Web authentication configuration considerations

Web Authentication is modeled after other RADIUS-based authentication methods currently available on RUCKUS edge switches. However, Web Authentication requires a Layer 3 protocol (TCP/IP) between the host and the authenticator. Therefore, to implement Web Authentication, you must consider the following configuration and topology configuration requirements:

  • Web authentication works only when both the HTTP and HTTPS servers are enabled on the device.
  • Web Authentication works only on the default HTTP or HTTPS port.
  • The host must have an IP address prior to Web Authentication. This IP address can be configured statically on the host; however, DHCP addressing is also supported.
  • If you are using DHCP addressing, a DHCP server must be in the same broadcast domain as the host. This DHCP server does not have to be physically connected to the switch. Also, DHCP assist from a router may be used.
  • Web Authentication is not supported on a reserved VLAN.

The following applies to Web Authentication in the Layer 2 switch image:

  • If the management VLAN and Web Authentication VLAN are in different IP networks, make sure there is at least one routing element in the network topology that can route between these IP networks.

The following are required for Web Authentication in the base Layer 3 and full Layer 3 images:

  • Each Web Authentication VLAN must have a virtual interface (VE).
  • The VE must have at least one assigned IPv4 address.

Web Authentication is enabled on a VLAN. That VLAN becomes a Web Authentication VLAN that does the following:

  • Forwards traffic from authenticated hosts, just like a regular VLAN.
  • Blocks traffic from unauthenticated hosts except from ARP, DHCP, DNS, HTTP, and HTTPs that are required to perform Web Authentication.

The Basic topology for web authentication figure shows the basic components of a network topology where Web Authentication is used. You will need:

  • A RUCKUS FastIron switch running a software release that supports Web Authentication
  • DHCP server, if dynamic IP addressing is to be used
  • Computer/host with a web browser

Your configuration may also require a RADIUS server with some Trusted Source such as LDAP or Active Directory.

Note: The Web server, RADIUS server, and DHCP server can all be the same server.
Figure 1. Basic topology for web authentication