Configuring IPv6 Web Authentication
Download this chapter
Configuring IPv6 Web Authentication Configuring IPv6 Web Authentication
 Feedback

Configuring IPv6 Web Authentication

Prerequisites for IPv6 Web Authentication

The following configurations must be in place before you start with IPv6 Web Authentication:

  • IPv6 Device Tracking.
  • IPv6 DHCP Snooping.
  • Disable security of type 802.1x on the wlan.
  • Each WLAN must have a vlan associated to it.
  • Change the default wlan setting from shutdown to no shutdown.

Restrictions for IPv6 Web Authentication

The following restrictions are implied when using IPv6 web authentication:

Information About IPv6 Web Authentication

Web authentication is a Layer 3 security feature and the switch disallows IP traffic (except DHCP and DNS -related packets) from a particular client until it supplies a valid username and password. It is a simple authentication method without the need for a supplicant or client utility. Web authentication is typically used by customers who deploy a guest-access network. Traffic from both, HTTP and HTTPS, page is allowed to display the login page.


Note
Web authentication does not provide data encryption and is typically used as simple guest access for either a hot spot or campus atmosphere, where connectivity is always a factor.

A WLAN is configured as security webauth for web based authentication. The switch supports the following types of web based authentication:

  • Web Authentication – The client enters the credentials in a web page which is then validated by the Wlan controller.
  • Web Consent – The Wlan controller presents a policy page with Accept/Deny buttons. Click Accept button to access the network.

A Wlan is typically configured for open authentication, that is without Layer 2 authentication, when web-based authentication mechanism is used.

Web Authentication Process

The following events occur when a WLAN is configured for web authentication:

  • The user opens a web browser and enters a URL address, for example, http://www.example.com. The client sends out a DNS request for this URL to get the IP address for the destination. The switch bypasses the DNS request to the DNS server, which in turn responds with a DNS reply that contains the IP address of the destination www.example.com. This, in turn, is forwarded to the wireless clients.
  • The client then tries to open a TCP connection with the destination IP address. It sends out a TCP SYN packet destined to the IP address of www.example.com.
  • The switch has rules configured for the client and cannot act as a proxy for www.example.com. It sends back a TCP SYN-ACK packet to the client with source as the IP address of www.example.com. The client sends back a TCP ACK packet in order to complete the three-way TCP handshake and the TCP connection is fully established.
  • The client sends an HTTP GET packet destined to www.example.com. The switch intercepts this packet and sends it for redirection handling. The HTTP application gateway prepares an HTML body and sends it back as the reply to the HTTP GET requested by the client. This HTML makes the client go to the default web-page of the switch, for example, http://<Virtual-Server-IP>/login.html.
  • The client closes the TCP connection with the IP address, for example, www.example.com.
  • If the client wants to go to virtual IP, the client tries to open a TCP connection with the virtual IP address of the switch. It sends a TCP SYN packet for virtual IP to the switch.
  • The switch responds back with a TCP SYN-ACK and the client sends back a TCP ACK to the switch in order to complete the handshake.
  • The client sends an HTTP GET for /login.html destined to virtual IP in order to request for the login page.
  • This request is allowed to the web server of the switch, and the server responds with the default login page. The client receives the login page in the browser window where the user can log in.

How to Configure IPv6 Web Authentication

Disabling WPA

Before You Begin

Disable 802.1x. A typical web authentication does not use Layer 2 security. Use this configuration to remove Layer 2 security.

SUMMARY STEPS

    1.    configure terminal

    2.    wlan test1 2 test1

    3.    no security wpa


DETAILED STEPS
     Command or ActionPurpose
    Step 1configure terminal


    Example:
    
Switch# configure terminal
     

    Enters the global configuration mode.

     
    Step 2wlan test1 2 test1


    Example: 
    Switch(config)# wlan test1 2 test1
     

    Creates a WLAN and assign an SSID to it.

     
    Step 3no security wpa


    Example:
    Switch(config-wlan)# no security wpa
     

    Disables the WPA support for Wlan.

     
    What to Do Next

    Enable the following:

    • Security Web Authentication.
    • Parameter Local.
    • Authentication List.

    Enabling Security on the WLAN

    SUMMARY STEPS

      1.    parameter-map type web-auth global

      2.    virtual-ip ipv4 192.0.2.1

      3.    virtual-ip ipv6 2001:db8::24:2


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 parameter-map type web-auth global


      Example: 
      Switch(config)# parameter-map type web-auth global
       

      Applies the parameter map to all the web-auth wlans.

       
      Step 2 virtual-ip ipv4 192.0.2.1


      Example: 
      Switch(config-params-parameter-map)# virtual-ip ipv4 192.0.2.1
       

      Defines the virtual gateway IPv4 address.

       
      Step 3 virtual-ip ipv6 2001:db8::24:2


      Example: 
      Switch(config-params-parameter-map)# virtual-ip ipv6 2001:db8::24:2
       

      Defines the virtual gateway IPv6 address.

       

      Enabling a Parameter Map on the WLAN

      SUMMARY STEPS

        1.    security web-auth parameter-map <mapname>


      DETAILED STEPS
         Command or ActionPurpose
        Step 1security web-auth parameter-map <mapname>


        Example: 
        Switch(config-wlan)# security web-auth parameter-map webparalocal
         

        Enables web authentication for the wlan and creates a parameter map.

