Authentication is handled as a web-based process, MAC-based process, or as described in the IEEE 802.1X specification.
Note: When both HTTP and HTTPS are enabled on the switch and the Netlogin client sends HTTP requests, HTTPS takes preference and the switch responds with an HTTPS response.

MAC-based authentication is used for supplicants that do not support a network login mode, or supplicants that are not aware of the existence of such security measures, for example an IP phone.
If a MAC address is detected on a MAC-based enabled network login port, an authentication request is sent once to the AAA application. AAA tries to authenticate the MAC address against the configured RADIUS (Remote Authentication Dial In User Service) server and its configured parameters (timeout, retries, and so on) or against the configured local database.
The credentials used for this are the supplicant's MAC address in ASCII representation and a locally configured password on the switch. If no password is configured, the MAC address is also used as the password. You can also group MAC addresses together using a mask (configure netlogin add mac-list [mac {mask} | default] {encrypted {encrypted_password | password} {ports port_list}).
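The following is an added example, not ExtremeXOS code, that models the credential derivation just described: the supplicant's MAC address becomes the user name, the password is the one configured for the matching mac-list entry or, when none is configured, the MAC address itself, and mac-list entries with masks group addresses together. It also shows how the resulting password is hidden in a RADIUS Access-Request (RFC 2865 User-Password), which is what a RADIUS administrator sees when checking why MAC-based logins fail. Assumptions not stated on the page: the MAC is sent in lower-case colon-separated ASCII, the mask is a 48-bit bit mask written in MAC notation, the default entry is modelled as an all-zero mask, and the most specific matching mask wins; the mac-list contents, shared secret and authenticator are constructed sample values.

```python
"""Added example: how MAC-based network login derives the credentials it sends to AAA.

This is illustrative code written for this page, not ExtremeXOS code. Assumptions
(not stated on the page): MAC addresses are sent in lower-case colon-separated ASCII,
a mac-list mask is a 48-bit bit mask in MAC notation, the 'default' entry is modelled
as a mask of all zeros, and the most specific (longest) matching mask wins.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


def parse_mac(text: str) -> int:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455; return a 48-bit int."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def mac_to_ascii(mac: int) -> str:
    """Canonical ASCII form used as the RADIUS User-Name (assumed format, see module docstring)."""
    return ":".join(f"{(mac >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


@dataclass(frozen=True)
class MacListEntry:
    """One 'configure netlogin add mac-list' entry: address, mask and optional password."""
    mac: int
    mask: int                # 0 models the 'default' entry, which matches every supplicant
    password: Optional[str]  # None: the MAC address itself is used as the password

    def matches(self, supplicant: int) -> bool:
        return (supplicant & self.mask) == (self.mac & self.mask)


def lookup(mac_list: Iterable[MacListEntry], supplicant: int) -> Optional[MacListEntry]:
    """Return the matching entry with the most specific mask, or None if nothing matches."""
    hits = [e for e in mac_list if e.matches(supplicant)]
    if not hits:
        return None
    return max(hits, key=lambda e: bin(e.mask).count("1"))


def credentials(mac_list: Iterable[MacListEntry], supplicant_text: str) -> Optional[Tuple[str, str]]:
    """(User-Name, password) the switch would present to RADIUS or the local database."""
    supplicant = parse_mac(supplicant_text)
    entry = lookup(mac_list, supplicant)
    if entry is None:
        return None
    user = mac_to_ascii(supplicant)
    # With no configured password the MAC address doubles as the password, so the
    # credential is fully predictable from the frame header: configure a password.
    return user, (entry.password if entry.password is not None else user)


def radius_pap_password(password: str, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as carried in an Access-Request."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16 if plain else 16)  # pad to a 16-byte multiple
    hidden, prev = b"", request_authenticator
    for i in range(0, len(plain), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ c for p, c in zip(plain[i:i + 16], stream))
        hidden, prev = hidden + block, block
    return hidden


# Constructed mac-list: a group with its own password, a narrower group that relies on
# the MAC-as-password default, and a catch-all 'default' entry.
EXAMPLE_MAC_LIST = (
    MacListEntry(parse_mac("00:11:22:00:00:00"), parse_mac("ff:ff:ff:00:00:00"), "phones-pw"),
    MacListEntry(parse_mac("00:11:22:33:00:00"), parse_mac("ff:ff:ff:ff:00:00"), None),
    MacListEntry(0, 0, "default-pw"),
)

if __name__ == "__main__":
    for supplicant in ("00:11:22:33:44:55", "00-11-22-99-88-77", "AABBCCDDEEFF"):
        print(supplicant, "->", credentials(EXAMPLE_MAC_LIST, supplicant))
```

Running the block prints one line per constructed supplicant showing which entry it fell into. The practical check for an operator is the second entry: a supplicant in that group is authenticated with a password equal to its own MAC address, so the local database or RADIUS user entry must contain exactly that string, and the group is only as hard to impersonate as the MAC address itself.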
DHCP (Dynamic Host Configuration Protocol) is required for web-based network login because the underlying protocol used to carry authentication request-response is HTTP. The client requires an IP address to send and receive HTTP packets before the client is authenticated; however, the only connection that exists is to the authenticator. As a result, the authenticator must be furnished with a temporary DHCP server to distribute the IP address.
The switch responds to DHCP requests for unauthenticated clients when DHCP parameters such as dhcp-address-range and dhcp-options are configured on the network login VLAN (Virtual LAN). The switch can also answer DHCP requests following authentication if DHCP is enabled on the specified VLAN. If network login clients are required to obtain DHCP leases from an external DHCP server elsewhere on the network, DHCP should not be enabled on the VLAN.
Warning: The DHCP server configuration is not saved for netlogin-enabled ports. After a reboot or port removal, the DHCP configuration must be reconfigured.
The DHCP allocation for network login has a short lease duration of 10 seconds and is intended to perform web-based network login only. The Netlogin lease timer can be extended using the command: configure vlan vlan_name netlogin-lease-timer seconds. As soon as the client is authenticated, it is deprived of this address. The client must obtain an operational address from another DHCP server in the network. DHCP is not required for 802.1X network login, which uses only Layer 2 frames (EAPOL), or for MAC-based network login.
URL redirection (applicable to web-based mode only) is a mechanism to redirect any HTTP request to the base URL of the authenticator when the port is in unauthenticated mode. In other words, when the user tries to log in to the network using the browser, the user is first redirected to the network login page. Only after a successful login is the user connected to the network. URL redirection requires that the switch is configured with a DNS client.
Web-based, MAC-based, and 802.1X authentication each have advantages and disadvantages, as summarized in Advantages of Web-Based Authentication.
Advantages of Web-Based Authentication
- Works with any operating system that is capable of obtaining an IP address using DHCP. There is no need for special client-side software; only a web browser is needed.
- 802.1X native support is available only on newer operating systems, such as Windows 7 or Windows 8.