Web-Based Access Control; Conditions And Limitations - D-Link xStack DES-3800 Series User Manual

Web-based Access Control

Web-based Access Control is another port based
access control method implemented similarily to
the 802.1x port based access control method
previously stated. This function will allow user
authentication through a RADIUS server or
through the local authentication set on the Switch
when a user is trying to access the network via the
switch, if the port connected to the user is enabled
for this feature.
The user attempting to gain web access will be
prompted for a username and password before
being allowed to accept HTTP packets from the
Switch. When a client attempts to access a
website, that port is placed in the authentication
VLAN set by the user. All clients in this
authentication VLAN will be queried for
authentication by the local method or through a
RADIUS server. Once accepted, the user will be
placed in a target VLAN on the Switch where it
will have rights and privileges to openly access
the Internet. If denied access, no packets will pass
through to the user and thus, that user will be
returned to the authentication VLAN from where
it came and the authentication procedure will
have to be reattempted by the user.
Once a client has been authenticated on a
particular port, that port will be placed in the pre-
configured VLAN and any other clients on that
port will be automatically authenticated to access
the specified Redirection Path URL, as well as the
authenticated client.
To the right there is an example of the basic six
step process all parties of the authentication go
through for a successful Web-based Access
Control process.

Conditions and Limitations

1. The subnet of the authentication VLAN's IP interface must be the same as that of the client. If not configured properly,
the authentication will be permanently denied by the authenticator.
2. If the client is utilizing DHCP to attain an IP address, the authentication VLAN must provide a DHCP server or a DHCP
relay function so that client may obtain an IP address.
3. The authentication VLAN of this function must be configured to access a DNS server to improve CPU performance, and
allow the processing of DNS, UDP and HTTP packets.
4. Certain functions exist on the Switch that will filter HTTP packets, such as the Access Profile function. The user needs to
be very careful when setting filter functions for the target VLAN, so that these HTTP packets are not denied by the
Switch.
5. The Redirection Path must be set before the Web-based Access Control can be enabled. If not, the user will be prompted
with an error message and the Web-based Access Control will not be enabled.
6. If a RADIUS server is to be used for authentication, the user must first establish a RADIUS Server with the appropriate
parameters, including the target VLAN, before enabling the Web-based Access Control on the Switch.
xStack DES-3800 Series Layer 3 Stackable Fast Ethernet Managed Switch
242