Network Login
Summit 300-48 Switch Software User Guide 97
When web-based network login is enabled on a switch port, that port is placed into a non-forwarding
state until authentication takes place. To authenticate, a user (supplicant) must open a web browser and
provide the appropriate credentials. These credentials are either approved, in which case the port is
placed in forwarding mode, or not approved, in which case the port remains blocked. Three failed login
attempts disable the port for a configured length of time. User logout can be initiated by submitting a
logout request or closing the logout window.
The following capabilities are included in network login:
• Web-based login using HTTP and HTTPS available on each wired and wireless port
• 802.1x and web-based network login supported on the same wired ports
• Multiple supplicants on each wired 10/100 and wireless port
• Single VLAN assignment for all users authenticated on a wired port
• Per-user VLAN support for all users authenticated on a wireless port
Web-Based and 802.1x Authentication
Authentication is handled as a web-based process, or as described in the IEEE 802.1x specification.
Web-based network login does not require any specific client software and can work with any
HTTP-compliant web browser. By contrast, 802.1x authentication may require additional software
installed on the client workstation, making it less suitable for a user walk-up situation, such as a
cyber-café or coffee shop. [1]
Extreme Networks supports a smooth transition from web-based to 802.1x
authentication.
DHCP is required for web-based network login because the underlying protocol used to carry
authentication request-response is HTTP. The client requires an IP address to send and receive HTTP
packets. Before the client is authenticated, however, the only connection that exists is to the authenticator. As
a result, the authenticator must be furnished with a temporary DHCP server to distribute the IP
address.
The switch responds to DHCP requests for unauthenticated clients when DHCP parameters such as
dhcp-address-range and dhcp-options are configured on the Netlogin VLAN. The switch can also
answer DHCP requests following authentication if DHCP is enabled on the specified VLAN. If netlogin
clients are required to obtain DHCP leases from an external DHCP server elsewhere on the network,
DHCP should not be enabled on the VLAN.
The DHCP allocation for network login has a short time duration of 20 seconds and is intended to
perform web-based network login only. As soon as the client is authenticated, it is deprived of this
address. The client must obtain an operational address from another DHCP server in the network. DHCP
is not required for 802.1x, because 802.1x uses only Layer 2 frames (EAPOL).
URL redirection (applicable to web-based mode only) is a mechanism to redirect any HTTP request to
the base URL of the authenticator when the port is in unauthenticated mode. In other words, when the
user tries to log in to the network using the browser, the user is first redirected to the network login
page. Only after a successful login is the user connected to the network.
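The port behavior described in this section (URL redirection while unauthenticated, the 20-second temporary DHCP lease, and the port being disabled after three failed logins) can be modeled as a small state machine. This is an added illustration, not Extreme Networks code or switch configuration. The login URL, the lockout duration, the credential table, and the choice to clear the failure counter on success or when the lockout expires are assumptions.

```python
import hmac
from dataclasses import dataclass

TEMP_LEASE_SECONDS = 20   # temporary DHCP lease length stated in the guide
MAX_FAILURES = 3          # failed logins before the port is disabled
LOGIN_URL = "http://netlogin.example/login"  # hypothetical base URL

@dataclass
class NetLoginPort:
    credentials: dict               # constructed user -> password table
    lockout_seconds: int = 60       # the "configured length of time" (assumed value)
    state: str = "unauthenticated"  # unauthenticated | forwarding | disabled
    failures: int = 0
    disabled_until: float = 0.0

    def _refresh(self, now):
        # A disabled port returns to unauthenticated once its timer expires.
        if self.state == "disabled" and now >= self.disabled_until:
            self.state, self.failures = "unauthenticated", 0

    def dhcp_request(self, now):
        # Only unauthenticated clients are offered the short temporary lease;
        # afterwards the operational address comes from another DHCP server.
        self._refresh(now)
        return TEMP_LEASE_SECONDS if self.state == "unauthenticated" else None

    def http_request(self, url, now):
        """Return ('forward', url), ('redirect', LOGIN_URL) or ('drop', None)."""
        self._refresh(now)
        if self.state == "forwarding":
            return ("forward", url)
        if self.state == "unauthenticated":
            return ("redirect", LOGIN_URL)  # URL redirection to the login page
        return ("drop", None)               # port disabled after failed logins

    def login(self, user, password, now):
        self._refresh(now)
        if self.state != "unauthenticated":
            return self.state               # no attempts accepted while disabled
        ok = user in self.credentials and hmac.compare_digest(
            self.credentials[user], password)
        if ok:
            self.state, self.failures = "forwarding", 0
        else:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.state = "disabled"
                self.disabled_until = now + self.lockout_seconds
        return self.state

    def logout(self):
        if self.state == "forwarding":      # logout must not clear a lockout
            self.state = "unauthenticated"
```

The `now` argument is a caller-supplied timestamp in seconds, so the lockout timer can be exercised without waiting.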
1. A workstation running Windows XP supports 802.1x natively and does not require additional authentication software.