
- 23-ACL Configuration Guide
- 24-QoS-QoS Profile Configuration Guide
- 25-Web Cache Redirection Configuration Guide
- 26-Mirroring Configuration Guide
- 27-IRF Configuration Guide
- 28-Cluster Configuration Guide
- 29-PoE-PoE Profile Configuration Guide
- 30-UDP Helper Configuration Guide
- 31-SNMP-RMON Configuration Guide
- 32-NTP Configuration Guide
- 33-SSH Configuration Guide
- 34-FTP and TFTP Configuration Guide
- 35-Information Center Configuration Guide
- 36-VLAN-VPN Configuration Guide
- 37-HWPing Configuration Guide
- 38-DNS Configuration Guide
- 39-Access Management Configuration Guide
- 40-Web Authentication Configuration Guide
- 41-IPv6 Management Configuration Guide
- 42-Smart link - Monitor Link Configuration Guide
- 43-VLAN Mapping Configuration Guide
- Related Documents
-
Title | Size | Download |
---|---|---|
40-Web Authentication Configuration Guide | 50.33 KB |
1 Web Authentication Configuration Guide
Configuring Web Authentication
Networking and Configuration Requirements
Configuring Web Authentication
Web authentication is a port-based authentication method that is used to control the network access rights of users. With Web authentication, users are freed from installing any special authentication client software.
With Web authentication enabled, before a user passes the Web authentication, it cannot access any network, except that it can access the authentication page or some free IP addresses. After the user passes the Web authentication, it can access any reachable networks.
Network Diagram
Figure 1-1 Network diagram for Web authentication
Networking and Configuration Requirements
As shown inFigure 1-1, a user connects to the Ethernet switch through port Ethernet 1/0/1.
l Configure Web authentication on Ethernet 1/0/1 to control the access of the user to the Internet.
l Configure a free IP address range, which can be accessed by the user before it passes the Web authentication.
l Configure the DHCP server so that users can obtain IP addresses from it.
Applicable Product Matrix
Product series |
Software version |
Hardware version |
S3600-SI/EI series Ethernet switches |
Release 1510, Release1602 |
All versions |
S5600 series Ethernet switches |
Release 1510, Release1602 |
All versions |
S3100-52P |
Release 1500, Release 1602 |
S3100-52P |
Configuration Procedure
# Perform DHCP-related configuration on the DHCP server. (It is assumed that the user will automatically obtain an IP address through the DHCP server.)
# Set the IP address and port number of the Web authentication server.
<H3C> system-view
[Sysname] web-authentication web-server ip 10.10.10.10 port 8080
# Configure a free IP address range, so that the user can access free resources before it passes the Web authentication.
[Sysname] web-authentication free-ip 10.20.20.1 24
# Enable Web authentication on Ethernet 1/0/1 and set the user access method to designated.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] web-authentication select method designated
# Create RADIUS scheme radius1 and enter its view.
[Sysname] radius scheme radius1
# Set the IP address of the primary RADIUS authentication server.
[Sysname-radius-radius1] primary authentication 10.10.10.164
# Enable accounting optional.
[Sysname-radius-radius1] accounting optional
# Set the password that will be used to encrypt the messages exchanged between the switch and the RADIUS authentication server.
[Sysname -radius-radius1] key authentication expert
# Configure the system to strip domain name off a user name before transmitting the user name to the RADIUS server.
[Sysname-radius-radius1] user-name-format without-domain
[Sysname-radius-radius1] quit
# Create ISP domain aabbcc.net for Web authentication users and enter the domain view.
[Sysname] domain aabbcc.net
# Configure domain aabbcc.net as the default user domain.
[Sysname] domain default enable aabbcc.net
# Reference scheme radius1 in domain aabbcc.net.
[Sysname-isp-aabbcc.net] scheme radius-scheme radius1
# Enable Web authentication globally. (It is recommended to take this step as the last step, so as to avoid the case that a valid user cannot access the network due to that some other related configurations are not finished.)
[Sysname] web-authentication enable
Now, Web authentication takes effect. Before the user passes the Web authentication, it cannot access external networks and can only access the free resource.
The user can perform the following steps to access the Internet:
Step 1: Enter http://10.10.10.10:8080 in the address column of IE. A page with the following prompt will be displayed: ”Please input your name and the password!”.
Step 2: Enter the correct user name and password and then click [login]. The following page will be displayed: ”Authentication passed!”.
Now the user can access external networks.
Complete Configuration
web-authentication web-server ip 10.10.10.10 port 8080
#
domain default enable aabbcc.net
#
web-authentication web-server ip 10.10.10.10 port 8080
web-authentication free-ip 10.20.20.0 255.255.255.0
web-authentication enable
#
radius scheme radius1
primary authentication 10.10.10.164
accounting optional
key authentication expert
user-name-format without-domain
#
domain aabbcc.net
scheme radius-scheme radius1
#
interface Ethernet1/0/1
web-authentication select method designated
#
Precautions
l Before enabling global Web authentication, you should first set the IP address of a Web authentication server.
l Web authentication cannot be enabled when one of the following features is enabled, and vice versa: 802.1x, MAC authentication, port security, port aggregation and IRF.
l You can make Web authentication settings on individual ports before Web authentication is enabled globally, but they will not take effect. The Web authentication settings on ports take effect immediately once you enable Web authentication globally.
l A Web authentication client and the switch with Web authentication enabled must be able to communicate at the network layer so that the Web authentication page can be displayed on the Web authentication client.
l Web authentication is mutually exclusive with functions that depend on ACLs such as IP filtering, ARP intrusion detection, QoS, and port binding.
l After a user gets online in shared access method, if you configure an authentication-free user whose IP address and MAC address are the same as those of the online user, the online user will be forced to get offline.