Web authentication is deployed on Layer 2 Ethernet interfaces of the access device to control user access to networks. The access device redirects unauthenticated users to the website provided by the local portal Web server. The users can access the resources on the website without authentication. If the users want to access other network resources, they must pass authentication.

Advantages of Web authentication

Web authentication has the following advantages:

· Allows users to perform authentication through webpages without installing client software.

· Provides ISPs with diversified management choices and extended functions. For example, the ISPs can place advertisements, provide community services, and publish information on the authentication page.

Web authentication system

A typical Web authentication system consists of four basic components: authentication client, access device, local portal Web server, and AAA server.

Figure 1 Portal system using the local portal server

Authentication client

An authentication client is a Web browser that runs HTTP.

Access device

An access device refers to a broadband access device such as a switch or a router. An access device has the following functions:

· Redirects all unauthenticated HTTP requests except those match authentication-free rules to the Web authentication page.

· Interacts with the AAA server to complete authentication, authorization, and accounting.

· Allows users that pass authentication to access authorized network resources.

Local portal Web server

The access device acts as the local portal Web server. The local portal Web server pushes the Web authentication page to authentication clients. Then, it forwards user authentication information (username and password) to the AAA module of the access device for the module to perform authentication, authorization, and accounting on users.

AAA server

An AAA server interacts with the access device to implement user authentication, authorization, and accounting. A RADIUS server can perform authentication, authorization, and accounting for Web authentication users. An LDAP server can perform authentication for Web authentication users. For more information about authentication, authorization, and accounting, see "Configuring AAA."

Web authentication process

As shown in Figure 2, the Web authentication process is as follows:

1. An unauthetnicated user firstly sends an HTTP request. When the access device receives the HTTP request on a Layer 2 Ethernet interface enabled with Web authentication, it redirects the request to the Web authentication page. The user enters the username and password on the Web authentication page.

If the user requests the Web authentication page or free Web resources, the access device permits the request. No Web authentication is performed.

2. The access device and the AAA server exchange authentication packets to authenticate the user.

3. If the user passes Web authentication, the access device (local portal Web server) pushes a login success page to the authentication client.

If the user fails Web authentication, the access device (local portal Web server) pushes a login failure page to the authentication client.

Figure 2 Web authentication process

Web authentication support for VLAN assignment

Authorization VLAN

Web authentication uses VLANs authorized by the AAA server or the access device to control network resource access of authenticated users.

After a user passes Web authentication, the AAA server or the access device authorizes the user to access a VLAN. If the authorization VLAN does not exist, the access device first creates the VLAN and then assigns the user access interface as an untagged member to the VLAN. If the authorization VLAN already exists, the access device directly assigns the user access interface as an untagged member to the VLAN. Then, the user can access resources in the authorization VLAN.

Table 1 describes the way the access device handles authorization VLANs for Web authenticated users.

Table 1 VLAN manipulation

Port type	VLAN manipulation
· Access port · Trunk port · Hybrid port with MAC-based-VLAN disabled	The device assigns the port to the first authenticated user's authorization VLAN. The authorization VLAN becomes the PVID. All Web authentication users on the port must be assigned the same authorization VLAN. If a different authorization VLAN is assigned to a subsequent user, the user cannot pass Web authentication.
Hybrid port with MAC-based VLAN enabled	The device maps the MAC address of each user to its own authorization VLAN regardless of whether the port is a tagged member. The PVID of the port does not change.

Port type

VLAN manipulation

· Access port

· Trunk port

· Hybrid port with MAC-based-VLAN disabled

The device assigns the port to the first authenticated user's authorization VLAN. The authorization VLAN becomes the PVID. All Web authentication users on the port must be assigned the same authorization VLAN. If a different authorization VLAN is assigned to a subsequent user, the user cannot pass Web authentication.

Hybrid port with MAC-based VLAN enabled

The device maps the MAC address of each user to its own authorization VLAN regardless of whether the port is a tagged member. The PVID of the port does not change.

Auth-Fail VLAN

An Auth-Fail VLAN is a VLAN assigned to users who fail authentication. The Auth-Fail VLAN provides network resources such as the patch server, virus definitions server, client software server, and anti-virus software server to the users. The users can use these resources to upgrade their client software or other programs.

