11-2
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 11 Configuring Web-Based Authentication
Understanding Web-Based Authentication
Web Authentication Customizable Web Pages, page 11-6
Web-based Authentication Interactions with Other Features, page 11-7
Device Roles
With web-based authentication, the devices in the network have these specific roles:
Client—The device (workstation) that requests access to the LAN and the services and respon ds to
requests from the switch. The workstation must be running an HTML browser with Java Script
enabled.
Authentication server—Authenticates the client. The authentication server validates the identity of
the client and notifies the switch that the client is authorized to access the LAN and the switch
services or that the client is denied.
Switch—Controls the physical access to the network based on the authentication status of the client.
The switch acts as an intermediary (pro xy) between the client and the authentica tion server,
requesting identity information from the client, verifying that information with the authentication
server, and relaying a response to the client.
Figure 11-1 shows the roles of these devices in a network:
Figure 11-1 Web-Based Authentication Device Roles
Host Detection
The switch maintains an IP device tracking table to store information about detected hosts.
Note By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking
feature to use web-based authentication.
For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms:
ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static
IP address or a dynamic IP address.
Dynamic ARP inspection
DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding
entry for the host.
Workstations
(clients)
Catalyst switch
or
Cisco Router
Authentication
server
(RADIUS)
79549