Use the web-based authentication feature, known as web authentication proxy, to authenticate end users on host systems that do not run the IEEE 802.1x supplicant.
Note: You can configure web-based authentication on Layer 2 and Layer 3 interfaces.
When you initiate an HTTP session, web-based authentication intercepts ingress HTTP packets from the host and sends an HTML login page to the users. The users enter their credentials, which the web-based authentication feature sends to the authentication, authorization, and accounting (AAA) server for authentication.
If authentication succeeds, web-based authentication sends a Login-Successful HTML page to the host and applies the access policies returned by the AAA server.
If authentication fails, web-based authentication forwards a Login-Fail HTML page to the user, prompting the user to retry the login. If the user exceeds the maximum number of attempts, web-based authentication forwards a Login-Expired HTML page to the host, and the user is placed on a watch list for a waiting period.
Note: HTTPS traffic interception for central web authentication redirect is not supported.
Note: Use the global parameter-map (for method-type, custom, and redirect) only when all clients and SSIDs are to use the same web authentication method (consent, webconsent, or webauth). This ensures that every client gets the same web-authentication method. If one SSID requires consent and another requires webauth, use two named parameter-maps: configure consent in the first parameter-map and webauth in the second.
Note: The traceback that you receive when a webauth client tries to authenticate has no performance or behavioral impact. It happens rarely, when the context for which FFM replied to EPM for ACL application has already been dequeued (possibly because of timer expiry) and the session becomes 'unauthorized'.
Based on where the web pages are hosted, local web authentication can be categorized as follows:
- Internal—The internal default HTML pages (Login, Success, Fail, and Expire) in the controller are used during local web authentication.
- Customized—Customized web pages (Login, Success, Fail, and Expire) are downloaded onto the controller and used during local web authentication.
- External—The customized web pages are hosted on an external web server instead of using the built-in or custom pages on the controller.
Based on the web authentication page that is presented, the types of web authentication are as follows:
- Webauth—Basic web authentication. The controller presents a policy page with user name and password fields; you must enter the correct credentials to access the network.
- Consent or web-passthrough—The controller presents a policy page with Accept and Deny buttons; you must click Accept to access the network.
- Webconsent—A combination of the webauth and consent types. The controller presents a policy page with Accept and Deny buttons along with user name and password fields; you must enter the correct credentials and click Accept to access the network.
Note: The wireless web authentication feature does not support the bypass type.
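The global-versus-named parameter-map note and the hosting and method-type categories above, as an added configuration example that is not from the original page and is not Cisco's own sample. The map names, WLAN names and IDs, the virtual IP, the flash: file names, the AAA list name, and the external portal URL and address are assumed placeholders.

```text
! Added example, not from the original page. Map names, WLAN names and IDs,
! the virtual IP, the flash: file names, the AAA list name and the external
! portal address are assumed placeholders.

! Global map: only what every SSID shares. No "type" here, because the SSIDs
! below use different methods and each gets its own named map.
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1

! SSID 1: consent (web-passthrough) using the internal default pages.
parameter-map type webauth CONSENT_MAP
 type consent

! SSID 2: webauth using customized pages copied to the controller's flash.
parameter-map type webauth WEBAUTH_MAP
 type webauth
 custom-page login device flash:login.html
 custom-page success device flash:success.html
 custom-page failure device flash:fail.html
 custom-page login expired device flash:expired.html

! SSID 3: webconsent with the pages hosted on an external web server.
parameter-map type webauth EXT_MAP
 type webconsent
 redirect for-login http://portal.example.net/login.html
 redirect portal ipv4 203.0.113.10

! Consent needs no login list; webauth and webconsent send credentials to AAA.
aaa new-model
aaa authentication login WEBAUTH_LIST local

wlan GUEST-CONSENT 1 GUEST-CONSENT
 no security wpa
 security web-auth
 security web-auth parameter-map CONSENT_MAP
 no shutdown

wlan GUEST-WEBAUTH 2 GUEST-WEBAUTH
 no security wpa
 security web-auth
 security web-auth authentication-list WEBAUTH_LIST
 security web-auth parameter-map WEBAUTH_MAP
 no shutdown

wlan GUEST-EXTERNAL 3 GUEST-EXTERNAL
 no security wpa
 security web-auth
 security web-auth authentication-list WEBAUTH_LIST
 security web-auth parameter-map EXT_MAP
 no shutdown
```

Keeping the method type out of the global map is what lets the three SSIDs coexist; if `type` were set globally, every SSID would inherit that one method. `show running-config | section parameter-map` confirms which map each setting landed in.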
Local Web Authentication Banner
With web authentication, you can create default and customized web-browser banners that appear when you log in to a switch.

The banner appears on both the login page and the authentication-result pop-up pages. The default banner messages are as follows:
- "Cisco Systems" and "Switch host-name Authentication" appear on the login page.
- "Cisco Systems" appears on the authentication-result pop-up page.

The Local Web Authentication Banner can also be configured with the legacy CLIs.
Figure 2. Authentication Successful Banner
The banner can be customized as follows:
- Add a message, such as a switch, router, or company name, to the banner.
- Add a logo or text file to the banner.
Figure 3. Customized Web Banner
If you do not enable a banner, only the username and password dialog boxes appear in the web authentication login screen, and no banner appears when you log in to the switch.

Figure 4. Login Screen With No Banner
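The banner options described in this section, as an added configuration example that is not from the original page and is not Cisco's own sample. The banner wording, the hostname, and the flash: file name are assumed placeholders; the legacy `ip admission auth-proxy-banner http` lines are given from memory of the pre-parameter-map CLI and their exact keyword set is an assumption to check against the platform command reference.

```text
! Added example, not from the original page. Banner wording, hostname and the
! flash: file name are assumed placeholders.

! Parameter-map form, text banner: ^C is the delimiting character, and the
! switch hostname is still shown with the message on the login page.
parameter-map type webauth global
 banner text ^C Corp-Switch-01 - authorized users only ^C

! Parameter-map form, file banner: a logo or text (HTML) file copied to flash:.
parameter-map type webauth WEBAUTH_MAP
 type webauth
 banner file flash:banner.html

! Legacy CLI forms (assumed pre-parameter-map syntax). The first line enables
! the default "Cisco Systems" banner; the second adds custom text with C as
! the delimiter.
ip admission auth-proxy-banner http
ip admission auth-proxy-banner http C Corp-Switch-01 - authorized users only C
```

With neither the parameter-map `banner` command nor the legacy command present, the login screen shows only the username and password dialog boxes, as Figure 4 illustrates.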
For more information, see the Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) and the Web Authentication Enhancements - Customizing Authentication Proxy Web Pages.