H3C S3600 Operation Manual-Release 1602(V1.02)
20-Web Authentication Operation
Table of Contents
1 Web Authentication Configuration
Introduction to Web Authentication
Web Authentication Configuration
Configuring Web Authentication
Displaying and Maintaining Web Authentication
Web Authentication Configuration Example
When configuring Web authentication, go to these sections for information you are interested in:
- Introduction to Web Authentication
- Web Authentication Configuration
- Displaying and Maintaining Web Authentication
- Web Authentication Configuration Example
Introduction to Web Authentication
Web authentication is a port-based authentication method that is used to control the network access rights of users. With Web authentication, users are freed from installing any special authentication client software.
With Web authentication enabled, a user who has not yet passed Web authentication cannot access any network except the authentication page and any configured free IP addresses. After passing Web authentication, the user can access any reachable network.
Web Authentication Configuration
Configuration Prerequisites
Configure an ISP domain and an AAA RADIUS scheme for the domain before performing the following configurations.
- Web authentication can use only a RADIUS authentication scheme; it does not support local authentication and local RADIUS authentication.
- The user number limit configured under an AAA scheme does not take effect for Web authentication. Web authentication does not support accounting. Disable accounting for the AAA scheme.
Configuring Web Authentication
Follow these steps to configure Web authentication:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Set the IP address and port number of the Web authentication server | web-authentication web-server ip ip-address [ port port-number ] | Required. If no port number is specified, port 80 will be used. No Web authentication server is set by default. |
Enable Web authentication globally | web-authentication enable | Required. Disabled globally by default. |
Enable Web authentication on a port | interface interface-type interface-number, then web-authentication select method { shared \| designated }, then quit | Required. Disabled on port by default. |
Set a free IP address range that can be accessed by users before Web authentication | web-authentication free-ip ip-address { mask-length \| mask } | Optional. No such address range by default. |
Set an authentication-free user | web-authentication free-user ip ip-address mac mac-address | Optional. No such user by default. |
Forcibly log out the specified or all users | web-authentication cut connection { all \| mac mac-address \| user-name user-name \| interface interface-type interface-number } | Optional. |
Set the idle user checking interval for Web authentication | web-authentication timer idle-cut timer | Optional. 900 seconds by default. |
Set the maximum number of online Web authentication users on a port | web-authentication max-connection number | Optional. 128 users by default. |
- Before enabling global Web authentication, you should first set the IP address of a Web authentication server.
- Web authentication cannot be enabled when one of the following features is enabled, and vice versa: 802.1x, MAC authentication, port security, port aggregation and IRF.
- You can make Web authentication settings on individual ports before Web authentication is enabled globally, but they will not take effect. The Web authentication settings on ports take effect immediately once you enable Web authentication globally.
- A Web authentication client and the switch with Web authentication enabled must be able to communicate at the network layer so that the Web authentication page can be displayed on the Web authentication client.
- Web authentication is mutually exclusive with functions that depend on ACLs such as IP filtering, ARP intrusion detection, QoS, and port binding.
- After a user gets online using the shared access method, if you configure an authentication-free user whose IP address and MAC address are the same as those of the online user, the online user will be forced offline.
Displaying and Maintaining Web Authentication
To do… | Use the command… | Remarks |
---|---|---|
Display global and port Web authentication configuration information | display web-authentication configuration | Available in any view |
Display information about specified or all online Web-authentication users | display web-authentication connection { all \| interface interface-type interface-number \| user-name user-name } | |
Web Authentication Configuration Example
Network requirements
As shown in Figure 1-1, a user connects to the Ethernet switch through port Ethernet 1/0/1.
- Configure the DHCP server so that users can obtain IP addresses from it.
- Configure Web authentication on Ethernet 1/0/1 to control the access of the user to the Internet.
- Configure a free IP address range, which can be accessed by the user before it passes the Web authentication.
Network diagram
Figure 1-1 Web authentication for user
Configuration procedure
# Perform DHCP-related configuration on the DHCP server. (It is assumed that the user will automatically obtain an IP address through the DHCP server.)
# Set the IP address and port number of the Web authentication server.
<Sysname> system-view
[Sysname] web-authentication web-server ip 10.10.10.10 port 8080
# Configure a free IP address range, so that the user can access free resources before it passes the Web authentication.
[Sysname] web-authentication free-ip 10.20.20.1 24
# Enable Web authentication on Ethernet 1/0/1 and set the user access method to designated.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] web-authentication select method designated
[Sysname-Ethernet1/0/1] quit
# Create RADIUS scheme radius1 and enter its view.
[Sysname] radius scheme radius1
# Set the IP address of the primary RADIUS authentication server.
[Sysname-radius-radius1] primary authentication 10.10.10.164
# Enable accounting optional.
[Sysname-radius-radius1] accounting optional
# Set the password that will be used to encrypt the messages exchanged between the switch and the RADIUS authentication server.
[Sysname-radius-radius1] key authentication expert
# Configure the system to strip the domain name from a user name before transmitting the user name to the RADIUS server.
[Sysname-radius-radius1] user-name-format without-domain
[Sysname-radius-radius1] quit
# Create ISP domain aabbcc.net for Web authentication users and enter the domain view.
[Sysname] domain aabbcc.net
# Reference scheme radius1 in domain aabbcc.net.
[Sysname-isp-aabbcc.net] scheme radius-scheme radius1
[Sysname-isp-aabbcc.net] quit
# Configure domain aabbcc.net as the default user domain.
[Sysname] domain default enable aabbcc.net
# Enable Web authentication globally. (Take this step last, so that a valid user is not locked out of the network because other related configuration is unfinished.)
[Sysname] web-authentication enable
Web authentication now takes effect. Before the user passes the Web authentication, it cannot access external networks and can access only the free resources.
The user can perform the following steps to access the Internet:
Step 1: Enter http://10.10.10.10:8080 in the address bar of IE. A page with the following prompt will be displayed: "Please input your name and the password!".
Step 2: Enter the correct user name and password and then click [login]. The following page will be displayed: "Authentication passed!".
Now the user can access external networks.
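An added example (not part of the H3C manual): a Python check that reads a saved configuration and reports what the Web authentication commands in this chapter leave reachable without login, plus the ordering problems the notes above describe. The configuration layout (port commands indented under an interface line), the sample values and the 256-address threshold are assumptions.

```python
import ipaddress

# Constructed sample; assumed layout: global commands unindented,
# port commands indented under an "interface ..." line.
SAMPLE = """\
web-authentication web-server ip 10.10.10.10 port 8080
web-authentication free-ip 10.20.20.1 24
web-authentication free-ip 10.0.0.0 255.0.0.0
web-authentication free-user ip 10.20.30.5 mac 000f-e200-0001
web-authentication enable
#
interface Ethernet1/0/1
 web-authentication select method designated
"""

def audit(config, max_free_hosts=256):
    """Return (summary, findings) for the Web authentication commands in config."""
    s = {"server": None, "enabled": False, "free_ip": [], "free_user": [], "ports": {}}
    port = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line ends the port section
            port = line[len("interface "):] if line.startswith("interface ") else None
        if not line.startswith("web-authentication "):
            continue
        args = line.split()[1:]
        if args[:2] == ["web-server", "ip"]:
            s["server"] = (args[2], int(args[4]) if "port" in args else 80)
        elif args == ["enable"]:
            s["enabled"] = True
        elif args[0] == "free-ip":
            # Accepts mask-length or dotted mask; strict=False because the
            # manual's own example passes a host address (10.20.20.1 24).
            s["free_ip"].append(ipaddress.ip_network(f"{args[1]}/{args[2]}", strict=False))
        elif args[:2] == ["free-user", "ip"]:
            s["free_user"].append((args[2], args[4]))
        elif args[:2] == ["select", "method"] and port:
            s["ports"][port] = args[2]
    findings = []
    if s["enabled"] and not s["server"]:
        findings.append("global enable without a web-server address")
    if s["ports"] and not s["enabled"]:
        findings.append("port settings present but inactive: not enabled globally")
    for net in s["free_ip"]:
        if net.num_addresses > max_free_hosts:
            findings.append(f"free-ip {net} exposes {net.num_addresses} addresses before login")
    for ip, mac in s["free_user"]:
        findings.append(f"free-user {ip}/{mac} bypasses authentication")
    return s, findings
```

Each free-ip range and free-user entry is an exception to authentication, so the findings list is the set of exceptions to review against the intended policy.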