Configuration Guide Vol. 2


9.1.4 Legacy mode configuration

<Structure of this section>

(1) Basic settings for the local authentication method

The figure below describes the basic configuration required to use local authentication. In this case, you manually assign the pre-authentication and post-authentication IP addresses to the terminals (PC1 and PC2).

Figure 9-7: Example of local authentication configuration

[Figure Data]

In this configuration, you configure Web authentication after you set up the pre-authentication and post-authentication VLANs and define the access lists. The access lists you define prohibit members of the pre-authentication VLAN from communicating with the post-authentication VLAN and permit communication from the post-authentication VLAN to the pre-authentication VLAN only by Web browser.

(a) Configuring Authentication Ports

Points to note

Configure the port to be used for Web authentication.

Command examples

  1. (config)# interface gigabitethernet 1/0/4

    (config-if)# switchport mode mac-vlan

    (config-if)# switchport mac vlan 50

    (config-if)# switchport mac native vlan 10

    (config-if)# exit

    Specifies the pre-authentication VLAN and the post-authentication VLAN at a port where terminals will be authenticated.

  2. (config)# interface gigabitethernet 1/0/9

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 50

    (config-if)# exit

    Specifies the post-authentication VLAN for the port to which the server that users access after authentication is connected.

(b) IP addressing for VLAN interfaces

Points to note

Assign IP addresses to the pre-authentication and post-authentication VLANs.

Command examples

  1. (config)# interface vlan 10

    (config-if)# ip address 192.168.10.254 255.255.255.0

    (config-if)# exit

    (config)# interface vlan 50

    (config-if)# ip address 192.168.50.254 255.255.255.0

    (config-if)# exit

    Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.

(c) Configuring Access Lists

Points to note

Configure the access lists for the post-authentication VLAN and the pre-authentication VLAN.

Command examples

  1. (config)# ip access-list extended 100

    (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 10

    (config-if)# ip access-group 100 in

    (config-if)# exit

    Sets an access list that prohibits communication from the pre-authentication VLAN to the post-authentication VLAN.

  2. (config)# ip access-list extended 150

    (config-ext-nacl)# permit tcp 192.168.50.0 0.0.0.255 host 192.168.10.254 eq http

    (config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 any

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 50

    (config-if)# ip access-group 150 in

    (config-if)# exit

    Sets an access list that permits access by Web browser from the post-authentication VLAN to the pre-authentication VLAN.

(d) Configuration of Web authentication

Points to note

Enable Web authentication by using configuration commands.

Command examples

  1. (config)# web-authentication vlan 50

    Specifies the VLAN IDs of the post-authentication VLANs used for Web authentication.

  2. (config)# web-authentication system-auth-control

    Starts Web authentication.

(2) Configuration When Using Local Authentication+Embedded DHCP Servers

The figure below describes an example configuration for Web authentication that uses local authentication with the DHCP server built into the switch. In this case, the DHCP server built into the switch assigns IP addresses to the terminals (PC1 and PC2).

Figure 9-8: Configuration when using the local authentication method and built-in DHCP

[Figure Data]

In this configuration, you configure Web authentication after you have set up the pre-authentication and post-authentication VLANs, defined the access lists, and configured the DHCP server. The access lists you define prohibit members of the pre-authentication VLAN from communicating with the post-authentication VLAN and permit communication from the post-authentication VLAN to the pre-authentication VLAN only by Web browser.

(a) Configuring Authentication Ports

Points to note

Configure the port to be used for Web authentication.

Command examples

  1. (config)# interface gigabitethernet 1/0/4

    (config-if)# switchport mode mac-vlan

    (config-if)# switchport mac vlan 50

    (config-if)# switchport mac native vlan 10

    (config-if)# exit

    Specifies the pre-authentication VLAN and the post-authentication VLAN at a port where terminals will be authenticated.

  2. (config)# interface range gigabitethernet 1/0/9-10

    (config-if-range)# switchport mode access

    (config-if-range)# switchport access vlan 50

    (config-if-range)# exit

    Specifies the post-authentication VLAN for the port to which the server that users access after authentication is connected.

(b) IP addressing for VLAN interfaces

Points to note

Assign IP addresses to the pre-authentication and post-authentication VLANs.

Command examples

  1. (config)# interface vlan 10

    (config-if)# ip address 192.168.10.254 255.255.255.0

    (config-if)# exit

    (config)# interface vlan 50

    (config-if)# ip address 192.168.50.254 255.255.255.0

    (config-if)# exit

    Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.

(c) Configuring Access Lists

Points to note

Configure the access lists for the post-authentication VLAN and the pre-authentication VLAN.

Command examples

  1. (config)# ip access-list extended 100

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 10

    (config-if)# ip access-group 100 in

    (config-if)# exit

    Sets an access list that prohibits communication from the pre-authentication VLAN to the post-authentication VLAN.

  2. (config)# ip access-list extended 150

    (config-ext-nacl)# permit tcp 192.168.50.0 0.0.0.255 host 192.168.10.254 eq http

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.10.254

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.50.254

    (config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 any

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 50

    (config-if)# ip access-group 150 in

    (config-if)# exit

    Sets an access list that permits only traffic generated by a Web browser to be relayed from the post-authentication VLAN to the pre-authentication VLAN.

(d) Configuring a DHCP Server

Points to note

Configure the DHCP server to distribute IP addresses to terminals.

Command examples

  1. (config)# service dhcp vlan 10

    (config)# ip dhcp excluded-address 192.168.10.1

    (config)# ip dhcp excluded-address 192.168.10.254

    (config)# ip dhcp pool POOL10

    (dhcp-config)# network 192.168.10.0/24

    (dhcp-config)# lease 0 0 1

    (dhcp-config)# default-router 192.168.10.1

    (dhcp-config)# exit

    Performs DHCP server configuration for the pre-authentication VLAN. These commands configure the allocation of IP addresses to terminals seeking authentication and define 192.168.10.1 as the IP address of the default router.

  2. (config)# service dhcp vlan 50

    (config)# ip dhcp excluded-address 192.168.50.1

    (config)# ip dhcp excluded-address 192.168.50.254

    (config)# ip dhcp pool POOL50

    (dhcp-config)# network 192.168.50.0/24

    (dhcp-config)# lease 0 0 1

    (dhcp-config)# default-router 192.168.50.1

    (dhcp-config)# exit

    Performs DHCP server configuration for the post-authentication VLAN. These commands configure the allocation of IP addresses to authenticated terminals and define 192.168.50.1 as the IP address of the default router.

(e) Configuration of Web authentication

Points to note

Enable Web authentication by using configuration commands.

Command examples

  1. (config)# web-authentication vlan 50

    Specifies the VLAN IDs of the post-authentication VLANs used for Web authentication.

  2. (config)# web-authentication system-auth-control

    Starts Web authentication.

(3) Configuration When Using RADIUS Authentication+Embedded DHCP Servers

The figure below describes an example configuration for Web authentication that uses RADIUS authentication with the DHCP server built into the switch. In this case, the DHCP server built into the switch assigns IP addresses to the terminals (PC1 and PC2).

Figure 9-9: Sample Configuration When Using Web Authentication RADIUS Authentication Method + Built-in DHCP

[Figure Data]

In this configuration, you configure Web authentication after you have set up the pre-authentication and post-authentication VLANs, defined the access lists, and configured the DHCP server. The access lists you define prohibit members of the pre-authentication VLAN from communicating with the post-authentication VLAN and permit communication from the post-authentication VLAN to the pre-authentication VLAN only by Web browser.

(a) Configuring Authentication Ports

Points to note

Configure the port to be used for Web authentication.

Command examples

  1. (config)# interface gigabitethernet 1/0/4

    (config-if)# switchport mode mac-vlan

    (config-if)# switchport mac vlan 50

    (config-if)# switchport mac native vlan 10

    (config-if)# exit

    Specifies the pre-authentication VLAN and the post-authentication VLAN at a port where terminals will be authenticated.

  2. (config)# interface range gigabitethernet 1/0/9-10

    (config-if-range)# switchport mode access

    (config-if-range)# switchport access vlan 50

    (config-if-range)# exit

    Specifies the post-authentication VLAN for the port to which the server that users access after authentication is connected.

(b) IP addressing for VLAN interfaces

Points to note

Assign IP addresses to the pre-authentication and post-authentication VLANs.

Command examples

  1. (config)# interface vlan 10

    (config-if)# ip address 192.168.10.254 255.255.255.0

    (config-if)# exit

    (config)# interface vlan 50

    (config-if)# ip address 192.168.50.254 255.255.255.0

    (config-if)# exit

    Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.

(c) Configuring Access Lists

Points to note

Configure the access lists for the post-authentication VLAN and the pre-authentication VLAN.

Command examples

  1. (config)# ip access-list extended 100

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 10

    (config-if)# ip access-group 100 in

    (config-if)# exit

    Sets an access list that prohibits communication from the pre-authentication VLAN to the post-authentication VLAN.

  2. (config)# ip access-list extended 150

    (config-ext-nacl)# permit tcp 192.168.50.0 0.0.0.255 host 192.168.10.254 eq http

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.10.254

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.50.254

    (config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 any

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 50

    (config-if)# ip access-group 150 in

    (config-if)# exit

    Sets an access list that permits only traffic generated by a Web browser to be relayed from the post-authentication VLAN to the pre-authentication VLAN.

(d) Configuring a DHCP Server

Points to note

Configure the DHCP server to distribute IP addresses to terminals.

Command examples

  1. (config)# service dhcp vlan 10

    (config)# ip dhcp excluded-address 192.168.10.1

    (config)# ip dhcp excluded-address 192.168.10.254

    (config)# ip dhcp pool POOL10

    (dhcp-config)# network 192.168.10.0/24

    (dhcp-config)# lease 0 0 1

    (dhcp-config)# default-router 192.168.10.1

    (dhcp-config)# exit

    Performs DHCP server configuration for the pre-authentication VLAN. These commands configure the allocation of IP addresses to terminals seeking authentication and define 192.168.10.1 as the IP address of the default router.

  2. (config)# service dhcp vlan 50

    (config)# ip dhcp excluded-address 192.168.50.1

    (config)# ip dhcp excluded-address 192.168.50.254

    (config)# ip dhcp pool POOL50

    (dhcp-config)# network 192.168.50.0/24

    (dhcp-config)# lease 0 0 1

    (dhcp-config)# default-router 192.168.50.1

    (dhcp-config)# exit

    Performs DHCP server configuration for the post-authentication VLAN. These commands configure the allocation of IP addresses to authenticated terminals and define 192.168.50.1 as the IP address of the default router.

(e) Configuration of Web authentication

Points to note

Enable Web authentication by using configuration commands.

Command examples

  1. (config)# web-authentication vlan 50

    Specifies the VLAN IDs of the post-authentication VLANs used for Web authentication.

  2. (config)# aaa authentication web-authentication default group radius

    (config)# radius-server host 192.168.10.200 key "webauth"

    Specifies the IP address and RADIUS key used to access the RADIUS server to perform user authentication.

  3. (config)# web-authentication system-auth-control

    Starts Web authentication.

(4) Configuration with RADIUS authentication method + external DHCP servers + multiple post-authentication VLAN

The figure below describes an example configuration for Web authentication that uses RADIUS authentication and an external DHCP server in an environment where multiple post-authentication VLANs are configured. In this case, the external DHCP server assigns IP addresses to the terminals (PC1 and PC2).

Figure 9-10: Sample Configuration When Using RADIUS Authentication Method for Web Authentication + External DHCP Servers + Post-Authentication VLAN

[Figure Data]

In this configuration, you configure Web authentication after you set up the pre-authentication and post-authentication VLANs and define the access lists. The access lists you define prohibit members of the pre-authentication VLAN from communicating with the post-authentication VLAN and permit communication from the post-authentication VLAN to the pre-authentication VLAN only by Web browser.

The access lists you define also prohibit communication between post-authentication VLANs.

(a) Configuring Authentication Ports

Points to note

Configure the port to be used for Web authentication.

Command examples

  1. (config)# interface gigabitethernet 1/0/4

    (config-if)# switchport mode mac-vlan

    (config-if)# switchport mac vlan 50,60

    (config-if)# switchport mac native vlan 10

    (config-if)# exit

    Specifies the pre-authentication VLAN and the post-authentication VLAN at a port where terminals will be authenticated.

  2. (config)# interface gigabitethernet 1/0/9

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 50

    (config-if)# exit

    Specifies the post-authentication VLAN for the port to which the server that users access after authentication is connected.

  3. (config)# interface gigabitethernet 1/0/10

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 60

    (config-if)# exit

    Specifies the post-authentication VLAN for the port to which the server that users access after authentication is connected.

(b) IP addressing for VLAN interfaces

Points to note

Assign IP addresses to the pre-authentication and post-authentication VLANs.

Command examples

  1. (config)# interface vlan 10

    (config-if)# ip address 192.168.10.254 255.255.255.0

    (config-if)# exit

    (config)# interface vlan 50

    (config-if)# ip address 192.168.50.254 255.255.255.0

    (config-if)# exit

    (config)# interface vlan 60

    (config-if)# ip address 192.168.60.254 255.255.255.0

    (config-if)# exit

    Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.

(c) Configuring Access Lists

Points to note

Configure the access lists for the post-authentication VLAN and the pre-authentication VLAN.

Command examples

  1. (config)# ip access-list extended 100

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 10

    (config-if)# ip access-group 100 in

    (config-if)# exit

    Sets an access list that prohibits communication from the pre-authentication VLAN to the post-authentication VLAN.

  2. (config)# ip access-list extended 150

    (config-ext-nacl)# permit tcp 192.168.50.0 0.0.0.255 host 192.168.10.254 eq http

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.10.254

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.50.254

    (config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 any

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 50

    (config-if)# ip access-group 150 in

    (config-if)# exit

    Sets an access list that permits communication by Web browser from the post-authentication VLAN (VLAN ID 50) to the pre-authentication VLAN, and prohibits all access to the other post-authentication VLAN (VLAN ID 60).

  3. (config)# ip access-list extended 160

    (config-ext-nacl)# permit tcp 192.168.60.0 0.0.0.255 host 192.168.10.254 eq http

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.10.254

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.60.254

    (config-ext-nacl)# permit ip 192.168.60.0 0.0.0.255 any

    (config-ext-nacl)# deny ip any any

    (config-ext-nacl)# exit

    (config)# interface vlan 60

    (config-if)# ip access-group 160 in

    (config-if)# exit

    Sets an access list that permits communication by Web browser from the post-authentication VLAN (VLAN ID 60) to the pre-authentication VLAN, and prohibits all access to the other post-authentication VLAN (VLAN ID 50).
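The access lists in steps (c) of sections (1) through (4) are evaluated top-down, first match wins, and each description above states what the list is meant to allow. The evaluator below is an added example, not part of this guide and not the switch's own software: it parses access-list entries in exactly the form shown above (`permit`/`deny`, `ip`/`tcp`/`udp`, address plus wildcard mask, `host`, `any`, and a destination `eq` port) and reports which entry decides a given flow, which is the check to run before relying on a list's description. The sample flows and the HARDENED_150 variant are constructed for the example; the variant adds explicit deny entries ahead of the broad `permit ip 192.168.50.0 0.0.0.255 any` entry, which is the ordering first-match semantics requires for the restriction the text describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed copy of access lists 100 and 150 from the examples above, in the
# form the CLI shows them (the entry text itself is the guide's own).
ACL_TEXT = """
ip access-list extended 100
 permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255 eq bootps
 permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip any any
ip access-list extended 150
 permit tcp 192.168.50.0 0.0.0.255 host 192.168.10.254 eq http
 permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255
 permit udp 0.0.0.0 0.0.0.0 host 192.168.10.254
 permit udp 0.0.0.0 0.0.0.0 host 192.168.50.254
 permit ip 192.168.50.0 0.0.0.255 any
 deny ip any any
"""

# Constructed variant (an assumption, not from the guide): explicit deny entries
# ahead of the broad permit, so VLAN 50 reaches the pre-authentication VLAN only
# for HTTP to the switch and never reaches VLAN 60.
HARDENED_150 = """
ip access-list extended 150
 permit tcp 192.168.50.0 0.0.0.255 host 192.168.10.254 eq http
 permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255
 permit udp 0.0.0.0 0.0.0.0 host 192.168.10.254
 permit udp 0.0.0.0 0.0.0.0 host 192.168.50.254
 deny ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 any
 deny ip any any
"""

PORT_NAMES = {"http": 80, "bootps": 67}  # the service names used in the guide


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" (any protocol), "tcp" or "udp"
    src: int              # addresses and wildcard masks as 32-bit integers
    src_wc: int
    dst: int
    dst_wc: int
    dport: Optional[int]  # destination port from "eq", if present


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr(tokens: List[str]) -> Tuple[Tuple[int, int], List[str]]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base, wc = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wc), tokens[2:]


def parse_acls(text: str) -> Dict[str, List[Entry]]:
    acls: Dict[str, List[Entry]] = {}
    current: List[Entry] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tokens[3], [])
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        (src, src_wc), rest = _addr(rest)
        (dst, dst_wc), rest = _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:  # the guide's entries only use a destination port
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        current.append(Entry(action, proto, src, src_wc, dst, dst_wc, dport))
    return acls


def _covered(addr: str, base: int, wildcard: int) -> bool:
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    mask = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (base & mask)


def evaluate(entries: List[Entry], flow: Flow) -> Tuple[str, Optional[int]]:
    """Top-down first match; returns (action, 1-based entry number).
    A flow matching no entry hits the implicit deny, reported as entry None."""
    for number, e in enumerate(entries, start=1):
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if not _covered(flow.src, e.src, e.src_wc) or not _covered(flow.dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action, number
    return "deny", None


if __name__ == "__main__":
    samples = [  # constructed flows; which entry decides each is the useful output
        ("100", Flow("udp", "0.0.0.0", "255.255.255.255", 67)),     # DHCP discover
        ("100", Flow("tcp", "192.168.10.5", "192.168.50.7", 80)),   # pre -> post
        ("150", Flow("tcp", "192.168.50.5", "192.168.10.254", 80)), # login page
        ("150", Flow("tcp", "192.168.50.5", "192.168.60.5", 22)),   # post 50 -> post 60
    ]
    for label, acl_set in (("as written", parse_acls(ACL_TEXT)),
                           ("hardened 150", parse_acls(HARDENED_150))):
        for acl, flow in samples:
            if acl in acl_set:
                print(label, acl, flow, "->", evaluate(acl_set[acl], flow))
```

Run as a script, it prints the deciding entry for each sample flow. Under first-match semantics the entries as written make one thing visible: a flow from VLAN 50 to VLAN 60, or non-HTTP traffic from VLAN 50 to the pre-authentication VLAN, is decided by entry 5 of access list 150 (`permit ip 192.168.50.0 0.0.0.255 any`), not by a deny entry. Whether the switch forwards such traffic also depends on its routing setup, which the evaluator does not model; the access list alone does not express the restriction, and HARDENED_150 shows the entry order that does.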

(d) Configuring DHCP Relay Agent

Points to note

Configure the DHCP relay agent for IP address distribution to terminals.

Command examples

  1. (config)# interface vlan 10

    (config-if)# ip address 192.168.10.254 255.255.255.0

    (config-if)# ip helper-address 192.168.10.100

    (config-if)# exit

    Configures the DHCP relay agent for the pre-authentication VLAN.

  2. (config)# interface vlan 50

    (config-if)# ip address 192.168.50.254 255.255.255.0

    (config-if)# ip helper-address 192.168.10.100

    (config-if)# exit

    Configures the DHCP relay agent for the post-authentication VLAN (VLAN ID 50).

  3. (config)# interface vlan 60

    (config-if)# ip address 192.168.60.254 255.255.255.0

    (config-if)# ip helper-address 192.168.10.100

    (config-if)# exit

    Configures the DHCP relay agent for the post-authentication VLAN (VLAN ID 60).

(e) Configuration of Web authentication

Points to note

Enable Web authentication by using configuration commands.

Command examples

  1. (config)# web-authentication vlan 50

    (config)# web-authentication vlan 60

    Specifies the VLAN IDs of the post-authentication VLANs used for Web authentication.

  2. (config)# aaa authentication web-authentication default group radius

    (config)# radius-server host 192.168.10.200 key "webauth"

    Specifies the IP address and RADIUS key used to access the RADIUS server to perform user authentication.

  3. (config)# web-authentication system-auth-control

    Starts Web authentication.
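Steps (a) through (e) of section (4) are one procedure whose parts must agree: every VLAN named in `web-authentication vlan` must be a MAC VLAN on the authentication port, the pre-authentication (native) VLAN and each post-authentication VLAN need an IP address, an inbound access list and an address source (built-in DHCP server, as in sections (2) and (3), or a relay, as here), the RADIUS method needs a `radius-server host`, and `web-authentication system-auth-control` must be present. The linter below is an added example, not part of this guide or the switch software; it cross-checks a constructed running-config transcript of the section (4) commands (same ports, VLANs and addresses as above, prompts omitted) and lists what is missing. BROKEN is a constructed faulty variant.

```python
import re
from typing import Dict, List, Tuple

# Constructed running-config transcript of the section (4) steps above, using
# the guide's own ports, VLANs and addresses (CLI prompts omitted).
CONFIG = """
interface gigabitethernet 1/0/4
 switchport mode mac-vlan
 switchport mac vlan 50,60
 switchport mac native vlan 10
interface gigabitethernet 1/0/9
 switchport mode access
 switchport access vlan 50
interface gigabitethernet 1/0/10
 switchport mode access
 switchport access vlan 60
interface vlan 10
 ip address 192.168.10.254 255.255.255.0
 ip access-group 100 in
 ip helper-address 192.168.10.100
interface vlan 50
 ip address 192.168.50.254 255.255.255.0
 ip access-group 150 in
 ip helper-address 192.168.10.100
interface vlan 60
 ip address 192.168.60.254 255.255.255.0
 ip access-group 160 in
 ip helper-address 192.168.10.100
web-authentication vlan 50
web-authentication vlan 60
aaa authentication web-authentication default group radius
radius-server host 192.168.10.200 key "webauth"
web-authentication system-auth-control
"""

# Constructed faulty variant: VLAN 60 dropped from web-authentication and the
# RADIUS server line missing.
BROKEN = (CONFIG.replace("web-authentication vlan 60\n", "")
                .replace('radius-server host 192.168.10.200 key "webauth"\n', ""))


def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[int, List[str]], List[str]]:
    """Split the transcript into port blocks, VLAN-interface blocks and global lines."""
    ports: Dict[str, List[str]] = {}
    svis: Dict[int, List[str]] = {}
    global_lines: List[str] = []
    block = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):            # indented: belongs to the open block
            if block is not None:
                block.append(raw.strip())
            continue
        m = re.match(r"interface vlan (\d+)$", raw)
        if m:
            block = svis.setdefault(int(m.group(1)), [])
        elif raw.startswith("interface "):
            block = ports.setdefault(raw.split(None, 1)[1], [])
        else:
            block = None
            global_lines.append(raw.strip())
    return ports, svis, global_lines


def lint(text: str) -> List[str]:
    """Cross-check steps (a)-(e); returns an empty list when they agree."""
    ports, svis, glob = parse_config(text)
    findings: List[str] = []
    auth_vlans = {int(l.split()[-1]) for l in glob if re.match(r"web-authentication vlan \d+$", l)}
    if not auth_vlans:
        findings.append("no post-authentication VLAN configured (web-authentication vlan)")
    mac_vlans, native_vlans = set(), set()
    for lines in ports.values():
        if "switchport mode mac-vlan" not in lines:
            continue                       # only authentication ports matter here
        for l in lines:
            if l.startswith("switchport mac vlan "):
                mac_vlans |= {int(v) for v in l.split()[3].split(",")}
            elif l.startswith("switchport mac native vlan "):
                native_vlans.add(int(l.split()[4]))
    for v in sorted(auth_vlans - mac_vlans):
        findings.append(f"post-authentication VLAN {v} is not a MAC VLAN on any authentication port")
    for v in sorted(mac_vlans - auth_vlans):
        findings.append(f"MAC VLAN {v} on an authentication port is not a web-authentication VLAN")
    for v in sorted(native_vlans | auth_vlans):
        role = "pre" if v in native_vlans else "post"
        lines = svis.get(v, [])
        if not any(l.startswith("ip address ") for l in lines):
            findings.append(f"{role}-authentication VLAN {v} has no IP address")
        if not any(l.startswith("ip access-group ") and l.endswith(" in") for l in lines):
            findings.append(f"{role}-authentication VLAN {v} has no inbound access list")
        has_dhcp = f"service dhcp vlan {v}" in glob or any(l.startswith("ip helper-address ") for l in lines)
        if not has_dhcp:
            findings.append(f"{role}-authentication VLAN {v}: no DHCP server or relay, manual addressing required")
    if "web-authentication system-auth-control" not in glob:
        findings.append("Web authentication is not started (web-authentication system-auth-control)")
    uses_radius = any(l.startswith("aaa authentication web-authentication") and "radius" in l for l in glob)
    if uses_radius and not any(l.startswith("radius-server host ") for l in glob):
        findings.append("RADIUS authentication selected but no radius-server host configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("section (4) config", CONFIG), ("broken variant", BROKEN)):
        print(label, "->", lint(cfg) or ["OK"])
```

The section (4) transcript lints clean; the broken variant reports the MAC VLAN that is no longer a Web authentication VLAN and the missing RADIUS server. The DHCP check accepts either `service dhcp vlan N` or an `ip helper-address` on the VLAN interface, so the same linter applies to the built-in DHCP server layouts of sections (2) and (3); for the manual-addressing layout of section (1) it reports the absence as a note rather than a fault.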