Information About Web-Based Authentication
You can configure web-based authentication on Layer 2 and Layer 3 interfaces.
Note
When you initiate an HTTP session, web-based authentication intercepts ingress HTTP packets from the host
and sends an HTML login page to the users. The users enter their credentials, which the web-based
authentication feature sends to the authentication, authorization, and accounting (AAA) server for authentication.
If authentication succeeds, web-based authentication sends a Login-Successful HTML page to the host and
applies the access policies returned by the AAA server.
If authentication fails, web-based authentication forwards a Login-Fail HTML page to the user, prompting
the user to retry the login. If the user exceeds the maximum number of attempts, web-based authentication
forwards a Login-Expired HTML page to the host, and the user is placed on a watch list for a waiting period.
HTTPS traffic interception for central web authentication redirect is not supported.
Note
You should use global parameter-map (for method-type, custom, and redirect) only for using the same
Note
web authentication methods like consent, web consent, and webauth, for all the clients and SSIDs. This
ensures that all the clients have the same web-authentication method.
If the requirement is to use Consent for one SSID and Web-authentication for another SSID, then you
should use two named parameter-maps. You should configure Consent in first parameter-map and configure
webauth in second parameter-map.
Device Roles
With web-based authentication, the devices in the network have these specific roles:
• Client—The device (workstation) that requests access to the LAN and the services and responds to
requests from the switch. The workstation must be running an HTML browser with Java Script enabled.
• Authentication server—Authenticates the client. The authentication server validates the identity of the
client and notifies the switch that the client is authorized to access the LAN and the switch services or
that the client is denied.
• Switch—Controls the physical access to the network based on the authentication status of the client. The
switch acts as an intermediary (proxy) between the client and the authentication server, requesting
identity information from the client, verifying that information with the authentication server, and relaying
a response to the client.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1416