Session Creation - Cisco IE-4000 Software Configuration Manual

Configuring Web-Based Authentication
Information About Configuring Web-Based Authentication
For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms:

ARP-based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a
dynamic IP address.

Dynamic ARP inspection

DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry for the host.

Session Creation

When web-based authentication detects a new host, it creates a session as follows:

Reviews the exception list.
If the host IP is included in the exception list, the policy from the exception list entry is applied, and the session is
established.

Reviews for authorization bypass.
If the host IP is not on the exception list, web-based authentication sends a nonresponsive-host (NRH) request to
the server.
If the server response is access accepted, authorization is bypassed for this host. The session is established.

Sets up the HTTP intercept ACL.
If the server response to the NRH request is access rejected, the HTTP intercept ACL is activated, and the session
waits for HTTP traffic from the host.
Authentication Process
When you enable web-based authentication, these events occur:

The user initiates an HTTP session.

The HTTP traffic is intercepted, and authorization is initiated. The switch sends the login page to the user. The user
enters a username and password, and the switch sends the entries to the authentication server.

If the authentication succeeds, the switch downloads and activates the user's access policy from the authentication
server. The login success page is sent to the user.

If the authentication fails, the switch sends the login fail page. The user retries the login. If the maximum number of
attempts fails, the switch sends the login expired page, and the host is placed in a watch list. After the watch list
times out, the user can retry the authentication process.

If the authentication server does not respond to the switch, and if an AAA fail policy is configured, the switch applies
the failure access policy to the host. The login success page is sent to the user. (See
Banner, page 244.)

The switch reauthenticates a client when the host does not respond to an ARP probe on a Layer 2 interface, or when
the host does not send any traffic within the idle timeout on a Layer 3 interface.

The feature applies the downloaded timeout or the locally configured session timeout.

If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server. The terminate
action is included in the response from the server.

If the terminate action is default, the session is dismantled, and the applied policy is removed.
243
Local Web Authentication