Restrictions and guidelines: Web authentication configuration
To access the resources in the authorization or Auth-Fail VLAN, a user must update the IP address of the client after being assigned to the authorization or Auth-Fail VLAN.
The device supports the following types of authorization ACLs:
Basic ACLs (ACL 2000 to ACL 2999).
Advanced ACLs (ACL 3000 to ACL 3999).
Layer 2 ACLs (ACL 4000 to ACL 4999).
For an authorization ACL to take effect, make sure the following requirements are met:
The ACL exists and has ACL rules.
Basic ACL rules do not have the fragment or vpn-instance keyword configured.
Layer 2 ACL rules do not have the cos, dest-mac, lsap, or source-mac keyword configured.
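The following Python check is an added example, not code from the device documentation: it applies the requirements above to configuration text and reports why a given ACL would not take effect as an authorization ACL. The ACL header forms it parses ("acl basic 2000", "acl number 2000", "acl 2000"), the function names, and the sample configuration are assumptions constructed for illustration.

```python
import re

# Keywords the page says must not appear in authorization ACL rules, per ACL type.
ACL_TYPES = [
    ("basic", range(2000, 3000), {"fragment", "vpn-instance"}),
    ("advanced", range(3000, 4000), set()),
    ("Layer 2", range(4000, 5000), {"cos", "dest-mac", "lsap", "source-mac"}),
]
# Assumed header forms: "acl basic 2000", "acl number 2000", "acl 2000".
ACL_HEADER = re.compile(r"^acl\s+(?:\S+\s+)?(\d+)\b")

# Constructed sample configuration (not taken from the page).
SAMPLE = """\
acl basic 2000
 rule 0 permit source 192.168.10.0 0.0.0.255
acl basic 2001
 rule 0 permit source 192.168.20.0 0.0.0.255 fragment
acl advanced 3000
acl mac 4000
 rule 5 permit source-mac 0011-2233-4455 ffff-ffff-ffff
"""

def parse_acls(config):
    """Map each ACL number to the list of its rule lines."""
    acls, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        header = ACL_HEADER.match(line)
        if header:
            current = int(header.group(1))
            acls.setdefault(current, [])
        elif line.startswith("rule ") and current is not None:
            acls[current].append(line)
    return acls

def check_authorization_acl(config, number):
    """Return the reasons ACL `number` would not take effect (empty list = OK)."""
    kind = next((t for t in ACL_TYPES if number in t[1]), None)
    if kind is None:
        return [f"ACL {number} is not a basic, advanced, or Layer 2 ACL"]
    rules = parse_acls(config).get(number)
    if rules is None:
        return [f"ACL {number} does not exist"]
    if not rules:
        return [f"ACL {number} has no rules"]
    name, _, banned = kind
    return [f"{name} ACL {number}: '{rule}' uses {', '.join(sorted(banned & set(rule.split())))}"
            for rule in rules if banned & set(rule.split())]
```

Run it against an exported configuration for every ACL number the authentication server can assign; an empty list means the ACL passes all of the requirements listed above.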
As a best practice, perform Web authentication on users directly connected to the device. As shown in Figure 88, if you enable Web authentication on Port B to authenticate non-directly connected users (the hosts), you must follow these restrictions and guidelines:
If the RADIUS server assigns an authorization VLAN to the users, make sure the following conditions are met:
The link between Device A and Device B is a trunk link.
The PVIDs of Port A1 and Port B are the same as the authorization VLAN ID.
If the RADIUS server does not assign an authorization VLAN to the users, make sure the PVIDs of Port A1 and Port B are the same.
Figure 88: Web authentication for non-directly connected users