Web authentication supports Auth-Fail VLAN on an interface that performs MAC-based access control. If a user on the interface fails authentication, the access device creates a MAC VLAN entry based on the MAC address of the user and adds the user to the Auth-Fail VLAN. Then, the user can access the portal-free IP resources in the Auth-Fail VLAN. All HTTP requests to non-portal-free IP resources will be redirected to the authentication page. If the user still fails authentication, the interface remains in the Auth-Fail VLAN. If the user passes authentication, the access device removes the interface from the Auth-Fail VLAN and assigns the interface to a VLAN as follows:

· If the authentication server assigns an authorization VLAN to the user, the access device assigns the interface to the authorization VLAN.

· If the authentication server does not assign an authorization VLAN to the user, the access device assigns the interface to the default VLAN.

Web authentication support for authorization ACLs

Web authentication uses ACLs authorized by the AAA server or the access device to control user access to network resources and limit user access rights. When a user passes authentication, the AAA server and the access device assigns an authorization ACL to the access interface of the user. The access device filters traffic from the user on the access interface according to the authorization ACL.

You must configure the authorization ACLs on the access device if you specify authorization ACLs on the authentication server.

To change the access control criteria for the user, you can specify a different authorization ACL on the authentication server or change rules in the authorization ACL on the access device.

Configuration restrictions and guidelines

To access the resources in the authorization or Auth-Fail VLAN, a user must update the IP address of the client after being assigned to the authorization or Auth-Fail VLAN.

The switch supports only the following types of authorization ACLs:

· Basic ACLs (ACL 2000 to ACL 2999).

· Advanced ACLs (ACL 3000 to ACL 3999).

As a best practice, perform Web authentication on users directly connected to the device. As shown in Figure 3, if you enable Web authentication on Port B to authenticate non-directly connected users (the hosts), you must follow these restrictions and guidelines:

· If the RADIUS server assigns an authorization VLAN to the users, make sure the following conditions are met:

¡ The link between Device A and Device B is a trunk link.

¡ The PVIDs of Port A1 and Port B are the same as the authorization VLAN ID.

· If the RADIUS server does not assign an authorization VLAN to the users, make sure the PVIDs of Port A1 and Port B are the same.

Figure 3 Web authentication for non-directly connected users

Web authentication task list

Tasks at a glance
(Required.) Configuring the Web authentication server
(Required.) Configuring a local portal Web server For more information about this task, see "Configuring portal authentication."
(Required.) Enabling Web authentication
(Optional.) Specifying a Web authentication domain
(Optional.) Setting the redirection wait time
(Optional.) Configuring a Web authentication-free subnet
(Optional.) Setting the maximum number of Web authentication users
(Optional.) Configuring online Web authentication user detection
(Optional.) Configuring an Auth-Fail VLAN
(Optional.) Configuring Web authentication to support Web proxy

Configuration prerequisites

The device supports two methods for Web authentication, which are local authentication and RADIUS authentication.

To use the local authentication method, configure usernames and passwords on the access device. User authentication is performed on the access device directly.

When using the RADIUS authentication method, the device acts as a RADIUS client and cooperates with the RADIUS server to perform authentication for users. Before you configure Web authentication by using the RADIUS server, make sure the following requirements are met:

· The RADIUS server has been installed and configured properly.

· The authentication client, access device, and RADIUS server can reach each other.

· Usernames and passwords of the users are configured on the RADIUS server. The RADIUS client configuration is performed on the access device. For information about the RADIUS client configuration, see "Configuring AAA."

Configuring the Web authentication server

Perform this task to configure the IP address listened by the Web authentication server, redirection URL, and parameters carried in redirection URL.

Specify the IP address of a Layer 3 interface on the device that is routable to the Web client as the listening IP address of the Web authentication server. As a best practice, use the IP address of a loopback interface rather than that of a Layer 3 interface. A loopback interface has the following advantages:

· The status of a loopback interface is stable. There will be no authentication page access failures caused by interface failures.

· A loopback interface does not forward received packets to any networks, avoiding impact on system performances when there are many network access requests.

The port number of the Web authentication server must be the same as the listening port of the local portal Web server.

To configure the Web authentication server:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a Web authentication server and enter its view.	web-auth server server-name	By default, no Web authentication servers exist.
3. Specify the IP address and port number for the Web authentication server.	ip ipv4-address port port-number	By default, no IP address or port number is specified for a Web authentication server.
4. Specify the redirection URL for the Web authentication server.	url url-string	By default, no redirection URL is specified for a Web authentication server. The IP address and port number in the specified redirection URL must be the same as those of the Web authentication server.
5. Configure the parameters to be carried in the redirection URL of the Web authentication server.	url-parameter parameter-name { original-url \| source-address \| source-mac \| value expression }	By default, no parameters are configured to be carried in the redirection URL of a Web authentication server.

