Login
| Title | Size | Downloads |
|---|---|---|
| H3C S3100 Series Ethernet Switches Operation Manual-Release 22XX Series(V1.00)-Web Authentication Operation.pdf | 113.13 KB |
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 20-Web Authentication Operation | 113.13 KB |
Table of Contents
1 Web Authentication Configuration
Introduction to Web Authentication
Web Authentication Configuration
Configuring Web Authentication
Configuring an Auth-Fail VLAN for Web Authentication
Configuring a Web Authentication-Free User
Configuring HTTPS Access for Web Authentication
Customizing Web Authentication Pages
Customizing Authentication Pages
Editing an Authentication Page File
Configuring Web Authentication Transition
Configuring a Proxy Server Port for Web Authentication
Displaying and Maintaining Web Authentication
Web Authentication Configuration Example
When configuring Web authentication, go to these sections for information you are interested in:
l Introduction to Web Authentication
l Web Authentication Configuration
l Configuring an Auth-Fail VLAN for Web Authentication
l Configuring a Web Authentication-Free User
l Configuring HTTPS Access for Web Authentication
l Customizing Web Authentication Pages
l Configuring Web Authentication Transition
l Configuring a Proxy Server Port for Web Authentication
l Displaying and Maintaining Web Authentication
l Web Authentication Configuration Example
Currently, only the S3100-EI series support Web authentication.
Introduction to Web Authentication
Web authentication is a port-based authentication method that is used to control the network access rights of users. With Web authentication, users are freed from installing any special authentication client software.
With Web authentication enabled, before a user passes the Web authentication, it cannot access any network, except that it can access the authentication page or some free IP addresses. After the user passes the Web authentication, it can access any reachable networks.
Web Authentication Configuration
Configuration Prerequisites
Configure an ISP domain and an AAA RADIUS scheme for the domain before performing the following configurations.
l Web authentication can use only a RADIUS authentication scheme; it does not support local authentication.
l The user number limit configured under an AAA scheme does not take effect for Web authentication. Web authentication does not support accounting. Configure accounting for the AAA scheme as optional.
Configuring Web Authentication
Follow these steps to configure Web authentication:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Set the IP address and port number of the Web authentication server |
web-authentication web-server ip ip-address [ port port-number ] |
Required If no port number is specified, port 80 will be used. No Web authentication server is set by default. |
|
Enable Web authentication globally |
web-authentication enable |
Required Disabled globally by default |
|
Enable Web authentication on a port |
interface interface-type interface-number |
Required Disabled on port by default |
|
web-authentication select method { shared | designated | extended } |
||
|
quit |
||
|
Set a free IP address range that can be accessed by users before Web authentication |
web-authentication free-ip ip-address { mask-length | mask } |
Optional No such address range by default |
|
Forcibly log out the specified or all users. |
web-authentication cut connection { all | mac mac-address | user-name user-name | interface interface-type interface-number } |
Optional |
|
Set the idle user checking interval for Web authentication |
web-authentication timer idle-cut timer |
Optional 900 seconds by default |
|
Set the maximum online time for Web authentication users |
web-authentication timer max-online timer |
Optional 1800 seconds by default |
|
Set the maximum number of online Web authentication users on a port |
web-authentication max-connection number |
Optional 128 users by default |
l Before enabling global Web authentication, you should first set the IP address of a Web authentication server.
l Do not add a Web authentication enabled port to a port aggregation group and do not enable Web authentication on a port that is in a port aggregation group.
l You can make Web authentication settings on individual ports before Web authentication is enabled globally, but they will not take effect. The Web authentication settings on ports take effect immediately once you enable Web authentication globally.
l A Web authentication client and the switch with Web authentication enabled must be able to communicate at the network layer so that the Web authentication page can be displayed on the Web authentication client.
l Web authentication is mutually exclusive with functions that depend on ACLs such as IP filtering, ARP intrusion detection, QoS, and port binding.
l After a user gets online in shared access method, if you configure an authentication-free user whose IP address and MAC address are the same as those of the online user, the online user will be forced to get offline.
l You can use the web-authentication select method extended command to enable Web authentication on a hybrid port.
