Web-based authentication

When a client connects to a port that has web-based authentication enabled, communication is redirected to the switch. The switch assigns a temporary IP address and presents a login screen where the client enters their user name and password.

The default User Login screen is shown in the figure "Default User Login screen". You can also prepare customized web pages to use for web-based authentication login and present them to clients who try to connect to the network; see "Customizing user login web pages".

Default User Login screen

When a client connects to the switch, it sends a DHCP request to receive an IP address to connect to the network. To avoid address conflicts in a secure network, you can specify a temporary IP address pool to be used by DHCP by configuring the dhcp-addr and dhcp-lease options when you enable web-based authentication with the aaa port-access web-based command.

The Secure Sockets Layer (SSLv3/TLSv1) feature provides remote web-based access to the network through authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS. If you have enabled SSL on the switch, you can specify the ssl-login option when you configure web-based authentication so that clients who log in to specified ports are redirected to a secure login page (https://...) to enter their credentials.

The switch passes the supplied user name and password to the RADIUS server for authentication and displays the following progress message:

Progress message during authentication

If the client is authenticated and the maximum number of clients allowed on the port (client-limit) has not been reached, the port is assigned to a static, untagged VLAN for network access. After a successful login, a client can be redirected to a URL if you specify a URL value (redirect-url) when you configure web-based authentication.

Authentication completed