9.1.4 Legacy mode configuration
(1) Basic settings for the local authentication method
The figure below describes the basic configuration required to use local authentication. In this case, you manually assign the pre-authentication and post-authentication IP addresses to the terminals (PC1 and PC2).
[Figure: basic configuration for the local authentication method]
In this configuration, you configure Web authentication after you set up the pre-authentication and post-authentication VLANs and define the access lists. The access lists you define prohibit members of the pre-authentication VLAN from communicating with the post-authentication VLAN and permit communication from the post-authentication VLAN to the pre-authentication VLAN only by Web browser.
(a) Configuring Authentication Ports
- Points to note
  - Configure the port to be used for Web authentication.
- Command examples
  - (config)# interface gigabitethernet 1/0/4
    (config-if)# switchport mode mac-vlan
    (config-if)# switchport mac vlan 50
    (config-if)# switchport mac native vlan 10
    (config-if)# exit
    Specifies the pre-authentication VLAN and the post-authentication VLAN for the port on which terminals are authenticated.
  - (config)# interface gigabitethernet 1/0/9
    (config-if)# switchport mode access
    (config-if)# switchport access vlan 50
    (config-if)# exit
    Specifies the post-authentication VLAN for the port to which the server that users access after authentication is connected.
(b) IP addressing for VLAN interfaces
- Points to note
  - Assign IP addresses to the pre-authentication and post-authentication VLANs.
- Command examples
  - (config)# interface vlan 10
    (config-if)# ip address 192.168.10.254 255.255.255.0
    (config-if)# exit
    (config)# interface vlan 50
    (config-if)# ip address 192.168.50.254 255.255.255.0
    (config-if)# exit
    Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.
(c) Configuring Access Lists
- Points to note
  - Configure the access lists for the post-authentication VLAN and the pre-authentication VLAN.
- Command examples
  - (config)# ip access-list extended 100
    (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
    (config-ext-nacl)# deny ip any any
    (config-ext-nacl)# exit
    (config)# interface vlan 10
    (config-if)# ip access-group 100 in
    (config-if)# exit
    Sets an access list that prohibits communication from the pre-authentication VLAN to the post-authentication VLAN.
  - (config)# ip access-list extended 150
    (config-ext-nacl)# permit tcp 192.168.50.0 0.0.0.255 host 192.168.10.254 eq http
    (config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 any
    (config-ext-nacl)# deny ip any any
    (config-ext-nacl)# exit
    (config)# interface vlan 50
    (config-if)# ip access-group 150 in
    (config-if)# exit
    Sets an access list that permits access by Web browser from the post-authentication VLAN to the pre-authentication VLAN.
(d) Configuration of Web authentication
- Points to note
  - Enable Web authentication by using configuration commands.
- Command examples
  - (config)# web-authentication vlan 50
    Specifies the VLAN IDs of the post-authentication VLANs used for Web authentication.
  - (config)# web-authentication system-auth-control
    Starts Web authentication.
(2) Configuration when using local authentication + embedded DHCP server
The figure below describes an example configuration for Web authentication that uses local authentication with the DHCP server built into the Switch. In this case, the DHCP server functionality built into the Switch assigns IP addresses to the terminals (PC1 and PC2).
[Figure: configuration using local authentication and the embedded DHCP server]
In this configuration, you configure Web authentication after you have set up the pre-authentication and post-authentication VLANs, defined the access lists, and configured the DHCP server. The access lists you define prohibit members of the pre-authentication VLAN from communicating with the post-authentication VLAN and permit communication from the post-authentication VLAN to the pre-authentication VLAN only by Web browser.
(a) Configuring Authentication Ports
- Points to note
  - Configure the port to be used for Web authentication.
- Command examples
  - (config)# interface gigabitethernet 1/0/4
    (config-if)# switchport mode mac-vlan
    (config-if)# switchport mac vlan 50
    (config-if)# switchport mac native vlan 10
    (config-if)# exit
    Specifies the pre-authentication VLAN and the post-authentication VLAN for the port on which terminals are authenticated.
  - (config)# interface range gigabitethernet 1/0/9-10
    (config-if-range)# switchport mode access
    (config-if-range)# switchport access vlan 50
    (config-if-range)# exit
    Specifies the post-authentication VLAN for the ports to which the servers that users access after authentication are connected.
(b) IP addressing for VLAN interfaces
- Points to note
  - Assign IP addresses to the pre-authentication and post-authentication VLANs.
- Command examples
  - (config)# interface vlan 10
    (config-if)# ip address 192.168.10.254 255.255.255.0
    (config-if)# exit
    (config)# interface vlan 50
    (config-if)# ip address 192.168.50.254 255.255.255.0
    (config-if)# exit
    Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.
