Web authentication using the local authentication server
Network requirements
As shown in Figure 167, the host is connected to the device through GigabitEthernet 1/0/1.
Configure Web authentication to meet the following requirements:
The device performs local Web authentication on users that access the network through GigabitEthernet 1/0/1.
The device pushes customized Web authentication pages to users and uses HTTP to transfer the authentication data.
Figure 166: Network diagram
Configuration prerequisites
Assign IP addresses to the host and the device as shown in Figure 167, and make sure the host and the device can reach each other.
Customize the authentication pages, compress them to a file, and upload the file to the root directory of the storage medium of the switch. In this example, the file is abc.zip.
Configuration procedure
Create VLANs, assign IP addresses to the VLAN interfaces, and assign interfaces to the VLANs. (Details not shown.)
Configure a local user:
# Create a local network access user named localuser.
<Device> system-view
[Device] local-user localuser class network
# Set the password to localpass in plaintext form for user localuser.
[Device-luser-network-localuser] password simple localpass
# Authorize the user to use LAN access services.
[Device-luser-network-localuser] service-type lan-access
# Specify the user role for the user as network-admin.
[Device-luser-network-localuser] authorization-attribute user-role network-admin
[Device-luser-network-localuser] quit
Configure an ISP domain:
# Create an ISP domain named local.
[Device] domain local
# Configure the ISP domain to perform local authentication, authorization, and accounting for LAN-access users.
[Device-isp-local] authentication lan-access local
[Device-isp-local] authorization lan-access local
[Device-isp-local] accounting lan-access local
[Device-isp-local] quit
Configure a local portal Web server:
# Create a local portal Web server, and configure the server to use HTTP to exchange authentication information with clients.
[Device] portal local-web-server http
# Specify file abc.zip as the default authentication page file for the local portal Web server. (This file must exist in the root directory of the device.)
[Device-portal-local-websvr-http] default-logon-page abc.zip
# Specify the HTTP listening port number as 80 for the portal Web server.
[Device-portal-local-websvr-http] tcp-port 80
[Device-portal-local-websvr-http] quit
Configure Web authentication:
# Create a Web authentication server named user.
[Device] web-auth server user
# Configure the redirection URL for the Web authentication server as http://20.20.0.1/portal/.
[Device-web-auth-server-user] url http://20.20.0.1/portal/
# Specify 20.20.0.1 as the IP address and 80 as the port number for the Web authentication server.
[Device-web-auth-server-user] ip 20.20.0.1 port 80
[Device-web-auth-server-user] quit
# Specify ISP domain local as the Web authentication domain.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] web-auth domain local
# Enable Web authentication by using Web authentication server user.
[Device-GigabitEthernet1/0/1] web-auth enable apply server user
[Device-GigabitEthernet1/0/1] quit
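The procedure above transfers credentials over HTTP, enters the password in plaintext form, and assigns localuser the network-admin role, so these are the lines a reviewer would check before reusing the configuration. The following Python script is an added example, not part of the original guide or of any vendor tooling; the rule names and the choice of which commands to flag are assumptions of this example, and the sample configuration is constructed from the commands shown above.

```python
import re

# Constructed sample: commands taken from the procedure above, one per line.
SAMPLE_CONFIG = """\
local-user localuser class network
 password simple localpass
 service-type lan-access
 authorization-attribute user-role network-admin
portal local-web-server http
 default-logon-page abc.zip
 tcp-port 80
web-auth server user
 url http://20.20.0.1/portal/
 ip 20.20.0.1 port 80
interface gigabitethernet 1/0/1
 web-auth enable apply server user
"""

# Commands that enter a new view; used to track where a sub-command applies.
OPENERS = ("local-user ", "domain ", "portal local-web-server ", "web-auth server ", "interface ")

# (hypothetical rule id, pattern, view the command must be in, or None for any view)
RULES = [
    ("cleartext-portal", re.compile(r"^portal local-web-server http$"), None),
    ("cleartext-redirect", re.compile(r"^url http://"), "web-auth server"),
    ("admin-role-on-access-user", re.compile(r"^authorization-attribute user-role network-admin$"), "local-user"),
    ("plaintext-password-entry", re.compile(r"^password simple "), "local-user"),
]
# Strips a pasted CLI prompt such as "[Device-isp-local] " or "<Device> ".
PROMPT = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")

def audit(config_text):
    """Return (line_number, rule_id, command) for every flagged command."""
    findings, view = [], ""
    for number, raw in enumerate(config_text.splitlines(), start=1):
        command = PROMPT.sub("", raw).strip()
        if command == "quit":
            view = ""
        # Switch view when the command opens one; otherwise keep the current view.
        view = next((o.strip() for o in OPENERS if command.startswith(o)), view)
        for rule_id, pattern, required_view in RULES:
            if pattern.search(command) and required_view in (None, view):
                findings.append((number, rule_id, command))
    return findings

if __name__ == "__main__":
    for number, rule_id, command in audit(SAMPLE_CONFIG):
        print(f"line {number}: {rule_id}: {command}")
```

The script accepts either bare commands or lines pasted with their CLI prompts, so a saved terminal transcript of the procedure can be checked directly.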
Verifying the configuration
# Display online Web authentication user information after user localuser passes Web authentication.
<Device> display web-auth user
Online web-auth users: 1
User Name: localuser
MAC address: acf1-df6c-f9ad
Access interface: GigabitEthernet1/0/1
Initial VLAN: 1
Authorization VLAN: N/A
Authorization ACL ID: N/A
Authorization user profile: N/A