Interaction With Other Features - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch
Chapter 42
Configuring Web-Based Proxy Authentication

Interaction with Other Features

Web-based proxy authentication interacts with these features as follows:
Authenticating—Occurs when the host response (HTTP POST message) is processed and you can
extract the credentials. The credentials are then authenticated with the external RADIUS server as
follows:
If the HTTP response fails, the state changes to the Parse-error state. For example, this state
could occur if the external login page specified does not conform to the variable/field names
that the switch is programmed to process.
If the authentication succeeds, the state changes to the Authenticated state. If the authentication
fails and the retry count is less than the maximum configured, the state changes to the
Authentication-Fail state or the Held state.
Authenticated—Occurs upon a successful authentication. In the Authenticated state, the RADIUS
attributes are processed and the policies are applied and returned to the host. No HTTP packets are
intercepted and redirected to the supervisor engine. The state changes to the session-timeout state
when the session timer expires.
Authentication-Fail—Occurs when RADIUS sends an Access-Reject; a Login-Fail page with the
authentication failure information embedded in it is returned to the host.
Parse-Error—Occurs upon a failure to extract user credentials from the HTTP POST message. A
standard login page that is stored internally in the network access device is sent to the client. The
state changes to the Authenticating state when the host sends an HTTP POST response.
Session-timeout—Occurs when the session timer expires. The user policies are removed and the
state changes to the Initialize state.
Held—Occurs when the authentication retry count exceeds the configured maximum number of
retry attempts. No HTTP packets are intercepted. A port initialization or a DHCP binding removal
removes the Held state designation.
DHCP snooping—You can enable web-based proxy authentication and DHCP snooping on the same
port/VLAN. The default access control list (ACL) for web-based proxy authentication has an ACE
that allows DHCP snooping. The creation of DHCP snooping binding triggers web-based proxy
authentication.
Dynamic ARP inspection (DAI)—You can enable web-based proxy authentication and DAI on the
same port/VLAN. The default ACL requires an ACE to allow ARP inspection. For a host with a static
IP address configured, ARP inspection triggers web-based proxy authentication.
IP source guard (IPSG)—You can enable web-based proxy authentication and IPSG on the same
port. IPSG uses a PACL for access policy, and web-based proxy authentication uses a PBACL for
access policy. The port ACL mode must be in merge mode in order for IPSG to work with web-based
proxy authentication.
802.1X—Web-based proxy authentication and 802.1X are independent identity authentication
protocols with 802.1X at Layer 2 and web-based proxy authentication at Layer 3. You can enable
web-based proxy authentication with 802.1X. When you configure both web-based proxy
authentication and 802.1X on a port, the port attempts to authenticate using 802.1X. After successful
authentication, it receives policies from RADIUS. If a policy allows all web (HTTP/HTTPS) traffic,
then web-based proxy authentication does not occur. The host is not authenticated if the 802.1X
policies allow web traffic. If the 802.1X policies do not allow web traffic, then web-based proxy
authentication occurs when the host sends the first HTTP/HTTPS packet that is not allowed by the
policy. The packet is intercepted by the URL redirect ACE.
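The session states described above (Authenticating, Authenticated, Authentication-Fail, Parse-Error, Session-timeout and Held) modelled as a small state machine. This is an added illustration, not Cisco code: `HostSession`, `fake_radius` and the alice/correct credentials are constructed stand-ins, and the point at which the retry count "exceeds" the configured maximum and the host becomes Held is taken as an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

class State(Enum):
    INITIALIZE = auto()
    AUTHENTICATING = auto()
    AUTHENTICATED = auto()
    AUTHENTICATION_FAIL = auto()
    PARSE_ERROR = auto()
    SESSION_TIMEOUT = auto()
    HELD = auto()

def fake_radius(user: str, password: str):
    """Constructed stand-in for the external RADIUS server -> (accepted, attributes)."""
    if (user, password) == ("alice", "correct"):      # constructed credentials
        return True, ["permit ip any any"]            # attributes carrying the host policy
    return False, []                                  # Access-Reject: no policy

@dataclass
class HostSession:
    max_retries: int = 3                              # configured maximum retry count
    state: State = State.INITIALIZE
    retries: int = 0
    policies: list = field(default_factory=list)

    def http_post(self, form: dict, radius=fake_radius) -> State:
        """Intercepted login POST. Held and Authenticated hosts are not intercepted."""
        if self.state in (State.HELD, State.AUTHENTICATED):
            return self.state
        self.state = State.AUTHENTICATING
        if "username" not in form or "password" not in form:
            self.state = State.PARSE_ERROR            # internal login page is resent to the client
            return self.state
        accepted, attrs = radius(form["username"], form["password"])
        if accepted:
            self.policies = attrs                     # RADIUS attributes become the applied policy
            self.state = State.AUTHENTICATED
        else:
            self.retries += 1                         # assumption: Held once retries exceed the maximum
            self.state = State.AUTHENTICATION_FAIL if self.retries <= self.max_retries else State.HELD
        return self.state

    def session_timer_expired(self) -> State:
        """Session-timeout: policies are removed, then the state returns to Initialize."""
        if self.state is State.AUTHENTICATED:
            self.state = State.SESSION_TIMEOUT
            self.policies = []
            self.state = State.INITIALIZE
        return self.state
    def port_initialize(self) -> State:
        """Port initialize or DHCP binding removal clears Held and restarts the session."""
        self.retries, self.policies, self.state = 0, [], State.INITIALIZE
        return self.state
```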
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7 (OL-8978-04), page 42-7