Configuring an Auth-Fail VLAN for Web Authentication
In some cases, it is required to allow clients failing Web authentication to access network resources such as the virus definitions upgrade server. You can configure a Web authentication Auth-Fail VLAN to meet such requirements.
A Web authentication Auth-Fail VLAN can be a port-based Auth-Fail VLAN (PAFV) or MAC-based Auth-Fail VLAN (MAFV), depending on the VLAN assignment mode:
l PAFV
In this mode, if a user on a port fails Web authentication, the port will be added to the Auth-Fail VLAN, allowing all users on the port to access resources in the Auth-Fail VLAN.
l MAFV
MAFV on a port requires cooperation of the MAC VLAN function on the port. When a user on the port fails Web authentication, the MAC address of the user will be bound with the Auth-Fail VLAN, and the user can access only the resources in the Auth-Fail VLAN.
Configuration Prerequisites
l Enable Web authentication globally.
l Create the VLAN to be configured as the Auth-Fail VLAN.
l Configure the port as a hybrid port.
l Enable Web authentication on the port and set the Web authentication access method on the port to extended.
Configuration Procedure
Follow these steps to configure an Auth-Fail VLAN for Web authentication:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter port view |
interface interface-type interface-number |
— |
|
Configure an Auth-Fail VLAN for Web authentication |
web-authentication auth-fail vlan authfail-vlan-id |
Required Not configured by default. |
l Different ports can be configured with different Auth-Fail VLANs, but one port can be configured with one Auth-Fail VLAN at most.
l If you configure both Web authentication and MAC authentication on a port and specify an MAFV for Web authentication and an MGV for MAC authentication, the assignment of the MAFV entry for a user will overwrite the MGV entry for the user, while the assignment of the MGV entry for a user will not overwrite the MAFV entry for the user.
l If the MAFV for 802.1X authentication on a port has been assigned to a user, the MAFV for Web authentication will not take effect for the user.
Configuring a Web Authentication-Free User
Follow these steps to configure a web authentication-free user:
|
To do… |
Use the command… |
Remarks |
|
|
Enter system view |
system-view |
— |
|
|
Configure a web authentication-free user |
In system view |
web-authentication free-user ip ip-address mac mac-address [ interface interface-list ] |
Required Use at least one approach. By default, no web authentication-free user is configured. |
|
In Ethernet interface view |
interface interface-type interface-number |
||
|
web-authentication free-user ip ip-address mac mac-address |
|||
Configuring HTTPS Access for Web Authentication
HTTP and HTTPS can be used for interaction between an authentication client and an access device:
l If HTTP is used, there are potential security problems because HTTP packets are transferred in plain text;
l If HTTPS is used, data security is ensured because HTTPS packets are transferred in ciphertext based on SSL.
After you configure HTTPS access for Web authentication on the switch, the switch will allow clients to use HTTPS to open the authentication pages for secure transmission of authentication information.
Configuration Prerequisites
To configure the access protocol as HTTPS, be sure to configure the PKI domain and SSL server policy, and request a certificate for the PKI domain at first. For information about SSL and PKI configuration, refer to PKI Operation and SSL Operation in this manual.
Configuration Procedure
Follow these steps to specify the access protocol for Web authentication:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Specify the access protocol |
web-authentication protocol { http | https server-policy policy-name } |
Required HTTP is used by default. |
l You must configure this command before enabling Web authentication. That is, after enabling Web authentication, you cannot change the access protocol for Web authentication.
l The SSL server policy must exist and, after the HTTPS access configuration, must not be removed.
Customizing Web Authentication Pages
Customizing Page Elements
The default Web authentication page is a frame, which consists of four parts. The device allows you to customize the four parts in form of text strings.
Follow these steps to customize Web authentication page elements:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Customize the Web authentication page elements |
web-authentication customize { corp-name corporation-text | email email-string | phone-num phonenum-string | platform-name platform-text } |
Optional By default, there is no customized information on Web authentication pages. |
The web-authentication customize command is used to customize part of the information provided on the default authentication page. You cannot change the overall style of the authentication page. This is applicable to simple authentication pages.
Customizing Authentication Pages
The device also supports Web authentication pages totally developed by third parties as long as the authentication pages comply with rules of customizing the authentication page file. You can load such customized authentication pages to the device, providing authentication pages with richer contents and flexible styles.
