The following configurations must be in place before you start with IPv6 Web Authentication:
IPv6 Device Tracking.
IPv6 DHCP Snooping.
Disable security of type 802.1x on the wlan.
Each WLAN must have a vlan associated to it.
Change the default wlan setting from shutdown to no shutdown.
Restrictions for IPv6 Web Authentication
The following restrictions are implied when using IPv6 web authentication:
Information About IPv6 Web Authentication
Web authentication is a Layer 3 security feature and the
switch disallows IP traffic (except DHCP and DNS -related
packets) from a particular client until it supplies a valid username and password. It is a simple
authentication method without the need for a supplicant or client
utility. Web authentication is typically used by customers who deploy a guest-access network. Traffic from both, HTTP and HTTPS, page is allowed to display the login page.
Web authentication does not provide data
encryption and is typically used as simple guest
access for either a hot spot or campus atmosphere, where connectivity is always a factor.
A WLAN is configured as security webauth for web based authentication. The switch supports the following types of web based authentication:
Web Authentication – The client enters the credentials in a web page which is then validated by the Wlan controller.
Web Consent – The Wlan controller presents a policy page with Accept/Deny buttons. Click Accept button to access the network.
A Wlan is typically configured for open authentication, that is without Layer 2 authentication, when web-based authentication mechanism is used.
The following events occur when a WLAN is configured for web authentication:
The user opens a web browser and enters a URL address, for example, http://www.example.com. The client sends out a DNS request for this URL to get the IP address for the destination. The switch bypasses the DNS request to the DNS server, which in turn responds with a DNS reply that contains the IP address of the destination www.example.com. This, in turn, is forwarded to the wireless clients.
The client then tries to open a TCP connection with the destination IP address. It sends out a TCP SYN packet destined to the IP address of www.example.com.
The switch has rules configured for the client and cannot act as a proxy for www.example.com. It sends back a TCP SYN-ACK packet to the client with source as the IP address of www.example.com. The client sends back a TCP ACK packet in order to complete the three-way TCP handshake and the TCP connection is fully established.
The client sends an HTTP GET packet destined to www.example.com. The switch intercepts this packet and sends it for redirection handling. The HTTP application gateway prepares an HTML body and sends it back as the reply to the HTTP GET requested by the client. This HTML makes the client go to the default web-page of the switch, for example, http://<Virtual-Server-IP>/login.html.
The client closes the TCP connection with the IP address, for example, www.example.com.
If the client wants to go to virtual IP, the client tries to open a TCP connection with the virtual IP address of the switch. It sends a TCP SYN packet for virtual IP to the switch.
The switch responds back with a TCP SYN-ACK and the client sends back a TCP ACK to the switch in order to complete the handshake.
The client sends an HTTP GET for /login.html destined to virtual IP in order to request for the login page.
This request is allowed to the web server of the switch, and the server responds with the default login page. The client receives the login page in the browser window where the user can log in.
How to Configure IPv6 Web Authentication
Before You Begin
Disable 802.1x. A typical web authentication does not use Layer 2 security. Use this configuration to remove Layer 2 security.
2.wlan test1 2 test1
Command or Action
Switch# configure terminal
Enters the global configuration mode.
wlan test1 2 test1
Switch(config)# wlan test1 2 test1
Creates a WLAN and assign an SSID to it.
Switch(config-wlan)# no security wpa
Disables the WPA support for Wlan.
What to Do Next
Enable the following:
Security Web Authentication.
Enabling Security on the WLAN
1.parameter-map type web-auth global
2.virtual-ip ipv4 192.0.2.1
3.virtual-ip ipv6 2001:db8::24:2
Command or Action
parameter-map type web-auth global
Switch(config)# parameter-map type web-auth global
Applies the parameter map to all the web-auth wlans.