10-Security Configuration Guide

23-Web authentication configuration

Configuring Web authentication

Overview

Web authentication is deployed on Layer 2 Ethernet interfaces of the access device to control user access to networks. The access device redirects unauthenticated users to the website provided by the local portal Web server. The users can access the resources on the website without authentication. If the users want to access other network resources, they must pass authentication.

For more information about the local portal Web server, see "Configuring portal authentication."

Web authentication types

Web authentication is classified into the following types:

·     Active authentication—Users visit the authentication website provided by the local portal Web server and enter their username and password for authentication.

·     Forced authentication—Users are redirected to the Web authentication website for authentication when they visit other websites.

Advantages of Web authentication

Web authentication has the following advantages:

·     Allows users to perform authentication through webpages without installing client software.

·     Provides ISPs with diversified management choices and extended functions. For example, the ISPs can place advertisements, provide community services, and publish information on the authentication page.

Web authentication system

A typical Web authentication system consists of four basic components: authentication client, access device, local portal Web server, and AAA server.

Figure 1 Portal system using the local portal server

 

Authentication client

An authentication client is a Web browser that runs HTTP or HTTPS.

Access device

An access device refers to a broadband access device such as a switch or a router. An access device has the following functions:

·     Redirects all HTTP or HTTPS requests of unauthenticated users to the Web authentication page.

·     Interacts with the AAA server to complete authentication, authorization, and accounting.

·     Allows users that pass authentication to access authorized network resources.

Local portal Web server

The access device acts as the local portal Web server. The local portal Web server pushes the Web authentication page to authentication clients and forwards user authentication information (username and password) to the AAA module of the access device. For more information about AAA, see "Configuring AAA."

AAA server

An AAA server interacts with the access device to implement user authentication, authorization, and accounting. A RADIUS server can perform authentication, authorization, and accounting for Web authentication users. An LDAP server can perform authentication for Web authentication users.

Web authentication process

Figure 2 Web authentication process

 

The Web authentication process is as follows:

1.     An unauthenticated user sends an HTTP or HTTPS request. When the access device receives the HTTP or HTTPS request on a Layer 2 Ethernet interface enabled with Web authentication, it redirects the request to the Web authentication page. The user enters the username and password on the Web authentication page.

If the user requests the Web authentication page or free Web resources, the access device permits the request. No Web authentication is performed.

2.     The access device and the AAA server exchange RADIUS packets to authenticate the user.

3.     If the user passes RADIUS authentication, the local portal Web server pushes a login success page to the authentication client.

If the user fails RADIUS authentication, the local portal Web server pushes a login failure page to the authentication client.

Web authentication support for VLAN assignment

Authorization VLAN

Web authentication uses VLANs authorized by the AAA server or the access device to control network resource access of authenticated users.

After a user passes Web authentication, the AAA server or the access device authorizes the user to access a VLAN. If the authorization VLAN does not exist, the access device first creates the VLAN and then assigns the user access interface as an untagged member to the VLAN. If the authorization VLAN already exists, the access device directly assigns the user access interface as an untagged member to the VLAN. Then, the user can access resources in the authorization VLAN.

The initial VLAN and the authorization VLAN of a user might be on different subnets. A user can access the resources in the authorization VLAN only when the IP address of the client is on the same subnet as the authorization VLAN. Therefore, a user might need to update the IP address of the client after the user is assigned to the authorization VLAN.

To deploy Web authentication on a trunk or hybrid port, make sure the port PVID, the authorization VLAN ID, and the user VLAN ID are the same.

Auth-Fail VLAN

An Auth-Fail VLAN is a VLAN assigned to users who fail authentication. The Auth-Fail VLAN provides network resources such as the patch server, virus definitions server, client software server, and anti-virus software server to the users. The users can use these resources to upgrade their client software or other programs.

Web authentication supports the Auth-Fail VLAN on an interface that performs MAC-based access control. If a user on the interface fails authentication, the access device creates a MAC VLAN entry based on the MAC address of the user and adds the user to the Auth-Fail VLAN. Then, the user can access the portal-free IP resources in the Auth-Fail VLAN. All HTTP or HTTPS requests to non-portal-free IP resources are redirected to the authentication page. If the user later passes authentication, the access device adds the user to the authorization VLAN (if any) or returns the user to the initial VLAN of the interface. If the user fails authentication again, the access device keeps the user in the Auth-Fail VLAN.

The initial VLAN and the Auth-Fail VLAN of a user might be on different subnets. A user can access the resources in the Auth-Fail VLAN only when the IP address of the client is on the same subnet as the Auth-Fail VLAN. Therefore, a user might need to update the IP address of the client after the user is assigned to the Auth-Fail VLAN.

Web authentication support for authorization ACLs

Authorization ACL

Web authentication uses ACLs authorized by the AAA server or the access device to control user access to network resources and limit user access rights. When a user passes authentication, the AAA server or the access device assigns an authorization ACL to the access interface of the user. The access device filters traffic from the user on the access interface according to the authorization ACL.

You must configure the authorization ACLs on the access device if you specify authorization ACLs on the authentication server.

To change the access control criteria for the user, you can specify a different authorization ACL on the authentication server or change rules in the authorization ACL on the access device.

The device supports the following types of authorization ACLs:

·     Basic ACLs (ACL 2000 to ACL 2999).

·     Advanced ACLs (ACL 3000 to ACL 3999).

·     Layer 2 ACLs (ACL 4000 to ACL 4999).

For an authorization ACL to take effect, make sure the ACL exists and has rules, and that the rules are not configured with the counting, established, fragment, source-mac, or logging keyword. For more information about ACL rules, see ACL commands in ACL and QoS Command Reference.
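The constraints in this section can be checked before an authorization ACL is referenced from the authentication server. The following lint is an added example written for this guide, not H3C code: it parses a constructed Comware-style config fragment, verifies that each authorization ACL number falls in a supported range, that the ACL exists and has rules, and that no rule uses one of the keywords listed above. The config fragment and the ACL numbers are made up for illustration.

```python
"""Lint for authorization ACLs referenced by Web authentication, applying the
constraints in this section: the ACL number must fall in a supported range,
the ACL must exist and have rules, and the rules must not use the counting,
established, fragment, source-mac or logging keywords.

Constructed example, not H3C code; the config fragment and the list of
authorization ACL numbers are made up.
"""
import re

# Authorization ACL types and their number ranges from this section.
SUPPORTED_RANGES = {
    "basic": range(2000, 3000),
    "advanced": range(3000, 4000),
    "layer2": range(4000, 5000),
}
# Rule keywords that prevent an authorization ACL from taking effect.
DISALLOWED_KEYWORDS = {"counting", "established", "fragment", "source-mac", "logging"}

# Constructed running-config fragment in Comware style ('#' separates views).
SAMPLE_CONFIG = """\
acl advanced 3000
 rule 0 permit ip destination 10.1.1.0 0.0.0.255
 rule 5 deny ip
#
acl advanced 3001
 rule 0 permit tcp destination-port eq 80 logging
#
acl basic 2000
#
"""


def parse_acls(text):
    """Map ACL number -> list of rule lines found in a config fragment."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"acl (?:basic|advanced|mac|number) (\d+)$", line)
        if m:
            current = int(m.group(1))
            acls[current] = []
        elif line == "#":
            current = None
        elif current is not None and line.startswith("rule "):
            acls[current].append(line)
    return acls


def acl_type(number):
    """Return the authorization ACL type for a number, or None if unsupported."""
    for name, rng in SUPPORTED_RANGES.items():
        if number in rng:
            return name
    return None


def check_authorization_acl(number, acls):
    """Return the reasons an authorization ACL would not take effect (empty = usable)."""
    problems = []
    if acl_type(number) is None:
        problems.append(f"ACL {number} is outside the supported ranges 2000-4999")
    rules = acls.get(number)
    if rules is None:
        problems.append(f"ACL {number} does not exist on the access device")
        return problems
    if not rules:
        problems.append(f"ACL {number} has no rules")
    for rule in rules:
        bad = DISALLOWED_KEYWORDS.intersection(rule.split())
        if bad:
            problems.append(f"ACL {number} rule '{rule}' uses {sorted(bad)}")
    return problems


def check_all(numbers, text=SAMPLE_CONFIG):
    """Check every authorization ACL number against the parsed config."""
    acls = parse_acls(text)
    return {n: check_authorization_acl(n, acls) for n in numbers}


if __name__ == "__main__":
    for number, problems in check_all([3000, 3001, 2000, 3002, 5000]).items():
        print(number, "OK" if not problems else problems)
```

Run the file directly to see the verdict for each constructed ACL number; a missing ACL or an out-of-range number is reported without needing to touch the device.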

Web authentication task list

Tasks at a glance

(Required.) Configuring the Web authentication server

(Required.) Enabling Web authentication

(Optional.) Specifying a Web authentication domain

(Optional.) Setting the redirection wait time

(Optional.) Configuring a Web authentication-free subnet

(Optional.) Setting the maximum number of Web authentication users

(Optional.) Configuring online Web authentication user detection

(Optional.) Configuring an Auth-Fail VLAN

(Optional.) Configuring Web authentication to support Web proxy

 

Configuration prerequisites

The device supports two methods for Web authentication, which are local authentication and RADIUS authentication.

To use the local authentication method, configure usernames and passwords on the access device. User authentication is performed on the access device directly.

When using the RADIUS authentication method, the device acts as a RADIUS client and cooperates with the RADIUS server to perform authentication for users. Before you configure Web authentication by using the RADIUS server, make sure the following requirements are met:

·     The RADIUS server has been installed and configured properly.

·     The authentication client, access device, and RADIUS server can reach each other.

·     The local portal Web server has been configured and can provide Web authentication pages. For more information about the local portal Web server configuration, see "Configuring portal authentication".

·     Usernames and passwords of the users are configured on the RADIUS server. The RADIUS client configuration is performed on the access device. For information about the RADIUS client configuration, see "Configuring AAA."

Configuring the Web authentication server

Perform this task to configure the listening IP address of the Web authentication server, the redirection URL, and the parameters carried in the redirection URL.

Specify the IP address of a Layer 3 interface on the device that is routable to the Web client as the listening IP address of the Web authentication server. As a best practice, use the IP address of a loopback interface rather than that of any other Layer 3 interface. A loopback interface has the following advantages:

·     The status of a loopback interface is stable. There will be no authentication page access failures caused by interface failures.

·     A loopback interface does not forward received packets to any network, which avoids impact on system performance when there are many network access requests.

The IP address and port number of the Web authentication server must be the same as those in the redirection URL. Additionally, the port number of the Web authentication server must be the same as the listening port of the local portal Web server.

To configure the Web authentication server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a Web authentication server and enter its view.

web-auth server server-name

By default, no Web authentication servers exist.

3.     Specify the redirection URL for the Web authentication server.

url url-string

By default, no redirection URL is specified for a Web authentication server.

4.     Return to system view.

quit

N/A

5.     Specify the HTTPS redirect listening port number.

http-redirect https-port port-number

By default, no HTTPS redirect listening port number is specified.

For more information about this command, see HTTP redirect in Layer 3—IP Services Command Reference.

6.     Enter Web authentication server view.

web-server server-name

N/A

7.     Specify the IP address and port number for the Web authentication server.

ip ipv4-address port port-number

By default, no IP address or port number is specified for a Web authentication server.

8.     Configure the parameters to be carried in the redirection URL of the Web authentication server.

url-parameter parameter-name { original-url | source-address | source-mac | value expression }

By default, no parameters are configured to be carried in the redirection URL of a Web authentication server.
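The requirement stated above (the IP address and port of the Web authentication server must match the redirection URL, and the port must match the local portal Web server's listening port) is easy to violate when the three settings live in different views. The following checker is an added example for this guide, not H3C code: it parses a constructed config fragment containing the portal local-web-server, web-auth server url and ip/port commands from this section and reports any mismatch. The server names and addresses are made up.

```python
"""Consistency check for Web authentication server settings: the web-auth
server's ip/port must equal the host and port of its redirection URL, and
that port must equal the tcp-port of the local portal Web server for the
URL's scheme.

Constructed example, not H3C code; the config fragment is made up and
modelled on the commands in this section.
"""
import re
from urllib.parse import urlsplit

# Constructed Comware-style config fragment ('#' separates views).
SAMPLE_CONFIG = """\
portal local-web-server http
 tcp-port 80
#
web-auth server user
 url http://20.20.0.1/portal/
 ip 20.20.0.1 port 80
#
web-auth server bad
 url http://20.20.0.1:8080/portal/
 ip 20.20.0.2 port 80
"""


def parse_config(text):
    """Return (portal_ports, servers).

    portal_ports maps scheme ('http'/'https') -> tcp-port of the local portal Web server;
    servers maps web-auth server name -> dict with 'url', 'ip' and 'port' keys.
    """
    portal_ports, servers = {}, {}
    current = None  # (kind, key) of the view being parsed
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        m = re.match(r"portal local-web-server (http|https)$", line)
        if m:
            current = ("portal", m.group(1))
            continue
        m = re.match(r"web-auth server (\S+)$", line)
        if m:
            current = ("server", m.group(1))
            servers[m.group(1)] = {}
            continue
        if current is None:
            continue
        kind, key = current
        if kind == "portal":
            m = re.match(r"tcp-port (\d+)$", line)
            if m:
                portal_ports[key] = int(m.group(1))
        else:
            m = re.match(r"url (\S+)$", line)
            if m:
                servers[key]["url"] = m.group(1)
            m = re.match(r"ip (\S+) port (\d+)$", line)
            if m:
                servers[key]["ip"] = m.group(1)
                servers[key]["port"] = int(m.group(2))
    return portal_ports, servers


def check_server(name, server, portal_ports):
    """Return a list of problems for one web-auth server (empty = consistent)."""
    problems = [f"{name}: missing '{k}'" for k in ("url", "ip", "port") if k not in server]
    if problems:
        return problems
    parts = urlsplit(server["url"])
    # A URL without an explicit port implies the scheme's default port.
    url_port = parts.port or (443 if parts.scheme == "https" else 80)
    if parts.hostname != server["ip"]:
        problems.append(f"{name}: url host {parts.hostname} != ip {server['ip']}")
    if url_port != server["port"]:
        problems.append(f"{name}: url port {url_port} != port {server['port']}")
    portal_port = portal_ports.get(parts.scheme)
    if portal_port is None:
        problems.append(f"{name}: no local portal Web server configured for {parts.scheme}")
    elif portal_port != server["port"]:
        problems.append(f"{name}: port {server['port']} != portal tcp-port {portal_port}")
    return problems


def check_config(text):
    """Map each web-auth server name to its list of problems."""
    portal_ports, servers = parse_config(text)
    return {name: check_server(name, s, portal_ports) for name, s in servers.items()}


if __name__ == "__main__":
    for name, problems in check_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not problems else problems)
```

In the constructed fragment, server user is consistent while server bad is flagged twice: its URL host differs from its listening IP and its URL port differs from its configured port.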

 

Enabling Web authentication

For Web authentication to operate correctly, do not enable port security or configure the port security mode on the Layer 2 Ethernet interface enabled with Web authentication.

To enable Web authentication:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Enable Web authentication and specify the Web authentication server.

web-auth enable apply server server-name

By default, Web authentication is disabled.

 

Specifying a Web authentication domain

This feature allows you to specify different authentication domains for Web authentication users on different interfaces. After you specify a Web authentication domain on an interface, the device uses the authentication domain for AAA of all Web authentication users on the interface, ignoring the domain names carried in the usernames.

The device selects the authentication domain for a Web authentication user on an interface in this order:

1.     The authentication domain specified for the interface.

2.     The authentication domain carried in the username.

3.     The system default authentication domain. For information about the default authentication domain, see "Configuring AAA."

To specify an authentication domain for Web authentication users on an interface:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Specify an authentication domain for Web authentication users on the interface.

web-auth domain domain-name

By default, no authentication domain is specified for Web authentication users.

 

Setting the redirection wait time

The redirection wait time determines the length of time that the device waits to redirect a user to the specified webpage after the user passes Web authentication.

If a user is added to an authorization VLAN after passing Web authentication, the authentication client might change its IP address automatically. To ensure that the redirection URL can be successfully opened, set the redirection wait time to be greater than the time that the client takes to update its IP address.

To set the redirection wait time:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a Web authentication server and enter its view.

web-auth server server-name

By default, no Web authentication servers exist.

3.     Set the redirection wait time.

redirect-wait-time period

By default, the redirection wait time is 5 seconds.

 

Configuring a Web authentication-free subnet

You can configure a Web authentication-free subnet so that users can freely access the network resources in the subnet without being authenticated.

To configure a Web authentication-free subnet:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure a Web authentication-free subnet.

web-auth free-ip ip-address { mask-length | mask }

By default, no Web authentication-free subnet is configured.

 

Setting the maximum number of Web authentication users

If the maximum number of online Web authentication users that you set is less than the number of current online Web authentication users, the limit is set successfully and does not affect the online Web authentication users. However, the system does not allow new Web authentication users to log in until the number of online users drops below the limit.

To set the maximum number of Web authentication users:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Set the maximum number of Web authentication users on the interface.

web-auth max-user max-number

By default, the maximum number of Web authentication users is 1024.

 

Configuring online Web authentication user detection

This feature enables the device to periodically check whether the MAC address entries of online users on an interface are refreshed or have aged out. A user fails the detection if the MAC address entry of the user is not refreshed or has aged out. The device forcibly logs out a user that fails the detection two consecutive times.

To avoid invalid detection, make sure the detection interval is less than or equal to the aging time of MAC address entries.

To configure online Web authentication user detection:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Enable online Web authentication user detection.

web-auth offline-detect interval interval

By default, online Web authentication user detection is disabled.
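The two session-maintenance behaviours described above (the maximum user count in "Setting the maximum number of Web authentication users" and online user detection in this section) interact with the session table in ways worth seeing concretely: lowering the limit below the current count keeps existing users online but blocks new logins, and a user is forced offline only after two consecutive detection failures. The following model is an added example written for this guide, not H3C code; the MAC aging time, MAC addresses and intervals are constructed values.

```python
"""Model of two session-maintenance behaviours described in this guide: the
per-interface user limit (web-auth max-user) and online user detection
(web-auth offline-detect), including the two-consecutive-failures logout rule
and the requirement that the detection interval not exceed the MAC address
entry aging time.

Constructed example, not H3C code; the aging time, MAC addresses and
intervals are made up.
"""

MAC_AGING_TIME = 300  # constructed MAC address table aging time, in seconds


class WebAuthInterface:
    def __init__(self, max_user=1024, detect_interval=None):
        self.max_user = max_user                  # web-auth max-user (default 1024)
        self.detect_interval = detect_interval    # web-auth offline-detect interval
        self.online = {}                          # MAC -> consecutive detection failures

    def set_max_user(self, limit):
        """Changing the limit never logs out users already online."""
        self.max_user = limit

    def login(self, mac):
        """A new login is refused until the online count is below the limit."""
        if len(self.online) >= self.max_user:
            return False
        self.online[mac] = 0
        return True

    def logout(self, mac):
        self.online.pop(mac, None)

    def run_detection(self, refreshed_macs):
        """One detection round. A user whose MAC entry was not refreshed (or has
        aged out) fails; two consecutive failures force the user offline.
        Returns the MACs logged out in this round."""
        if self.detect_interval is None:          # detection disabled
            return []
        logged_out = []
        for mac in list(self.online):
            if mac in refreshed_macs:
                self.online[mac] = 0              # a refresh resets the failure count
                continue
            self.online[mac] += 1
            if self.online[mac] >= 2:
                logged_out.append(mac)
                del self.online[mac]
        return logged_out


def detection_interval_is_valid(interval, mac_aging_time=MAC_AGING_TIME):
    """The guide requires the detection interval to be <= the MAC aging time."""
    return interval <= mac_aging_time


if __name__ == "__main__":
    iface = WebAuthInterface(max_user=2, detect_interval=60)
    print(iface.login("0001-0001-0001"), iface.login("0001-0001-0002"))
    print(iface.login("0001-0001-0003"))          # refused: limit reached
    print(iface.run_detection({"0001-0001-0001"}))  # first miss for ...0002: nothing yet
    print(iface.run_detection({"0001-0001-0001"}))  # second miss: ...0002 logged out
    print(detection_interval_is_valid(60), detection_interval_is_valid(600))
```

Choosing a detection interval larger than the MAC aging time would make every user appear to fail, since the entry ages out between checks; `detection_interval_is_valid` encodes that guideline as a pre-deployment check.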

Configuring an Auth-Fail VLAN

Perform this task to allow Web authentication users who fail authentication to access resources in the Auth-Fail VLAN.

When you configure an Auth-Fail VLAN, follow these restrictions and guidelines:

·     To make the Auth-Fail VLAN take effect, you must also enable MAC-based VLAN on the interface, and set the subnet of the Auth-Fail VLAN as the Web authentication-free subnet.

·     Because MAC-based VLAN takes effect only on Hybrid ports, Auth-Fail VLAN also takes effect only on Hybrid ports.

·     If a VLAN is specified as the super VLAN, do not configure the VLAN as an Auth-Fail VLAN of an interface. If a VLAN is specified as an Auth-Fail VLAN of an interface, do not configure the VLAN as a super VLAN.

·     Do not delete a VLAN that has been configured as an Auth-Fail VLAN. To delete this VLAN, first cancel the Auth-Fail VLAN configuration by using the undo web-auth auth-fail vlan command.

To configure an Auth-Fail VLAN:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Configure an Auth-Fail VLAN.

web-auth auth-fail vlan authfail-vlan-id

By default, no Auth-Fail VLAN exists.

 

Configuring Web authentication to support Web proxy

By default, proxied HTTP requests cannot trigger Web authentication but are silently dropped. To allow such HTTP requests to trigger Web authentication, specify the port numbers of the Web proxy servers on the device.

If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover Web proxy servers, you must perform the following tasks:

·     Add the port numbers of the Web proxy servers on the device.

·     Configure authentication-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.

For Web authentication to support Web proxy:

·     You must add the port numbers of the Web proxy servers on the device.

·     Users must make sure their browsers that use a Web proxy server do not use the proxy server for the listening IP address of the local portal Web server. Thus, HTTP packets that the Web authentication user sends to the local portal Web server are not sent to the Web proxy server.

To configure Web authentication to support a Web proxy:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Add a Web proxy server port number.

web-auth proxy port port-number

By default, no Web proxy server port number is configured and proxied HTTP requests cannot trigger Web authentication.
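The following model pulls together the request-handling behaviour described in "Web authentication process", the authentication-free subnet and Web proxy sections above, and the domain selection order from "Specifying a Web authentication domain". It is an added example written for this guide, not H3C code: it shows how an unauthenticated user's HTTP request is permitted, dropped or redirected, how the configured url-parameter values are attached to the redirection URL, and which ISP domain a login is sent to. The IP addresses, subnets, proxy ports and usernames are constructed, and the query-string encoding of the redirection URL is an assumption, since the guide states which parameters can be carried but not their wire format.

```python
"""Model of the access-device behaviour described in this guide: how an HTTP
request from an unauthenticated user is permitted, dropped or redirected
(Web authentication process, authentication-free subnets, Web proxy support)
and how the authentication domain is chosen at login.

Constructed example, not H3C code. The IP addresses, subnets, proxy ports and
usernames are made up, and the query-string encoding of the redirection URL
is an assumption: the guide states which parameters can be carried but not
their wire format.
"""
import ipaddress
from urllib.parse import urlencode


class WebAuthDevice:
    def __init__(self, server_ip, redirect_url, url_parameters, free_subnets,
                 proxy_ports=(), interface_domain=None, default_domain="system"):
        self.server_ip = server_ip                # 'ip' in Web authentication server view
        self.redirect_url = redirect_url          # 'url' in Web authentication server view
        # name -> 'original-url' | 'source-address' | 'source-mac' | ('value', text)
        self.url_parameters = url_parameters      # 'url-parameter' entries
        self.free_subnets = [ipaddress.ip_network(s) for s in free_subnets]  # web-auth free-ip
        self.proxy_ports = set(proxy_ports)       # web-auth proxy port
        self.interface_domain = interface_domain  # web-auth domain on the interface
        self.default_domain = default_domain      # system default ISP domain
        self.authenticated = set()                # source MACs that passed authentication

    def handle_request(self, src_ip, src_mac, dst_ip, dst_port, original_url,
                       proxied=False):
        """Return ('permit', None), ('drop', reason) or ('redirect', url)."""
        if src_mac in self.authenticated:
            return ("permit", None)
        # Requests for the authentication page itself or for a Web
        # authentication-free subnet are allowed through without authentication.
        if dst_ip == self.server_ip:
            return ("permit", None)
        if any(ipaddress.ip_address(dst_ip) in net for net in self.free_subnets):
            return ("permit", None)
        # Proxied requests trigger Web authentication only when their proxy port
        # was added with 'web-auth proxy port'; otherwise they are dropped.
        if proxied and dst_port not in self.proxy_ports:
            return ("drop", "proxied request to an unconfigured proxy port")
        return ("redirect", self.build_redirect_url(src_ip, src_mac, original_url))

    def build_redirect_url(self, src_ip, src_mac, original_url):
        """Append the configured url-parameter values to the redirection URL."""
        sources = {"original-url": original_url,
                   "source-address": src_ip,
                   "source-mac": src_mac}
        query = {}
        for name, kind in self.url_parameters.items():
            if isinstance(kind, tuple):           # ('value', expression): fixed text
                query[name] = kind[1]
            else:
                query[name] = sources[kind]
        if not query:
            return self.redirect_url
        return self.redirect_url + "?" + urlencode(query)

    def select_domain(self, username):
        """Domain selection order: the interface domain, then the domain carried
        in the username, then the system default domain."""
        if self.interface_domain:
            return self.interface_domain
        if "@" in username:
            return username.rsplit("@", 1)[1]
        return self.default_domain


if __name__ == "__main__":
    dev = WebAuthDevice(
        server_ip="20.20.0.1",
        redirect_url="http://20.20.0.1/portal/",
        url_parameters={"userurl": "original-url", "userip": "source-address"},
        free_subnets=["10.1.2.0/24"],
        proxy_ports=[8080],
    )
    print(dev.handle_request("20.20.0.10", "aaaa-bbbb-cccc", "198.51.100.7", 80,
                             "http://198.51.100.7/"))
    print(dev.select_domain("alice@dm1"))
```

The model makes the Web proxy caveat visible: the same request to a proxy on a port that is not listed is dropped rather than redirected, which is the silent failure the section above warns about.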

 

Displaying and maintaining Web authentication

Execute display commands in any view.

 

Task

Command

Display Web authentication configuration information on interfaces.

display web-auth [ interface interface-type interface-number ]

Display Web authentication-free subnets.

display web-auth free-ip

Display Web authentication server information.

display web-auth server [ server-name ]

(In standalone mode.) Display Web authentication user information.

display web-auth user [ interface interface-type interface-number | slot slot-number ]

(In IRF mode.) Display Web authentication user information.

display web-auth user [ interface interface-type interface-number | chassis chassis-number slot slot-number ]

 

Web authentication configuration examples

Web authentication using the local authentication server

Network requirements

As shown in Figure 3, the host is connected to the device through GigabitEthernet 1/0/1.

Configure Web authentication to meet the following requirements:

·     The device performs local Web authentication on users that access the network through GigabitEthernet 1/0/1.

·     The device pushes customized Web authentication pages to users and uses HTTP to transfer the authentication data.

Figure 3 Network diagram

 

Configuration prerequisites

·     Assign IP addresses to the host and the device as shown in Figure 3, and make sure the host and the device can reach each other.

·     Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the switch. In this example, the file is abc.zip.

Configuration procedure

1.     Create VLANs, assign IP addresses to the VLAN interfaces, and assign interfaces to the VLANs. (Details not shown.)

2.     Configure a local user:

# Create a local network access user named localuser.

<Device>system-view

[Device] local-user localuser class network

# Set the password to localpass in plaintext form for user localuser.

[Device-luser-network-localuser] password simple localpass

# Authorize the user to use LAN access services.

[Device-luser-network-localuser] service-type lan-access

[Device-luser-network-localuser] quit

3.     Configure an ISP domain:

# Create an ISP domain named local.

[Device] domain local

# Configure the ISP domain to perform local authentication, authorization, and accounting for LAN users.

[Device-isp-local] authentication lan-access local

[Device-isp-local] authorization lan-access local

[Device-isp-local] accounting lan-access local

[Device-isp-local] quit

4.     Configure a local portal Web server:

# Create a local portal Web server, and configure the server to use HTTP to exchange authentication information with clients.

[Device] portal local-web-server http

# Specify file abc.zip as the default authentication page file for the local portal Web server. (This file must exist in the root directory of the device.)

[Device-portal-local-websvr-http] default-logon-page abc.zip

# Specify the HTTP listening port number as 80 for the portal Web server.

[Device-portal-local-websvr-http] tcp-port 80

[Device-portal-local-websvr-http] quit

5.     Configure Web authentication:

# Create a Web authentication server named user.

[Device] web-auth server user

# Configure the redirection URL for the Web authentication server as http://20.20.0.1/portal/.

[Device-web-auth-server-user] url http://20.20.0.1/portal/

# Specify 20.20.0.1 as the IP address and 80 as the port number for the Web authentication server.

[Device-web-auth-server-user] ip 20.20.0.1 port 80

[Device-web-auth-server-user] quit

# Specify ISP domain local as the Web authentication domain.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] web-auth domain local

# Enable Web authentication by using Web authentication server user.

[Device-GigabitEthernet1/0/1] web-auth enable apply server user

[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display online Web authentication user information after user localuser passes Web authentication.

<Device> display web-auth user

  Total online web-auth users: 1

 

User Name: localuser

  MAC address: acf1-df6c-f9ad

  Access interface: GigabitEthernet1/0/1

  Initial VLAN: 1

  Authorization VLAN: N/A

  Authorization ACL ID: N/A

  Authorization user profile: N/A

Web authentication using the RADIUS authentication server

Network requirements

As shown in Figure 4, the host is connected to the device through GigabitEthernet 1/0/1.

Configure Web authentication to meet the following requirements:

·     The device performs Web authentication for users by using a RADIUS server.

·     The device pushes customized Web authentication pages to users and uses HTTP to transfer the authentication data.

Figure 4 Network diagram

 

Configuration prerequisites

·     Assign IP addresses to the host, the device, and the RADIUS server as shown in Figure 4 and make sure they can reach each other.

·     Configure the RADIUS server properly to provide authentication and accounting functions for users. In this example, the username is configured as user1 on the RADIUS server.

·     Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the switch. In this example, the file is abc.zip.

Configuration procedure

1.     Create VLANs, assign IP addresses to the VLAN interfaces, and assign interfaces to the VLANs. (Details not shown.)

2.     Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1.

<Device> system-view

[Device] radius scheme rs1

# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

[Device-radius-rs1] primary authentication 192.168.0.112

[Device-radius-rs1] primary accounting 192.168.0.112

[Device-radius-rs1] key authentication simple radius

[Device-radius-rs1] key accounting simple radius

# Exclude the ISP domain name from the username sent to the RADIUS server.

[Device-radius-rs1] user-name-format without-domain

[Device-radius-rs1] quit

3.     Configure an authentication domain:

# Create an ISP domain named dm1.

[Device] domain dm1

# Configure AAA methods for the ISP domain

[Device-isp-dm1] authentication lan-access radius-scheme rs1

[Device-isp-dm1] authorization lan-access radius-scheme rs1

[Device-isp-dm1] accounting lan-access radius-scheme rs1

[Device-isp-dm1] quit

4.     Configure a local portal Web server:

# Configure a local portal Web server to use HTTP to exchange authentication information with clients.

[Device] portal local-web-server http

# Specify the file abc.zip as the default authentication page file for the local portal Web server. (This file must exist in the root directory of the storage medium.)

[Device-portal-local-websvr-http] default-logon-page abc.zip

# Specify 80 as the port number listened by the portal Web server for HTTP.

[Device-portal-local-websvr-http] tcp-port 80

[Device-portal-local-websvr-http] quit

5.     Configure Web authentication:

# Create Web authentication server named user.

[Device] web-auth server user

# Specify http://20.20.0.1/portal/ as the redirection URL for the Web authentication server.

[Device-web-auth-server-user] url http://20.20.0.1/portal/

# Specify the IP address of the Web authentication server as 20.20.0.1 (the IP address of Loopback 0) and the port number as 80.

[Device-web-auth-server-user] ip 20.20.0.1 port 80

[Device-web-auth-server-user] quit

# Specify domain dm1 as the Web authentication domain.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] web-auth domain dm1

# Enable Web authentication by using Web authentication server user.

[Device-GigabitEthernet1/0/1] web-auth enable apply server user

[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display Web authentication user information after user user1 passes Web authentication.

<Device> display web-auth user

  Total online web-auth users: 1

 

User Name: user1

  MAC address: acf1-df6c-f9ad

  Access interface: GigabitEthernet1/0/1

  Initial VLAN: 100

  Authorization VLAN: N/A

  Authorization ACL ID: N/A

  Authorization user profile: N/A

Troubleshooting Web authentication

Failure to come online (Web authentication configuration correct)

Symptom

A Web authentication page can be correctly pushed, but a local user cannot pass Web authentication to come online.

The display this command shows that the Web authentication settings have been correctly configured, including the local user, Web authentication server, authentication domain, loopback interface, and VLAN interface settings.

The display this command shows that Web authentication is enabled both on the user access interface and on the RADIUS server-facing interface.

Analysis

Web authentication needs to be enabled only on the user access interface. Web authentication cannot operate correctly if it is enabled on both the user access interface and the RADIUS server-facing interface.

Solution

Disable Web authentication on the RADIUS server-connecting interface.

Failure to come online (local authentication interface using the default ISP domain)

Symptom

No authentication domain is specified for the local authentication interface. A user fails to pass Web authentication to come online.

Analysis

If no Web authentication domain is specified, the system default ISP domain (domain system) is used for Web authentication. The system default domain uses the local authentication method by default. Using these default domain settings, the local authentication should have operated correctly.

Local authentication might fail because the authentication method of the system default domain has been changed or the system default domain itself has been changed.

Solution

To resolve the problem, perform the following tasks:

1.     Use the display domain command to identify whether the AAA methods for Web users in the system default domain are local.

2.     If the AAA methods for Web users in the system default domain are not local, reconfigure the AAA methods as local.

Failure to come online (VLAN configured on interface)

Symptom

A user belongs to a VLAN different from the VLAN to which the RADIUS server-facing interface belongs. The user cannot pass Web authentication to come online.

Analysis

Users can access the external network only when the user access interface and the RADIUS server-facing interface belong to the same VLAN.

Solution

To resolve the problem, use one of the following methods:

·     Remove the RADIUS server-connecting interface from its VLAN and then assign the RADIUS server-facing interface to the VLAN to which the user access interface belongs.

·     Remove the user access interface from its VLAN and then assign the user access interface to the VLAN to which the RADIUS server-facing interface belongs.