Configuring IPv6 Web Authentication
Prerequisites for IPv6 Web Authentication
The following configurations must be in place before you start with IPv6 Web Authentication:
Restrictions for IPv6 Web Authentication
The following restrictions are implied when using IPv6 web authentication:
Information About IPv6 Web Authentication
Web authentication is a Layer 3 security feature: the switch disallows IP traffic (except DHCP- and DNS-related packets) from a particular client until that client supplies a valid username and password. It is a simple authentication method that does not need a supplicant or client utility. Web authentication is typically used by customers who deploy a guest-access network. Both HTTP and HTTPS traffic is allowed so that the login page can be displayed.
Note: Web authentication does not provide data encryption and is typically used as simple guest access for either a hot spot or campus atmosphere, where connectivity is always a factor.
A WLAN is configured as security webauth for web-based authentication. The switch supports the following types of web-based authentication:
- Web Authentication – The client enters the credentials in a web page, and the WLAN controller then validates them.
- Web Consent – The WLAN controller presents a policy page with Accept/Deny buttons. The user clicks the Accept button to access the network.
A WLAN is typically configured for open authentication, that is, without Layer 2 authentication, when the web-based authentication mechanism is used.
Web Authentication Process
The following events occur when a WLAN is configured for web authentication:
The user opens a web browser and enters a URL address, for example, http://www.example.com. The client sends out a DNS request for this URL to get the IP address for the destination. The switch passes the DNS request through to the DNS server, which responds with a DNS reply that contains the IP address of the destination www.example.com. This reply, in turn, is forwarded to the wireless client.
The client then tries to open a TCP connection with the destination IP address. It sends out a TCP SYN packet destined to the IP address of www.example.com.
The switch has rules configured for the client and cannot act as a proxy for www.example.com. It sends back a TCP SYN-ACK packet to the client with source as the IP address of www.example.com. The client sends back a TCP ACK packet in order to complete the three-way TCP handshake and the TCP connection is fully established.
The client sends an HTTP GET packet destined to www.example.com. The switch intercepts this packet and sends it for redirection handling. The HTTP application gateway prepares an HTML body and sends it back as the reply to the HTTP GET requested by the client. This HTML makes the client go to the default web-page of the switch, for example, http://<Virtual-Server-IP>/login.html.
The client closes the TCP connection with the IP address, for example, www.example.com.
If the client wants to go to the virtual IP, the client tries to open a TCP connection with the virtual IP address of the switch. It sends a TCP SYN packet for the virtual IP to the switch.
The switch responds with a TCP SYN-ACK and the client sends back a TCP ACK to the switch in order to complete the handshake.
The client sends an HTTP GET for /login.html destined to the virtual IP in order to request the login page.
This request is allowed to the web server of the switch, and the server responds with the default login page. The client receives the login page in the browser window where the user can log in.
How to Configure IPv6 Web Authentication
Disabling WPA
Disable 802.1x. A typical web authentication does not use Layer 2 security. Use this configuration to remove Layer 2 security.
DETAILED STEPS
Enable the following:
Enabling Security on the WLAN
1. parameter-map type webauth global
2. virtual-ip ipv4 192.0.2.1
3. virtual-ip ipv6 2001:db8::24:2
DETAILED STEPS
Enabling a Parameter Map on the WLAN
1. security web-auth parameter-map <mapname>
DETAILED STEPS
Enabling Authentication List on WLAN
1. security web-auth authentication-list webauthlistlocal
DETAILED STEPS
Configuring a Global WebAuth WLAN Parameter Map
Use this example to configure a global web auth WLAN and add a parameter map to it.
1. parameter-map type webauth global
2. virtual-ip ipv6 2001:db8:4::1
3. ratelimit init-state-sessions 120
4. max-https-conns 70
DETAILED STEPS
Configuring the WLAN
1. wlan 1
2. client vlan interface ID
3. security web-auth authentication-list webauthlistlocal
4. security web-auth parameter-map global
5. no security wpa
6. no shutdown
7. end
DETAILED STEPS
Enabling IPv6 in Global Configuration Mode
Enable IPv6 in global configuration for web authentication.
1. configure terminal
2. web-auth global
3. virtual IPv6
DETAILED STEPS
Verifying IPv6 Web Authentication
Verifying the Parameter Map
Use the show running-config command to verify the parameter map configured for the WLAN.
1. show running-config
DETAILED STEPS
wlan alpha 2 alpha
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth authentication-list webauthlistlocal
security web-auth parameter-map webparalocal
Verifying Authentication List
Use the show running-config command to verify the authentication list configured for the WLAN.
1. show running-config
2. end
DETAILED STEPS
Switch#show running-config
..................................
..................................
..................................
wlan alpha 2 alpha
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth authentication-list webauthlistlocal
security web-auth parameter-map webparalocal
..................................
..................................
..................................
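The two verification steps above can be scripted against saved `show running-config` text. The following Python is an added example, not Cisco's code; the function names, the finding strings and the failing WLAN "beta" are assumptions made for illustration, and the sample configuration is constructed from the output shown on this page.

```python
import re

# Constructed sample shaped like the page's output; WLAN "beta" is invented to fail.
SAMPLE_CONFIG = """\
parameter-map type webauth global
 virtual-ip ipv6 2001:db8:4::1
!
wlan alpha 2 alpha
 no security wpa
 security web-auth
 security web-auth authentication-list webauthlistlocal
 security web-auth parameter-map webparalocal
!
wlan beta 3 beta
 security web-auth
 security web-auth parameter-map global
"""

WLAN_CHECKS = [  # (required line, finding if absent); trailing space = takes an argument
    ("security web-auth", "web-auth not enabled"),
    ("no security wpa", "WPA (Layer 2 security) not disabled"),
    ("security web-auth authentication-list ", "no authentication-list bound"),
    ("security web-auth parameter-map ", "no parameter-map bound"),
]

def parse_sections(config):
    # Group sub-commands under each `wlan ...` / `parameter-map ...` header line.
    sections, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if re.match(r"(wlan|parameter-map)\s", line):
            current = sections.setdefault(line, [])
        elif line in ("", "!"):
            current = None  # "!" separates sections in IOS output
        elif current is not None:
            current.append(line)
    return sections

def has(lines, want):
    # Prefix match for commands that take an argument, exact match otherwise.
    return any(l.startswith(want) if want.endswith(" ") else l == want for l in lines)

def audit(config):
    # Returns {"global" or WLAN profile name: [findings]}; an empty list is a pass.
    sections = parse_sections(config)
    glob = sections.get("parameter-map type webauth global", [])
    report = {"global": [] if has(glob, "virtual-ip ipv6 ") else ["no virtual-ip ipv6"]}
    for header, lines in sections.items():
        if header.startswith("wlan "):
            report[header.split()[1]] = [msg for want, msg in WLAN_CHECKS if not has(lines, want)]
    return report
```

Calling `audit(SAMPLE_CONFIG)` returns an empty finding list for `global` and `alpha`, and two findings for `beta`.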
Additional References
Related Documents
| Related Topic | Document Title |
|---|---|
| IPv6 command reference | IPv6 Command Reference (Catalyst 3650 Switches) |
| Web Authentication configuration | Security Configuration Guide (Catalyst 3650 Switches) |
Error Message Decoder
| Description | Link |
|---|---|
| To help you research and resolve system error messages in this release, use the Error Message Decoder tool. | https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi |
MIBs
| MIB | MIBs Link |
|---|---|
| All supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
| Description | Link |
|---|---|
| The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | |
Feature Information for IPv6 Web Authentication
| Feature | Release | Modification |
|---|---|---|
| IPv6 Web Authentication Functionality | Cisco IOS XE 3.3SE | This feature was introduced. |
