Web Authentication using HTTP or HTTPS services

Authentication is important in enterprise networks because the network is considered a secure area: it contains sensitive data and a finite amount of resources. Unauthorized users must be prevented from accessing the network to protect the sensitive data and prevent the unnecessary consumption of resources.

The ideal authentication method blocks unauthorized users at the earliest possible opportunity. For internal enterprise networks, this can be controlled at the edge switch port. Two popular forms of port-based security authentication used at the edge switch are MAC authentication and 802.1x authentication. MAC authentication authenticates the MAC addresses of hosts or users that are attempting to access the network. This type of authentication requires no intervention from the host or user who is attempting to be authenticated. It is easy to use, but it can only authorize hosts; it cannot be used to authorize users. 802.1x authentication can authorize users or hosts. It is more flexible than the MAC authentication method; however, it requires more support, configuration, maintenance, and user intervention than MAC authentication.

The Ruckus Web Authentication method, using HTTP or HTTPS services, provides a port-based authentication alternative to MAC authentication without the complexities and cost of 802.1x authentication. Hosts gain access to the network by opening a web browser and entering a valid URL using HTTP or HTTPS. Instead of being routed to that URL, the host browser is redirected to an authentication web page on the FastIron switch. The web page prompts the host to enter a username and password or a passcode. The credentials the host enters are checked by a trusted source, which then authenticates the host MAC address. (Multiple MAC addresses can be authenticated with the same username and password.)

If the authentication is unsuccessful, the user is asked to try again or to call for assistance, depending on what message is configured on the web page. If the host MAC address is authenticated by the trusted source, a web page is displayed with a hyperlink to the URL the host originally entered. If the user clicks on the link, a new window is opened and the user is directed to the requested URL.

While a MAC address is in the authenticated state, the host can forward data through the FastIron switch. The MAC address remains authenticated until one of the following events occurs:

  • The host MAC address is removed from the list of MAC addresses that are automatically authenticated. (Refer to the “Specifying hosts that are permanently authenticated” section.)
  • The re-authentication timer expires and the host is required to re-authenticate. (Refer to the “Configuring the re-authentication period” section.)
  • The host has remained inactive for a period of time and the inactive period timer has expired. (Refer to the “Forcing re-authentication after an inactive period” section.)
  • All the ports on the VLAN on which Web Authentication has been configured are in a down state. All MAC addresses that are currently authenticated are de-authenticated. (Refer to the “Forcing re-authentication when ports are down” section.)
  • The authenticated client is cleared from the Web Authentication table. (Refer to the “Clearing authenticated hosts from the web authentication table” section.)

The FastIron switch can be configured to automatically authenticate a host MAC address. The host will not be required to log in or re-authenticate (depending on the re-authentication period) once the MAC address passes authentication.

A host that is logged in and authenticated remains logged in indefinitely, unless a re-authentication period is configured. When the re-authentication period ends, the host is logged out. A host can log out at any time by pressing the Logout button in the Web Authentication Success page.

NOTE
The host can log out as long as the Web Authentication Success page is visible. If the window is accidentally closed, the host cannot log out unless the re-authentication period ends or the host is manually cleared from the Web Authentication table.
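The lifecycle above (portal login checked against a trusted source, shared credentials across several MACs, the re-authentication and inactivity timers, the permanent-host list, the all-ports-down event, and clearing or logging out an entry) can be modelled as a small state table. The following simulation is an added example, not FastIron code or Ruckus's own implementation: the WebAuthTable class, the TRUSTED_SOURCE dictionary standing in for a RADIUS/LDAP back end, and the MAC addresses and timer values in demo() are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed stand-in for the trusted source (RADIUS backed by LDAP/AD):
# username -> password. Real deployments never store plaintext like this;
# it only keeps the simulation self-contained.
TRUSTED_SOURCE = {"alice": "s3cret", "bob": "hunter2"}


@dataclass
class Entry:
    """One authenticated host MAC in the Web Authentication table."""
    user: str
    authenticated_at: float   # when the credentials were accepted
    last_activity: float      # last time the switch forwarded traffic for it


@dataclass
class WebAuthTable:
    """Simulated Web Authentication table (hypothetical class, not FastIron code).

    A host MAC stays authenticated until one of the events in the text occurs:
    re-authentication timer, inactivity timer, removal from the permanent list,
    all VLAN ports down, or the entry being cleared (logout does the same).
    Times are plain seconds so the example runs without a real clock."""
    reauth_period: Optional[float] = None     # None: never forced to re-authenticate
    inactive_period: Optional[float] = None   # None: no inactivity timeout
    permanent: Set[str] = field(default_factory=set)      # auto-authenticated MACs
    entries: Dict[str, Entry] = field(default_factory=dict)

    def authenticate(self, mac: str, user: str, password: str, now: float) -> bool:
        """Portal login. Several MACs may be authenticated with the same credentials."""
        if TRUSTED_SOURCE.get(user) != password:
            return False                       # portal shows "try again"
        self.entries[mac] = Entry(user, now, now)
        return True

    def forward(self, mac: str, now: float) -> bool:
        """Decide whether traffic from `mac` is forwarded at time `now`."""
        if mac in self.permanent:
            return True                        # never asked to log in
        self._expire(now)
        entry = self.entries.get(mac)
        if entry is None:
            return False                       # redirected to the login page
        entry.last_activity = now
        return True

    def _expire(self, now: float) -> None:
        """Drop entries whose re-authentication or inactivity timer has run out."""
        for mac, e in list(self.entries.items()):
            reauth_due = self.reauth_period is not None and now - e.authenticated_at >= self.reauth_period
            idle = self.inactive_period is not None and now - e.last_activity >= self.inactive_period
            if reauth_due or idle:
                del self.entries[mac]

    def clear(self, mac: str) -> None:
        """Operator clears the host from the table (the Logout button has the same effect)."""
        self.entries.pop(mac, None)

    def ports_down(self) -> None:
        """All ports of the Web Authentication VLAN are down: every host is de-authenticated."""
        self.entries.clear()

    def remove_permanent(self, mac: str) -> None:
        """Remove a MAC from the automatically authenticated list."""
        self.permanent.discard(mac)


def demo() -> Dict[str, bool]:
    """Walk through the lifecycle events with constructed MACs and return the outcomes."""
    t = WebAuthTable(reauth_period=3600, inactive_period=600, permanent={"00:11:22:33:44:55"})
    m1, m2, m3, m4 = ("aa:bb:cc:00:00:0%d" % i for i in (1, 2, 3, 4))
    r = {}
    r["bad_password"] = t.authenticate(m1, "alice", "wrong", now=0)
    r["login"] = t.authenticate(m1, "alice", "s3cret", now=0)
    r["second_mac_same_creds"] = t.authenticate(m2, "alice", "s3cret", now=0)
    r["forward_while_active"] = t.forward(m1, now=100)
    r["idle_host_dropped"] = t.forward(m2, now=650)       # idle 650 s >= 600 s
    r["active_host_kept"] = t.forward(m1, now=650)        # idle only 550 s
    for now in range(1150, 3600, 500):                    # keep m1 busy until the timer
        t.forward(m1, now)
    r["reauth_period_expired"] = t.forward(m1, now=3600)  # 3600 s since login
    r["permanent_no_login"] = t.forward("00:11:22:33:44:55", now=5000)
    t.remove_permanent("00:11:22:33:44:55")
    r["removed_from_permanent"] = t.forward("00:11:22:33:44:55", now=5000)
    t.authenticate(m3, "bob", "hunter2", now=5000)
    t.ports_down()
    r["after_ports_down"] = t.forward(m3, now=5001)
    t.authenticate(m4, "bob", "hunter2", now=5000)
    t.clear(m4)
    r["after_clear"] = t.forward(m4, now=5001)
    return r


if __name__ == "__main__":
    for event, forwarded in demo().items():
        print(f"{event:24s} forwarded={forwarded}")
```

The two timers are deliberately checked on every forwarding decision rather than by a background task, which is the simplest way to make the "remains authenticated until" rule visible: a host that keeps sending traffic survives the inactivity timer but is still logged out when the re-authentication period ends, exactly as the text describes.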

The basic topology of a network in which Web Authentication is used requires the following components:

  • A Ruckus FastIron switch running a software release that supports Web Authentication
  • A DHCP server, if dynamic IP addressing is to be used
  • A computer or host with a web browser

Your configuration may also require a RADIUS server with a trusted source such as LDAP or Active Directory.

NOTE
The web server, RADIUS server, and DHCP server can all be the same server.

Figure 18  Basic network topology for Web Authentication