Configuring web-based authentication

Preparation for web-based authentication

  1. If you have not already done so, configure a local user name and password pair on the switch.

  2. Identify or create a redirect URL for use by authenticated clients. Hewlett Packard Enterprise recommends that you provide a redirect URL when using web authentication. If a redirect URL is not specified, web browser behavior following authentication can not be acceptable.

  3. If you plan to use multiple VLANs with web authentication, ensure that these VLANs are configured on the switch and that the appropriate port assignments have been made. Confirm that the VLAN used by authorized clients can access the redirect URL.

  4. Ping the switch console interface to ensure that the switch can communicate with the RADIUS server you have configured to support web-based authentication on the switch.

  5. Configure the switch with the correct IP address and encryption key to access the RADIUS server.

  6. (Optional) To use SSL encryption for web-based authentication login, configure and enable SSL on the switch.

  7. Enable web-based authentication on the switch ports you want to use.

  8. Configure the optional settings that you want to use for web-based authentication; for example:

    • To avoid address conflicts in a secure network, configure the base IP address and mask to be used by the switch for temporary DHCP addresses. You can also set the lease length for these temporary IP addresses.

    • To use SSL encryption for web-based authentication login, configure the SSL option.

    • To redirect authorized clients to a specified URL, configure the Redirect URL option.

  9. Configure how web-based authenticator ports transmit traffic before they successfully authenticate a client and enter the authenticated state:

    • You can block incoming and outgoing traffic on a port before authentication occurs.

    • You can block only incoming traffic on a port before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web-based authentication. For example, Wake-on-LAN traffic is transmitted on a web-based authenticated egress port that has not yet transitioned to the authenticated state.

  10. Test both authorized and unauthorized access to your system to ensure that web authentication works properly on the ports you have configured for port-access using web authentication.



NOTE: Client web browsers can not use a proxy server to access the network.


Configuration commands for web-based authentication

Controlled directions

Syntax
aaa port-access <port-list> controlled-directions < both | in >

After you enable web-based authentication on specified ports, you can use the aaa port-access controlled-directions command to configure how a port transmits traffic before it successfully authenticates a client and enters the authenticated state.

both

(default): Incoming and outgoing traffic is blocked on a port configured for web-based authentication before authentication occurs.

in

Incoming traffic is blocked on a port configured for web-based authentication before authentication occurs. Outgoing traffic with unknown destination addresses is flooded on unauthenticated ports configured for web-based authentication.

Prerequisites

As implemented in 802.1X authentication, the disabling of incoming traffic and transmission of outgoing traffic on a web-based authenticated egress port in an unauthenticated state (using the aaa port-access controlled-directions in command) is supported only if:

  • The 802.1s Multiple Spanning Tree Protocol (MSTP) or 802.1w Rapid Spanning Tree Protocol (RSTP) is enabled on the switch. MSTP and RSTP improve resource utilization while maintaining a loop-free network.

  • The port is configured as an edge port in the network using the spanning-tree edge-port command.

  • For information on how to configure the prerequisites for using the aaa port-access controlled-directions in command, see “Multiple Instance Spanning-Tree Operation” in the advanced traffic management guide for your switch.

  • To display the currently configured controlled directions value for web-based authenticated ports, enter the show port-access web-based config command.

  • The aaa port-access controlled-directions in command allows Wake-on-LAN traffic to be transmitted on a web-based authenticated egress port that has not yet transitioned to the authenticated state; the controlled-directions both setting prevents Wake-on-LAN traffic from being transmitted on a web-based authenticated egress port until authentication occurs. The Wake-on-LAN feature is used by network administrators to remotely power on a sleeping workstation (for example, during early morning hours to perform routine maintenance operations, such as patch management and software updates).

  • Using the aaa port-access controlled-directions in command, you can enable the transmission of Wake-on-LAN traffic on unauthenticated egress ports that are configured for any of the following port-based security features:

    • 802.1X authentication

    • MAC authentication

    • Web-based authentication

    Because a port can be configured for more than one type of authentication to protect the switch from unauthorized access, the last setting you configure with the aaa port-access controlled-directions command is applied to all authentication methods configured on the switch. For information about how to configure and use 802.1X authentication, see Port-Based and User-Based Access Control (802.1X).

  • When a web-based authenticated port is configured with the controlled-directions in setting, eavesdrop prevention is not supported on the port.

Enabling or disabling web-based authentication

Syntax
[no] aaa port-access web-based <port-list>

Enables web-based authentication on the specified ports. Use the no form of the command to disable web-based authentication on the specified ports.

Specifying the VLAN

Syntax
aaa port-access web-based <port-list> [auth-vid <vid>]
[no] aaa port-access web-based <port-list> [auth-vid <vid>]

Specifies the VLAN to use for an authorized client. The RADIUS server can override the value (the accept response includes a VID). If auth-vid is 0, no VLAN changes occur unless the RADIUS server supplies one.

Use the no form of the command to set the auth-vid to 0. (Default: 0.)

Clearing statistics

Syntax
aaa port-access web-based [clear-statistics]

Clears (resets to 0) all counters used to monitor the CEI, HTTP, and web-based authenticated control traffic generated in a web-based authentication session. (To display Web-Auth traffic statistics, enter the show port-access web-based statistics command.)

Maximum authenticated clients

Syntax
aaa port-access web-based <port-list> [client-limit <1-256>]

Specifies the maximum number of authenticated clients to allow on the port. (Default: 1)



NOTE: On switches where web-based authentication and 802.1X can operate concurrently, this limit includes the total number of clients authenticated through both methods. The limit of 256 clients only applies when there are fewer than 16,384 authentication clients on the entire switch. After the limit of 16,384 clients is reached, no additional authentication clients are allowed on any port for any method.


Specifying the base address

Syntax
aaa port-access web-based [dhcp-addr <ip-address/mask>]

Specifies the base address/mask for the temporary IP pool used by DHCP. The base address can be any valid IP address (not a multicast address). Valid mask range value is <255.255.240.0 - 255.255.255.0>. (Default: 192.168.0.0/255.255.255.0)

Specifying the lease length

Syntax
aaa port-access web-based [dhcp-lease <5-25>]

Specifies the lease length, in seconds, of the temporary IP address issued for Web-Auth login purposes. (Default: 10 seconds)

Configuring the web server connection

Syntax
aaa port-access web-based [ewa-server < ipv4-addr | hostname > [ <page-path> ]]

Configures a connection with the web server at the specified IPv4 address (ipv4-addr) or host name (hostname) on which customized login web pages used for web authentication are stored. A maximum of 3 web servers can be configured on the switch.

The optional <page-path> parameter defines the directory path on the server where all customized login web pages (graphics, HTML frames, and HTML files) are stored. (Default: The default <page-path> value is “/” for the root directory. If the web server is also used for other purposes, you may wish to group the HTML files in their own directory, for example in “/EWA/”.)

Adding web servers with the aaa port-access web-based ewa-server command

Removing a web server with the aaa port-access web-based ewa-server command

Specifying the period

Syntax
aaa port-access web-based <port-list> [logoff-period <60-9999999>]

Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre-authentication state. (Default: 300 seconds)

Specifying the number of authentication attempts

Syntax
aaa port-access web-based <port-list> [max-requests <1-10>]

Specifies the number of authentication attempts that must time-out before authentication fails. (Default: 2)

Specifying maximum retries

Syntax
aaa port-access web-based <port-list> [max-retries <1-10>]

Specifies the number of times a client can enter their user name and password before authentication fails. This allows the reentry of the user name and password if necessary. (Default: 3)

Specifying the time period

Syntax
aaa port-access web-based <port-list> [quiet-period <1-65535>]

Specifies the time period (in seconds) the switch uses before sending an authentication request for a client that failed authentication. (Default: 60 seconds)

Specifying the re-authentication period

Syntax
aaa port-access web-based <port-list> [reauth-period <0-9999999>]

Specifies the time period, in seconds, the switch enforces on a client to re-authenticate. When set to 0, reauthentication is disabled. (Default: 300 seconds)

Specifying a forced reauthentication

Syntax
aaa port-access web-based <port-list> [reauthenticate]

Forces a re-authentication of all attached clients on the port.

Specifying the URL

Syntax
aaa port-access web-based <port-list> [redirect-url <url>]
[no] aaa port-access web-based <port-list> [redirect-url]

Specifies the URL that a user is redirected to after a successful login. Any valid, fully-formed URL can be used, for example, http://welcome-server/welcome.htm or http://192.22.17.5. Hewlett Packard Enterprise recommends that you provide a redirect URL when using web authentication.



NOTE: The redirect-url command accepts only the first 103 characters of the allowed 127 characters.


Use the [no] form of the command to remove a specified redirect URL.

(Default: There is no default URL. Browser behavior for authenticated clients may not be acceptable.)

Specifying the timeout

Syntax
aaa port-access web-based <port-list> [server-timeout <1-300>]

Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depending on the current max-requests value, the switch sends a new attempt or ends the authentication session. (Default: 30 seconds)
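The following is an added configuration example that pulls the commands above into one sequence; it is not taken from the HPE guide. Port range A1-A4, VLAN 20, the DHCP pool 10.200.0.0/255.255.255.0, and the redirect URL are constructed values, and the spanning-tree admin-edge-port line is an assumed spelling of what the prerequisites section calls the spanning-tree edge-port command (check the syntax for your platform). Lines beginning with ";" are annotations, not switch commands.

```text
; Added example, not from the HPE guide. Constructed values: ports A1-A4, VLAN 20,
; pool 10.200.0.0/255.255.255.0, redirect URL http://welcome-server/welcome.htm
configure

; Prerequisites for "controlled-directions in": RSTP/MSTP enabled and the ports
; marked as edge ports (edge-port keyword is an assumption for this example).
spanning-tree
spanning-tree A1-A4 admin-edge-port

; Enable web-based authentication on the access ports (step 7)
aaa port-access web-based A1-A4

; Authorized clients land in VLAN 20 unless the RADIUS accept response carries a VID
aaa port-access web-based A1-A4 auth-vid 20

; Redirect after a successful login (recommended; 103-character limit applies)
aaa port-access web-based A1-A4 redirect-url http://welcome-server/welcome.htm

; Allow up to four clients per port instead of the default 1
aaa port-access web-based A1-A4 client-limit 4

; Temporary DHCP pool for the login phase: a base address outside the production
; range avoids address conflicts; lease must be within 5-25 seconds
aaa port-access web-based dhcp-addr 10.200.0.0/255.255.255.0
aaa port-access web-based dhcp-lease 15

; Implicit logoff after 10 minutes of silence, forced re-authentication every hour
aaa port-access web-based A1-A4 logoff-period 600
aaa port-access web-based A1-A4 reauth-period 3600

; Keep the default: block traffic in both directions until the client authenticates.
; Use "in" only if Wake-on-LAN must reach unauthenticated ports; note that eavesdrop
; prevention is not supported with "in".
aaa port-access A1-A4 controlled-directions both

; Verify the result and the counters before testing authorized and unauthorized access
show port-access web-based config
show port-access web-based statistics
```

The switch still needs a reachable RADIUS server with a matching shared secret (the radius-server commands later in this section) before any client can authenticate through these ports.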

Configuring the RADIUS server to support MAC authentication

On the RADIUS server, configure the client device authentication in the same way that you would any other client, except:

  • Configure the client device’s (hexadecimal) MAC address as both user name and password. Be careful to configure the switch to use the same format that the RADIUS server uses. Otherwise, the server denies access. The switch provides the following format options:

    • aabbccddeeff (the default format)

    • aabbcc-ddeeff

    • aa-bb-cc-dd-ee-ff

    • aa:bb:cc:dd:ee:ff

    • AABBCCDDEEFF

    • AABBCC-DDEEFF

    • AA-BB-CC-DD-EE-FF

    • AA:BB:CC:DD:EE:FF

  • If the device is a switch or other VLAN capable device, use the base MAC address assigned to the device, and not the MAC address assigned to the VLAN through which the device communicates with the authenticator switch. The switch applies a single MAC address to all VLANs configured in the switch. Thus, for a given switch, the MAC address is the same for all VLANs configured on the switch. (See “Static Virtual LANs (VLANs)” in the advanced traffic management guide for your switch.)

Configuring the switch to access a RADIUS server

Configuring a RADIUS server to support web-based authentication and MAC authentication requires the following minimal commands.

(See RADIUS Authentication, Authorization, and Accounting for information on other RADIUS command options.)

Syntax

[no] radius-server

Adds a server to the RADIUS configuration or, when [no] is used, deletes a server from the configuration. You can configure up to three RADIUS server addresses. The switch uses the first server it successfully accesses. (See RADIUS Authentication, Authorization, and Accounting).

host <ip-address> [oobm]

For switches that have a separate out-of-band management port, the OOBM parameter specifies that the RADIUS traffic goes through the out-of-band management (OOBM) port.

[key <global-key-string>]

Specifies the global encryption key the switch uses with servers for which the switch does not have a server-specific key assignment (below). This key is optional if all RADIUS server addresses configured in the switch include a server-specific encryption key. The tilde (~) character is allowed in the string, for example, radius-server key hp~switch. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.

(Default: Null.)



NOTE: For the 3800, 5400zl, and 8200zl switches, when the switch is in enhanced secure mode, commands that take a secret key as a parameter have the echo of the secret typing replaced with asterisks. The input for <key-string> is prompted for interactively. See Secure Mode (3800, 3810, 5400zl, and 8200zl Switches).


Syntax

radius-server host <ip-address> key <server-specific key-string>
[no] radius-server host <ip-address> key

Optional

Specifies an encryption key for use during authentication (or accounting) sessions with the specified server. This key must match the encryption key used on the RADIUS server. Use this command only if the specified server requires a different encryption key than configured for the global encryption key, above. The tilde (~) character is allowed in the string. It is not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character.

The [no] form of the command removes the key configured for a specific server.

Configure the switch to access a RADIUS server

To configure the switch to access a RADIUS server at IP address 192.168.32.11 using a server specific shared secret key of ‘1A7rd’:

Configuring a switch to access RADIUS server

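An added example of the command sequence described above (not the guide's own listing): it uses the server address 192.168.32.11 and server-specific key ‘1A7rd’ stated on this page, and shows the global-key and OOBM variants as comments. Lines beginning with ";" are annotations, not switch commands.

```text
; Added example, not from the HPE guide: reach the RADIUS server 192.168.32.11
; with the server-specific shared secret 1A7rd (values from the page).
configure
radius-server host 192.168.32.11 key 1A7rd

; Alternative: a single global key, used for any server without its own key.
; "~" is accepted but is dropped by software versions that do not support it.
; radius-server key hp~switch

; On switches with a separate out-of-band management port, send RADIUS traffic
; over that port instead of the data plane:
; radius-server host 192.168.32.11 oobm

; Preparation step 4: confirm the switch can reach the server, then review the
; RADIUS configuration (the key itself is not displayed in enhanced secure mode)
ping 192.168.32.11
show radius
```

Because the switch uses the first server it successfully accesses, keep the key for each configured server in step with the one stored on that server; a mismatch shows up as denied authentications rather than as a configuration error.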