Customizing web-authentication HTML files (optional)

The web-based authentication process displays a series of web pages and status messages to the user during login. The web pages that are displayed can be:

  • Generic — default pages generated directly by the switch software.

  • Customized — pages hosted on a local web server.

By creating customized login web pages, you can improve the "look and feel" of the web authentication process to correspond more closely with your network and business needs. For example, you can:

  • Identify the network that a client is trying to log into.

  • Provide contact information if a client has difficulty connecting to the network.

  • Incorporate CSS styles consistent with the appearance of your network.

Implementing customized web-based authentication pages

To implement enhanced web-based authentication pages, you need to:

  • Configure and start a web server on your local network.

  • Customize the HTML template files and make them accessible to the web server.

  • Configure the switch to display the customized files by using the aaa port-access web-based ewa-server command to specify the server's IP address or host name and the path to the customized HTML files on the server.

Operating notes and guidelines

  • Customized web authentication pages are configured per switch, so that each web-auth enabled port displays the same customized pages at client login.

  • The customized web pages you create can be hosted on up to three web servers in your network. Implementing multiple web servers provides redundancy in case access to any of the other servers fails.

  • To configure a web server on your network, follow the instructions in the documentation provided with the server.

  • Before you enable custom web authentication pages, you should:

    • Determine the IP address or host name of the web server(s) that will host your custom pages.

    • Determine the path on the server(s) where the HTML files (including all graphics) used for the login pages are stored.

    • Configure and start the web server(s).

    • Create the customized web pages as described in Customizing HTML templates, and store them in the document path on the designated servers.

    • Test that they are accessible at the designated URL(s).

Customizing HTML templates

Follow these guidelines when you are customizing an HTML template:

  • Do not change the name of any of the HTML files (index.html, accept.html, and so on).

  • Some template pages use Embedded Switch Includes (ESIs) or Active Server Pages. These should not be modified when customizing HTML files. ESIs behave as follows:

    1. A client's web browser sends a request for an HTML file. The switch passes the request to a configured web server.

    2. The web server responds by sending a customized HTML page to the switch. Each ESI call in the HTML page is replaced with the value (in plain text) retrieved by the call.

    3. The switch sends the final version of the HTML page to the client's web browser.

  • Store all customized login web pages (including any graphics) that you create for client login on each web server at the path you will configure with the aaa port-access web-based ewa-server command.

See Customizable HTML templates for details on page templates available.

Customizable HTML templates

To help you create your own set of HTML files, use the templates found on the download page for 'RA' software.

User Login page (index.html)

User Login page

The index.html file is the first login page displayed, in which a client requesting access to the network enters a username and password. In the index.html template file, you can customize any part of the source code except for the form that processes the username and password entered by a client.

HTML code for User Login page template

Access Granted page (accept.html)

Access Granted page

The accept.html file is the web page used to confirm a valid client login. This web page is displayed after a valid username and password are entered and accepted.

The client device is then granted access to the network. To configure the VLAN used by authorized clients, specify a VLAN ID with the aaa port-access web-based auth-vid command parameter when you enable web authentication.

The accept.html file contains the following ESIs, which should not be modified:

  • The GETWAUTHREDIRECTTIME ESI inserts the value for the waiting time used by the switch to redirect an authenticated client while the client renews its IP address and gains access to the network.

  • The GETWAUTHREDIRECTURL ESI inserts the URL configured with the redirect-url parameter to redirect a client login or the first web page requested by the client.

HTML code for Access Granted page template

Authenticating page (authen.html)

Authenticating page

The authen.html file is the web page used to process a client login and is refreshed while user credentials are checked and verified.

HTML code for Authenticating page template

Invalid Credentials page (reject_unauthvlan.html)

Invalid Credentials page

The reject_unauthvlan.html file is the web page used to display login failures in which an unauthenticated client is assigned to the VLAN configured for unauthorized client sessions. You can configure the VLAN used by unauthorized clients with the aaa port-access web-based unauth-vid command when you enable web authentication.

The GETWAUTHREDIRECTTIME ESI inserts the value for the waiting time used by the switch to redirect an unauthenticated client while the client renews its IP address and gains access to the VLAN for unauthorized clients. This ESI should not be modified.

HTML code for Invalid Credentials page template

Timeout page (timeout.html)

Timeout page

The timeout.html file is the web page used to return an error message if the RADIUS server is not reachable. You can configure the time period (in seconds) that the switch waits for a response from the RADIUS server used to verify client credentials with the aaa port-access web-based server-timeout command when you enable web authentication.

HTML code for Timeout page template

Retry Login page (retry_login.html)

Retry Login page

The retry_login.html file is the web page displayed to a client that has entered an invalid username and/or password, and is given another opportunity to log in.

The GETWAUTHRETRIESLEFT ESI displays the number of login retries that remain for a client that entered invalid login credentials. You can configure the number of times that a client can enter their user name and password before authentication fails with the aaa port-access web-based max-retries command when you enable web authentication. This ESI should not be modified.

HTML code for Retry Login page template

SSL Redirect page (sslredirect.html)

SSL Redirect page

The sslredirect.html file is the web page displayed when a client is redirected to an SSL server to enter credentials for web authentication. If you have enabled SSL on the switch, you can enable secure SSL-based web authentication by entering the aaa port-access web-based ssl-login command when you enable web authentication.

The GETWAUTHSSLSRV ESI inserts the URL that redirects a client to an SSL-enabled port on a server to verify the client's username and password. This ESI should not be modified.

HTML code for SSL redirect page template

Access Denied page (reject_novlan.html)

Access Denied page

The reject_novlan.html file is the web page displayed after a client login fails and no VLAN is configured for unauthorized clients.

The GETWAUTHQUIETTIME ESI inserts the time period used to block an unauthorized client from attempting another login. To specify the time period before a new authentication request can be received by the switch, configure a value for the aaa port-access web-based quiet-period command when you enable web authentication. This ESI should not be modified.

HTML code for Access Denied page template
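
Before pointing the switch at a web server, the customized files can be checked against the guidelines above: every template keeps its original file name, and each page still contains the ESIs listed for it. The following pre-deployment check is an added example, not part of the vendor templates or switch software. The exact ESI call syntax is not reproduced on this page, so the check only looks for each ESI name as a substring, and the bracketed markers in the constructed sample are placeholders, not real ESI syntax.

```python
import tempfile
from pathlib import Path

# Template file names and the ESIs each must retain, as listed on this page.
# Assumption: an intact ESI call contains its name verbatim somewhere in the file.
REQUIRED = {
    "index.html": [],
    "accept.html": ["GETWAUTHREDIRECTTIME", "GETWAUTHREDIRECTURL"],
    "authen.html": [],
    "reject_unauthvlan.html": ["GETWAUTHREDIRECTTIME"],
    "timeout.html": [],
    "retry_login.html": ["GETWAUTHRETRIESLEFT"],
    "sslredirect.html": ["GETWAUTHSSLSRV"],
    "reject_novlan.html": ["GETWAUTHQUIETTIME"],
}

def check_templates(doc_root):
    """Return a sorted list of problems found in the customized page directory."""
    root = Path(doc_root)
    present = {p.name for p in root.iterdir() if p.is_file()}
    by_lower = {name.lower(): name for name in present}
    problems = []
    for fname, esis in REQUIRED.items():
        if fname not in present:
            # A case-changed copy means the file was renamed during editing.
            other = by_lower.get(fname)
            hint = f" (found '{other}': file was renamed)" if other else ""
            problems.append(f"{fname}: missing{hint}")
            continue
        text = (root / fname).read_text(encoding="utf-8", errors="replace")
        for esi in esis:
            if esi not in text:
                problems.append(f"{fname}: ESI {esi} not found")
    return sorted(problems)

def build_sample(root):
    """Constructed sample: a full template set with one renamed file and one stripped ESI."""
    for fname, esis in REQUIRED.items():
        # "[NAME]" is a placeholder marker, not the real ESI call syntax.
        body = "<html><body>" + " ".join(f"[{e}]" for e in esis) + "</body></html>"
        (Path(root) / fname).write_text(body, encoding="utf-8")
    (Path(root) / "timeout.html").rename(Path(root) / "Timeout.html")
    (Path(root) / "retry_login.html").write_text("<html>Try again</html>", encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for line in check_templates(d):
            print(line)
```

Run it against the document path on each of the web servers that host the pages, since the switch may fetch from any of them.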