         

        Enabling Authentication List on WLAN

        SUMMARY STEPS

          1.    security web-auth authentication-list webauthlistlocal


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 security web-auth authentication-list webauthlistlocal


          Example: 
          Switch(config-wlan)# security web-auth
           

          Enables web authentication for the wlan and creates a local web authentication list.

           

          Configuring a Global WebAuth WLAN Parameter Map

          Use this example to configure a global web auth WLAN and add a parameter map to it.

          SUMMARY STEPS

            1.    parameter-map type webauth global

            2.    virtual-ip ipv6 2001:db8:4::1

            3.    ratelimit init-state-sessions 120

            4.    max-https-conns 70


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 parameter-map type webauth global


            Example: 
            Switch (config)# parameter-map type webauth global
             

            Configures a global webauth and adds a parameter map to it.

             
            Step 2virtual-ip ipv6 2001:db8:4::1


            Example: 
            Switch (config-params-parameter-map)# virtual-ip ipv6 2001:db8:4::1
             

            Defines a virtual gateway IP address that appears to the wireless clients for authentication.

             
            Step 3 ratelimit init-state-sessions 120


            Example: 
            Switch (config-params-parameter-map)# ratelimit init-state-sessions 120
             

            Sets the global ratelimit to limit the bandwidth that the web clients can use on the switch to avoid over-flooding attacks.

             
            Step 4 max-https-conns 70


            Example: 
            Switch (config-params-parameter-map)# max-http-conns 70
             

            Sets the maximum number of attempted http connections on the switch to avoid over-flooding atatcks.

             

            Configuring the WLAN

            Before You Begin
            • The WLAN must have a Vlan associated with it. By default, a new Wlan is always associated with Vlan 1, which can be changed as per the configuration requirements.
            • Configure and enable the WLAN to no shutdown. By default, the Wlan is configured with the shutdown parameter and is disabled.
            SUMMARY STEPS

              1.    wlan 1

              2.    client vlan interface ID

              3.    security web-auth authentication list webauthlistlocal

              4.    security web-auth parameter-map global

              5.    no security wpa

              6.    no shutdown

              7.    end


            DETAILED STEPS
               Command or ActionPurpose
              Step 1 wlan 1


              Example: 
              Switch(config-wlan)# wlan 1 name vicweb ssid vicweb
               

              Creates a wlan and assign an SSID to it.

               
              Step 2client vlan interface ID


              Example:
              Switch(config-wlan)# client vlan VLAN0136
               

              Assigns the client to vlan interface.

               
              Step 3security web-auth authentication list webauthlistlocal


              Example:
              Switch(config-wlan)# security web-auth authentication-list webauthlistlocal
               

              Configures web authentication for the wlan.

               
              Step 4 security web-auth parameter-map global


              Example:
              Switch(config-wlan)# security web-auth parameter-map global
               

              Configures the parameter map on the wlan.

               
              Step 5no security wpa


              Example:
              Switch(config-wlan)# no security wpa
               

              Configures the security policy for a wlan. This enables the wlan.

               
              Step 6no shutdown


              Example:
              Switch(config-wlan)# no shutdown
               

              Configures and enables the Wlan.

               
              Step 7end


              Example:
              Switch(config)# end
               

              Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode.

               

              Enabling IPv6 in Global Configuration Mode

              Enable IPv6 in global configuration for web authentication.

              SUMMARY STEPS

                1.    configure terminal

                2.    web-auth global

                3.    virtual IPv6


              DETAILED STEPS
                 Command or ActionPurpose
                Step 1 configure terminal


                Example: 
                Switch# configure terminal
                 

                Enters global configuration mode.

                 
                Step 2web-auth global


                Example:
                Switch(config)# parameter-map type webauth global
                 

                Globally configures the parameter map type as web authentication.

                 
                Step 3virtual IPv6


                Example:
                Switch(config-params-parameter-map)# virtual-ip ipv6
                 
                Selects IPv6 as the virtaul IP for web authentication.
                Note   

                You can also select IPv4 as the preferred IP for web authentication.

                 

                Verifying IPv6 Web Authentication

                Verifying the Parameter Map

                Use the show running configuration command to verify the parameter map configured for Wlan.

                SUMMARY STEPS

                  1.    show running config


                DETAILED STEPS
                   Command or ActionPurpose
                  Step 1show running config


                  Example: 
                  Switchshow running config
                   

                  Displays the entire running configuration for the switch. Grep for parameter map to view the result.

                    

                  wlan alpha 2 alpha
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list webauthlistlocal
 security web-auth parameter-map webparalocal

                  Verifying Authentication List

                  Use the show running configuration command to verify the authentication list configured for the Wlan.

                  SUMMARY STEPS

                    1.    show running configuration

                    2.    end


                  DETAILED STEPS
                     Command or ActionPurpose
                    Step 1show running configuration


                    Example: 
                    Switch#show running-config
                     

                    Displays the Wlan configuration.

                    Switch# show running-config
                     
                    Step 2end


                    Example:
                    Switch(config)# end
                     

                    Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode.

                      

                    Switch#show running-config
 ..................................
 ..................................
 ..................................
 wlan alpha 2 alpha
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security web-auth
 security web-auth authentication-list webauthlistlocal
 security web-auth parameter-map webparalocal
 ..................................
 ..................................
 ..................................