Web authentication is a Layer 3 security feature: the switch disallows IP traffic (except DHCP- and DNS-related packets) from a particular client until that client supplies a valid username and password. It is a simple authentication method that needs no supplicant or client utility. Web authentication is typically used by customers who deploy a guest-access network. Traffic from both HTTP and HTTPS pages is allowed to display the login page.

Web authentication does not provide data encryption and is typically used as simple guest access for either a hot spot or campus atmosphere, where connectivity is always a
A WLAN is configured with webauth for web-based authentication. The switch supports the following types of web authentication:
Web Authentication – The client enters the credentials in a web page, which are then validated by the WLAN controller.
Web Consent – The WLAN controller presents a policy page with Accept/Deny buttons. Click the Accept button to access the network.
A WLAN is typically configured for open authentication, that is, without Layer 2 authentication, when a web-based authentication mechanism is used.
The following events occur when a WLAN is configured for web authentication:
1. The user opens a web browser and enters a URL, for example, http://www.example.com. The client sends out a DNS request for this URL to get the IP address of the destination. The switch lets the DNS request through to the DNS server, which responds with a DNS reply containing the IP address of www.example.com. This reply is forwarded to the wireless client.
2. The client then tries to open a TCP connection with the destination IP address. It sends out a TCP SYN packet destined to the IP address of www.example.com.
3. The switch has rules configured for the client and cannot act as a proxy for www.example.com. It sends back a TCP SYN-ACK packet to the client with the IP address of www.example.com as the source. The client sends back a TCP ACK packet to complete the three-way TCP handshake, and the TCP connection is fully established.
4. The client sends an HTTP GET packet destined to www.example.com. The switch intercepts this packet and sends it for redirection handling. The HTTP application gateway prepares an HTML body and sends it back as the reply to the HTTP GET requested by the client. This HTML makes the client go to the default web page of the switch, for example, http://<Virtual-Server-IP>/login.html.
5. The client closes the TCP connection with the IP address of www.example.com.
6. To reach the virtual IP, the client tries to open a TCP connection with the virtual IP address of the switch. It sends a TCP SYN packet for the virtual IP to the switch.
7. The switch responds with a TCP SYN-ACK, and the client sends back a TCP ACK to the switch to complete the handshake.
8. The client sends an HTTP GET for /login.html destined to the virtual IP to request the login page.
9. This request is allowed to reach the web server of the switch, and the server responds with the default login page. The client receives the login page in the browser window, where the user can log in.
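The pre-authentication policy behind the steps above, written out as an added, hypothetical simulation (not Cisco's code): DHCP and DNS pass through, HTTP to any destination and anything addressed to the switch's virtual IP are intercepted so the gateway can serve the redirect or the login page, and all other IP traffic is dropped until the client logs in. The virtual IP, the credential store and the Packet/Action types are constructed for the example.

```python
"""Simulation of a web-auth switch's per-client pre-auth policy (hypothetical)."""
from dataclasses import dataclass, field
from enum import Enum

VIRTUAL_IP = "192.0.2.1"  # constructed stand-in for <Virtual-Server-IP>
LOGIN_URL = f"http://{VIRTUAL_IP}/login.html"


class Action(Enum):
    FORWARD = "forward"      # pass to the real destination
    DROP = "drop"            # blocked until the client authenticates
    INTERCEPT = "intercept"  # answered by the switch's HTTP gateway / web server


@dataclass
class Packet:
    proto: str       # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class WebAuthPolicy:
    authenticated: set = field(default_factory=set)  # client IPs that have logged in

    def classify(self, client_ip, pkt):
        if client_ip in self.authenticated:
            return Action.FORWARD                 # Layer 3 traffic unblocked after login
        if pkt.proto == "udp" and pkt.dst_port in (53, 67):
            return Action.FORWARD                 # DNS and DHCP are the only pre-auth exceptions
        if pkt.dst_ip == VIRTUAL_IP:
            return Action.INTERCEPT               # login page served by the switch itself
        if pkt.proto == "tcp" and pkt.dst_port in (80, 443):
            return Action.INTERCEPT               # switch completes the handshake and redirects
        return Action.DROP

    def redirect_response(self, pkt):
        """Reply the HTTP gateway returns to an intercepted GET: HTML that sends
        the browser to the switch's login page. Non-GET requests get no reply."""
        request_line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        if not request_line.startswith("GET "):
            return None
        body = f'<html><head><meta http-equiv="refresh" content="0; url={LOGIN_URL}"></head></html>'
        return ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                f"Content-Length: {len(body)}\r\n\r\n{body}")

    def login(self, client_ip, username, password, credentials):
        """Validate against a constructed credential dict; a real controller
        would check a local database or a RADIUS server."""
        if credentials.get(username) == password:
            self.authenticated.add(client_ip)
            return True
        return False
```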