Enabling Web authentication

For Web authentication to operate correctly, do not enable port security or configure the port security mode on the Layer 2 Ethernet interface enabled with Web authentication.

To enable Web authentication:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable Web authentication and specify the Web authentication server	web-auth enable apply server server-name	By default, Web authentication is disabled.

Specifying a Web authentication domain

This feature allows you to specify different authentication domains for Web authentication users on different interfaces. After you specify a Web authentication domain on an interface, the device uses the authentication domain for AAA of all Web authentication users on the interface, ignoring the domain names carried in the usernames.

The device selects the authentication domain for a Web authentication user on an interface in this order:

1. The authentication domain specified for the interface.

2. The authentication domain carried in the username.

3. The system default authentication domain.

For information about the authentication domain, see "Configuring AAA."

To specify an authentication domain for Web authentication users on an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Specify an authentication domain for Web authentication users on the interface.	web-auth domain domain-name	By default, no authentication domain is specified for Web authentication users.

Setting the redirection wait time

The redirection wait time determines the length of time that the device waits to redirect a user to the specified webpage after the user passes Web authentication.

You need to change the redirection wait time in some scenarios, for example, when a user needs to update the client IP address after passing Web authentication. To ensure that the specified webpage can be successfully opened, set the redirection wait time to be greater than the time that the user takes to update the IP address of the client.

To set the redirection wait time:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a Web authentication server and enter its view.	web-auth server server-name	By default, no Web authentication servers exist.
3. Set the redirection wait time.	redirect-wait-time period	By default, the redirection wait time for authenticated users is 5 seconds.

Configuring a Web authentication-free subnet

You can configure a Web authentication-free subnet so that users can freely access the network resources in the subnet without being authenticated.

To configure a Web authentication-free subnet:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure a Web authentication-free subnet.	web-auth free-ip ip-address { mask-length \| mask }	By default, no Web authentication-free subnet is configured. As a best practice, do not configure the same address value for a Web authentication-free subnet and an 802.1X free IP. Otherwise, when you cancel one of the configuration, the other configuration does not take effect, either.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure a Web authentication-free subnet.

web-auth free-ip ip-address { mask-length | mask }

By default, no Web authentication-free subnet is configured.

As a best practice, do not configure the same address value for a Web authentication-free subnet and an 802.1X free IP. Otherwise, when you cancel one of the configuration, the other configuration does not take effect, either.

Setting the maximum number of Web authentication users

If the maximum number of online Web authentication users you set is less than that of the current online Web authentication users, the limit can be set successfully and does not impact the online Web authentication users. However, the system does not allow new Web authentication users to log in until the number drops down below the limit.

Set a reasonable maximum number of Web authentication users to avoid high CPU usage caused by too many users.

To set the maximum number of Web authentication users:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Set the maximum number of Web authentication users on the interface.	web-auth max-user max-number	By default, the maximum number of Web authentication users is 1024.

Configuring online Web authentication user detection

This feature enables the device to detect packets of an online user at the specified detection interval. If no packet from the user is received within the interval, the device logs out the user and notifies the RADIUS server to stop accounting for the user.

To prevent the device from mistakenly logging out users, set the detection interval to be the same as the aging time of MAC address entries.

To configure online Web authentication user detection:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Enable online Web authentication user detection.	web-auth offline-detect interval interval	By default, online Web authentication user detection is disabled.

Configuring an Auth-Fail VLAN

Perform this task to allow authentication failed Web authentication users to access resources in the Auth-Fail VLAN.

When you configure an Auth-Fail VLAN, follow these restrictions and guidelines:

· To make the Auth-Fail VLAN take effect, you must also enable MAC-based VLAN on the interface, and set the subnet of the Auth-Fail VLAN as the Web authentication-free subnet.

· Because MAC-based VLAN takes effect only on Hybrid ports, Auth-Fail VLAN also takes effect only on Hybrid ports.

· If a VLAN is specified as the super VLAN, do not configure the VLAN as an Auth-Fail VLAN of an interface. If a VLAN is specified as an Auth-Fail VLAN of an interface, do not configure the VLAN as a super VLAN.

· Do not delete the VLAN that has been configured as an Auth-Fail VLAN. To delete this VLAN, first cancel the Auth-Fail VLAN configuration by using undo web-auth auth-fail vlan command.

To configure an Auth-Fail VLAN:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	interface interface-type interface-number	N/A
3. Configure an Auth-Fail VLAN.	web-auth auth-fail vlan authfail-vlan-id	By default, no Auth-Fail VLAN exists.

