Web-Based Access Control - D-Link DXS-3600 Series Reference Manual

DXS-3600 Series Layer 3 Managed 10Gigabit Ethernet Switch Web UI Reference Guide
The fields that can be configured in MAC Authentication Port Settings are described below:
Parameter
Unit
From Port ~ To Port
State
Click the Apply button to accept the changes made.

Web-based Access Control

Web-based Access Control (WAC) is a feature designed to authenticate a user when the user is trying to
access the Internet via the Switch. The authentication process uses the HTTP or HTTPS protocol. The
Switch enters the authenticating stage when users attempt to browse Web pages (e.g.,
http://www.dlink.com) through a Web browser. When the Switch detects HTTP or HTTPS packets and
this port is unauthenticated, the Switch will launch a pop-up user name and password window to query
users. Users are not able to access the Internet until the authentication process is passed.
The Switch can be the authentication server itself and do the authentication based on a local database, or
be a RADIUS client and perform the authentication process via the RADIUS protocol with a remote
RADIUS server. The client user initiates the authentication process of WAC by attempting to gain Web
access.
D-Link's implementation of WAC uses a virtual IP that is exclusively used by the WAC function and is not
known by any other modules of the Switch. In fact, to avoid affecting a Switch's other features, WAC will
only use a virtual IP address to communicate with hosts. Thus, all authentication requests must be sent to
a virtual IP address but not to the IP address of the Switch's physical interface.
Virtual IP works like this, when a host PC communicates with the WAC Switch through a virtual IP, the
virtual IP is transformed into the physical IPIF (IP interface) address of the Switch to make the
communication possible. The host PC and other servers' IP configurations do not depend on the virtual IP
of WAC. The virtual IP does not respond to any ICMP packets or ARP requests, which means it is not
allowed to configure a virtual IP on the same subnet as the Switch's IPIF (IP interface) or the same
subnet as the host PCs' subnet.
As all packets to a virtual IP from authenticated and authenticating hosts will be trapped to the Switch's
CPU, if the virtual IP is the same as other servers or PCs, the hosts on the WAC-enabled ports cannot
communicate with the server or PC which really own the IP address. If the hosts need to access the
server or PC, the virtual IP cannot be the same as the one of the server or PC. If a host PC uses a proxy
to access the Web, to make the authentication work properly the user of the PC should add the virtual IP
to the exception of the proxy configuration. Whether or not a virtual IP is specified, users can access the
WAC pages through the Switch's system IP. When a virtual IP is not specified, the authenticating Web
request will be redirected to the Switch's system IP.
The Switch's implementation of WAC features a user-defined port number that allows the configuration of
the TCP port for either the HTTP or HTTPS protocols. This TCP port for HTTP or HTTPs is used to
identify the HTTP or HTTPs packets that will be trapped to the CPU for authentication processing, or to
access the login page. If not specified, the default port number for HTTP is 80 and the default port
number for HTTPS is 443. If no protocol is specified, the default protocol is HTTP.
The following diagram illustrates the basic six steps all parties go through in a successful Web
Authentication process:
Description
Select the switch unit that will be used for this configuration here.
Select the appropriate port range used for the configuration here.
Select to enable or disable MAC authentication for the port(s) specified
here.
512