4-61
Web and MAC Authentication
Configuring MAC Authentication on the Switch
Caution Rogue clients can attempt to access any web pages on the web/registration
server via interface ports configured for MAC authentication.
The following steps are involved in HTTP registration.
1. When the redirect feature is enabled, a client that fails MAC authentica-
tion is moved into the unauthorized MAC authentication redirection
state.
2. A client in the redirect state (having failed MAC authentication) with a
web browser open sends a DHCP request. The switch responds with a
DHCP lease for an address in the switch’s configurable DHCP address
range. Additionally, the switch’s IP address becomes the client’s default
gateway. All ARP/DNS requests are handled by the switch and all requests
are directed to the switch. The switch replies to these requests with its
own address.
3. The client requests a web page. The switch takes this request and
responds to the client browser with an HTTP redirect to the configured
URL. The client MAC address and interface port are appended as HTTP
parameters.
4. Before returning the initial registration page to the client, the switch
enables NAT so that all subsequent requests will go to the web server
directly. The initial HTML page is returned to the switch and then proxied
to the client.
5. After the registration process completes, the registration server updates
the RADIUS server with the client’s username, password, and profile.
6. The client remains in the redirect state until the client’s time exceeds the
configured timeout or the switch receives an SNMP deauthentication
request from the registration server.
7. The registration server sends an SNMP request to the switch with the
MAC identification and interface port to reauthenticate or deauthenti-
cate the client.
8. The switch moves the client out of the special Web/MAC auth redirect
state and the client becomes unknown to the switch again. This sets the
stage for a new MAC authentication cycle.
To Next Page
Loading...
Need help?
General