Web-based authentication

When a client connects to a port that has web-based authentication enabled, communication is redirected to the switch. The switch assigns a temporary IP address and presents a login screen where the client enters a username and password.

The default user login screen is shown in the figure "Default user login screen".

Figure: Default user login screen

When a client connects to the switch, it sends a DHCP request to receive an IP address to connect to the network. To avoid address conflicts in a secure network, you can specify a temporary IP address pool to be used by DHCP by configuring the dhcp-addr and dhcp-lease options when you enable web-based authentication with the aaa port-access web-based command.

The Secure Sockets Layer (SSLv3/TLSv1) feature provides remote web-based access to the network through authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS. If you have enabled SSL on the switch, you can specify the ssl-login option when you configure web-based authentication so that clients who log in to specified ports are redirected to a secure login page (https://...) to enter their credentials.

The switch passes the supplied username and password to the RADIUS server for authentication and displays the following progress message:

Figure: Progress message during authentication

If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. After a successful login, a client can be redirected to a URL if you specify a URL value (redirect-url) when you configure web-based authentication.

Figure: Authentication completed
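The options named above (dhcp-addr, dhcp-lease, ssl-login, client-limit, redirect-url) combined into one configuration, as an added example that is not taken from the original page. The port list, address pool, lease, limit and URL are constructed values, and the command layout is assumed from the switch CLI; confirm it with the CLI help for your software version.

```text
; Added example. Port list 1-4, the 192.168.50.0 pool, the lease, the limit
; and the URL are constructed values; the syntax is an assumption to verify
; against your switch's software version.

; Temporary address pool and lease (in seconds) that the switch's DHCP hands
; to clients that have not authenticated yet. A dedicated pool keeps these
; addresses from colliding with production subnets.
aaa port-access web-based dhcp-addr 192.168.50.0/255.255.255.0
aaa port-access web-based dhcp-lease 10

; Enable web-based authentication on the ports.
aaa port-access web-based 1-4

; Redirect clients to the HTTPS login page so credentials are not sent in
; clear text. SSL must already be enabled on the switch.
aaa port-access web-based 1-4 ssl-login

; Allow at most two authenticated clients per port.
aaa port-access web-based 1-4 client-limit 2

; Send the client here after a successful login.
aaa port-access web-based 1-4 redirect-url "https://intranet.example.com/"
```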