Web authentication is a Layer 3 security feature and the switch disallows IP traffic (except DHCP and DNS -related packets) from a particular client until it supplies a valid username and password. It is a simple authentication method without the need for a supplicant or client utility. Web authentication is typically used by customers who deploy a guest-access network. Traffic from both, HTTP and HTTPS, page is allowed to display the login page.
Web authentication does not provide data encryption and is typically used as simple guest access for either a hot spot or campus atmosphere, where connectivity is always a factor.
A WLAN is configured as security webauth for web based authentication. The switch supports the following types of web based authentication:
Web Authentication – The client enters the credentials in a web page which is then validated by the Wlan controller.
Web Consent – The Wlan controller presents a policy page with Accept/Deny buttons. Click Accept button to access the network.
A Wlan is typically configured for open authentication, that is without Layer 2 authentication, when web-based authentication mechanism is used.
The following events occur when a WLAN is configured for web authentication:
The user opens a web browser and enters a URL address, for example, http://www.example.com. The client sends out a DNS request for this URL to get the IP address for the destination. The switch bypasses the DNS request to the DNS server, which in turn responds with a DNS reply that contains the IP address of the destination www.example.com. This, in turn, is forwarded to the wireless clients.
The client then tries to open a TCP connection with the destination IP address. It sends out a TCP SYN packet destined to the IP address of www.example.com.
The switch has rules configured for the client and cannot act as a proxy for www.example.com. It sends back a TCP SYN-ACK packet to the client with source as the IP address of www.example.com. The client sends back a TCP ACK packet in order to complete the three-way TCP handshake and the TCP connection is fully established.
The client sends an HTTP GET packet destined to www.example.com. The switch intercepts this packet and sends it for redirection handling. The HTTP application gateway prepares an HTML body and sends it back as the reply to the HTTP GET requested by the client. This HTML makes the client go to the default web-page of the switch, for example, http://<Virtual-Server-IP>/login.html.
The client closes the TCP connection with the IP address, for example, www.example.com.
If the client wants to go to virtual IP, the client tries to open a TCP connection with the virtual IP address of the switch. It sends a TCP SYN packet for virtual IP to the switch.
The switch responds back with a TCP SYN-ACK and the client sends back a TCP ACK to the switch in order to complete the handshake.
The client sends an HTTP GET for /login.html destined to virtual IP in order to request for the login page.
This request is allowed to the web server of the switch, and the server responds with the default login page. The client receives the login page in the browser window where the user can log in.
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.