Configuring Web authentication to support Web proxy

By default, proxied HTTP requests cannot trigger Web authentication but are silently dropped. To allow such HTTP requests to trigger Web authentication, specify the port numbers of the Web proxy servers on the device.

If a user's browser uses the Web Proxy Auto-Discovery (WPAD) protocol to discover Web proxy servers, you must perform the following tasks:

· Add the port numbers of the Web proxy servers on the device.

· Configure authentication-free rules to allow user packets destined for the IP address of the WPAD server to pass without authentication.

For Web authentication to support Web proxy:

· You must add the port numbers of the Web proxy servers on the device.

· Users must make sure their browsers that use a Web proxy server do not use the proxy server for the listening IP address of the local portal Web server. Thus, HTTP packets that the Web authentication user sends to the local portal Web server are not sent to the Web proxy server.

To configure Web authentication to support a Web proxy:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Add a Web proxy server port number.	web-auth proxy port port-number	By default, no Web proxy server port number is configured and proxied HTTP requests cannot trigger Web authentication.

Displaying and maintaining Web authentication

Execute display commands in any view.

Task	Command
Display Web authentication configuration information on interfaces.	display web-auth [ interface interface-type interface-number ]
Display Web authentication-free subnets.	display web-auth free-ip
Display Web authentication server information.	display web-auth server [ server-name ]
Display Web authentication user information.	display web-auth user [ interface interface-type interface-number \| slot slot-number ]

Web authentication configuration examples

Web authentication using the local authentication server

Network requirements

As shown in Figure 4, the host is connected to the device through GigabitEthernet 1/0/1.

Configure Web authentication to meet the following requirements:

· The device performs local Web authentication on users that access the network through GigabitEthernet 1/0/1.

· The device pushes customized Web authentication pages to users and use HTTP to transfer the authentication data.

Figure 4 Network diagram

‌

Configuration prerequisites

· Assign IP addresses to the host and the device as shown in Figure 4, and make sure the host and the device can reach each other.

· Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the switch. In this example, the file is abc.zip.

Configuration procedure

1. Create VLANs, assign IP addresses to the VLAN interfaces, and assign interfaces to the VLANs. (Details not shown.)

2. Configure a local user:

# Create a local network access user named localuser.

<Device>system-view

[Device] local-user localuser class network

# Set the password to localpass in plaintext form for user localuser.

[Device-luser-network-localuser] password simple localpass

# Authorize the user to use LAN access services.

[Device-luser-network-localuser] service-type lan-access

[Device-luser-network-localuser] quit

3. Configure an ISP domain:

# Create an ISP domain named local.

[Device] domain local

# Configure the ISP domain to perform local authentication, local authorization, and local accounting for LAN-access users.

[Device-isp-local] authentication lan-access local

[Device-isp-local] authorization lan-access local

[Device-isp-local] accounting lan-access local

[Device-isp-local] quit

4. Configure a local portal Web server:

# Create a local portal Web server, and configure the server use HTTP to exchange authentication information with clients.

[Device] portal local-web-server http

# Specify file abc.zip as the default authentication page file for the local portal Web server. (This file must exist in the root directory of the device. For more information about customizing authentication pages, see "Configuring portal authentication.")

[Device-portal-local-websvr-http] default-logon-page abc.zip

# Specify the HTTP listening port number as 80 for the portal Web server.

[Device–portal-local-websvr-http] tcp-port 80

[Device-portal-local-websvr-http] quit

5. Configure Web authentication:

# Create a Web authentication server named user.

[Device] web-auth server user

# Configure the redirection URL for the Web authentication server as http://20.20.0.1/portal/.

[Device-web-auth-server-user] url http://20.20.0.1/portal/

# Specify 20.20.0.1 as the IP address and 80 as the port number for the Web authentication server.

[Device-web-auth-server-user] ip 20.20.0.1 port 80

[Device-web-auth-server-user] quit

# Specify ISP domain local as the Web authentication domain.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] web-auth domain local

# Enable Web authentication by using Web authentication server user.

[Device-GigabitEthernet1/0/1] web-auth enable apply server user

[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display online Web authentication user information after user localuser passes Web authentication.

[Device] display web-auth user

Total online web-auth users: 1

User Name: localuser

MAC address: acf1-df6c-f9ad

Access interface: GigabitEthernet1/0/1

Initial VLAN: 14

Authorization VLAN: N/A

Authorization ACL ID: N/A

Authorization user profile: N/A

Web authentication using the RADIUS authentication server

Network requirements

As shown in Figure 5, the host is connected to the device through GigabitEthernet 1/0/1.

