Cisco 300 Series Administration Manual page 425

Managed switch

19
Security: 802.1X Authentication
Authenticator Overview
WEB-Based Authentication
Web-based authentication is used to authenticate end users who request access
to a network through a switch. It enables clients directly connected to the switch to
be authenticated using a captive-portal mechanism before the client is given
access to the network. Web-based authentication is client-based authentication
and is supported in the multi-sessions mode in both Layer 2 and Layer 3.
This method of authentication is enabled per port. When a port is enabled,
each host must authenticate itself in order to access the network, so an
enabled port can have both authenticated and unauthenticated hosts.
When web-based authentication is enabled on a port, the switch drops all traffic
coming onto the port from unauthorized clients, except for ARP, DHCP, DNS and
NETBIOS packets. The switch forwards these packets so that even unauthorized
clients can get an IP address and resolve host or domain names.
All HTTP/HTTPS over IPv4 packets from unauthorized clients are trapped to the
CPU on the switch. When an end user requests access to the network and
Web-based authentication is enabled on the port, a login page is displayed before
the requested page. The user must enter a username and password, which
are authenticated by a RADIUS server using the EAP protocol. If authentication is
successful, the user is informed.
The user now has an authenticated session. The session remains open while it is
being used. If it is not used for a specific time interval, the session is closed. This
time interval is configured by the system administrator and is called Quiet Time.
When the session times out, the username/password is discarded, and the
guest must re-enter them to open a new session.
See Table 1 Port Modes and Authentication Methods.
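The forwarding decision and idle-session expiry described above, modelled as an added Python example (not taken from the Cisco guide or the switch firmware). The port numbers are the standard well-known ones and all class and function names are hypothetical; the switch's actual matching rules are not given on this page.

```python
# Simplified model of a port with web-based authentication enabled.
# Assumptions: standard well-known port numbers; hosts are keyed by source MAC.
from dataclasses import dataclass, field

ETH_ARP, ETH_IPV4, ETH_IPV6 = 0x0806, 0x0800, 0x86DD
PREAUTH = {("udp", 67),                                 # DHCP, client to server
           ("udp", 53), ("tcp", 53),                    # DNS
           ("udp", 137), ("udp", 138), ("tcp", 139)}    # NetBIOS
WEB = {("tcp", 80), ("tcp", 443)}                       # HTTP / HTTPS

@dataclass
class Packet:
    src_mac: str
    ethertype: int
    proto: str = ""      # "tcp" or "udp" for IP packets
    dport: int = 0

@dataclass
class WebAuthPort:
    idle_timeout: float                            # administrator-set interval, seconds
    sessions: dict = field(default_factory=dict)   # src_mac -> time of last activity

    def login_ok(self, mac, now):
        """Open a session once the RADIUS server has accepted the credentials."""
        self.sessions[mac] = now

    def handle(self, pkt, now):
        """Return 'forward', 'trap_to_cpu' (login page is served) or 'drop'."""
        last = self.sessions.get(pkt.src_mac)
        if last is not None and now - last > self.idle_timeout:
            del self.sessions[pkt.src_mac]     # idle session closed, host unauthorized again
            last = None
        if last is not None:
            self.sessions[pkt.src_mac] = now   # use keeps the session open
            return "forward"
        if pkt.ethertype == ETH_ARP:
            return "forward"
        if pkt.ethertype == ETH_IPV4:
            if (pkt.proto, pkt.dport) in PREAUTH:
                return "forward"
            if (pkt.proto, pkt.dport) in WEB:
                return "trap_to_cpu"
        return "drop"                          # everything else, including HTTP over IPv6
```

Because only ARP, DHCP, DNS and NetBIOS pass before login, those are the protocols worth monitoring on the upstream side for traffic from hosts that never authenticate.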
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
