Authentication Process
When you enable web-based authentication, these events occur:
•
The user initiates an HTTP session.
•
The HTTP traffic is intercepted, and authorization is initiated. The switch sends the login page to the
user. The user enters a username and password, and the switch sends the entries to the authentication
server.
• If the authentication succeeds, the switch downloads and activates the user’s access policy from the
authentication server. The login success page is sent to the user.
•
If the authentication fails, the switch sends the login fail page. The user retries the login. If the maximum
number of attempts fails, the switch sends the login expired page, and the host is placed in a watch list.
After the watch list times out, the user can retry the authentication process.
•
If the authentication server does not respond to the switch, and if an AAA fail policy is configured, the
switch applies the failure access policy to the host. The login success page is sent to the user.
•
The switch reauthenticates a client when the host does not respond to an ARP probe on a Layer 2 interface,
or when the host does not send any traffic within the idle timeout on a Layer 3 interface.
•
The feature applies the downloaded timeout or the locally configured session timeout.
Beginning with Cisco IOS XE Denali 16.1.1 and later, the default session timeout value
for web-based authentication on WLC is 1800 seconds. The default session timeout
value was infinite seconds, prior to Cisco IOS XE Denali 16.1.1.
Note
•
If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server.
The terminate action is included in the response from the server.
•
If the terminate action is default, the session is dismantled, and the applied policy is removed.
Local Web Authentication Banner
With Web Authentication, you can create a default and customized web-browser banners that appears when
you log in to a switch.
The banner appears on both the login page and the authentication-result pop-up pages. The default banner
messages are as follows:
•
Authentication Successful
•
Authentication Failed
•
Authentication Expired
The Local Web Authentication Banner can be configured in legacy and new-style (Session-aware) CLIs as
follows:
• Legacy mode—Use the ip admission auth-proxy-banner http global configuration command.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
362 OL-29048-01
Configuring Web-Based Authentication
Authentication Process
To Next Page
Loading...
Need help?
General
Weight and Dimensions