Configure Web authentication to meet the following requirements:

· The device performs Web authentication for users by using a RADIUS server.

· The device pushes customized Web authentication pages to users and use HTTP to transfer the authentication data.

Figure 5 Network diagram

‌

Configuration prerequisites

· Assign IP addresses to the host, the device, and the RADIUS server as shown in Figure 5 and make sure they can reach each other.

· Configure the RADIUS server properly to provide authentication and accounting functions for users. In this example, the username is configured as user1 on the RADIUS server.

· Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the switch. In this example, the file is abc.zip.

Configuration procedure

1. Create VLANs, assign IP addresses to the VLAN interfaces, and assign interfaces to the VLANs. (Details not shown.)

2. Configure a RADIUS scheme:

# Create a RADIUS scheme named rs1.

<Device> system-view

[Device] radius scheme rs1

# Specify the primary authentication server and primary accounting server, and configure the keys for communication with the servers.

[Device-radius-rs1] primary authentication 192.168.0.112

[Device-radius-rs1] primary accounting 192.168.0.112

[Device-radius-rs1] key authentication simple radius

[Device-radius-rs1] key accounting simple radius

# Exclude the ISP domain name from the username sent to the RADIUS server.

[Device-radius-rs1] user-name-format without-domain

[Device-radius-rs1] quit

3. Configure an authentication domain:

# Create an ISP domain named dm1.

[Device] domain dm1

# Configure AAA methods for the ISP domain

[Device-isp-dm1] authentication lan-access radius-scheme rs1

[Device-isp-dm1] authorization lan-access radius-scheme rs1

[Device-isp-dm1] accounting lan-access radius-scheme rs1

[Device-isp-dm1] quit

4. Configure a local portal Web server:

# Configure a local port Web server to use HTTP to exchange authentication information with clients.

[Device] portal local-web-server http

# Specify the file abc.zip as the default authentication page file for the local portal Web server. (This file must exist in the directly root directory of the storage medium.)

[Device-portal-local-websvr-http] default-logon-page abc.zip

# Specify 80 as the port number listened by the portal Web server for HTTP.

[Device–portal-local-websvr-http] tcp-port 80

[Device-portal-local-websvr-http] quit

5. Configure Web authentication:

# Create Web authentication server named user.

[Device] web-auth server user

# Specify http://20.20.0.1/portal/ as the redirection URL for the Web authentication server.

[Device-web-auth-server-user] url http://20.20.0.1/portal/

# Specify the IP address of the Web authentication server as 20.20.0.1 (the IP address of Loopback 0) and the port number as 80.

[Device-web-auth-server-user] ip 20.20.0.1 port 80

[Device-web-auth-server-user] quit

# Specify domain dml as the Web authentication domain.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] web-auth domain dm1

# Enable Web authentication by using Web authentication server user.

[Device-GigabitEthernet1/0/1] web-auth enable apply server user

[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display Web authentication user information after user user1 passes Web authentication.

[Device] display web-auth user

Total online web-auth users: 1

User Name: user1

MAC address: acf1-df6c-f9ad

Access interface: GigabitEthernet1/0/1

Initial VLAN: 1

Authorization VLAN: N/A

Authorization ACL ID: N/A

Authorization user profile: N/A

Troubleshooting Web authentication

Failure to come online (local authentication interface using the default ISP domain)

Symptom

No authentication domain is specified for the local authentication interface. A user fails to pass Web authentication to come online.

Analysis

If no Web authentication domain is specified, the system default ISP domain (domain system) is used for Web authentication. The system default domain uses the local authentication method by default. Using these default domain settings, the local authentication should have operated correctly.

The local authentication fails might because that the authentication method of the system default domain is changed or the system default domain is changed.

Solution

To resolve the problem, perform the following tasks:

1. Use the display domain command to verify whether the AAA methods for Web users in the system default domain are correct.

2. If the AAA methods for Web users in the system default domain are not correct, reconfigure the AAA methods.

08-Security Configuration Guide

Authentication client

Access device

Local portal Web server

AAA server

Auth-Fail VLAN

Displaying and maintaining Web authentication

Web authentication configuration examples

Configuration prerequisites

Configuration procedure

Verifying the configuration

Network requirements

Configuration prerequisites

Configuration procedure

Verifying the configuration

Symptom

Analysis

Solution

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us