Session Creation - Cisco Catalyst 4500 Series Software Configuration Manual
Cisco ios xe release 3.9.xe and cisco ios release 15.2(5)ex
Hide thumbs
Also See for Catalyst 4500 Series:
- Administration manual (1814 pages) ,
- Configuration manual (1610 pages) ,
- Command reference manual (1230 pages)
Table of Contents
Advertisement
Chapter 52
Configuring Web-Based Authentication
•
Session Creation
When web-based authentication detects a new host, it creates a session as follows:
•
•
Authentication Process
When you enable web-based authentication, the following events occur:
•
•
•
•
•
•
•
•
•
•
DHCP snooping—Web-based authentication is notified when the switch creates a DHCP binding
entry for the host.
Checks for Auth bypass
If the host IP is not on the exception list, web-based authentication sends a nonresponsive host
(NRH) request to the server.
If the server response is Access Accepted, authorization is bypassed for this host. The session is
established.
Sets up the HTTP Intercept ACL
If the server response to the NRH request is Access Rejected, the HTTP intercept ACL is activated
and the session waits for HTTP traffic from the host.
The user initiates an HTTP session.
The HTTP traffic is intercepted, and authorization is initiated. The switch sends the login page to
the user. The user enters a username and password on the login page, and the switch sends the entries
to the authentication server.
If the client identity is valid and the authentication succeeds, the switch downloads and activates the
user's access policy from the authentication server. The login success page is sent to the user.
If the authentication fails, the switch sends the login fail page. The user retries the login. If the
maximum number of attempts fails, the switch sends the login expired page and the host is placed
in a watch list, using the following commands:
ip admission watch-list enable
ip admission watch-list expiry-time <milliseconds>
After the watch list times out, the user can retry the authentication process.
If the authentication server does not respond to the switch, and if an AAA fail policy is configured,
the switch applies the failure access policy to the host. The login success page is sent to the user.
See the
"Customization of the Authentication Proxy Web Pages" section on page
The switch reauthenticates a client when the host does not respond to an ARP probe on a Layer 2
interface, or the host does not send any traffic within the idle timeout on a Layer 3 interface.
The feature applies the downloaded timeout or the locally configured session timeout.
If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the
server. The terminate action is included in the response from the server.
If the terminate action is default, the session is dismantled and the applied policy is removed.
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
About Web-Based Authentication
52-4.
52-3
Advertisement
Chapters
Table of Contents
Troubleshooting
