Web Authentication configuration tasks

Complete the following steps to configure Web Authentication on a device.

  1. Set up any global configuration required for the FastIron switch, RADIUS server, Web server and other servers.
    • On a Layer 2 FastIron switch, make sure the FastIron switch has an IP address.
    
    device# configure terminal
    device(config)# ip address 10.1.1.101/24
    
    • On a Layer 3 FastIron switch, assign an IP address to a virtual interface (VE) for each VLAN on which Web Authentication will be enabled.
    
    device#configure terminal
    device(config)# vlan 10
    device(config-vlan-10)# router-interface ve1
    device(config-vlan-10)# untagged e 1/1/1 to 1/1/10
    device(config-vlan-10)# interface ve1
    device(config-vif-1)# ip address 10.1.1.101/24
  2. Configure the RADIUS server and other servers if Web Authentication will use a RADIUS server. By default, Web Authentication uses a RADIUS server to authenticate host usernames and passwords, unless it is configured to use a local user database.
    
    device(config)# radius-server host 10.1.1.8 auth-port 1812 acct-port 1813 default key 2 $d3NpZ0BVXFpJ web-auth 
    
    
    Note: Remember the RADIUS key you entered. You will need this key when you configure your RADIUS server.
  3. Configure Web Authentication to use secure (HTTPS) or non-secure (HTTP) login and logout pages. By default, HTTPS is used.

    To enable the non-secure web server on the FastIron switch, enter the following commands.

    device(config)# web-management HTTP
    device(config# vlan 10
    device(config-vlan-10# webauth
    device(config-vlan-10-webauth# no secure-login
    

    To enable the secure web server on the FastIron switch, enter the following commands.

    device(config)# web-management HTTPS
    device(config# vlan 10
    device(config-vlan-10# webauth
    device(config-vlan-10-webauth)# secure-login
  4. Provide the switch with a certificate to enable Web Authentication using one of the following methods:
    If the secure Web server is used, in order to access a secure Web page, the Web server needs to provide a key. This key is exchanged using a certificate. A certificate is a digital document that is issued by a trusted source that can validate the authenticity of the certificate and the Web server that is presenting it. Therefore the switch must have a certificate for web authentication to work.
    • Upload a certificate using the following global configuration command.
      
      device(config)# ip ssl private-key-file tftp ip-addr key-filename
      
    • Generate a certificate using the following global configuration command.
      
      device(config)# crypto-ssl certificate generate
  5. Create a Web Authentication VLAN and enable Web Authentication on that VLAN.
    
    device(config)# vlan 10
    device(config-vlan-10)# webauth
    device(config-vlan-10-webauth)# enable
    

    When the Web Authentication is enabled, the CLI changes to the Web Authentication configuration mode. In the example, VLAN 10 requires hosts to be authenticated using Web Authentication before they can forward traffic.

  6. Configure the Web Authentication mode:
    • Username and password: Blocks users from accessing the switch until they enter a valid username and password on a web login page.
    • Passcode: Blocks users from accessing the switch until they enter a valid passcode on a web login page.
    • captive-portal: Authenticates the users in a VLAN through external Web Authentication (Captive Portal user authentication) mode.
    • None: Blocks users from accessing the switch until they press the Login button. A username and password or passcode is not required.

    Refer to Web Authentication mode configuration.

  7. Configure other Web Authentication options (refer to Web Authentication options configuration).