10-2
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 10 Configuring Web-Based Authentication
Understanding Web-Based Authentication
•
Web Authentication Customizable Web Pages, page 10-6
•
Web-based Authentication Interactions with Other Features, page 10-7
Device Roles
With web-based authentication, the devices in the network have these specific roles:
•
Client
—The device (workstation) that requests access to the LAN and the services and responds to
requests from the switch. The workstation must be running an HTML browser with Java Script
enabled.
•
Authentication server
—Authenticates the client. The authentication server validates the identity of
the client and notifies the switch that the client is authorized to access the LAN and the switch
services or that the client is denied.
•
Switch
—Controls the physical access to the network based on the authentication status of the client.
The switch acts as an intermediary (proxy) between the client and the authentication server,
requesting identity information from the client, verifying that information with the authentication
server, and relaying a response to the client.
shows the roles of these devices in a network:
Figure 10-1
Web-Based Authentication Device Roles
Host Detection
The switch maintains an IP device tracking table to store information about detected hosts.
Note
By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking
feature to use web-based authentication.
For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms:
•
ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static
IP address or a dynamic IP address.
•
Dynamic ARP inspection
•
DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding
entry for the host.
Workstations
(clients)
Catalyst switch
or
Cisco Router
Authentication
server
(RADIUS)
79549