Follow these steps to customize Web authentication pages:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Configure or modify the Web authentication page file |
web-authentication customize file web-file |
Optional By default, there is no customized authentication page file. |
l After you configure and load a Web authentication page file, the device will display the loaded Web authentication pages. The customized information (configured in section Customizing Page Elements) for the default authentication page will not be displayed.
l The file name specified by fileName must contain the system root directory and the relative path, such as unit1>flash:/test.zip.
Editing an Authentication Page File
With Web authentication, the device allows you to customize the Web authentication pages to be pushed to users. You can compress and then upload the customized authentication page files in HTML format to the local storage medium of the device. Each authentication page file includes seven main index pages, which are login page, login success page, login failure page, online page, system busy page, authentication-free page, and logout success page.
For the Web authentication to operate normally and steadily, you need to follow the following rules when customizing authentication pages:
Rules on file names
The main pages of the authentication pages have predefined file names, which cannot be changed. The following table lists the names.
Table 1-1 Main authentication page file names
|
Main authentication page |
File name |
|
Login page |
login.htm |
|
Login success page |
loginSuccess.htm |
|
Login failure page |
loginFail.htm |
|
Online page Pushed for online state notification |
online.htm |
|
System busy page Pushed when the system is busy or the user is in the login process |
busy.htm |
|
Authentication-free page |
freeUser.htm |
|
Logout success page |
logoutSuccess.htm |
You can define the names of the files other than the main authentication page files. The file names and directory names are case-insensitive.
Rules on page requests
The web authentication module supports only Post and Get requests.
l Get requests are used to get the static files in the authentication pages and allow no recursion. For example, if file Login.htm includes contents that perform Get action on file ca.htm, file ca.htm cannot include any reference to file Login.htm.
l Post requests are used when users submit username and password pairs, log on the system, and log off the system.
Rules on Post request attributes
1) Observe the following requirements when editing a form of an authentication page:
l An authentication page can have multiple forms, but there must be one and only one form whose action is null. Otherwise, user information cannot be sent to the local portal server.
l The username attribute is fixed as WaUser, and the password attribute is fixed as WaPwd.
l Attribute WaButton is required to indicate the action that the user requests, which can be Login or Logout.
l A login Post request must contain WaUser, WaPwd, and WaButton attributes.
l A logout Post request must contain the WaButton attribute.
2) Authentication pages login.htm and loginFail.htm must contain the login Post request.
The following example shows part of the script in page login.htm.
<form action=login.cgi method = post >
<p>User name:<input type="text" name = "WaUser" style="width:160px;height:22px" maxlength=64>
<p>Password :<input type="password" name = "WaPwd" style="width:160px;height:22px" maxlength=32>
<p><input type=SUBMIT value="Login" name = "WaButton" style="width:60px;">
</form>
3) Authentication pages loginSuccess.htm and online.htm must contain the logout Post request.
The following example shows part of the script in page online.htm.
<form action=login.cgi method = post >
<p><input type=SUBMIT value="Logout" name="WaButton" style="width:60px;">
</form>
Rules on page file compression and saving
l A set of authentication page files must be compressed into a standard zip file. A zip file name is in the form of *****.zip, and can contain only letters, numerals, and underscores.
l Zip files can be transferred to the device through FTP or TFTP.
Rules on file size and contents
For the system to push customized authentication pages smoothly, you need comply with the following size and content requirements on authentication pages.
l The size of the zip file of each set of authentication pages, including the main authentication pages and the page elements, must be no more than 500 KB.
l The size of a single page, including the main authentication page and the page elements, must be no more than 50 KB before being compressed.
l Page elements can contain only static contents such as HTML, JS, CSS, and pictures.
Configuring Web Authentication Transition
A WLAN client is connected to a switch through a wireless access point (AP). It may move between the ports of the switch when it, for example, roams between different APs. If the client moves to another port after passing web authentication, the switch will reject the access of the client because it cannot sense the port transition and thus web re-authentication cannot be triggered. To solve this problem, web authentication transition is introduced. It has the following two transition modes:
l auto: In auto mode, a web authenticated user can move between ports in the same access VLAN without needing re-authentication and the switch keeps the user in authenticated state on the new port after transition.
l secure: In secure mode, a web authenticated user must be re-authenticated before it can access another port. If the user passes re-authentication, the switch deletes the connection information of the user on the previous port and creates new connection information for the user on the new access port. If not, the user cannot access the new port but can still access the previous port.
