Configuring web-based authentication
Preparation for web-based authentication
If you have not already done so, configure a local user name and password pair on the switch.
Identify or create a redirect URL for use by authenticated clients. Hewlett Packard Enterprise recommends that you provide a redirect URL when using web authentication. If a redirect URL is not specified, web browser behavior following authentication may not be acceptable.
If you plan to use multiple VLANs with web authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made. Confirm that the VLAN used by authorized clients can access the redirect URL.
From the switch console, ping the RADIUS server you have configured to support web-based authentication, to ensure that the switch can communicate with it.
Configure the switch with the correct IP address and encryption key to access the RADIUS server.
(Optional) To use SSL encryption for web-based authentication login, configure and enable SSL on the switch.
Enable web-based authentication on the switch ports you want to use.
Configure the optional settings that you want to use for web-based authentication; for example:
To avoid address conflicts in a secure network, configure the base IP address and mask to be used by the switch for temporary DHCP addresses. You can also set the lease length for these temporary IP addresses.
To use SSL encryption for web-based authentication login, configure the SSL option.
To redirect authorized clients to a specified URL, configure the Redirect URL option.
Configure how web-based authenticator ports transmit traffic before they successfully authenticate a client and enter the authenticated state:
You can block incoming and outgoing traffic on a port before authentication occurs.
You can block only incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web-based authentication. For example, Wake-on-LAN traffic is transmitted on a web-based authenticated egress port that has not yet transitioned to the authenticated state.
Test both authorized and unauthorized access to your system to ensure that web authentication works properly on the ports you have configured for port-access using web authentication.
NOTE: Client web browsers may not use a proxy server to access the network.
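The preparation steps above, carried out as one switch configuration. This is an added worked example, not a listing from the guide: the port range 1-8, uplink port 24, VLAN 200, the addresses, and the shared secret are placeholders. The dhcp-addr, dhcp-lease, and ssl-login keywords, the password manager, crypto/web-management SSL, and spanning-tree admin-edge-port commands are taken from the switch's command set rather than from this page, so confirm their exact form for your software version. Lines beginning with ";" are annotations in the style of a saved configuration, not commands.

```text
; Step 1: local manager credentials (the switch prompts for the password)
password manager user-name admin

; Step 2: VLAN for authorized clients; the redirect server is reachable in VLAN 200
vlan 200
   name "WebAuth-Authorized"
   tagged 24
   exit

; Step 3: confirm the switch can reach the RADIUS server
ping 10.10.20.5

; Step 4: RADIUS server address and shared secret (must match the server's key)
radius-server host 10.10.20.5 key "<shared-secret>"

; Step 5 (optional): SSL for the login page. Generate or install the switch
; certificate first (see the SSL chapter of this guide), then:
web-management ssl
aaa port-access web-based 1-8 ssl-login

; Step 6: enable web-based authentication on the client-facing ports
aaa port-access web-based 1-8

; Step 7: optional settings
; temporary DHCP pool handed to unauthenticated clients; pick a range that
; cannot collide with addresses in use on the secure network
aaa port-access web-based 1-8 dhcp-addr 192.168.0.0/255.255.255.0
aaa port-access web-based 1-8 dhcp-lease 10
aaa port-access web-based 1-8 redirect-url http://welcome-server/welcome.htm
aaa port-access web-based 1-8 auth-vid 200
aaa port-access web-based 1-8 client-limit 4
aaa port-access web-based 1-8 logoff-period 600
aaa port-access web-based 1-8 server-timeout 30

; Step 8: traffic before authentication. The default blocks both directions.
; Allowing egress (for Wake-on-LAN) requires RSTP/MSTP and an edge port:
;   spanning-tree
;   spanning-tree 1-8 admin-edge-port
;   aaa port-access 1-8 controlled-directions in
aaa port-access 1-8 controlled-directions both

; Step 9: verify, then test with an authorized and an unauthorized client
show port-access web-based config
show port-access web-based clients
```

The controlled-directions setting is left at both on purpose: switch it to in only on ports that actually need pre-authentication egress, because frames with unknown destinations are then flooded to a port on which nobody has authenticated.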
Configuration commands for web-based authentication
Controlled directions
Syntax
aaa port-access <port-list> controlled-directions <both | in>
After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-directions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.
both (default): Incoming and outgoing traffic is blocked on a port configured for web-based authentication before authentication occurs.
in: Incoming traffic is blocked on a port configured for web-based authentication before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web-based authentication.
Prerequisites
As implemented in 802.1X authentication, the disabling of incoming traffic and transmission of outgoing traffic on a web-based authenticated egress port in an unauthenticated state (using the aaa port-access controlled-directions in command) is supported only if:
The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.
The port is configured as an edge port in the network using the spanning-tree edge-port command.
For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see “Multiple Instance Spanning-Tree Operation” in the advanced traffic management guide for your switch.
To display the currently configured controlled directions value for web-based authenticated ports, enter the show port-access web-based config command.
The aaa port-access controlled-directions in command allows Wake-on-LAN traffic to be transmitted on a web-based authenticated egress port that has not yet transitioned to the authenticated state; the controlled-directions both setting prevents Wake-on-LAN traffic from being transmitted on a web-based authenticated egress port until authentication occurs. The Wake-on-LAN feature is used by network administrators to remotely power on a sleeping workstation (for example, during early morning hours to perform routine maintenance operations, such as patch management and software updates).
Using the aaa port-access controlled-directions in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features:
802.1X authentication
MAC authentication
Web-based authentication
Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-directions command is applied to all authentication methods configured on the switch. For information about how to configure and use 802.1X authentication, see Port-Based and User-Based Access Control (802.1X).
When a web-based authenticated port is configured with the controlled-directions in setting, eavesdrop prevention is not supported on the port: frames with unknown destination addresses are flooded to the port even though no client has authenticated on it.
Specifying the VLAN
Syntax
aaa port-access web-based <port-list> [auth-vid <vid>]
[no] aaa port-access web-based <port-list> [auth-vid <vid>]
Specifies the VLAN to use for an authorized client. The RADIUS server can override the value (when its accept response includes a VID). If auth-vid is 0, no VLAN changes occur unless the RADIUS server supplies one. Use the no form of the command to set the auth-vid to 0. (Default: 0.)
Maximum authenticated clients
Syntax
aaa port-access web-based <port-list> [client-limit <1-256>]
Specifies the maximum number of authenticated clients to allow on the port. (Default: 1)
NOTE: On switches where web-based authentication and 802.1X can operate concurrently, this limit includes the total number of clients authenticated through both methods. The limit of 256 clients only applies when there are fewer than 16,384 authenticated clients on the entire switch. After the limit of 16,384 clients is reached, no additional authenticated clients are allowed on any port for any method.
Configuring the web server connection
Syntax
aaa port-access web-based [ewa-server <ipv4-addr | hostname> [<page-path>]]
Configures a connection with the web server at the specified IPv4 address (ipv4-addr) or host name (hostname) on which customized login web pages used for web authentication are stored. A maximum of 3 web servers can be configured on the switch.
The optional <page-path> parameter defines the directory path on the server where all customized login web pages (graphics, HTML frames, and HTML files) are stored. (Default: The default <page-path> value is “/”, the root directory. If the web server is also used for other purposes, you may wish to group the HTML files in their own directory, for example in “/EWA/”.)
Specifying the logoff period
Syntax
aaa port-access web-based <port-list> [logoff-period <60-9999999>]
Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity from the client for a logoff-period interval, the client is returned to its pre-authentication state. (Default: 300 seconds)
Specifying the redirect URL
Syntax
aaa port-access web-based <port-list> [redirect-url <url>]
[no] aaa port-access web-based <port-list> [redirect-url]
Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL can be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. Hewlett Packard Enterprise recommends that you provide a redirect URL when using web authentication.
NOTE: The redirect-url command accepts only the first 103 characters of the allowed 127 characters.
Use the no form of the command to remove a specified redirect URL. (Default: There is no default URL. Browser behavior for authenticated clients may not be acceptable.)
Specifying the server timeout
Syntax
aaa port-access web-based <port-list> [server-timeout <1-300>]
Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depending on the current max-requests value, the switch sends a new attempt or ends the authentication session. (Default: 30 seconds)
Configuring the RADIUS server to support MAC authentication
On the RADIUS server, configure the client device authentication in the same way that you would any other client, except:
Configure the client device’s (hexadecimal) MAC address as both user name and password. Be careful to configure the switch to use the same format that the RADIUS server uses; otherwise, the server denies access. The switch provides the following format options:
aabbccddeeff (the default format)
aabbcc-ddeeff
aa-bb-cc-dd-ee-ff
aa:bb:cc:dd:ee:ff
AABBCCDDEEFF
AABBCC-DDEEFF
AA-BB-CC-DD-EE-FF
AA:BB:CC:DD:EE:FF
If the device is a switch or other VLAN capable device, use the base MAC address assigned to the device, and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch. The switch applies a single MAC address to all VLANs configured in the switch. Thus, for a given switch, the MAC address is the same for all VLANs configured on the switch. (See “Static Virtual LANs (VLANs)” in the advanced traffic management guide for your switch.)
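The switch-side format setting and the matching RADIUS entry, as an added example rather than text from the guide. The aaa port-access mac-based addr-format command is the switch's MAC-authentication format selector and is not described on this page; the RADIUS side is written in FreeRADIUS users-file syntax, an assumed server product; the MAC address, ports, and VLAN are placeholders.

```text
; ---- Switch: MAC authentication on ports 9-16, format changed from the
; ---- default (aabbccddeeff) to lowercase colon-separated
aaa port-access mac-based 9-16
aaa port-access mac-based addr-format multi-colon

# ---- RADIUS server (FreeRADIUS "users" file): user name and password are
# ---- the client MAC, written exactly as the switch now sends it. The reply
# ---- attributes place the client in VLAN 200, overriding the port's auth-vid.
00:1b:21:3c:4d:5e   Cleartext-Password := "00:1b:21:3c:4d:5e"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "200"

# ---- Mismatch to avoid: a switch left at the default format sends the user
# ---- name 001b213c4d5e, which never matches the entry above, so the server
# ---- denies access even though the client is the intended device.
```

For a switch or other VLAN-capable client, the MAC in the users entry must be the device's base MAC address, as the paragraph above states, not one learned on a particular VLAN.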
Configuring the switch to access a RADIUS server
Configuring a RADIUS server to support web-based authentication and MAC authentication requires the following minimal commands.
(See RADIUS Authentication, Authorization, and Accounting for information on other RADIUS command options.)
Syntax
[no] radius-server host <ip-address> [oobm]
Adds a server to the RADIUS configuration or, when no is used, deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (See RADIUS Authentication, Authorization, and Accounting.)
oobm
For switches that have a separate out-of-band management port, the oobm parameter specifies that the RADIUS traffic goes through the out-of-band management (OOBM) port.
radius-server key <global-key-string>
Specifies the global encryption key (the RADIUS shared secret) the switch uses with servers for which the switch does not have a server-specific key assignment (below). This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. The tilde (~) character is allowed in the string, for example, radius-server key hp~switch. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
(Default: Null.)
NOTE: For the 3800, 5400zl, and 8200zl switches, when the switch is in enhanced secure mode, commands that take a secret key as a parameter replace the echo of the typed secret with asterisks. The input for <key-string> is prompted for interactively. See Secure Mode (3800, 3810, 5400zl, and 8200zl Switches).
Syntax
radius-server host <ip-address> key <server-specific key-string>
[no] radius-server host <ip-address> key
Optional. Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than the global encryption key configured above. The tilde (~) character is allowed in the string. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.
The no form of the command removes the key configured for a specific server, after which the switch uses the global key for that server.
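How the global key and a server-specific key combine, as an added example that is not a listing from the guide. The addresses and secrets are placeholders; show radius is the switch's RADIUS display command and is not described on this page.

```text
; Global key: used with every server that has no key of its own
radius-server key "<global-secret>"

; First server uses the global key and is reached through the OOBM port
radius-server host 10.10.20.5 oobm

; Second server was provisioned with a different secret, so it gets its own
; key; the switch tries servers in order and uses the first one it reaches
radius-server host 10.10.20.6 key "<server2-secret>"

; Either revert the second server to the global key ...
no radius-server host 10.10.20.6 key
; ... or remove it from the configuration entirely
no radius-server host 10.10.20.6

; Confirm which servers are configured and whether each has its own key
show radius
```

Keep the two secrets distinct in your records: a server whose own key is removed silently falls back to the global key, and if that does not match what the server expects, authentication fails for every client on ports that use that server.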