Web Authentication configuration tasks

Set up any global configuration required for the FastIron switch, RADIUS server, Web server and other servers.

On a Layer 2 FastIron switch, make sure the FastIron switch has an IP address.

device# configure terminal
device(config)# ip address 10.1.1.101/24

On a Layer 3 FastIron switch, assign an IP address to a virtual interface (VE) for each VLAN on which Web Authentication will be enabled.

device#configure terminal
device(config)# vlan 10
device(config-vlan-10)# router-interface ve1
device(config-vlan-10)# untagged e 1/1/1 to 1/1/10
device(config-vlan-10)# interface ve1
device(config-vif-1)# ip address 10.1.1.101/24

Configure the RADIUS server and other servers if Web Authentication will use a RADIUS server. By default, Web Authentication uses a RADIUS server to authenticate host usernames and passwords, unless it is configured to use a local user database.

device(config)# radius-server host 10.1.1.8
device(config)# radius-server key $GSig@U\

NOTE

Remember the RADIUS key you entered. You will need this key when you configure your RADIUS server.

Configure Web Authentication to use secure (HTTPS) or non-secure (HTTP) login and logout pages. By default, HTTPS is used.

To enable the non-secure web server on the FastIron switch, enter the following commands.

device(config)# web-management HTTP
device(config# vlan 10
device(config-vlan-10# webauth
device(config-vlan-10-webauth# no secure-login

To enable the secure web server on the FastIron switch, enter the following commands.

device(config)# web-management HTTPS
device(config# vlan 10
device(config-vlan-10# webauth
device(config-vlan-10-webauth)# secure-login

Provide the switch with a certificate to enable Web Authentication using one of the following methods:

If the secure Web server is used, in order to access a secure Web page, the Web server needs to provide a key. This key is exchanged using a certificate. A certificate is a digital document that is issued by a trusted source that can validate the authenticity of the certificate and the Web server that is presenting it. Therefore the switch must have a certificate for web authentication to work.

Upload a certificate using the following global configuration command.
```
device(config)# ip ssl private-key-file tftp ip-addr key-filename
```

Generate a certificate using the following global configuration command.
```
device(config)# crypto-ssl certificate generate
```

Create a Web Authentication VLAN and enable Web Authentication on that VLAN.

device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# enable

When the Web Authentication is enabled, the CLI changes to the Web Authentication configuration mode. In the example, VLAN 10 requires hosts to be authenticated using Web Authentication before they can forward traffic.

Configure the Web Authentication mode:

Username and password: Blocks users from accessing the switch until they enter a valid username and password on a web login page.
Passcode: Blocks users from accessing the switch until they enter a valid passcode on a web login page.
captive-portal: Authenticates the users in a VLAN through external Web Authentication (Captive Portal user authentication) mode.
None: Blocks users from accessing the switch until they press the Login button. A username and password or passcode is not required.

Refer to Web Authentication mode configuration.

Configure other Web Authentication options (refer to Web Authentication options configuration).

Contents

Web Authentication configuration tasks