Typically, users submit credentials for authentication into an ECP. The credentials are submitted in an HTTP “post”. The post invokes a script on the ECP web server passing the user‘s credentials to the script as arguments. Write the script that is adapted to your specific requirements.
The script file can have any name. For this example, the script is named “login.php”. The script can be written in any programming language that supports web development. For this example, the script is written in PHP.
The main job of the “login.php” script is to co-ordinate the client‘s browser, the back-end authentication server, and the appliance. The “login.php” script takes the submitted credentials, sends them to an authentication server, and waits for the server‘s reply. The exact steps taken here depend on the selected programming language, operating system, and the type of authentication server selected.
After the authentication server has verified the user and potentially returned an access control role to assign to the user, the script needs to tell the appliance that the user is authenticated and indicate the role to assign to the user. The ECP informs the appliance by putting the information in the query string of a redirection response. The redirection response sends the client‘s browser to a web server running on a specific interface and port of the appliance that hosts the client‘s session. The client‘s browser normally sends a redirected request immediately and automatically.
The redirection response does not need to be signed. If it is not signed, the appliance does not use the session attributes that are included in the redirected request. Instead, the appliance expects the redirected request to include a user ID and password. These credentials are sent to a RADIUS server in a standard RADIUS Access-Request. The redirected request is considered invalid if:
An invalid redirected request is sent to a standard error page. The error page cannot be configured at this time.