Configuring Web-Based Proxy Authentication - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch

Chapter 42

Configuring Web-Based Proxy Authentication

This example shows how to configure a typical ACL with these ACEs:
permit dhcp-snooping
permit arp-inspection <ip_addr> <hwaddr>
permit udp any eq dns any                    [permit DNS]
permit tcp any eq domain any                 [permit DNS w/TCP]
<Policy configuration>
permit ip group Exception ExpServers
permit ip group Engineer EngServers
permit ip group Manager MgrServers
permit ip group Admin any
permit url-redirect                          [permit URL redirection]
deny ip any any                              [Default policy]
When the host first comes up, no policies are configured for the host IP, and all host traffic except HTTP is controlled by the default policy configured in the PBACL. The HTTP traffic is redirected to the supervisor engine. Web-based proxy authentication registers this IP with URL redirection when it receives a trigger from DHCP or ARP. The URL redirection module on the supervisor engine receives the packet and passes it to web-based proxy authentication.

After successful authentication, web-based proxy authentication adds the host IP to the groups that are received from RADIUS, expands the PBACL, and updates the Ternary Content Addressable Memory (TCAM). The host traffic is then controlled by the policy configuration. Because the HTTP redirection ACE is at the end, traffic that matches the host policies is not affected by it while those policies are in place. Once the host policies are removed (after the session timeout has been exceeded), the host traffic is again subject to the default policy and HTTP traffic is redirected to the supervisor engine.
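The lookup order described above can be modelled as a first-match walk over the expanded PBACL, evaluated before login, after RADIUS returns a group, and after the session timeout. This is an added example, not code from the Cisco guide. The addresses, the ports used for the DNS and url-redirect ACEs (53 and TCP 80), and the helper names are assumptions, and the dhcp-snooping and arp-inspection ACEs are left out of the model.

```python
# Added illustration: first-match model of the PBACL above (not Cisco code).
# Addresses, ports and helper names are constructed for this example.
import ipaddress

SERVERS = {"ExpServers": "10.0.1.0/24", "EngServers": "10.0.2.0/24",
           "MgrServers": "10.0.3.0/24"}  # "any" is absent, so it maps to None
POLICY = [("Exception", "ExpServers"), ("Engineer", "EngServers"),
          ("Manager", "MgrServers"), ("Admin", "any")]


def expand_pbacl(host_groups):
    """Expand group ACEs into per-host ACEs, keeping the page's ACE order."""
    acl = [("permit", {"proto": "udp", "dport": 53}),   # [permit DNS]
           ("permit", {"proto": "tcp", "dport": 53})]   # [permit DNS w/TCP]
    for group, servers in POLICY:                       # <Policy configuration>
        for host in sorted(host_groups.get(group, ())):
            acl.append(("permit", {"src": host, "dst": SERVERS.get(servers)}))
    acl.append(("redirect", {"proto": "tcp", "dport": 80}))  # permit url-redirect
    acl.append(("deny", {}))                                 # deny ip any any
    return acl


def matches(rule, pkt):
    """True when every field the ACE constrains agrees with the packet."""
    for field, want in rule.items():
        if want is None:  # "any" destination
            continue
        if field == "dst":
            if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(field) != want:
            return False
    return True


def evaluate(acl, pkt):
    """Return the action of the first matching ACE."""
    return next(action for action, rule in acl if matches(rule, pkt))


if __name__ == "__main__":
    host = "10.0.9.5"  # constructed host IP
    pkts = {"dns": {"src": host, "dst": "10.0.0.53", "proto": "udp", "dport": 53},
            "http": {"src": host, "dst": "10.0.2.10", "proto": "tcp", "dport": 80},
            "ssh": {"src": host, "dst": "10.0.2.10", "proto": "tcp", "dport": 22}}
    for label, groups in [("before login", {}), ("Engineer", {"Engineer": [host]}),
                          ("after timeout", {})]:
        acl = expand_pbacl(groups)
        print(label, {name: evaluate(acl, p) for name, p in pkts.items()})
```

In this model, an authenticated host's HTTP traffic to a destination outside its permitted server group still falls through to the url-redirect ACE, because no policy ACE matches it first.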
Configuring Web-Based Proxy Authentication
This section describes how to configure web-based proxy authentication:
Enabling or Disabling Web-Based Proxy Authentication Globally
Enabling or Disabling Web-Based Proxy Authentication on a Port
Initializing Web-Based Proxy Authentication on a Port
Configuring the Login Page URL
Configuring the Login-Fail Page URL
Specifying the Session Timeout Period

Before you enable web-based proxy authentication on a port, you must map a PBACL with the following ACEs to the VLAN:
DHCP snooping
ARP inspection
Allow DNS
Policy config
URL Redirect
Default policy

Before you enable web-based proxy authentication on a port, you must enable ARP inspection for the static IP hosts and configure the static ARP inspection rules.
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7

This manual is also suitable for:

Catalyst 6506, Catalyst 6509, Catalyst 6513
