Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 42 Configuring Web-Based Proxy Authentication
Understanding How Web-Based Proxy Authentication Works
Host (Supplicant)—Once you enable web-based proxy authentication, the host can request access to the
LAN and switch services and respond to requests from the switch.
Switch—The network access device (NAD), or the Catalyst 6500 series switch, hosts all the HTML
pages when the host is connected to the switch port that is enabled for web-based authentication. The
login web page can instead be hosted on an external web server. When the host receives an IP address, the web
browser is opened. When an HTTP packet is intercepted, the switch redirects the client to the
external login web page URL, and the client downloads the login page directly from the external web
server. If an external login page is not configured, a default login page is sent.
The credentials, which include the username, password, and any other options, are input at the host. The
host then submits the page. The Catalyst 6500 series switch intercepts this HTTP POST request,
establishes the connection, and retrieves the POST request. Once the POST request is retrieved, the
Catalyst 6500 series switch processes the web page and extracts the credentials.
Authentication server—The server validates the identity of the host and notifies the switch if the host is
authorized to access the LAN and switch services. Because the switch acts as the proxy, the
authentication service is transparent to the host. The Remote Authentication Dial-In User Service
(RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only
supported authentication server; it is available in Cisco Secure Access Control Server version 3.0.
RADIUS operates in a client/server model in which secure authentication information is exchanged
between the RADIUS server and one or more RADIUS clients.
Authentication Initiation and Message Exchange
The host is connected to the switch port that needs to perform web authentication. When the host
receives an IP address, a web browser is opened. When an HTTP packet is intercepted, the network
access device (NAD) establishes the TCP connection with the host and sends the login page if it is stored
locally on the switch, or redirects the client to the external login page URL so
that the client downloads the login page directly from the external web server.
You can enter the credentials including the username, the password, and any other options and submit
the page from the host. The NAD intercepts this information, establishes a connection, and retrieves the
request. The NAD then processes the web page information and extracts the credentials, which are
authenticated using an external AAA server (RADIUS). Based on the results of the authentication, the
NAD sends an authentication success or an authentication failure page to the client as follows:
• If the authentication succeeds, the NAD updates the policy-based ACLs (PBACLs) with the new policy
groups that are received from RADIUS for this host. The NAD then redirects the client to the URL that
the client initially tried to access.
• If the authentication fails, the NAD sends a login-fail web page to the host that shows the login failure
and the input fields. If an external login-fail page is specified, the NAD redirects the client to the
location of the login-fail page.
If the login or login-fail page points to an external web server, then the default policy allows HTTP
access to this web server even before the host is authenticated.
Note
If the default policy does not allow HTTP access to the external pages, the client cannot download these
web pages and web-based proxy authentication does not work.
The login/login-fail page contains the same variable names and types for the username, passwords, and
any other fields that the NAD is programmed to process. A default page is used in the absence of a
configured login file on the NAD.
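The exchange described in this section, as an added example that is not part of the guide and not Cisco code: a small Python model of the NAD's proxy behaviour that intercepts the host's first HTTP request, serves or redirects to the login page, extracts the posted credentials, consults an AAA stand-in, and on success records the policy groups and redirects the host to its original URL. The RADIUS server is a constructed in-memory table, the URLs and page bodies are made up, and the `config_is_consistent` check encodes the Note above (external pages must be reachable under the default policy); none of these names come from the guide.

```python
"""Model of web-based proxy authentication on a NAD (added example, not Cisco code).
The RADIUS server is a constructed in-memory table; URLs and pages are made up."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed configuration values (assumptions, not values from the guide).
EXTERNAL_LOGIN_URL = "http://login.example.test/login.html"
EXTERNAL_LOGIN_FAIL_URL = "http://login.example.test/fail.html"
DEFAULT_LOGIN_PAGE = "<form method=POST>username/password form</form>"
DEFAULT_LOGIN_FAIL_PAGE = "<p>Login failed</p>" + DEFAULT_LOGIN_PAGE

# Constructed stand-in for the AAA server: username -> (password, policy groups).
RADIUS_USERS = {"alice": ("s3cret", ["employees"])}


def radius_authenticate(username: str, password: str):
    """Return (accepted, policy_groups). A real NAD sends a RADIUS Access-Request."""
    entry = RADIUS_USERS.get(username)
    if entry is None or entry[0] != password:
        return False, []
    return True, list(entry[1])


@dataclass
class Host:
    """Per-port state the NAD keeps for one supplicant."""
    authenticated: bool = False
    policy_groups: list = field(default_factory=list)   # PBACL groups from RADIUS
    original_url: Optional[str] = None                  # URL first requested


@dataclass
class HttpResponse:
    status: int
    location: Optional[str] = None   # set on 302 redirects
    body: str = ""


class NAD:
    def __init__(self, external_login=None, external_fail=None, default_policy_hosts=()):
        self.external_login = external_login
        self.external_fail = external_fail
        # Web servers the default (pre-authentication) policy permits HTTP to.
        self.default_policy_hosts = set(default_policy_hosts)

    def config_is_consistent(self) -> bool:
        """External login/login-fail pages must be reachable under the default
        policy, otherwise an unauthenticated client can never download them."""
        for url in (self.external_login, self.external_fail):
            if url and urlsplit(url).hostname not in self.default_policy_hosts:
                return False
        return True

    def intercept(self, host: Host, method: str, url: str, body: str = "") -> HttpResponse:
        """Handle one HTTP request from the host on a web-auth enabled port."""
        if host.authenticated:
            return HttpResponse(200, body="forwarded")       # PBACLs now govern access
        if method == "GET":
            if urlsplit(url).hostname in self.default_policy_hosts:
                return HttpResponse(200, body="forwarded")   # e.g. fetching the login page
            host.original_url = url                          # remembered for the final redirect
            if self.external_login:
                return HttpResponse(302, location=self.external_login)
            return HttpResponse(200, body=DEFAULT_LOGIN_PAGE)
        if method == "POST":
            # Extract the credentials from the submitted form; field names must
            # match those the NAD is programmed to process.
            fields = parse_qs(body)
            username = fields.get("username", [""])[0]
            password = fields.get("password", [""])[0]
            accepted, groups = radius_authenticate(username, password)
            if accepted:
                host.authenticated = True
                host.policy_groups = groups
                return HttpResponse(302, location=host.original_url or "/")
            if self.external_fail:
                return HttpResponse(302, location=self.external_fail)
            return HttpResponse(200, body=DEFAULT_LOGIN_FAIL_PAGE)
        return HttpResponse(405)
```

Walking a `Host` through `intercept` with a GET, a failed POST and a successful POST reproduces the redirect sequence in the text; building a `NAD` with an external login URL but no matching entry in `default_policy_hosts` makes `config_is_consistent` return `False`, which is the misconfiguration the Note warns about.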