ExtremeWare XOS 11.3 Concepts Guide
Modifying the Supplicant Response Timer
To modify the supplicant response timer, use the following command and specify the supp-resp-timeout parameter:
configure netlogin dot1x timers [{server-timeout <server_timeout>} {quiet-period <quiet_period>} {reauth-period <reauth_period>} {supp-resp-timeout <supp_resp_timeout>}]
The default supplicant response timeout is 30 seconds. The number of authentication attempts is not a
user-configured parameter.
Disabling a Guest VLAN
To disable the guest VLAN, use the following command:
disable netlogin dot1x guest-vlan ports [all | <portlist>]
Post-authentication VLAN Movement
Once the client has been successfully authenticated and the port has been moved to a VLAN, the client
can move to a VLAN other than the one it was authenticated on. This occurs when the RADIUS server
sends a message to the client telling it of the new VLAN during 802.1x re-authentication. The client
remains authenticated during this transition. This occurs on both untagged and tagged VLANs.
For example, suppose a client submits the required credentials for network access; however, the client is
not running the current, approved anti-virus software or the client has not installed the appropriate
software updates. If this occurs, the client is authenticated but has limited network access until the
problem is resolved. After you update the client’s anti-virus software, or install the software updates,
the RADIUS server re-authenticates the client by sending ACCESS-ACCEPT messages with the
accompanying VLAN attributes, thereby allowing the client to enter its permanent VLAN with full
network access.
This is normal and expected behavior; no configuration is necessary.
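The VLAN change described above can be observed in the RADIUS traffic itself. The following Python code is an added example, not part of the ExtremeWare XOS guide: it assumes the VLAN attributes are the RFC 3580 tunnel attributes (this section does not name them), uses constructed sample packets and VLAN names, and does not verify the Response Authenticator, which requires the shared secret.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # RFC 3580 values for Tunnel-Type / Tunnel-Medium-Type

def attributes(packet):
    """Yield (type, value) for every attribute, rejecting malformed lengths."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS packet length")
    pos = 20  # code, identifier, length and 16-byte authenticator come first
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def vlan_from_access_accept(packet):
    """Return the VLAN assigned by an Access-Accept, or None if there is none."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return None
    found = {}
    for atype, value in attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = int.from_bytes(value[1:], "big")  # first byte is the tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            if value[0] <= 0x1F:  # optional tag byte before the string
                value = value[1:]
            found[atype] = value.decode("ascii", "replace")
    if found.get(TUNNEL_TYPE) == VLAN and found.get(TUNNEL_MEDIUM_TYPE) == IEEE_802:
        return found.get(TUNNEL_PRIVATE_GROUP_ID)
    return None

def vlan_move(previous, current):
    """Return (old, new) when re-authentication assigns a different VLAN."""
    old, new = vlan_from_access_accept(previous), vlan_from_access_accept(current)
    return (old, new) if new is not None and new != old else None

def build_accept(vlan):
    """Constructed sample packet (zeroed authenticator); not a real capture."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in [
        (TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
        (TUNNEL_PRIVATE_GROUP_ID, vlan.encode("ascii"))])
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

LIMITED, PERMANENT = build_accept("quarantine"), build_accept("corp")  # constructed names

if __name__ == "__main__":
    print(vlan_move(LIMITED, PERMANENT))
```

Logging the result of vlan_move per client gives an audit trail of when a port left the limited-access VLAN and which VLAN it entered.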
Web-Based Authentication
This section describes web-based network login. For web-based authentication, you need to configure
the switch DNS name, default redirect page, session refresh, and logout-privilege. URL redirection
requires the switch to be assigned a DNS name. The default name is network-access.net. While the
client is in unauthenticated mode, any DNS query sent to the switch to resolve the switch DNS name is
answered by the DNS server on the switch with the IP address of the interface to which the network
login port is connected.
This section describes the following topics:
● Enabling and Disabling Web-Based Network Login
● Configuring the Base URL
● Configuring the Redirect Page
● Configuring Session Refresh
● Configuring Logout Privilege