Follow these steps to configure the transition mode for Web authentication users:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Configure the transition mode for Web authentication users |
web-authentication move-mode {auto | secure } |
Required secure by default. |
The auto mode allows a user to move between ports in the same VLAN rather than different VLANs. If a user moves between VLANs, the access is denied but the previous port is still open for this user.
Configuring a Proxy Server Port for Web Authentication
When a proxy server is used for web authentication, its port must be specified. The port cannot be the one used in the web-authentication web-server ip ip-address port port-number command; otherwise, an error prompts.
Follow these steps to configure a proxy server port for web authentication:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Configure a proxy server port for web authentication |
web-authentication web-proxy port port-number |
Required No proxy server port is confiugred by default. |
If the proxy server is detected through Web Proxy Auto Discovery (WPAD) rather than configured manually, you need to perform the following configuration in addition to the port configuration:
l If DNS and WINS servers are providing services in the network, use the command web-authentication free-ip to configure their IP addresses as web authentication free IP addresses so that clients can access these severs.
l If no DHCP, DNS or WINS servers are deployed in the network, configure the broadcast address of the subnet where the client resides as the web authentication free IP address so that the clients can searches for a proxy server through broadcast.
Displaying and Maintaining Web Authentication
|
To do… |
Use the command… |
Remarks |
|
Display global and port Web authentication configuration information |
display web-authentication configuration |
Available in any view |
|
Display information about specified or all online Web-authentication users. |
display web-authentication connection { all | interface interface-type interface-number | user-name user-name } |
Web Authentication Configuration Example
Network requirements
As shown in Figure 1-1, a user connects to the Ethernet switch through port Ethernet 1/0/1.
l Configure the DHCP server so that users can obtain IP addresses from it.
l Configure Web authentication on Ethernet 1/0/1 to control the access of the user to the Internet.
l Configure a free IP address range, which can be accessed by the user before it passes the Web authentication.
Network diagram
Figure 1-1 Web authentication for user
Configuration procedure
# Perform DHCP-related configuration on the DHCP server. (It is assumed that the user will automatically obtain an IP address through the DHCP server.)
# Set the IP address and port number of the Web authentication server.
<Sysname> system-view
[Sysname] web-authentication web-server ip 10.10.10.10 port 8080
# Configure a free IP address range, so that the user can access free resources before it passes the Web authentication.
[Sysname] web-authentication free-ip 10.20.20.1 24
# Enable Web authentication on Ethernet 1/0/1 and set the user access method to designated.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] web-authentication select method designated
# Create RADIUS scheme radius1 and enter its view.
[Sysname] radius scheme radius1
# Set the IP address of the primary RADIUS authentication server.
[Sysname-radius-radius1] primary authentication 10.10.10.164
# Enable accounting optional.
[Sysname-radius-radius1] accounting optional
# Set the password that will be used to encrypt the messages exchanged between the switch and the RADIUS authentication server.
[Sysname -radius-radius1] key authentication expert
# Configure the system to strip domain name off a user name before transmitting the user name to the RADIUS server.
[Sysname-radius-radius1] user-name-format without-domain
[Sysname-radius-radius1] quit
# Create ISP domain aabbcc.net for Web authentication users and enter the domain view.
[Sysname] domain aabbcc.net
# Configure domain aabbcc.net as the default user domain.
[Sysname] domain default enable aabbcc.net
# Reference scheme radius1 in domain aabbcc.net.
[Sysname-isp-aabbcc.net] scheme radius-scheme radius1
# Enable Web authentication globally. (It is recommended to take this step as the last step, so as to avoid the case that a valid user cannot access the network due to that some other related configurations are not finished.)
[Sysname] web-authentication enable
Now, Web authentication takes effect. Before the user passes the Web authentication, it cannot access external networks and can only access the free resource.
The user can perform the following steps to access the Internet:
Step 1: Enter http://10.10.10.10:8080 in the address column of IE.
Step 2: Enter the correct user name and password and then click [login]. The following page will be displayed: ”Authentication passed!”.
Now the user can access external networks.
