Web-Based Authentication

This chapter describes how to configure web-based authentication on the device.

Local web authentication

Local web authentication is a network security mechanism that

  • authenticates users through a web browser login page

  • enables access control on host systems that do not run IEEE 802.1X supplicants, and

  • communicates with authentication, authorization, and accounting (AAA) servers to enforce security policies.

Feature history

Feature Name                          Release               Description
Built-in Captive Portal Improvement   Cisco IOS XE 17.1.1   Introduces support for special characters in the login portal banner title and banner text, doubles the supported banner text length to 400 characters, and introduces the exec-character-bits command.

Presentation options for local web authentication web pages

Local web authentication intercepts HTTP sessions on Layer 2 interfaces, and in some cases, Layer 3 interfaces (with restrictions for some switch models). When users try to access the network, local web authentication displays a login page and verifies user credentials with AAA servers, granting or denying access accordingly.

Local web authentication is categorized by the location where its web pages are hosted.

  • Internal: Uses HTML pages (login, success, fail, and expire) stored on the controller.

  • Customized: Uses customized HTML pages (login, success, fail, and expire) downloaded onto the controller for a customized user experience.

  • External: Uses HTML pages hosted on an external web server.

We recommend that you follow the Cisco guidelines to create a customized web authentication login page. If you use the latest versions of Google Chrome or Mozilla Firefox browsers, ensure that your webauth bundle uses this line in the login.html file:
<body onload="loadAction();">

Web authentication modes

The types of web authentication differ according to the available web authentication pages.

  • Webauth: The controller displays a page with user name and password fields. Users enter valid credentials to gain network access.

  • Consent or web-passthrough: The controller presents a policy page with Accept and Deny buttons. Users click Accept to access the network; no credentials are required.

  • Webconsent: Combines Webauth and Consent. The controller displays a policy page with Accept and Deny buttons together with user name and password fields. Users must enter valid credentials and click Accept to access the network.

Additional reference information

  • You can view the webauth parameter-map information using the show running-config command.

  • Occasional tracebacks during client authentication do not affect performance or behavior. They can occur when Flexible Forwarding Mode (FFM) replies to the Endpoint Profiler Module (EPM) for ACL application after the session has already been dequeued, usually because a timer expired or the session became unauthorized.

  • Apply web authentication methods (consent, web consent, or webauth) using either the global or a named parameter-map under the WLAN (for method-type, custom, and redirect). If you do not configure a parameter-map under the WLAN, the global parameter-map applies by default.

  • You can configure web-based authentication on Layer 2 and Layer 3 interfaces.

  • When a client reaches the maximum number of HTTP connections (200 when the limit is configured), the device sends Transmission Control Protocol (TCP) resets and excludes the client.

How local web authentication works

Summary

Local web authentication enables secure network access for clients by prompting users to authenticate through a web login page. The process coordinates actions between the user, the authentication server, and the network switch. The key components are:

  • User: Initiates the HTTP session and enters authentication credentials.

  • Network switch: Intercepts traffic, presents login pages, applies policies, and communicates with the authentication server.

  • Authentication server: Verifies credentials and provides policy enforcement details.

Workflow

These are the stages of the process.

  1. Session initiation: The user starts an HTTP session by attempting to access the network.
  2. Traffic interception and login page presentation: The network switch intercepts the HTTP request and triggers the authorization process. It presents a login page for the user to enter their username and password.
  3. Credential submission and authentication: When the user submits credentials, the switch forwards them to the authentication server.
  4. Authentication outcome:
    • If authentication succeeds, the switch downloads and activates the user’s access policy from the server, then displays a login success page.
    • If authentication fails, the switch displays a login failure page. The user can retry; after a maximum number of failures, the login expired window is shown, and the host is put on a watch list. After a timeout, the user may try again.
  5. Server non-response handling: If the authentication server does not respond, and an AAA fail policy is in place, the switch applies the failure policy to the host and displays a login success page.
  6. Reauthentication triggers: The switch reauthenticates a client if the host does not respond to an ARP probe (Layer 2) or does not send traffic within the idle timeout (Layer 3).
  7. Session timeout enforcement: The switch applies either the session timeout configured locally or the one provided by the server. From Cisco IOS XE 16.1.1 onward, the default local web authentication session timeout on the controller is 1800 seconds; before Cisco IOS XE Denali 16.1.1, the default session timeout was infinite.
  8. Session termination:
    • If the terminate action is set to RADIUS, the switch sends a nonresponsive host request to the server; the server’s response dictates the next action.
    • If the terminate action is set to default, the switch dismantles the session and removes the access policy.
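The eight stages above describe a small state machine. The following Python model is added here as an example and is not part of the Cisco documentation or software: it walks a constructed session through those states, covering the failure counter and watch list behind the Expire page, the AAA fail policy applied when the server does not answer, and the session timeout. The credential store, the `unreachable` user that simulates a silent server, the policy names and the timer values are this example's own. One behaviour the page does not specify (a silent server when no fail policy is configured) is treated as a failed attempt and is marked as an assumption in the code.

```python
"""Model of the local web authentication workflow (added example, not Cisco code)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed credential store standing in for the AAA server (example data only).
USERS = {"alice": "correct-horse-battery-staple"}


def aaa_lookup(username: str, password: str) -> Optional[dict]:
    """Stand-in AAA server. None models a server that never answers."""
    if username == "unreachable":            # constructed trigger for a silent server
        return None
    if USERS.get(username) == password:
        return {"ok": True, "policy": "dacl-permit-intranet"}   # example policy name
    return {"ok": False}


@dataclass
class WebAuthSession:
    """One host's local web authentication session as seen by the switch."""
    host: str
    max_failures: int = 3            # failed logins before the Expire page (example value)
    watch_seconds: int = 60          # time on the watch list before a retry is accepted (example value)
    session_timeout: int = 1800      # local default from Cisco IOS XE 16.1.1 onward
    fail_policy: Optional[str] = None  # AAA fail policy applied when the server does not answer
    state: str = "login"             # login | fail | expire | success
    failures: int = 0
    watch_until: int = 0
    expires_at: Optional[int] = None
    policy: Optional[str] = None

    def login(self, username: str, password: str, now: int,
              aaa: Callable[[str, str], Optional[dict]] = aaa_lookup) -> str:
        """Handle one credential submission; return the page the user sees."""
        if self.state == "success":
            return "success"
        if now < self.watch_until:
            return "expire"                      # still on the watch list: retry ignored
        if self.state == "expire":               # watch list timeout elapsed: start over
            self.state, self.failures = "login", 0
        verdict = aaa(username, password)
        if verdict is None:                      # stage 5: the server did not respond
            if self.fail_policy is not None:
                return self._grant(self.fail_policy, now)
            # Assumption: without a fail policy a silent server counts as a failed attempt.
            return self._fail(now)
        if verdict["ok"]:
            return self._grant(verdict["policy"], now)
        return self._fail(now)

    def _grant(self, policy: str, now: int) -> str:
        self.state, self.policy = "success", policy
        self.expires_at = now + self.session_timeout
        return "success"

    def _fail(self, now: int) -> str:
        self.failures += 1
        if self.failures >= self.max_failures:   # stage 4: too many failures
            self.state = "expire"
            self.watch_until = now + self.watch_seconds
            return "expire"
        self.state = "fail"
        return "fail"

    def tick(self, now: int) -> str:
        """Stages 7 and 8: tear the session down once the session timeout has passed."""
        if self.state == "success" and self.expires_at is not None and now >= self.expires_at:
            self.state, self.policy, self.expires_at = "login", None, None
        return self.state


if __name__ == "__main__":
    s = WebAuthSession("10.0.0.5")
    for t, pw in ((0, "wrong"), (1, "wrong"), (2, "wrong"), (10, USERS["alice"]), (62, USERS["alice"])):
        print(t, s.login("alice", pw, now=t), s.state)
    print(s.tick(62 + 1800))
```

The model makes the order of checks explicit: a host on the watch list is refused before the switch even consults the server, and a successful login started from the Expire state resets the failure counter.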

Result

The user either gains network access based on successful authentication and applied policies, or is denied access as dictated by the authentication outcome, failure policies, or timeout mechanisms.

Restrictions

  • You cannot configure bypass authentication with the wireless web authentication feature.

  • The redirect login URL specified in the web authentication parameter map does not change until an AP rejoins. To update the redirect login URL, enable and then disable the WLAN.

  • If authentication fails, users receive a failure page and can try to log in again. If the number of allowed attempts is exceeded, users may be excluded and receive a specific reason for the exclusion.

  • Use the local web authentication feature to authenticate end users on host systems that do not run the IEEE 802.1x supplicant.

Roles of devices in local web authentication

In a local web authentication scenario, network devices assume specific roles to manage authentication and access to the LAN:

  • Client: A device, such as a workstation, that requests network access and responds to authentication requests from the switch. The client must have an HTML browser with JavaScript enabled.

  • Authentication server: A server that validates the identity of the client. The authentication server notifies the switch if the client is allowed or denied access to the LAN and related services.

  • Switch: A network device that manages physical access to the network based on the authentication status of the client. The switch relays identity information and authorization responses between the client and the authentication server.

These device roles work together to ensure secure access control through local web authentication processes.

Figure 1. Local web authentication device roles
Diagram showing the roles of the client, switch, and authentication server in local web authentication

Banner messages for local web authentication

Local web authentication banners provide visual feedback to users during authentication on switches. These banners can display default or customized messages and may include additional branding or information on login and result screens.

Default banner messages

When web authentication is enabled, one of these default messages appears on the login page and on the authentication result pop-up page:

  • Authentication Successful

  • Authentication Failed

  • Authentication Expired

Commands to configure local web authentication banner

You can configure the local web authentication banner using the new style (Session-aware) CLI mode.

Use these commands in global configuration mode:

Device(config)# parameter-map type webauth global
Device(config-params-parameter-map)# banner ?
  file   <file-name>
  text   <banner-text>
  title  <banner-title>

To add a custom text message (such as the switch, router, or company name) to the banner, use the banner text command:

Device(config)# parameter-map type webauth global
Device(config-params-parameter-map)# banner text <text>

To add a logo or a text file to the banner, use the banner file command with the path to the file:

Device(config)# parameter-map type webauth global
Device(config-params-parameter-map)# banner file <filepath>

Banner examples

Figure 2. Customized web banner: Authentication Successful
Customized web banner with 'Authentication Successful'
Figure 3. Login screen with no banner
Login screen showing no banner present.

Banner usage and behavior

  • The default banners are Cisco Systems and <switch hostname> Authentication, and they appear on the login page. The Cisco Systems banner appears on the authentication result pop-up page.

  • The default banners appear unless custom banners are configured.

  • If you do not enable a banner, only the username and password dialog boxes appear in the web authentication login screen. A banner is not displayed when you log into the switch.

Authentication states in customized local web authentication

During the local web authentication process, the switch's internal HTTP server hosts four HTML pages to communicate authentication states to the client. You can replace the default internal HTML pages with your own HTML pages. You can also specify a URL to which users are redirected after authentication occurs, which replaces the internal Success page.

The four authentication pages (and states) are:

  • Login: Credentials are requested from the client.

  • Success: The client has authenticated successfully.

  • Fail: Authentication attempt failed.

  • Expire: The login session expired after excessive failures.

You must configure all four pages. You can use a logo or specify text in all four pages.

Banner examples

Figure 4. Customizable Authentication Page
Customizable Web Authentication banner

Best practices for customizing web authentication pages

  • Add appropriate text to the banner and login pages as needed.

  • Always include a valid HTML redirect command in the success page to redirect users to a specific URL after login.

  • Ensure the URL string is well-formed (for example, "http://www.cisco.com") to avoid browser errors.

  • If you configure web pages for HTTP authentication, include the appropriate HTML commands. For example, HTML commands to set the page time out, to set a hidden password, or to confirm that the same page is not submitted twice.

  • You can copy the configured web pages to the switch boot flash or the flash.

  • The login page can reside on one flash device, while the success and failure pages can be stored on another flash device.

  • You must configure all four pages.

  • All logo files—including image, flash, audio, video, and similar file types—stored in the system directory must use web_auth_<filename> as the file name. System directory examples are flash, disk0, or disk.

Restrictions for customizing web authentication pages

  • The banner page has no effect if it is configured together with a web authentication page.

  • When the configured login form is enabled, the CLI command for redirecting users to a specific URL is unavailable. Configure redirection in the web page.

  • If you enter the CLI command to redirect users to a specific URL after authentication and then configure web pages, the redirect command does not take effect.

  • The configured authentication proxy feature supports both HTTP and SSL.

Guidelines for configuring a redirection URL for Successful Login page

  • If you enable the custom authentication proxy web pages feature, you cannot use the redirection URL feature in the CLI. To redirect users after login, configure redirection in the custom login success page.

  • If you enable the redirection URL feature, the configured authorization proxy banner is not used.

  • To remove the specification of a redirection URL, use the no form of the command.

  • If a redirection URL is required after successful authentication, it must begin with a valid protocol prefix (such as http://) followed by the URL. If http:// is omitted, the browser might show a page not found error or a similar issue.

How to configure local web authentication

Configure default local web authentication

Table 1. Default local web authentication configuration

Feature                                   Default Setting
AAA                                       Disabled
RADIUS server: IP address                 None specified
RADIUS server: UDP authentication port    None specified
RADIUS server: key                        None specified
Inactivity timeout                        Enabled
Default value of inactivity timeout       3600 seconds

Configure AAA settings using the wizard

Use the AAA Wizard to add authentication, authorization, and accounting (AAA) servers and settings through a single guided interface instead of visiting several screens.

The wizard guides you through configuring RADIUS, TACACS+, and LDAP servers and through mapping AAA server groups and methods. To edit details entered with the wizard later, use the respective screens.


Note


Configure attribute formats as listed in the Supported authentication and authorization attribute formats section to ensure transactions are not treated as failures.


Before you begin

Ensure you have network information and credentials available for the AAA servers to be configured.

Procedure


Step 1

Choose Configuration > Security > AAA.

Step 2

Click + AAA Wizard.

The Add Wizard window is displayed.

Step 3

Go to the RADIUS tab.

The RADIUS server option is enabled by default. You can switch between Basic and Advanced options using the radio buttons.

  1. In the Name field, enter the name of the RADIUS server.

  2. In the IPv4 / IPv6 Server Address field, enter the IPv4 or IPv6 address, or hostname.

  3. Check the PAC Key check box to enable the Protected Access Credential (PAC) authentication key option.

  4. From the Key Type drop-down list, select the authentication key type.

  5. In the Key field, enter the authentication key.

  6. In the Confirm Key field, re-enter the authentication key.

  7. Click the Advanced radio button.

    This enables the advanced options.

  8. In the Auth Port field, enter the authentication port number.

  9. In the Acct Port field, enter the accounting port number.

  10. In the Server Timeout field, enter the timeout duration, in seconds.

  11. In the Retry Count field, enter the number of retries.

  12. In the Support for CoA field, use the toggle button to enable or disable change-of-authorization (CoA).

Step 4

To enter TACACS+ options, check the TACACS+ check box.

This enables the TACACS+ options. You can switch between Basic and Advanced options using the radio buttons.

  1. In the Name field, enter the TACACS+ server name.

  2. In the IPv4 / IPv6 Server Address field, enter the IPv4 or IPv6 address, or hostname.

  3. In the Key field, enter the authentication key.

  4. In the Confirm Key field, re-enter the authentication key.

  5. Click the Advanced radio button.

    This enables the advanced options.

  6. In the Port field, enter the port number to use.

  7. In the Server Timeout field, enter the timeout duration, in seconds.

Step 5

To enter LDAP options, check the LDAP check box.

This enables the LDAP options. You can switch between Basic and Advanced options using the radio buttons.

  1. In the Server Name field, enter the LDAP server name.

  2. In the IPv4 / IPv6 Server Address field, enter the IPv4 or IPv6 address, or hostname.

  3. In the Port Number field, enter the port number to use.

  4. From the Simple Bind drop-down list, select the authentication key type.

  5. In the User Base DN field, enter the details.

  6. Click the Advanced radio button.

    This enables the advanced options.

  7. From the User Attribute drop-down list, select the user attribute.

  8. In the User Object Type field, enter the details and click the + icon.

    The objects added are listed in the window below and you can use the x mark against each object to remove it.

  9. In the Server Timeout field, enter the timeout duration, in seconds.

  10. Check the Secure Mode check box to enable secure mode.

    Selecting the Secure Mode option enables the Trustpoint Name drop-down list.

  11. From the Trustpoint Name drop-down list, select the trustpoint.

  12. Click Next.

    This enables the Server Group Association screen; the RADIUS tab is selected by default.

Step 6

Go to the RADIUS tab.

  1. In the Name field, enter the name of the RADIUS server group.

  2. From the MAC-Delimiter drop-down list, choose the delimiter to be used in the MAC addresses that are sent to the RADIUS servers.

  3. From the MAC Filtering drop-down list, choose a value based on which to filter MAC addresses.

  4. To configure dead time for the server group and direct AAA traffic to alternative groups of servers that have different operational characteristics, in the Dead-Time field, enter the amount of time, in minutes, after which a server is assumed to be dead.

  5. Choose the servers that you want to include in the server group from the Available Servers list and move them to the Assigned Servers list.

  6. Click Next.

    The TACACS+ window is displayed if you selected TACACS+ in the server configuration.

Step 7

Use the TACACS+ window to enter details.

  1. In the Name field, enter the name of the TACACS+ server group.

  2. Choose the servers that you want to include in the server group from the Available Servers list and move them to the Assigned Servers list.

  3. Click Next.

    The LDAP window is displayed if you selected LDAP in the server configuration.

Step 8

Use the LDAP window to enter details.

  1. In the Name field, enter the name of the LDAP server group.

  2. Choose the servers that you want to include in the server group from the Available Servers list and move them to the Assigned Servers list.

Step 9

Click Next.

The MAP AAA window is displayed.

You can use the check boxes to enable the Authentication, Authorization, and Accounting tabs. You cannot deselect all three options. At least one option has to be selected.

Step 10

Use the Authentication tab to enter authentication details.

  1. In the Method List Name field, enter the name of the method list.

  2. From the Type drop-down list, choose the type of authentication you want to perform before allowing access to the network.

  3. From the Group Type drop-down list, choose whether to assign a group of servers as your access server or to use the local database on the device to authenticate access.

    If you choose the local option, the Fallback to local option is removed.

  4. Check the Fallback to local check box to use the local database as a fallback method when the servers in the group are unavailable.

  5. From the Available Server Groups list, choose the server groups you want to use to authenticate access to your network and click the > icon to move them to the Assigned Server Groups list.

Step 11

Check the Authorization check box to configure authorization details.

  1. In the Method List Name field, enter the name of the method list.

  2. From the Type drop-down list, choose the type of authorization you want to perform before allowing access to the network.

  3. From the Group Type drop-down list, choose if you want to assign a group of servers as your access server, or if you want to use a local server to authorize access.

    If you choose the local option, the Fallback to local option is removed.

  4. Check the Fallback to local check box to use the local database as a fallback method when the servers in the group are unavailable.

  5. From the Available Server Groups list, choose the server groups you want to use to authorize access to your network and click the > icon to move them to the Assigned Server Groups list.

Step 12

Check the Accounting check box to configure accounting details.

  1. In the Method List Name field, enter the name of the method list.

  2. From the Type drop-down list, choose the type of accounting you want to perform.

  3. From the Available Server Groups list, choose the server groups that should receive accounting records and click the > icon to move them to the Assigned Server Groups list.

Step 13

Click Apply to Device.


The system saves your AAA configuration, associating servers and methods as specified. AAA features are ready for use.

Configure AAA authentication (GUI)

Set up AAA authentication to control network access using the graphical interface.

Use this procedure to define and assign authentication methods and server groups for device access.

Before you begin

Confirm that server groups are configured if you plan to use them.

Procedure


Step 1

Choose Configuration > Security > AAA.

Step 2

In the Authentication section, click Add.

Step 3

In the Quick Setup: AAA Authentication window that is displayed, enter a name for your method list.

Step 4

From the Type drop-down list, choose the type of authentication you want to perform before allowing access to the network.

Step 5

From the Group Type drop-down list, choose whether to assign a group of servers as your access server or to use the local database on the device to authenticate access.

Step 6

To use the local database as a fallback method when the servers in the group are unavailable, check the Fallback to local check box.

Step 7

From the Available Server Groups list, choose the server groups you want to use to authenticate access to your network and click the > icon to move them to the Assigned Server Groups list.

Step 8

Click Save & Apply to Device.


AAA authentication is now configured and applied to the device; users will be authenticated according to the selected methods.

Configure AAA authentication (CLI)

Enable authentication, authorization, and accounting (AAA) on the device for managing login and network access methods.

AAA centralizes user authentication for device access and network services. Use a named method list or the default method list, depending on how the VTY lines are configured.

If a method list is named under the VTY lines, a matching method list must exist in the AAA configuration:

line vty 0 4
 authorization commands 15 abc
aaa authorization commands 15 abc group tacacs+

If no method list is named under the VTY lines, the default method list must exist in the AAA configuration. The aaa command is entered in global configuration mode, not under the line:

aaa authorization commands 15 default group tacacs+
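A mismatch between the list named under a VTY line and the lists defined globally is easy to miss in a long running-config. The following Python lint is an added example and not Cisco code: it applies the rule above to a constructed running-config excerpt, reporting any VTY block whose authorization or login list has no matching global aaa entry, and treating a VTY block that names no list as a reference to the default list. The configuration text and list names are constructed for the example.

```python
"""Check that every method list the VTY lines reference is defined globally.

Added example, not Cisco code. A list named under 'line vty' needs a matching
'aaa authorization commands <level> <list> ...' (or 'aaa authentication login
<list> ...') entry; a VTY block that names no list needs the 'default' entry.
"""
from __future__ import annotations
import re

VTY_RE = re.compile(r"^line vty\b")
LINE_AUTHZ_RE = re.compile(r"^\s+authorization commands (\d+) (\S+)")
LINE_LOGIN_RE = re.compile(r"^\s+login authentication (\S+)")
AAA_AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+)\s")
AAA_LOGIN_RE = re.compile(r"^aaa authentication login (\S+)\s")


def vty_blocks(config: str) -> dict[str, dict[str, str]]:
    """Map each 'line vty ...' block to the method lists it names."""
    blocks: dict[str, dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        if not line.startswith((" ", "\t")):           # a top-level command ends any line block
            current = line.strip() if VTY_RE.match(line) else None
            if current is not None:
                blocks[current] = {}
            continue
        if current is None:
            continue
        if m := LINE_AUTHZ_RE.match(line):
            blocks[current][f"authorization commands {m.group(1)}"] = m.group(2)
        elif m := LINE_LOGIN_RE.match(line):
            blocks[current]["login authentication"] = m.group(1)
    return blocks


def defined_lists(config: str) -> set[tuple[str, str]]:
    """Collect (kind, list-name) pairs defined by global aaa commands."""
    found = set()
    for line in config.splitlines():
        if m := AAA_AUTHZ_RE.match(line):
            found.add((f"authorization commands {m.group(1)}", m.group(2)))
        elif m := AAA_LOGIN_RE.match(line):
            found.add(("login authentication", m.group(1)))
    return found


def check_vty_method_lists(config: str, levels: tuple[int, ...] = (15,)) -> list[str]:
    """Return one finding per VTY block whose referenced list has no global definition."""
    defined = defined_lists(config)
    findings = []
    for block, lists in vty_blocks(config).items():
        wanted = [f"authorization commands {lvl}" for lvl in levels] + ["login authentication"]
        for kind in wanted:
            name = lists.get(kind, "default")   # no per-line list: the default list must exist
            if (kind, name) not in defined:
                findings.append(f"{block}: {kind} uses list '{name}', which has no global aaa entry")
    return findings


# Constructed running-config excerpt: the second VTY range names a list that
# was never created with 'aaa authorization commands 15 ...'.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 abc group tacacs+
line vty 0 4
 authorization commands 15 abc
 login authentication default
line vty 5 15
 authorization commands 15 missing-list
"""

if __name__ == "__main__":
    for finding in check_vty_method_lists(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config saved to a file; an empty result means every VTY range resolves to a defined list, which is the condition the note below about using the default list for features such as dACL relies on.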

Follow these steps to configure AAA authentication:


Note


Use the default list for AAA authorization if you plan to use features such as downloadable ACLs (dACL).


Before you begin

Have the TACACS+ server details (address and group name) available.

Procedure


Step 1

Enable AAA functionality.

Example:

Device(config)# aaa new-model

Step 2

Define the list of authentication methods at login.

Example:


Device(config)# aaa authentication login default group group1

The syntax is aaa authentication login {default | named_authentication_list} group AAA_group_name, where named_authentication_list is any name of up to 31 characters and AAA_group_name is the server group name. The server group (created with aaa group server) must exist before a method list references it.

Step 3

Create an authorization method list for web-based authorization.

Example:


Device(config)# aaa authorization network default group group1

Step 4

Specify an AAA server.

Example:


Device(config)# tacacs server yourserver

Step 5

Configure the IP address for the TACACS server.

Example:


Device(config-server-tacacs)# address ipv4 10.0.1.12

Step 6

(Optional) Specify the TACACS+ server with the legacy tacacs-server host command. The tacacs server name form in Steps 4 and 5 is the preferred syntax; use one form or the other.

Example:


Device(config)# tacacs-server host 10.1.1.1


Configure the HTTP or HTTPS server (GUI)

Set up HTTP and HTTPS access to enable secure web-based management of the device.

HTTP provides basic web access; HTTPS protects the connection with SSL/TLS encryption. You can configure access ports, authentication, trust points, and session policies to meet your security requirements.

Before you begin

Confirm necessary certificates are available if using HTTPS trust points.

Procedure


Step 1

Choose Administration > Management > HTTP/HTTPS/Netconf.

Step 2

In the HTTP/HTTPS Access Configuration section, enable HTTP Access and enter the port that will listen for HTTP requests. The default port is 80. Valid values are 80, and ports between 1025 and 65535.

Step 3

Enable HTTPS Access on the device and enter the port that listens for HTTPS requests. The default port is 443. Valid values are 443, and ports between 1025 and 65535. On a secure HTTP connection, data to and from the HTTP server is encrypted before it is sent over the network. HTTP with SSL/TLS encryption provides a secure connection for functions such as configuring a switch from a web browser.

Step 4

Choose the Personal Identity Verification as enabled or disabled.

Step 5

In the HTTP Trust Point Configuration section, enable Enable Trust Point to use Certificate Authority servers as trustpoints.

Step 6

From the Trust Points drop-down list, choose a trust point.

Step 7

In the Timeout Policy Configuration section, enter the HTTP timeout policy in seconds. Valid values can range from one to 600 seconds.

Step 8

Enter the idle timeout, in seconds, that is allowed before the session times out. Valid values range from 180 to 1200 seconds.

Step 9

Enter the server life time in seconds. Valid values can range from one to 86400 seconds.

Step 10

Enter the maximum number of requests the device can accept. Valid values range from one to 86400 requests.

Step 11

Save the configuration.


The device is configured for HTTP or HTTPS access according to your specified settings.

Configure the HTTP server (CLI)

Enable HTTP or HTTPS server functionality on your device to support local web authentication.

Local web authentication requires the HTTP server to be enabled on the device. You can enable the server for HTTP, HTTPS, or both; the same server supports device management and user authentication.

Some browsers, such as the Apple pseudo-browser, do not open the login page if you configure only the ip http secure-server command. Configure the ip http server command as well.

Procedure


Step 1

Enable the HTTP server. The local web authentication feature uses the HTTP server to communicate with the hosts for user authentication.

Example:


Device(config)# ip http server

Step 2

Enable HTTPS.

Example:


Device(config)# ip http secure-server

You can configure custom authentication proxy web pages or specify a redirection URL for successful login.

Note

 

To ensure secure authentication when you enter the ip http secure-server command, the login page is always in HTTPS (secure HTTP) even if the user sends an HTTP request.

Step 3

Return to privileged EXEC mode.

Example:


Device(config)# end


The device is now configured for HTTP, HTTPS, or both, which allows local web authentication and secure browser access for users.

Allow special characters for serial port

Configure the serial port to support special characters for advanced device communication.

Use this procedure when the connected device or application requires processing special characters on the serial console port.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the primary terminal line number.

Example:

Device(config)# line console 0

Step 3

Configure the idle EXEC session timeout using the exec-timeout minutes [seconds] command.

Example:

Device(config-line)# exec-timeout 12 0

Step 4

Configure login authentication for the line using the login authentication {list-name | default} command. The list can be a named authentication list or the default authentication list.

Example:

Device(config-line)# login authentication NO_LOGIN

Step 5

Configure the character width of EXEC command characters using the exec-character-bits {7 | 8} command. Use 8 to allow special (8-bit) characters.

Example:

Device(config-line)# exec-character-bits 8

Step 6

Configure the stop bits for the console port using the stopbits {1 | 1.5 | 2} command.

Example:

Device(config-line)# stopbits 1

Step 7

Return to privileged EXEC mode.

Example:

Device(config-line)# end

The serial port is now configured to support special characters according to your settings.

Allow special characters for VTY port

Enable the use of special (non-standard) characters in the banner text for Virtual Teletype (VTY) ports, which enhances customization options and supports global character sets.

You may want to allow special characters in the banner displayed on the VTY port—for example, to include accented letters, non-English text, or symbols for branding or user communication.

Before you begin

Ensure you have determined the desired banner text and any required special characters.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Create a parameter map and enter parameter-map webauth configuration mode.

Example:

Device(config)# parameter-map type webauth global

Step 3

Create a custom banner using the banner text text command.

Example:

Device(config-params-parameter-map)# banner text #Hêllö#

You can create a custom banner (of up to 400 characters) by entering c <banner-text> c, where c is a delimiting character.

If the string exceeds the maximum limit of 400 characters, an error message is displayed and the configuration is rejected. Also, the parser has a limitation of 254 characters per line (including the CLI keywords). If you want to use more than 254 characters, ensure that you split it into two or multiple lines.

The webauth login page displays only the default banner strings if the banner command is not configured.

Step 4

Return to privileged EXEC mode.

Example:

Device(config-params-parameter-map)# end

Special characters are now permitted in the VTY port banner. Your custom banner will display to users connecting through VTY, supporting internationalization and personalization requirements.
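Producing banner text lines that stay within both the 400-character banner limit and the 254-character parser line limit can be automated. The following Python helper is an added example and not Cisco code: it rejects text over 400 characters, picks a delimiting character that does not occur in the text, and wraps the text into CLI lines that stay under the parser limit with the banner text keywords counted. It assumes that the 400-character limit is measured on the banner text itself and that each line break entered at the CLI is stored as a line break in the banner; both are this example's assumptions, not statements from the page.

```python
"""Build 'banner text' CLI lines that respect the documented limits (added example, not Cisco code)."""
from __future__ import annotations
import textwrap

MAX_BANNER = 400            # banner text limit from Cisco IOS XE 17.1.1 onward
PARSER_LINE_LIMIT = 254     # CLI parser limit per line, including the keywords
KEYWORD = "banner text "


def choose_delimiter(text: str, candidates: str = "#^~@%") -> str:
    """Pick a delimiting character that does not occur in the banner itself."""
    for c in candidates:
        if c not in text:
            return c
    raise ValueError("banner text uses every candidate delimiter character")


def banner_text_lines(text: str) -> list[str]:
    """Render text as one or more CLI lines for parameter-map webauth mode.

    Assumption: the 400-character limit counts the banner text only, and a
    line break typed at the CLI becomes a line break in the stored banner.
    """
    if len(text) > MAX_BANNER:
        raise ValueError(f"banner text is {len(text)} characters; the limit is {MAX_BANNER}")
    delim = choose_delimiter(text)
    # Conservative width for every line: leave room for the keywords and both delimiters.
    width = PARSER_LINE_LIMIT - len(KEYWORD) - 2
    chunks = textwrap.wrap(text, width=width, break_long_words=True) or [""]
    chunks[0] = KEYWORD + delim + chunks[0]     # opening delimiter on the first line
    chunks[-1] = chunks[-1] + delim             # closing delimiter on the last line
    for line in chunks:
        assert len(line) <= PARSER_LINE_LIMIT   # guaranteed by the width above
    return chunks


if __name__ == "__main__":
    # Constructed sample text: 398 characters, which needs two CLI lines.
    sample = "word " * 79 + "end"
    for line in banner_text_lines(sample):
        print(line)
    print(banner_text_lines("Room #42 Hêllö"))
```

The lines are meant to be pasted one after another in parameter-map configuration mode; the parser keeps reading banner text until it sees the closing delimiter on the last line.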

Configuring HTTP and HTTPS requests for web authentication

HTTP and HTTPS access modes for web authentication

You can control HTTP and HTTPS access separately for device management (admin) and for web authentication by combining these CLI commands:

  • ip http server: Enables HTTP access to the device for administration.

  • ip http secure-server: Enables HTTPS access to the device for administration and is required for HTTPS access to web authentication.

  • webauth-http-enable (under parameter-map type webauth global): Allows HTTP access for web authentication without enabling HTTP access for administration. This command is not enabled by default.

  • secure-webauth-disable (under parameter-map type webauth global): Disables HTTPS access for web authentication only. This command is not enabled by default.

CLI combinations

The table describes the possible CLI combinations.

Each combination lists the Admin (device management) access, the Web Authentication access, and the configuration that produces it.

Combination 1: Admin HTTP No, Admin HTTPS Yes; Web Authentication HTTP Yes, HTTPS Yes
  Required configuration:
    no ip http server
    ip http secure-server
    parameter-map type webauth global
     webauth-http-enable

Combination 2: Admin HTTP No, Admin HTTPS Yes; Web Authentication HTTP No, HTTPS Yes
  Required configuration:
    no ip http server
    ip http secure-server

Combination 3: Admin HTTP No, Admin HTTPS Yes; Web Authentication HTTP Yes, HTTPS No
  Required configuration:
    no ip http server
    ip http secure-server
    parameter-map type webauth global
     webauth-http-enable
     secure-webauth-disable

Combination 4: Admin HTTP No, Admin HTTPS Yes; Web Authentication HTTP No, HTTPS No
  Required configuration:
    no ip http server
    ip http secure-server
    parameter-map type webauth global
     secure-webauth-disable

Combination 5: Admin HTTP No, Admin HTTPS No; Web Authentication HTTP No, HTTPS Yes
  Admin configuration:
    no ip http server
    no ip http secure-server
  Web Authentication configuration: Not supported (HTTPS web authentication requires ip http secure-server).

Combination 6: Admin HTTP No, Admin HTTPS No; Web Authentication HTTP Yes, HTTPS No
  Required configuration:
    no ip http server
    no ip http secure-server
    parameter-map type webauth global
     webauth-http-enable

Combination 7: Admin HTTP Yes, Admin HTTPS No; Web Authentication HTTP Yes, HTTPS No
  Required configuration:
    ip http server
    no ip http secure-server

Combination 8: Admin HTTP Yes, Admin HTTPS Yes; Web Authentication HTTP Yes, HTTPS No
  Required configuration:
    ip http server
    ip http secure-server
    parameter-map type webauth global
     secure-webauth-disable

  • For HTTP access to web authentication without enabling HTTP admin access, do not use ip http server. Instead, configure webauth-http-enable in parameter-map type webauth global mode.

  • HTTPS access for web authentication always requires ip http secure-server.

  • To disable HTTPS access for web authentication while keeping HTTPS administration, configure secure-webauth-disable.

  • These combinations give granular control over how users reach the device for management and for web authentication. Prefer the combinations that serve web authentication over HTTPS only: a login page served over HTTP sends the user's credentials in cleartext.

Limitations

These guidelines and limitations help you configure HTTP and HTTPS requests for web authentication.

  • Enable HTTPS for device management (ip http secure-server) before you enable HTTPS web authentication.

  • If secure-webauth-disable is configured and the client's initial request is https://< >, central web authentication cannot be performed.

Configuring HTTP and HTTPS Requests for Web Authentication (CLI)

To configure the HTTP and HTTPS requests being sent to the webauth module, complete the steps given below:

Procedure


Step 1

enable

Example:

Device# enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

no ip http server

Example:

Device(config)# no ip http server

Disables the HTTP server.

Step 4

ip http {server | secure-server}

Example:

Device(config)# ip http server

Enables the HTTP server or the HTTP secure server.

Step 5

parameter-map type webauth global

Example:

Device(config)# parameter-map type webauth global

Enables the global parameter map mode.

Step 6

secure-webauth-disable

Example:

Device(config-params-parameter-map)# secure-webauth-disable

Disables the HTTPS server for web authentication only.

Step 7

webauth-http-enable

Example:

Device(config-params-parameter-map)# webauth-http-enable

Enables the HTTP server for web authentication only.
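The rules behind the combinations table and the procedure above can be checked mechanically. The following Python is an added example, not Cisco code: it parses the relevant lines of a running-config (the ip http commands and the parameter-map type webauth global block), reports the effective HTTP/HTTPS exposure for administration and for web authentication, and generates the CLI for a requested exposure, rejecting the combination the table marks as not supported. It generalizes slightly beyond the table by also accepting the two trivial rows the table omits (everything disabled, everything enabled). The sample running-config is constructed for this example; its hostname and its guest parameter map are assumptions.

```python
"""Audit HTTP/HTTPS exposure of admin access and web authentication in an
IOS XE running-config.  Added example, not Cisco code: it encodes the rules of
the CLI combinations table (and the procedure that follows it) so a config can
be checked and a desired exposure turned into commands.  The sample config is
constructed for this example."""
from __future__ import annotations

import re

# Constructed "show running-config" excerpt: admin over HTTPS only, web
# authentication over HTTP only (row 3 of the table).
SAMPLE_RUNNING_CONFIG = """\
hostname WLC-EDGE
no ip http server
ip http secure-server
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 192.0.2.1
 webauth-http-enable
 secure-webauth-disable
parameter-map type webauth guest
 type consent
"""


def webauth_global_commands(config: str) -> set:
    """Sub-commands under 'parameter-map type webauth global'.  IOS XE indents
    sub-mode lines by one space; the block ends at the next unindented line."""
    commands, inside = set(), False
    for line in config.splitlines():
        if re.fullmatch(r"parameter-map type webauth global\s*", line):
            inside = True
        elif inside and line[:1] in (" ", "\t"):
            commands.add(line.strip())
        elif inside and line.strip():
            break
    return commands


def audit_http_exposure(config: str) -> dict:
    """Derive the effective exposure and the findings a reviewer would raise."""
    admin_http = bool(re.search(r"^ip http server\s*$", config, re.M))
    admin_https = bool(re.search(r"^ip http secure-server\s*$", config, re.M))
    knobs = webauth_global_commands(config)
    result = {
        "admin_http": admin_http,
        "admin_https": admin_https,
        # ip http server opens HTTP for admin and webauth alike;
        # webauth-http-enable opens it for the login page only.
        "webauth_http": admin_http or "webauth-http-enable" in knobs,
        # webauth HTTPS always rides on ip http secure-server and can be
        # switched off for the login page alone with secure-webauth-disable.
        "webauth_https": admin_https and "secure-webauth-disable" not in knobs,
        "findings": [],
    }
    if result["admin_http"]:
        result["findings"].append("admin HTTP enabled: management sessions are cleartext")
    if result["webauth_http"]:
        result["findings"].append("webauth HTTP enabled: login page can be served in cleartext")
    if not (result["webauth_http"] or result["webauth_https"]):
        result["findings"].append("webauth unreachable: no HTTP or HTTPS server for the login page")
    return result


def config_for(admin_http: bool, admin_https: bool,
               webauth_http: bool, webauth_https: bool) -> list:
    """CLI for a desired exposure; ValueError for combinations the table marks
    'Not supported' or does not list (admin HTTP on implies webauth HTTP on)."""
    if webauth_https and not admin_https:
        raise ValueError("not supported: webauth HTTPS needs ip http secure-server")
    if admin_http and not webauth_http:
        raise ValueError("not supported: ip http server also opens HTTP for webauth")
    lines = ["ip http server" if admin_http else "no ip http server",
             "ip http secure-server" if admin_https else "no ip http secure-server"]
    knobs = ([" webauth-http-enable"] if webauth_http and not admin_http else []) + \
            ([" secure-webauth-disable"] if admin_https and not webauth_https else [])
    return lines + (["parameter-map type webauth global"] + knobs if knobs else [])


# The table's rows as (admin HTTP, admin HTTPS, webauth HTTP, webauth HTTPS);
# the fifth is the row marked "Not supported".
TABLE_ROWS = [(False, True, True, True), (False, True, False, True),
              (False, True, True, False), (False, True, False, False),
              (False, False, False, True), (False, False, True, False),
              (True, False, True, False), (True, True, True, False)]


def is_supported(*exposure: bool) -> bool:
    try:
        config_for(*exposure)
        return True
    except ValueError:
        return False


def table_round_trips() -> bool:
    """Each supported row regenerates itself: audit(config_for(row)) == row."""
    for row in TABLE_ROWS:
        if is_supported(*row):
            seen = audit_http_exposure("\n".join(config_for(*row)))
            if tuple(seen[k] for k in ("admin_http", "admin_https",
                                       "webauth_http", "webauth_https")) != row:
                return False
    return True
```

Feed the output of show running-config to audit_http_exposure to see which listeners are actually reachable; the round-trip check is the quickest way to confirm the encoded rules still agree with the table after a platform upgrade changes defaults.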

Create a parameter map (GUI)

Define criteria-based policies to control device and user access within the local policy framework.

Use this task to create a parameter map by specifying match criteria and associating service templates. This enables dynamic policy application based on device type, user role, and other attributes.

Before you begin

Ensure you have the required policy details and service templates ready.

Procedure


Step 1

Choose Configuration > Security > Local Policy.

Step 2

Click Add.

Step 3

Click Policy Map.

Step 4

Enter Policy Map Name.

Step 5

In the Match Criteria List settings, click Add.

Step 6

In the Add Match Criteria settings, choose the service template from the Service Template drop-down list.

Step 7

Choose the filters from Device Type, User Role, User Name, OUI and MAC Address drop-down lists.

Step 8

Click Add Criteria.

Step 9

Click Apply to Device.


The parameter map is created and applied, enabling policy enforcement based on the selected criteria.

Creating parameter maps

Configure local web authentication (GUI)

Enable local web authentication for your network using GUI.

Use this task to set authentication parameters, banner messages, and related settings for web authentication.

Procedure


Step 1

Choose Configuration > Security > Web Auth.

Step 2

On the Web Auth page, click Add.

Step 3

In the Create Web Auth Parameter window that is displayed, enter a name for the parameter map.

Step 4

In the Maximum HTTP Connections field, enter the maximum number of HTTP connections that you want to allow.

Step 5

In the Init-State Timeout field, enter the time allowed for a user to enter valid credentials on the login page before the init-state timer expires.

Step 6

Choose the type of Web Auth parameter.

Step 7

Click Apply to Device.

Step 8

On the Web Auth page, click the name of the parameter map.

Step 9

In the Edit WebAuth Parameter window that is displayed, choose the required Banner Type.

  • If you choose Banner Text, enter the required banner text to be displayed.
  • If you choose File Name, specify the path of the file from which the banner text has to be picked up.

Step 10

Enter the virtual IP addresses as required.

Step 11

Set the status of WebAuth Intercept HTTPS, Captive Bypass Portal, and Watch List Enable as required.

Step 12

In the Watch List Expiry Timeout field, enter the time in seconds after which the watch list should time out.

Step 13

Set appropriate status for Disable Success Window, Disable Logout Window, and Login Auth Bypass for FQDN.

Step 14

Check the Sleeping Client Status check box to enable authentication of sleeping clients and then specify the Sleeping Client Timeout in minutes. The valid range is between 10 minutes and 43200 minutes.

Step 15

Click the Advanced tab.

Step 16

In the Redirect for log-in field, enter the URL of the external server to which login requests are redirected.

Step 17

In the Redirect On-Success field, enter the URL to which the client is redirected after a successful login.

Step 18

In the Redirect On-Failure field, enter the URL to which the client is redirected after a login failure.

Step 19

To configure external local web authentication, perform these steps:

  1. Under Redirect to External Server in the Redirect Append for AP MAC Address field, enter the AP MAC address.

  2. In the Redirect Append for Client MAC Address field, enter the client MAC address.

  3. In the Redirect Append for WLAN SSID field, enter the WLAN SSID.

  4. In the Portal IPV4 Address field, enter the IPv4 address of the portal to send redirects.

  5. In the Portal IPV6 Address field, enter the IPv6 address of the portal to send redirects, if IPv6 address is used.

Step 20

To configure customized local web authentication, perform these steps:

  1. Under Customized Page, specify the following pages:

    • Login Failed Page

    • Login Page

    • Logout Page

    • Login Successful Page

Step 21

Click Update & Apply.


Local web authentication is enabled with your specified settings.

Configure internal local web authentication (CLI)

Set up internal local web authentication on your device using CLI.

Follow the procedure given below to configure the internal local web authentication:

Procedure


Step 1

In global configuration mode, create a parameter map.

Example:

Device(config)# parameter-map type webauth sample

Creates the parameter map. The name of the parameter map must not exceed 99 characters.


Internal local web authentication is configured. The device now prompts clients to authenticate through the web portal before granting full network access.

Configure the customized local web authentication (CLI)

Configure custom local web authentication workflow on a Cisco device by specifying custom portal pages using CLI.

Perform this procedure to offer users a personalized login, success, and failure experience during web authentication.

Before you begin

  • Ensure you have valid HTML files for login, success, expired, and failure pages uploaded to device storage.

  • Configure a virtual IP in the global parameter map to use the customized web authentication bundle.

Procedure


Step 1

In the global configuration mode, configure the webauth type parameter.

Example:

Device(config)# parameter-map type webauth sample
					

You need to configure a virtual IP in the global parameter map to use the customized web authentication bundle.

Step 2

Configure the webauth subtype using the type {authbypass | consent | webauth | webconsent} command.

Example:

Device(config-params-parameter-map)# type webauth

The available types are authbypass, consent, webauth, and webconsent.

Step 3

Configure the customized login page using the custom-page login device html-filename command.

Example:

Device(config-params-parameter-map)# custom-page login device bootflash:login.html

Step 4

Configure the customized login expiry page using the custom-page login expired device html-filename command.

Example:

Device(config-params-parameter-map)# custom-page login expired device bootflash:loginexpired.html

Step 5

Configure the customized login success page using the custom-page success device html-filename command.

Example:

Device(config-params-parameter-map)# custom-page success device bootflash:loginsuccess.html

Step 6

Configure the customized login failure page using the custom-page failure device html-filename command.

Example:

Device(config-params-parameter-map)# custom-page failure device bootflash:loginfail.html

The customized local web authentication portal is configured. Users will see the specified custom pages during the authentication process.

Configure the external local web authentication (CLI)

Enable external local web authentication on your device by configuring the required CLI parameters.

Use this procedure to set up external local web authentication settings, including parameter maps and redirect URLs, using the CLI.

Before you begin

Gather the parameter map name and redirect URLs.

Procedure


Step 1

Enter global configuration mode.

Example:


Device# configure terminal

Step 2

Configure the webauth type parameter.

Example:


Device(config)# parameter-map type webauth sample

Step 3

Configure the web authentication subtype (authbypass, consent, webauth, or webconsent) using the type {authbypass | consent | webauth | webconsent} command.

Example:


Device(config-params-parameter-map)# type webauth

Step 4

Configure the redirect URL for the login, failure, and success pages using the redirect [for-login | on-failure | on-success] URL command.

Example:


Device(config-params-parameter-map)# redirect for-login http://www.cisco.com/login.html

Note

 

To enter the ? character in the redirect URL, press Ctrl+V before typing ?; otherwise the CLI treats ? as a request for context-sensitive help.

The ? character is common in redirect URLs when Cisco ISE is configured as the external portal, because the portal identifier is passed as a query parameter.

Step 5

Configure the external portal IPv4 address using the redirect portal {ipv4 | ipv6} ip-address command.

Example:


Device(config-params-parameter-map)# redirect portal ipv4 23.0.0.1

When using FQDN, use an IP address associated with the domain. If the domain resolves to more than one IP address, use the FQDN URL instead of an individual IP address.

Step 6

Return to privileged EXEC mode.

Example:


Device(config-params-parameter-map)# end

External local web authentication is configured. The device redirects users to the appropriate portal for authentication events according to your parameter map and settings.

Configure the web authentication WLANs

Configure a WLAN with web authentication security using CLI. Map authentication lists and parameter maps using the CLI.

Perform this task to set up a WLAN that uses web authentication, specifying key identifiers and settings through the CLI on your network device.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter WLAN configuration submode using the wlan profile-name wlan-id SSID_name command.

Example:

Device(config)# wlan wlan-test 3 ssid-test

  • profile-name: Profile name of the configured WLAN.

  • wlan-id: Wireless LAN identifier. Range is from 1 to 512.

  • SSID_name: SSID, which can contain up to 32 alphanumeric characters.

Step 3

Disable WPA security.

Example:


Device(config-wlan)# no security wpa

Step 4

Enable web authentication for WLAN.

Example:


Device(config-wlan)# security web-auth

Step 5

Map the authentication list and the parameter map to the WLAN using the security web-auth {authentication-list authentication-list-name | parameter-map parameter-map-name} command.

Example:


Device(config-wlan)# security web-auth authentication-list webauthlistlocal
Device(config-wlan)# security web-auth parameter-map sample

The keywords are:

  • authentication-list authentication-list-name: Specifies the AAA login authentication method list (for example, one defined with aaa authentication login) that validates web authentication credentials.

  • parameter-map parameter-map-name: Specifies the webauth parameter map applied to the WLAN.

Note

 

When security web-auth is enabled, the default authentication list and the global parameter map are used for any authentication-list or parameter-map that is not explicitly specified.

Step 6

Return to privileged EXEC mode.

Example:


Device(config-wlan)# end

The WLAN is configured with web authentication security and the desired authentication and parameter settings.

Configure pre-auth web authentication ACL (GUI)

Map a pre-authentication access control list (ACL) to a WLAN to control network access for users before authentication.

Use this procedure to enforce security policies by restricting network access to specified resources while users are in the pre-authenticated state on a wireless LAN.

Before you begin

Ensure that you have configured an access control list (ACL) and a WLAN.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click the name of the WLAN.

Step 3

In the Edit WLAN window, click the Security tab and then click the Layer3 tab.

Step 4

Click Show Advanced Settings.

Step 5

In the Preauthentication ACL section, choose the ACL to be mapped to the WLAN.

Step 6

Click Update & Apply to Device.


The selected pre-authentication ACL is now mapped to the WLAN. Devices connecting to this WLAN must adhere to the access restrictions defined by the ACL until they authenticate.

Configure pre-auth web authentication ACL (CLI)

Set up a pre-authentication web authentication access control list (ACL) and apply it to a WLAN using CLI commands. This ensures only authorized traffic passes through before web authentication occurs.

Use this task to control the network traffic permitted before clients authenticate on a WLAN. The ACL defines which clients and protocols are allowed through during the web authentication process.

Before you begin

  • Gather the required network and client information.

  • Determine the ACL rules (permit or deny) and relevant addresses.

Procedure


Step 1

Enter global configuration mode.

Example:


Device# configure terminal

Step 2

Create an ACL using the access-list access-list-number {deny | permit} source [source-wildcard] [log] command.

Example:


Device(config)# access-list 2 deny host 10.1.1.1 log

The access-list-number is a decimal number from 1 to 99, 100 to 199, 300 to 399, 600 to 699, 1300 to 1999, 2000 to 2699, or 2700 to 2799.

Enter deny or permit to specify whether to deny or permit if the conditions are matched.

The source is the source address of the network or host from which the packet is being sent specified as:

  • The 32-bit quantity in dotted-decimal format.

  • The keyword any as an abbreviation for source and source-wildcard of 0.0.0.0 255.255.255.255. You do not need to enter a source-wildcard.

  • The keyword host as an abbreviation for source and source-wildcard of source 0.0.0.0.

(Optional) The source-wildcard applies wildcard bits to the source.

Note

 

The AP forwards traffic from a client in the webauth-pending state only if it matches a permit entry in the pre-authentication ACL. Write the rules bidirectionally: permit both the client's upstream traffic and the corresponding downstream (return) traffic, otherwise the replies from the permitted destinations are dropped.

Step 3

Create the WLAN.

Example:


Device(config)# wlan mywlan 34 mywlan-ssid

profile-name is the WLAN name, which can contain up to 32 alphanumeric characters.

wlan-id is the wireless LAN identifier. The valid range is from 1 to 512.

ssid-name is the SSID, which can contain up to 32 alphanumeric characters.

Step 4

Map the ACL to the web-auth WLAN using the ip access-group web access-list-name command.

Example:


Device(config-wlan)# ip access-group web 2

access-list-name is the IPv4 ACL name or number; here it is the numbered ACL created in Step 2.

Step 5

Return to privileged EXEC mode.

Example:


Device(config-wlan)# end

The ACL is configured and mapped to the WLAN. Only permitted traffic can pass before web authentication.
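The wildcard-bit and bidirectional-rule points in the procedure above are easiest to see by evaluating an ACL against sample packets. The following Python is an added example, not Cisco code: it parses a named extended ACL of the kind mapped with ip access-group web, matches addresses with IOS wildcard semantics (a 0 bit must match, a 1 bit is ignored), applies first-match with the implicit deny at the end, and shows that an ACL carrying only the upstream rule towards the portal drops the portal's replies. The ACL name PREAUTH, the client subnet 10.10.10.0/24, the portal address 10.1.0.100 and the packets are all constructed for this example; only the ip/tcp/udp/icmp protocol keyword and an optional eq destination port are parsed.

```python
"""Evaluate a pre-authentication ACL with IOS semantics: entries are checked
top-down, the first match wins, and anything unmatched hits the implicit deny.
Added example, not Cisco code.  The ACL and the packets are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}

# Constructed named extended ACL for clients waiting on the web portal:
# DNS and DHCP, plus the portal in both directions.  Everything else is denied.
PREAUTH_ACL = """\
ip access-list extended PREAUTH
 permit udp any any eq domain
 permit udp any any eq bootps
 permit ip 10.10.10.0 0.0.0.255 host 10.1.0.100
 permit ip host 10.1.0.100 10.10.10.0 0.0.0.255
"""

# The same ACL without the return rule: downstream portal traffic is dropped.
UPSTREAM_ONLY_ACL = "\n".join(PREAUTH_ACL.splitlines()[:-1]) + "\n"


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dst_port: Optional[int]


def wild_match(ip: str, base: str, wild: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    if base == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(tokens: list) -> tuple:
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of the token list."""
    if tokens[0] == "any":
        return "any", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl(text: str) -> list:
    """Parse permit/deny lines of a named extended ACL into Entry objects."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended ...' header
        action, proto = tokens[0], tokens[1]
        src, src_wild, rest = _take_addr(tokens[2:])
        dst, dst_wild, rest = _take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        entries.append(Entry(action, proto, src, src_wild, dst, dst_wild, port))
    return entries


def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for one packet, first match wins."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        if wild_match(src, e.src, e.src_wild) and wild_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"  # implicit deny at the end of every IOS ACL
```

Run evaluate over the flows a pending client really needs (DNS, DHCP, the portal and its replies) before you map the ACL; a portal reply that comes back "deny" is the symptom of a missing return rule.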

Configure the maximum web authentication request retries

Set the maximum number of web authentication request retries to control how many times the system attempts web authentication before stopping.

Configure this setting to adjust the tolerance for failed web authentication attempts, which can improve network security and user experience.

Before you begin

Ensure you are in global configuration mode on your device.

Procedure


Step 1

Configure the maximum web authentication request retries using the wireless security web-auth retries number command.

Example:


Device(config)# wireless security web-auth retries 2

number is the maximum number of web authentication request retries. The valid range is 0 to 20.

Step 2

Return to privileged EXEC mode.

Example:


Device(config)# end


The system is now configured with your specified maximum number of web authentication request retries.

Configure a local banner in web authentication page (GUI)

Present a custom banner to users on the web authentication page to meet organizational messaging or compliance requirements.

Use this task to configure a banner that will display on the login page for web authentication sessions.

Procedure


Step 1

Choose Configuration > Security > Web Auth.

Step 2

In the Webauth Parameter Map tab, click the parameter map name. The Edit WebAuth Parameter window is displayed.

Step 3

In the General tab and choose the required Banner Type:

  • If you choose Banner Text, enter the required banner text to be displayed.

  • If you choose File Name, specify the path of the file from which the banner text has to be picked up.

Step 4

Click Update & Apply.


The specified banner displays on the web authentication page as configured.

Configure a local banner in web authentication page (CLI)

Present a custom banner to users on the Web Authentication page to meet organizational messaging or compliance requirements.

Use this task to configure a banner that displays on the login page for web authentication sessions.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the web authentication parameters. Enters the parameter map configuration mode.

Example:

Device(config)# parameter-map type webauth param-map

Step 3

Enable the local banner using the banner [file | banner-text | title] command.

Example:

Device(config-params-parameter-map)# banner http C My Switch C

Create a custom banner by entering C banner-text C (where C is a delimiting character), specify file to name a file (for example, a logo or text file) whose contents appear in the banner, or specify title to set the title of the banner.

Step 4

Return to privileged EXEC mode.

Example:

Device(config-params-parameter-map)# end 

The specified banner displays on the web authentication page as configured.

Configure Type WebAuth, Consent, or both

Configure a parameter map to use webauth type, consent, or webconsent login types.

Use this configuration to enable flexible guest access authentication for users on supported devices.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the Webauth type parameter.

Example:

Device(config)# parameter-map type webauth webparalocal

Step 3

Configure webauth type to consent. You can configure the type as Webauth, Consent, or both (Webconsent).

Example:

Device(config-params-parameter-map)# type consent

Step 4

Return to privileged EXEC mode.

Example:

Device(config-params-parameter-map)# end

Step 5

Display the configuration details.

Example:

Device# show running-config | section parameter-map type webauth webparalocal

The parameter map is configured to use Webauth, Consent, or Webconsent types as specified, ready for client authentication.

Configure preauthentication ACL

Set up a preauthentication access control list (ACL) to restrict network access prior to client authentication.

Use this task when you need to limit which resources clients can reach before they have authenticated on a WLAN.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter the WLAN you want to configure.

Example:

Device(config)# wlan ramban

Step 3

Disable the WLAN.

Example:

Device(config-wlan)# shutdown

Step 4

Configure ACL that has to be applied before authentication.

Example:

Device(config-wlan)# ip access-group web preauthrule

Step 5

Enable the WLAN again.

Example:

Device(config-wlan)# no shutdown

Step 6

Return to privileged EXEC mode.

Example:

Device(config-wlan)# end

Step 7

Display the configuration details using the show wlan name wlan-name command.

Example:

Device# show wlan name ramban

The preauthentication ACL is now active on the WLAN, restricting client access prior to authentication.

Configure trustpoint for local web authentication

Configure a trustpoint on your controller to support secure local web authentication.

Setting up a trustpoint allows the controller to present a domain-specific certificate trusted by client browsers during redirection to the portal (such as *.com).

Before you begin

Ensure that a certificate is installed on your controller. With a trustpoint configured, the controller presents the domain-specific certificate that the client browser trusts when the client is redirected to the portal (for example, at a *.com domain).

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Create the parameter map.

Example:

Device(config)# parameter-map type webauth global

Step 3

Configure trustpoint for local web authentication.

Example:

Device(config-params-parameter-map)# trustpoint trustpoint-name

Step 4

Return to privileged EXEC mode.

Example:

Device(config-params-parameter-map)# end

The controller presents the specified domain-specific certificate during local web authentication, so clients can trust the portal redirection.

Configuration examples for local web authentication

Example: obtain a web authentication certificate

This example shows how to obtain web authentication certificate.

Device# configure terminal
Device(config)# crypto pki import cert pkcs12 tftp://10.1.0.100/ldapserver-cert.p12 cisco
Device(config)# end
Device# show crypto pki trustpoints cert
Trustpoint cert:
    Subject Name: 
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
          Serial Number (hex): 00
    Certificate configured.
Device# show  crypto pki certificates cert
Certificate
  Status: Available
  Certificate Serial Number (hex): 04
  Certificate Usage: General Purpose
  Issuer: 
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
  Subject:
    Name: ldapserver
    e=rkannajr@cisco.com
    cn=ldapserver
    ou=WNBU
    o=Cisco
    st=California
    c=US
  Validity Date: 
    start date: 07:35:23 UTC Jan 31 2012
    end   date: 07:35:23 UTC Jan 28 2022
  Associated Trustpoints: cert ldap12 
  Storage: nvram:rkannajrcisc#4.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 00
  Certificate Usage: General Purpose
  Issuer: 
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
  Subject: 
    e=rkannajr@cisco.com
    cn=sthaliya-lnx
    ou=WNBU
    o=Cisco
    l=SanJose
    st=California
    c=US
  Validity Date: 
    start date: 07:27:56 UTC Jan 31 2012
    end   date: 07:27:56 UTC Jan 28 2022
  Associated Trustpoints: cert ldap12 ldap 
  Storage: nvram:rkannajrcisc#0CA.cer

Example: display a web authentication certificate

This example shows how to display a web authentication certificate.

Device# show crypto ca certificate verb
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 2A9636AC00000000858B
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  Subject:
    Name: WS-C3780-6DS-S-2037064C0E80
    Serial Number: PID:WS-C3780-6DS-S SN:FOC1534X12Q
    cn=WS-C3780-6DS-S-2037064C0E80
    serialNumber=PID:WS-C3780-6DS-S SN:FOC1534X12Q
  CRL Distribution Points:
    http://www.cisco.com/security/pki/crl/cmca.crl
  Validity Date:
    start date: 15:43:22 UTC Aug 21 2011
    end   date: 15:53:22 UTC Aug 21 2021
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: A310B856 A41565F1 1D9410B5 7284CB21
  Fingerprint SHA1: 04F180F6 CA1A67AF 9D7F561A 2BB397A1 0F5EB3C9
  X509v3 extensions:
    X509v3 Key Usage: F0000000
      Digital Signature
      Non Repudiation
      Key Encipherment
      Data Encipherment
    X509v3 Subject Key ID: B9EEB123 5A3764B4 5E9C54A7 46E6EECA 02D283F7
    X509v3 Authority Key ID: D0C52226 AB4F4660 ECAE0591 C7DC5AD1 B047F76C
    Authority Info Access:
  Associated Trustpoints: CISCO_IDEVID_SUDI
  Key Label: CISCO_IDEVID_SUDI
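Before pointing the trustpoint at a certificate (see the trustpoint procedure above), it pays to check what the device actually holds. The following Python is an added example, not Cisco code: it parses the per-certificate blocks of the show output above into fields and reports the findings that matter for a portal certificate: expiry, RSA keys shorter than 2048 bits, SHA-1 or MD5 signatures, and a subject CN that does not match the portal name. The first block of the embedded sample mirrors the fields of the page's own example (the manufacturing SUDI certificate); the second block, the portal name webauth.example.com, the trustpoint WEBAUTH-TP and the fixed reference time AUDIT_NOW are constructed for this example. Because this show output does not list the subjectAltName extension, the CN comparison is only a first-pass proxy for what browsers check.

```python
"""Audit certificates reported by 'show crypto pki certificates' or
'show crypto ca certificate verbose' for portal-relevant weaknesses.
Added example, not Cisco code.  The first sample block mirrors the page's own
example; the second block and the reference time are constructed."""
from __future__ import annotations

import re
from datetime import datetime, timezone

SAMPLE_SHOW_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 2A9636AC00000000858B
  Issuer:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  Subject:
    Name: WS-C3780-6DS-S-2037064C0E80
    cn=WS-C3780-6DS-S-2037064C0E80
    serialNumber=PID:WS-C3780-6DS-S SN:FOC1534X12Q
  Validity Date:
    start date: 15:43:22 UTC Aug 21 2011
    end   date: 15:53:22 UTC Aug 21 2021
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Associated Trustpoints: CISCO_IDEVID_SUDI
Certificate
  Status: Available
  Certificate Serial Number (hex): 1F
  Issuer:
    cn=Example Corp Issuing CA
    o=Example Corp
  Subject:
    Name: webauth.example.com
    cn=webauth.example.com
    o=Example Corp
  Validity Date:
    start date: 00:00:00 UTC Jan 10 2021
    end   date: 23:59:59 UTC Jan 10 2031
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA256 with RSA Encryption
  Associated Trustpoints: WEBAUTH-TP
"""

DATE_FMT = "%H:%M:%S UTC %b %d %Y"   # e.g. "15:53:22 UTC Aug 21 2021"
AUDIT_NOW = datetime(2022, 1, 1, tzinfo=timezone.utc)  # constructed reference time


def _field(block: str, pattern: str):
    m = re.search(pattern, block, re.M)
    return m.group(1).strip() if m else None


def parse_certificates(show_output: str) -> list:
    """Split the output into per-certificate blocks and extract the fields."""
    blocks, current = [], []
    for line in show_output.splitlines():
        if line.strip() in ("Certificate", "CA Certificate"):
            if current:
                blocks.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        blocks.append("\n".join(current))

    certs = []
    for block in blocks:
        # The subject's cn= sits between 'Subject:' and 'Validity Date:'; the
        # issuer has its own cn= above it, so do not search the whole block.
        subject = block.split("Subject:", 1)[-1].split("Validity Date:", 1)[0]
        end = _field(block, r"end\s+date:\s*(.+)$")
        bits = _field(block, r"RSA Public Key: \((\d+) bit\)")
        certs.append({
            "is_ca": block.lstrip().startswith("CA Certificate"),
            "subject_cn": _field(subject, r"^\s*cn=(.+)$"),
            "trustpoints": (_field(block, r"Associated Trustpoints:\s*(.*)$") or "").split(),
            "not_after": (datetime.strptime(end, DATE_FMT).replace(tzinfo=timezone.utc)
                          if end else None),
            "key_bits": int(bits) if bits else None,
            "signature": _field(block, r"Signature Algorithm:\s*(.+)$"),
        })
    return certs


def audit_certificate(cert: dict, portal_name: str, now: datetime) -> list:
    """Findings for a certificate meant to secure the portal at portal_name."""
    findings = []
    if cert["not_after"] and cert["not_after"] < now:
        findings.append(f"expired on {cert['not_after']:%Y-%m-%d}")
    if cert["key_bits"] is not None and cert["key_bits"] < 2048:
        findings.append(f"RSA key is only {cert['key_bits']} bits")
    sig = (cert["signature"] or "").upper()
    if "SHA1" in sig or "MD5" in sig:
        findings.append(f"weak signature hash: {cert['signature']}")
    if (cert["subject_cn"] or "").lower() != portal_name.lower():
        findings.append(f"subject CN {cert['subject_cn']!r} is not the portal name {portal_name!r}")
    return findings
```

Pass the real show output and the hostname clients are redirected to (the virtual IP hostname or the external portal FQDN); a certificate that produces any finding here will still be presented, but the browser will warn or refuse, and users learn to click through warnings on exactly the page that asks for their credentials.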

Example: choose the default web authentication login page

This example shows how to choose a default web authentication login page.

Device# configure terminal
Device(config)# parameter-map type webauth test
This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will 
disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]: yes
Device(config)# wlan wlan50
Device(config-wlan)# shutdown
Device(config-wlan)# security web-auth authentication-list test
Device(config-wlan)# security web-auth parameter-map test
Device(config-wlan)# no shutdown
Device(config-wlan)# end
Device# show running-config | section wlan50
wlan wlan50 50 wlan50
 security wpa akm wpa2
 security wpa wpa1
 security wpa wpa1 ciphers aes
 security wpa wpa1 ciphers tkip
 security web-auth authentication-list test
 security web-auth parameter-map test
 session-timeout 1800
 no shutdown

Device# show running-config | section parameter-map type webauth test
parameter-map type webauth test
 type webauth

Example: choose a customized web authentication login page from an IPv4 external web server

This example shows how to choose a customized web authentication login page from an IPv4 external web server.

Device# configure terminal
Device(config)# parameter-map type webauth global
Device(config-params-parameter-map)# virtual-ip ipv4 192.0.2.1
Device(config-params-parameter-map)# parameter-map type webauth test
Device(config-params-parameter-map)# type webauth
Device(config-params-parameter-map)# redirect for-login http://10.1.0.100/login.html
Device(config-params-parameter-map)# redirect portal ipv4 10.1.0.100
Device(config-params-parameter-map)# end
Device# show running-config | section parameter-map
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1
parameter-map type webauth test
 type webauth
 redirect for-login http://10.1.0.100/login.html
 redirect portal ipv4 10.1.0.100
security web-auth parameter-map rasagna-auth-map
security web-auth parameter-map test

Example: choose a customized web authentication login page from an IPv6 external web server

This example shows how to choose a customized web authentication login page from an IPv6 external web server.

Device# configure terminal
Device(config)# parameter-map type webauth global
Device(config-params-parameter-map)# virtual-ip ipv6 2001:DB8::/48
Device(config-params-parameter-map)# parameter-map type webauth test
Device(config-params-parameter-map)# type webauth
Device(config-params-parameter-map)# redirect for-login http://10:1:1::100/login.html
Device(config-params-parameter-map)# redirect portal ipv6 10:1:1::100
Device(config-params-parameter-map)# end
Device# show running-config | section parameter-map
parameter-map type webauth global
 virtual-ip ipv6 2001:DB8::/48
parameter-map type webauth test
 type webauth
 redirect for-login http://10:1:1::100/login.html
 redirect portal ipv6 10:1:1::100
security web-auth parameter-map rasagna-auth-map
security web-auth parameter-map test

Example: assign login, login failure, and logout pages per WLAN

This example shows how to assign login, login failure and logout pages per WLAN.

Device# configure terminal
Device(config)# parameter-map type webauth test
Device(config-params-parameter-map)# custom-page login device flash:loginsantosh.html
Device(config-params-parameter-map)# custom-page login expired device flash:loginexpire.html
Device(config-params-parameter-map)# custom-page failure device flash:loginfail.html
Device(config-params-parameter-map)# custom-page success device flash:loginsucess.html
Device(config-params-parameter-map)# end
Device# show running-config | section parameter-map type webauth test
parameter-map type webauth test
 type webauth
 redirect for-login http://10.1.0.100/login.html
 redirect portal ipv4 10.1.0.100
 custom-page login device flash:loginsantosh.html
 custom-page success device flash:loginsucess.html
 custom-page failure device flash:loginfail.html
 custom-page login expired device flash:loginexpire.html

Example: configure preauthentication ACL

This example shows how to configure preauthentication ACL.

Device# configure terminal
Device(config)# wlan fff
Device(config-wlan)# shutdown
Device(config-wlan)# ip access-group web preauthrule
Device(config-wlan)# no shutdown
Device(config-wlan)# end
Device# show wlan name fff

Example: configure webpassthrough

This example shows how to configure webpassthrough.

Device# configure terminal
Device(config)# parameter-map type webauth webparalocal
Device(config-params-parameter-map)# type consent
Device(config-params-parameter-map)# end
Device# show running-config | section parameter-map type webauth webparalocal
parameter-map type webauth webparalocal
 type consent

Verify web authentication type

To verify the web authentication type, run the command:

Device# show parameter-map type webauth all
Type Name
---------------------------------
Global global
Named webauth
Named ext
Named redirect
Named abc
Named glbal
Named ewa-2
Device# show parameter-map type webauth global
Parameter Map Name : global
Banner:
Text : CisCo
Type : webauth
Auth-proxy Init State time : 120 sec
Webauth max-http connection : 100
Webauth logout-window : Enabled
Webauth success-window : Enabled
Consent Email : Disabled
Sleeping-Client : Enabled
Sleeping-Client timeout : 60 min
Virtual-ipv4 : 10.0.2.1
Virtual-ipv4 hostname :
Webauth intercept https : Disabled
Webauth Captive Bypass : Disabled
Webauth bypass intercept ACL :
Trustpoint name :
HTTP Port : 80
Watch-list:
Enabled : no
Webauth login-auth-bypass:
Device# show parameter-map type webauth name global
Parameter Map Name : global
Type : webauth
Auth-proxy Init State time : 120 sec
Webauth max-http connection : 100
Webauth logout-window : Enabled
Webauth success-window : Enabled
Consent Email : Disabled
Sleeping-Client : Disabled
Webauth login-auth-bypass:
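The show output above is what you would audit after a change. The following is an added example, not a Cisco tool: it parses the "field : value" layout of show parameter-map type webauth output into a dictionary and checks it against the limits stated in this guide (sleeping-client timeout between 10 and 43200 minutes, parameter-map name no longer than 99 characters, a valid HTTP port). The show text embedded in it is a constructed sample in the same layout as the output above.

```python
"""Parse 'show parameter-map type webauth <name>' output and check it
against the limits stated in this guide. Added example, not Cisco tooling;
SAMPLE_SHOW is a constructed sample in the layout of the show output above.
"""
import re
from typing import Dict, List

SLEEPING_CLIENT_MIN, SLEEPING_CLIENT_MAX = 10, 43200   # minutes, per this guide
MAX_MAP_NAME_LEN = 99                                   # per this guide

SAMPLE_SHOW = """\
Parameter Map Name : global
Banner:
Text : CisCo
Type : webauth
Auth-proxy Init State time : 120 sec
Webauth max-http connection : 100
Webauth logout-window : Enabled
Webauth success-window : Enabled
Consent Email : Disabled
Sleeping-Client : Enabled
Sleeping-Client timeout : 60 min
Virtual-ipv4 : 10.0.2.1
Virtual-ipv4 hostname :
Webauth intercept https : Disabled
Webauth Captive Bypass : Disabled
Webauth bypass intercept ACL :
Trustpoint name :
HTTP Port : 80
Watch-list:
Enabled : no
Webauth login-auth-bypass:
"""


def parse_parameter_map(text: str) -> Dict[str, str]:
    """Turn 'field : value' lines into a dict; fields with no value map to ''."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # headings such as the 'Type Name' table
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def check_parameter_map(fields: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the map passes every check."""
    findings: List[str] = []
    name = fields.get("Parameter Map Name", "")
    if not name:
        findings.append("no parameter map name found in output")
    elif len(name) > MAX_MAP_NAME_LEN:
        findings.append(f"name '{name}' exceeds {MAX_MAP_NAME_LEN} characters")

    if "Type" not in fields:
        findings.append("parameter map type not reported")

    # The timeout only matters when the sleeping-client feature is on.
    if fields.get("Sleeping-Client") == "Enabled":
        m = re.fullmatch(r"(\d+) min", fields.get("Sleeping-Client timeout", ""))
        if not m:
            findings.append("sleeping client enabled but no timeout reported")
        elif not SLEEPING_CLIENT_MIN <= int(m.group(1)) <= SLEEPING_CLIENT_MAX:
            findings.append(
                f"sleeping client timeout {m.group(1)} min outside "
                f"{SLEEPING_CLIENT_MIN}-{SLEEPING_CLIENT_MAX}")

    port = fields.get("HTTP Port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"HTTP port '{port}' is not a valid TCP port")
    return findings


if __name__ == "__main__":
    parsed = parse_parameter_map(SAMPLE_SHOW)
    print(check_parameter_map(parsed) or "no findings")
```

Run it against the output of show parameter-map type webauth name for each named map; a map that enables sleeping clients with a timeout outside the documented range, or that reports no HTTP port, comes back with a finding.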

External web authentication (EWA)

Configure EWA with single WebAuth server address and default ports (80/443) (CLI)

Configure External Web Authentication (EWA) on your device to use a single WebAuth server address with default ports (80 or 443).

Use this procedure when you want to redirect guest WLAN clients to a specific WebAuth portal using default HTTP or HTTPS ports.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Define the authentication method at login.

Example:

Device(config)# aaa authentication login WEBAUTH local

Step 3

Create the parameter map using the parameter-map type webauth parameter-map-name command.

Example:

Device(config)# parameter-map type webauth ISE-Ext-Webauth_IP

The parameter-map-name must not exceed 99 characters.

Step 4

Configure the webauth type parameter.

Example:

Device(config-params-parameter-map)# type webauth

Step 5

Configure the URL string for redirect during login using the redirect for-login URL-String command.

Example:

Device(config-params-parameter-map)#  redirect for-login https://192.168.0.98:443/portal/PortalSetup.action?portal=ad64b062-1098-11e7-8591-005056891b52

Step 6

Configure the external portal IPv4 address.

Example:

Device(config-params-parameter-map)# redirect portal ipv4 192.168.0.98

Step 7

Return to global configuration mode.

Example:

Device(config-params-parameter-map)# exit

Step 8

Configure a WLAN using the wlan wlan-name wlan-id SSID-name command.

Example:

Device(config)#  wlan EWLC3-GUEST 3 EWLC3-GUEST

Step 9

Disable adaptive 11r.

Example:

Device(config-wlan)# no security ft adaptive

Step 10

Disable WPA security.

Example:

Device(config-wlan)# no security wpa

Step 11

Disable WPA2 security.

Example:

Device(config-wlan)# no security wpa wpa2

Step 12

Disable WPA2 ciphers for AES.

Example:

Device(config-wlan)# no security wpa wpa2 ciphers aes

Step 13

Disable security AKM for dot1x.

Example:

Device(config-wlan)# no security wpa akm dot1x

Step 14

Enable web authentication for WLAN.

Example:

Device(config-wlan)# security web-auth

Step 15

Enable the authentication list for web authentication using the security web-auth authentication-list authentication-list-name command.

Example:

Device(config-wlan)# security web-auth authentication-list WEBAUTH

Step 16

Configure the parameter map using the security web-auth parameter-map parameter-map-name command.

Example:

Device(config-wlan)# security web-auth parameter-map ISE-Ext-Webauth_IP

Note

If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 17

Return to privileged EXEC mode.

Example:

Device(config-wlan)# end

Web authentication is enabled for the configured WLAN, redirecting clients to the specified WebAuth portal using default ports.

Configure EWA with multiple web servers and/or ports different than default (80/443)

Configure an External Web Authentication (EWA) workflow to support multiple web servers and custom port numbers using CLI commands.

You need to enable guest access using EWA when multiple external web servers are present or non-default ports (other than 80 or 443) are required for web authentication.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Define an extended IPv4 access list by name and enter access-list configuration mode.

Example:

Device(config)# ip access-list extended preauth_ISE_Ext_WA

Step 3

Permit access from any host to the first external web server on port 8443 using the sequence-number permit tcp any host external_web_server_ip_address1 eq port-number command.

Example:

Device(config-ext-nacl)# 10 permit tcp any host 192.168.0.98 eq 8443

Step 4

Permit access from any host to the second external web server on port 8443 using the sequence-number permit tcp any host external_web_server_ip_address2 eq port-number command. Each entry needs its own sequence number.

Example:

Device(config-ext-nacl)# 15 permit tcp any host 192.168.0.99 eq 8443

Step 5

Permit DNS UDP traffic using the sequence-number permit udp any any eq domain command.

Example:

Device(config-ext-nacl)# 20 permit udp any any eq domain

Step 6

Permit DHCP client traffic (UDP port 68) using the sequence-number permit udp any any eq bootpc command.

Example:

Device(config-ext-nacl)# 30 permit udp any any eq bootpc

Step 7

Permit DHCP server traffic (UDP port 67) using the sequence-number permit udp any any eq bootps command.

Example:

Device(config-ext-nacl)# 40 permit udp any any eq bootps

Step 8

Permit return traffic from port 8443 of the first external web server to any host using the sequence-number permit tcp host external_web_server_ip_address1 eq port-number any command.

Example:

Device(config-ext-nacl)# 50 permit tcp host 192.168.0.98 eq 8443 any

Step 9

Permit return traffic from port 8443 of the second external web server to any host using the sequence-number permit tcp host external_web_server_ip_address2 eq port-number any command.

Example:

Device(config-ext-nacl)# 55 permit tcp host 192.168.0.99 eq 8443 any

Step 10

Permit DNS TCP traffic using the sequence-number permit tcp any any eq domain command.

Example:

Device(config-ext-nacl)# 60 permit tcp any any eq domain

Step 11

Deny all other traffic using the sequence-number deny ip any any command.

Example:

Device(config-ext-nacl)# 70 deny ip any any

Step 12

Create the WLAN using the wlan wlan-name wlan-id ssid command.

Example:

Device(config)# wlan EWLC3-GUEST 3 EWLC3-GUEST

Step 13

Configure the IPv4 WLAN web ACL using the ip access-group web name command.

Example:

Device(config-wlan)# ip access-group web preauth_ISE_Ext_WA
The name argument specifies the user-defined IPv4 ACL name.

Step 14

Return to privileged EXEC mode.

Example:

Device(config-wlan)# end

The device is configured to allow EWA using multiple external web servers and ports, permitting DNS and DHCP traffic while blocking all other traffic from unauthenticated clients.
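To see what the preauthentication ACL from this procedure actually lets an unauthenticated client do, the following added example (not Cisco code) models how IOS evaluates an extended ACL: entries are tried in sequence order, the first match wins, and anything unmatched hits the implicit deny. The entries are the ones the procedure configures, each carrying a distinct sequence number as IOS requires. The flows it evaluates are constructed samples; the client address 10.10.10.5, the DNS server 10.0.0.53, the DHCP server 10.10.10.1 and the Internet host 203.0.113.10 are made up.

```python
"""Simulate the preauthentication web ACL from the EWA procedure above.

Added example, not Cisco code. Models IOS extended-ACL evaluation
(first match wins, implicit deny) for the ACL preauth_ISE_Ext_WA so the
flows an unauthenticated guest client can send are visible at a glance.
All addresses other than the two web servers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DOMAIN, BOOTPS, BOOTPC = 53, 67, 68   # port values behind eq domain/bootps/bootpc
PORTAL_PORT = 8443


@dataclass(frozen=True)
class Flow:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry. None for an address or port means 'any'."""
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (ip matches any protocol)
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and self.src in (None, f.src)
                and self.sport in (None, f.sport)
                and self.dst in (None, f.dst)
                and self.dport in (None, f.dport))


# ip access-list extended preauth_ISE_Ext_WA as built in Steps 2 to 11.
PREAUTH_ACL: List[Ace] = [
    Ace(10, "permit", "tcp", dst="192.168.0.98", dport=PORTAL_PORT),
    Ace(15, "permit", "tcp", dst="192.168.0.99", dport=PORTAL_PORT),
    Ace(20, "permit", "udp", dport=DOMAIN),
    Ace(30, "permit", "udp", dport=BOOTPC),
    Ace(40, "permit", "udp", dport=BOOTPS),
    Ace(50, "permit", "tcp", src="192.168.0.98", sport=PORTAL_PORT),
    Ace(55, "permit", "tcp", src="192.168.0.99", sport=PORTAL_PORT),
    Ace(60, "permit", "tcp", dport=DOMAIN),
    Ace(70, "deny", "ip"),
]


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching entry, or the implicit deny."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action, ace.seq
    return "deny", None


CLIENT = "10.10.10.5"   # constructed guest client address

# Constructed sample flows an unauthenticated client typically generates.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "portal_https_8443":  Flow("tcp", CLIENT, 51000, "192.168.0.98", 8443),
    "second_portal_8443": Flow("tcp", CLIENT, 51001, "192.168.0.99", 8443),
    "portal_reply":       Flow("tcp", "192.168.0.98", 8443, CLIENT, 51000),
    "dns_udp":            Flow("udp", CLIENT, 40000, "10.0.0.53", DOMAIN),
    "dns_tcp":            Flow("tcp", CLIENT, 40001, "10.0.0.53", DOMAIN),
    "dhcp_discover":      Flow("udp", "0.0.0.0", BOOTPC, "255.255.255.255", BOOTPS),
    "dhcp_offer":         Flow("udp", "10.10.10.1", BOOTPS, CLIENT, BOOTPC),
    "portal_default_443": Flow("tcp", CLIENT, 51002, "192.168.0.98", 443),
    "internet_https":     Flow("tcp", CLIENT, 51003, "203.0.113.10", 443),
}


def preauth_report(acl: List[Ace] = PREAUTH_ACL,
                   flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, Tuple[str, Optional[int]]]:
    """Map each sample flow name to the (action, sequence) that decided it."""
    return {name: evaluate(acl, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (action, seq) in preauth_report().items():
        print(f"{name:20s} {action:6s} seq {seq}")
```

The two flows that land on the final deny are the ones to note: the portal on its default port 443 is blocked because only 8443 is permitted, so a redirect URL that omits the port would fail before login, and general Internet HTTPS is blocked until the client authenticates.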

Configure wired guest EWA with multiple web servers and/or ports different than default (80/443)

Configure Wired Guest External Web Authentication (EWA) when using multiple web servers or ports other than the default (80 or 443), using CLI commands.

Wired Guest LAN profiles do not allow manual ACL assignment directly. To support multiple web servers or custom ports, you must use the bypass ACL in the global parameter map.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Define an extended IPv4 access list by name and enter access-list configuration mode.

Example:

Device(config)# ip access-list extended BYPASS_ACL

Step 3

Allow the traffic to the first host to switch centrally using the sequence-number deny ip any host ip-address command.

Example:

Device(config-ext-nacl)# 10 deny ip any host 192.168.0.45

Step 4

Allow the traffic to the second host to switch centrally using the sequence-number deny ip any host ip-address command.

Example:

Device(config-ext-nacl)# 20 deny ip any host 4.0.0.1

Step 5

Create the global parameter map and enter parameter-map webauth configuration mode.

Example:

Device(config)# parameter-map type webauth global

Step 6

Create a WebAuth bypass intercept using the ACL name.

Example:

Device(config-params-parameter-map)# webauth-bypass-intercept BYPASS_ACL

Note

You cannot apply a manual ACL to the wired guest profile and configure an external web authentication with multiple IP addresses or different ports. The workaround is to use the bypass ACL for the wired guest profile.

Step 7

Return to privileged EXEC mode.

Example:

Device(config-params-parameter-map)# end

The wired guest profile uses the bypass ACL, enabling external web authentication with multiple web servers or custom ports.

Authentication for sleeping clients

Authenticating sleeping clients

A sleeping client is a wireless device that

  • has completed web authentication and been granted guest access

  • is allowed to enter sleep mode and wake up without reauthenticating through the login page, and

  • has its information stored by the controller for a configurable duration before reauthentication is required.

The valid range is 10 minutes to 43200 minutes, with the default being 720 minutes. You can also configure this duration on the WebAuth parameter map that is mapped to a WLAN. The sleeping client timer is activated when conditions such as idle timeout, session timeout, WLAN disabling, or AP nonoperational status occur.


Caution


If the MAC address of a client in sleep mode is spoofed, a fake device, such as a laptop, can be mistakenly authenticated.
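The behaviour described above, as an added example that is not controller code: a cache keyed by client MAC address whose timer starts when the session ends (idle timeout, session timeout, WLAN disabled, AP down) rather than at login, a wake-up check that skips the login page while the entry is live, and the equivalent of the clear wireless client sleeping-client commands. It also makes the caution concrete: because the cache knows the client only by MAC address, a second device presenting the same MAC is re-admitted exactly like the original. Times are minutes on a constructed clock and the MAC address is constructed in the format of the show output later in this chapter.

```python
"""Model of the sleeping-client cache described above.

Added example, not controller code. Shows when a waking client bypasses
the login page, that the timer starts at session end, and that a device
spoofing a cached MAC is treated the same as the real one (the caution).
The clock is in minutes; the MAC address is constructed.
"""
from typing import Dict, Optional

DEFAULT_TIMEOUT_MIN = 720            # default stated in this guide
TIMEOUT_RANGE_MIN = (10, 43200)      # valid range stated in this guide


def valid_timeout(minutes: int) -> bool:
    lo, hi = TIMEOUT_RANGE_MIN
    return lo <= minutes <= hi


def format_remaining(seconds: int) -> str:
    """Render remaining time as mm:ss, as 'show wireless client sleeping-client' does."""
    seconds = max(0, seconds)
    return f"{seconds // 60:02d}:{seconds % 60:02d}"


class SleepingClientCache:
    def __init__(self, timeout_min: int = DEFAULT_TIMEOUT_MIN) -> None:
        if not valid_timeout(timeout_min):
            raise ValueError(f"sleeping-client timeout must be within {TIMEOUT_RANGE_MIN} minutes")
        self.timeout_min = timeout_min
        self._expiry: Dict[str, float] = {}   # MAC -> minute at which the entry expires

    def session_ended(self, mac: str, now_min: float) -> None:
        """A web-authenticated client's session ended: start its sleeping-client timer."""
        self._expiry[mac] = now_min + self.timeout_min

    def remaining(self, mac: str, now_min: float) -> Optional[str]:
        """mm:ss left for a cached MAC, or None if it is not (or no longer) cached."""
        expiry = self._expiry.get(mac)
        if expiry is None or expiry <= now_min:
            return None
        return format_remaining(int(round((expiry - now_min) * 60)))

    def needs_login(self, mac: str, now_min: float) -> bool:
        """Called when a client associates again. False means it bypasses the login page.
        Only the MAC is consulted, which is why a spoofed MAC is admitted too."""
        expiry = self._expiry.get(mac)
        if expiry is not None and now_min < expiry:
            return False
        self._expiry.pop(mac, None)   # expired: full web authentication again
        return True

    def clear(self, mac: Optional[str] = None) -> None:
        """clear wireless client sleeping-client [mac-address <mac>]"""
        if mac is None:
            self._expiry.clear()
        else:
            self._expiry.pop(mac, None)


def demo_scenario(timeout_min: int = 60) -> Dict[str, object]:
    """Walk one client through sleep and wake-up, including a MAC-spoofing twin."""
    cache = SleepingClientCache(timeout_min)
    real_mac = "2477.031b.aa18"                 # constructed
    cache.session_ended(real_mac, now_min=0)    # idle timeout at t=0 starts the timer
    return {
        "remaining_at_t0": cache.remaining(real_mac, 0),       # "60:00"
        "wake_at_30_login": cache.needs_login(real_mac, 30),   # False: inside the window
        "spoof_at_30_login": cache.needs_login(real_mac, 30),  # False: other device, same MAC
        "wake_at_61_login": cache.needs_login(real_mac, 61),   # True: window expired
        "remaining_after_expiry": cache.remaining(real_mac, 61),
    }


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key:24s} {value}")
```

The spoof line is the point of the caution: the model has no way to distinguish the original laptop from another device using its MAC, so a shorter timeout is the only lever this feature gives you to limit that window.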


Feature History

Feature Name

Release

Description

Webauth Sleeping Client Support

Cisco IOS XE 17.1.1s

The web authentication sleeping clients feature supports multiple combinations of authentications for a given client, which are configured on the WLAN profile.

Scenarios where sleeping clients do not need reauthentication

  • Suppose there are two controllers in a mobility group. A client that is associated with one controller goes to sleep and then wakes up and gets associated with the other controller.

  • Suppose there are three controllers in a mobility group. A client that is associated with the second controller, which is anchored to the first controller, goes to sleep, wakes up, and gets associated with the third controller.

  • A client sleeps, wakes up and gets associated with the same or different export foreign controller that is anchored to the export anchor.

Guidelines for mobility scenarios

  • This feature is supported on the FlexConnect scenario with local switching and central authentication.

  • L2 roaming in the same subnet is supported.

  • Anchor sleeping timer is applicable.

  • The sleeping client information is shared between multiple autoanchors when a sleeping client moves from one anchor to another.

Restrictions on authenticating sleeping clients

  • If the MAC address of a client in sleep mode is spoofed, a fake device, such as a laptop, can be mistakenly authenticated.

  • The sleep client feature works only for WLAN configured with WebAuth security.

  • You can configure the sleeping clients only on a per WebAuth parameter-map basis.

  • The authentication of sleeping clients feature is supported only on WLANs that have Layer 3 security enabled.

  • When Layer 3 security is enabled, the Authentication, Passthrough, and On MAC Filter failure web policies are supported. The Splash Page Web Redirect web policy is not supported.

  • The central web authentication of sleeping clients is not supported.

  • The authentication of sleeping clients feature is not supported on guest LANs and remote LANs.

  • A guest access sleeping client that has a local user policy is not supported. In this case, the WLAN-specific timer is applied.

Configure authentication for sleeping clients (GUI)

Enable authentication for sleeping clients to ensure devices can maintain secure network access even after entering sleep mode.

Sleeping clients, such as laptops or mobile devices, periodically enter low-power states. You configure authentication to ensure they reconnect securely and seamlessly when they wake.

Procedure


Step 1

Choose Configuration > Security > Web Auth.

Step 2

In the Webauth Parameter Map tab, click the parameter map name. The Edit WebAuth Parameter window is displayed.

Step 3

Check the Sleeping Client Status check box.

Step 4

Click Update & Apply to Device.


Authentication for sleeping clients is now enabled. Devices entering sleep mode will reconnect securely without manual intervention.

Configure authentication for sleeping clients (CLI)

Configure authentication parameters to manage sleeping wireless clients and control their session persistence on the device.

Sleeping clients are wireless devices that temporarily disconnect due to power-saving or roaming behaviors. Configuring authentication for sleeping clients ensures they are recognized and handled appropriately during these periods.

Procedure


Step 1

Enter parameter-map webauth configuration mode for the global parameter map.

Example:

Device(config)# parameter-map type webauth global

Step 2

Configure the sleeping client timeout to 100 minutes.

Example:

Device(config-params-parameter-map)# sleeping-client timeout 100

Valid range is between 10 minutes and 43200 minutes.

Note

If you do not use the timeout keyword, the sleeping client is configured with the default timeout value of 720 minutes.

Step 3

Exit parameter-map webauth configuration mode and return to privileged EXEC mode.

Example:

Device(config-params-parameter-map)# end

Step 4

(Optional) Show the MAC address of the clients and the time remaining in their respective sessions.

Example:

Device# show wireless client sleeping-client

Step 5

(Optional) Delete sleeping client entries from the sleeping client cache.

  • clear wireless client sleeping-client: deletes all sleeping client entries from the sleeping client cache.

  • clear wireless client sleeping-client mac-address mac-addr: deletes the specified MAC entry from the sleeping client cache.

Example:

Device# clear wireless client sleeping-client mac-address 00e1.e1e1.0001

The device displays the global configuration prompt, allowing you to make configuration changes.

Sleeping clients with multiple authentications

Mobility support for sleeping clients

Feature Name

Release

Description

Mobility support for guest and nonguest sleeping clients.

Cisco IOS XE 17.1.1s

Mobility support for guest and nonguest sleeping clients.

Supported combinations of multiple authentications

Multiple authentication feature supports sleeping clients configured in the WLAN profile.

The table outlines the supported combination of multiple authentications.

Table 2. Supported combinations of multiple authentications

Layer 2

Layer 3

Supported

MAB

LWA

Yes

MAB Failure

LWA

Yes

Dot1x

LWA

Yes

PSK

LWA

Yes

Configure WLAN for dot1x and local web authentication

Configure a WLAN with both 802.1X (dot1x) authentication and local web authentication on a controller using CLI.

Use this procedure when you need to secure a WLAN such that users can authenticate with their credentials (dot1x) or are redirected to a local web authentication portal. This scenario is common in enterprise or campus environments where both secure and user-friendly authentication methods are required.

Before you begin

Enter the global configuration mode.

Procedure


Step 1

Enter WLAN configuration submode.

Example:

Device(config)# wlan wlan-test 3 ssid-test

  • profile-name: Profile name of the configured WLAN.

  • wlan-id: Wireless LAN identifier. Range is from 1 to 512.

  • SSID_Name: SSID, which can contain up to 32 alphanumeric characters.

Step 2

Enable security authentication list for dot1x security. The configuration is similar for all dot1x security WLANs.

Example:

Device(config-wlan)#  security dot1x authentication-list default

Step 3

Configure web authentication.

Example:

Device(config-wlan)#  security web-auth

Step 4

Enable the authentication list for web authentication.

Example:

Device(config-wlan)#  security web-auth authentication-list default

Step 5

Map the parameter map.

Example:

Device(config-wlan)# security web-auth parameter-map global

Note

If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 6

Enable WLAN.

Example:

Device(config-wlan)# no shutdown

The new WLAN is configured with both dot1x and local web authentication enabled. Users connecting to this SSID can authenticate using their credentials or via the local web portal, according to controller policies.

Configure a WLAN for MAC authentication bypass and LWA

Set up a WLAN so that client devices are authenticated using MAC authentication bypass and provided local web authentication.

Use this task to configure a secure SSID that allows MAC-based device authentication followed by a web portal login, ensuring flexible and layered network access control.

Before you begin

Prepare the list name for MAC filtering and ensure the web authentication parameter map is defined (or note that the global map will be used).

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter WLAN configuration submode.

Example:

Device(config)# wlan wlan-test 3 ssid-test

  • profile-name: Profile name of the configured WLAN.

  • wlan-id: Wireless LAN identifier. Range is from 1 to 512.

  • SSID_Name: SSID, which can contain up to 32 alphanumeric characters.

Step 3

Set the MAC filtering parameters using the mac-filtering list-name command.

Example:

Device(config-wlan)#  mac-filtering cat-radius

Step 4

Disable security AKM for dot1x.

Example:

Device(config-wlan)#  no security wpa akm dot1x 

Step 5

Disable the WPA2 cipher.

Example:

Device(config-wlan)# no security wpa wpa2 ciphers aes

aes: Encryption type that specifies WPA/AES support.

Step 6

Map the parameter map.

Example:

Device(config-wlan)# security web-auth parameter-map global

Note

If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 7

Enable WLAN.

Example:

Device(config-wlan)# no shutdown

The WLAN is configured to use MAC Authentication Bypass with Local Web Authentication.

Configure a WLAN for local web authentication and MAC filtering

Establish a WLAN profile with local web authentication, including MAC address filtering for enhanced security.

Use this task to set up a WLAN on your Cisco device that requires users to authenticate via a local web portal and applies MAC address filtering as an additional security measure.

Before you begin

  • Know the desired SSID name, WLAN ID, and profile name.

  • Prepare the MAC filter list name.

  • Confirm availability of an authentication parameter map (if needed).

Procedure


Step 1

Enter WLAN configuration submode using the wlan profile-name wlan-id SSID_name command.

Example:

Device(config)# wlan wlan-test 3 ssid-test

  • profile-name: Profile name of the configured WLAN.

  • wlan-id: Wireless LAN identifier. Range is from 1 to 512.

  • SSID_Name: SSID, which can contain up to 32 alphanumeric characters.

Step 2

Set the MAC filtering parameters.

Example:

Device(config-wlan)#  mac-filtering cat-radius

Step 3

Disable security Authenticated Key Management (AKM) for dot1x.

Example:

Device(config-wlan)#  no security wpa akm dot1x 

Step 4

Disable the WPA2 cipher.

Example:

Device(config-wlan)# no security wpa wpa2 ciphers aes

aes: Encryption type that specifies WPA/AES support.

Step 5

Configure the fallback policy with MAC filtering and web authentication.

Example:

Device(config-wlan)# security web-auth on-macfilter-failure wlan-id

Step 6

Map the parameter map.

Example:

Device(config-wlan)# security web-auth parameter-map global

Note

If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

Step 7

Enable WLAN.

Example:

Device(config-wlan)# no shutdown

The WLAN is now configured for local web authentication with MAC filtering, ready for users to connect and authenticate through the portal.

Configure a PSK + LWA in a WLAN

Set up a WLAN with both a preshared key (PSK) and local web authentication (LWA) using CLI commands.

Use this task to enable secure access for clients on a WLAN using both a PSK and web authentication mechanisms.

Before you begin

  • Decide the profile name, WLAN ID, and SSID for the new WLAN.

  • Create required authentication lists and parameter maps if not already present.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter WLAN configuration submode using the wlan profile-name wlan-id SSID_name command.

Example:

Device(config)# wlan wlan-test 3 ssid-test

  • profile-name: Profile name of the configured WLAN.

  • wlan-id: Wireless LAN identifier. Range is from 1 to 512.

  • SSID_Name: SSID, which can contain up to 32 alphanumeric characters.

Step 3

Disable security AKM for dot1x.

Example:

Device(config-wlan)#  no security wpa akm dot1x 

Step 4

Enable web authentication for the WLAN.

Example:

Device(config-wlan)#  security web-auth

Step 5

Disable the WPA2 cipher.

Example:

Device(config-wlan)# no security wpa wpa2 ciphers aes

aes: Encryption type that specifies WPA/AES support.

Step 6

Configure the preshared key on the WLAN. An ASCII key must be 8 to 63 characters long.

Example:

Device(config-wlan)# security wpa psk set-key ascii 0 12345678

Step 7

Configure PSK support.

Example:

Device(config-wlan)# security wpa akm psk

Step 8

Enable the authentication list for web authentication.

Example:

Device(config-wlan)#  security web-auth authentication-list default

Step 9

Map the parameter map.

Example:

Device(config-wlan)# security web-auth parameter-map global

Note

If the parameter map is not associated with a WLAN, the configuration is considered from the global parameter map.

The WLAN is configured to use both a preshared key and local web authentication for client access.

Configure a sleeping client

Configure parameters that determine how long a client device remains in "sleeping" state before timing out, using CLI.

Sleeping clients are devices that temporarily disconnect from the network but retain their association for a defined period, allowing smooth reconnection. You may wish to adjust the sleeping client timeout to optimize performance or manage resource use.

Before you begin

Identify the parameter map (by name or use the global map) you wish to modify.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Create a parameter map and enter parameter-map configuration mode using the parameter-map type webauth {parameter-map-name | global} command.

Example:

Device(config)# parameter-map type webauth MAP-2

The specific configuration commands supported for a global parameter map defined with the global keyword differ from the commands supported for a named parameter map defined with the parameter-map-name argument.

Step 3

Configure the sleeping client timeout, in minutes, using the sleeping-client [timeout time] command.

Example:

Device(config-params-parameter-map)#  sleeping-client timeout 60 

The available range for the time argument is from 10 to 43200.

Note

If you do not use the timeout keyword, the sleeping client is configured with the default timeout value of 720 minutes.

The sleeping client timeout is configured for the specified parameter map.

Verify a sleeping client configuration

To verify a sleeping client configuration, use the command:

Device# show wireless client sleeping-client
Total number of sleeping-client entries: 1

MAC Address                    Remaining time (mm:ss)    
--------------------------------------------------------
2477.031b.aa18                 59:56       

Multi authentication combination with 802.1X authentication and local web authentication

Multiauthentication combinations with 802.1X authentication and local web authentication

A multiauthentication combination is a network access control strategy that

  • allows multiple authentication methods (such as 802.1X and web authentication) to be used in sequence

  • enables enforcement of security and user consent policies in wireless networks, and

  • supports policy merging to maintain consistent access controls throughout device connections.

Expanded Explanation

In a wireless setup, for example, in a university, clients authenticate through 802.1X authentication. Because the 802.1X (dot1X) authentication process is secure and does not require user intervention, the end-users are unaware of the network that their devices are connected to. This could lead to serious concerns if they connect to the university's wireless network and post inappropriate content or access restricted content.

To avoid this situation, web authentication (webauth) and 802.1X authentication are configured in the network. End-user consent is used as a part of webauth to inform users that they are connected to the university's Wi-Fi network.

When the end-users accept the credentials for consent, AAA policies are not applied. The AAA policies that were applied earlier are deleted, resulting in a VLAN change and client disconnection.

A new command is introduced in Cisco IOS XE Dublin 17.11.1 to fix this issue. When you run the consent activation-mode merge command, the policy that is applied through consent is merged with the policy applied for 802.1X or MAC Authentication Bypass (MAB) authentication, thereby allowing clients to access the network. This command is available in parameter-map mode, which is configured with type consent command.
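The difference between the two activation modes, as an added example that is not controller code: after 802.1X or MAB succeeds, AAA has already applied a policy to the session (modelled here as a VLAN, an ACL name and a session timeout, all constructed values). When the user then accepts consent, Replace installs the consent policy in place of that one, so the session falls back to the WLAN's default VLAN and the client is disconnected, while Merge keeps the earlier attributes and adds the consent ones. The attribute names, the WLAN default VLAN of 1, and the rule that a consent attribute wins when both policies set the same attribute are assumptions of this model.

```python
"""Model of consent activation-mode replace versus merge described above.

Added example, not controller code. Attribute names, the WLAN default
VLAN and the overlap rule (consent attribute wins) are assumptions.
"""
from typing import Dict, Tuple

Policy = Dict[str, object]

WLAN_DEFAULT_VLAN = 1   # assumed VLAN the session lands in when no policy sets one


def apply_consent(applied: Policy, consent: Policy, mode: str = "replace") -> Policy:
    """Return the policy in force after the user accepts consent."""
    if mode == "replace":
        return dict(consent)            # default mode: earlier attributes are dropped
    if mode == "merge":
        merged = dict(applied)
        merged.update(consent)          # assumption: consent attributes win on overlap
        return merged
    raise ValueError(f"unknown activation mode: {mode}")


def effective_vlan(policy: Policy) -> int:
    return int(policy.get("vlan", WLAN_DEFAULT_VLAN))


def consent_outcome(applied: Policy, consent: Policy, mode: str) -> Tuple[Policy, bool]:
    """Return (policy after consent, client stays connected).

    A VLAN change on the session is what disconnects the client, so the
    client stays connected only if the VLAN in force is unchanged."""
    after = apply_consent(applied, consent, mode)
    stays_connected = effective_vlan(after) == effective_vlan(applied)
    return after, stays_connected


# Constructed sample policies: what AAA applied after 802.1X, and the consent profile.
DOT1X_POLICY: Policy = {"vlan": 100, "acl": "EMPLOYEE_ACL", "session_timeout": 3600}
CONSENT_POLICY: Policy = {"consent_accepted": True}


if __name__ == "__main__":
    for mode in ("replace", "merge"):
        after, stays = consent_outcome(DOT1X_POLICY, CONSENT_POLICY, mode)
        print(f"{mode:8s} vlan={effective_vlan(after)} policy={after} connected={stays}")
```

With Replace the session ends up in VLAN 1 with no ACL and no session timeout, which is the VLAN change and disconnection the text describes; with Merge the 802.1X attributes survive and the consent flag is simply added to them.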

Feature History

Release

Feature

Feature Information

Cisco IOS XE Dublin 17.11.1

Multiauthentication Combination of 802.1X and Local Web Authentication

This feature supports the merging of applied policies during multiauthentication of 802.1X or MAC authentication bypass (MAB) and local web authentication (LWA).

Limitations for multi authentication combination of 802.1X and local web authentication

  • It is not possible to configure this feature on the controller GUI.

  • SNMP is not supported.

  • When the consent activation-mode merge command is not configured on the webauth parameter map, the default activation mode is Replace. This means that the user profile for consent replaces all the user profile policies that were previously applied.

Enable the multiauthentication combinations of 802.1X authentication and local web authentication (CLI)

Configure multiauthentication by combining 802.1X authentication and local web authentication (LWA) on the device using CLI commands.

Use this procedure when you want to allow users to authenticate through both 802.1X and browser-based local web authentication. This is commonly needed for networks supporting multiple authentication types on a single interface.

Before you begin

Ensure that you have working knowledge of multiauthentication concepts, LWA (consent), and AAA override.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Create the webauth parameter map and enter parameter-map configuration mode.

Example:

Device(config)# parameter-map type webauth parameter-map1

Step 3

Configure the type as consent.

Example:

Device(config-params-parameter-map)# type consent

Step 4

Enable the policy activation mode that merges the consent policy with the previously applied policy, using the [no] consent {activation-mode merge | email} command.

Example:

Device(config-params-parameter-map)# consent activation-mode merge

Run the no form of this command to disable the feature.


Multiauthentication combining 802.1X authentication and local web authentication is enabled on the device.

Verify multiauthentication combination with 802.1X authentication and local web authentication

To verify the multiauthentication combination with 802.1X authentication and LWA, run the command:

Device# show parameter-map type webauth lwa-consent
Parameter Map Name               : lwa_consent
  Banner Title                   : Consent Title
  Banner Text                    : Please accept the consent
  Type                           : consent
  Auth-proxy Init State time     : 300 sec
  Webauth max-http connection    : 200
  Webauth logout-window          : Enabled
  Webauth success-window         : Enabled
  Consent Email                  : Disabled
  Activation Mode                : Merge
  Sleeping-Client                : Disabled
  Webauth login-auth-bypass:

Device