(c) Configuring Access Lists
- Points to note
  - Configure the access lists for the post-authentication VLAN and the pre-authentication VLAN.
- Command examples
  - (config)# ip access-list extended 100
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255 eq bootps
    (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
    (config-ext-nacl)# deny ip any any
    (config-ext-nacl)# exit
    (config)# interface vlan 10
    (config-if)# ip access-group 100 in
    (config-if)# exit
    Sets an access list that prohibits communication from the pre-authentication VLAN to the post-authentication VLAN.
  - (config)# ip access-list extended 150
    (config-ext-nacl)# permit tcp 192.168.50.0 0.0.0.255 host 192.168.10.254 eq http
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.10.254
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.50.254
    (config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 any
    (config-ext-nacl)# deny ip any any
    (config-ext-nacl)# exit
    (config)# interface vlan 50
    (config-if)# ip access-group 150 in
    (config-if)# exit
    Sets an access list that permits only Web browser traffic to be relayed from the post-authentication VLAN to the pre-authentication VLAN.
(d) Configuring a DHCP server
- Points to note
  - Configure the DHCP server to distribute IP addresses to terminals.
- Command examples
  - (config)# service dhcp vlan 10
    (config)# ip dhcp excluded-address 192.168.10.1
    (config)# ip dhcp excluded-address 192.168.10.254
    (config)# ip dhcp pool POOL10
    (dhcp-config)# network 192.168.10.0/24
    (dhcp-config)# lease 0 0 1
    (dhcp-config)# default-router 192.168.10.1
    (dhcp-config)# exit
    Performs DHCP server configuration for the pre-authentication VLAN. These commands configure the allocation of IP addresses to terminals seeking authentication and define 192.168.10.1 as the IP address of the default router.
  - (config)# service dhcp vlan 50
    (config)# ip dhcp excluded-address 192.168.50.1
    (config)# ip dhcp excluded-address 192.168.50.254
    (config)# ip dhcp pool POOL50
    (dhcp-config)# network 192.168.50.0/24
    (dhcp-config)# lease 0 0 1
    (dhcp-config)# default-router 192.168.50.1
    (dhcp-config)# exit
    Performs DHCP server configuration for the post-authentication VLAN. These commands configure the allocation of IP addresses to authenticated terminals and define 192.168.50.1 as the IP address of the default router.
(e) Configuration of Web authentication
- Points to note
  - Enable Web authentication by using configuration commands.
- Command examples
  - (config)# web-authentication vlan 50
    Specifies the VLAN IDs of the post-authentication VLANs used for Web authentication.
  - (config)# web-authentication system-auth-control
    Starts Web authentication.
(3) Configuration when using RADIUS authentication + embedded DHCP server
The figure below describes an example configuration for Web authentication that uses RADIUS authentication with the DHCP server built into the Switch. In this case, the DHCP server functionality built into the Switch assigns IP addresses to the terminals (PC1 and PC2).
[Figure: configuration using RADIUS authentication and the embedded DHCP server]
In this configuration, you configure Web authentication after you have set up the pre-authentication and post-authentication VLANs, defined the access lists, and configured the DHCP server. The access lists you define prohibit members of the pre-authentication VLAN from communicating with the post-authentication VLAN and permit communication from the post-authentication VLAN to the pre-authentication VLAN only by Web browser.
(a) Configuring Authentication Ports
- Points to note
  - Configure the port to be used for Web authentication.
- Command examples
  - (config)# interface gigabitethernet 1/0/4
    (config-if)# switchport mode mac-vlan
    (config-if)# switchport mac vlan 50
    (config-if)# switchport mac native vlan 10
    (config-if)# exit
    Specifies the pre-authentication VLAN and the post-authentication VLAN for the port on which terminals are authenticated.
  - (config)# interface range gigabitethernet 1/0/9-10
    (config-if-range)# switchport mode access
    (config-if-range)# switchport access vlan 50
    (config-if-range)# exit
    Specifies the post-authentication VLAN for the ports to which the servers that users access after authentication are connected.
(b) IP addressing for VLAN interfaces
- Points to note
  - Assign IP addresses to the pre-authentication and post-authentication VLANs.
- Command examples
  - (config)# interface vlan 10
    (config-if)# ip address 192.168.10.254 255.255.255.0
    (config-if)# exit
    (config)# interface vlan 50
    (config-if)# ip address 192.168.50.254 255.255.255.0
    (config-if)# exit
    Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLAN.
(c) Configuring Access Lists
- Points to note
  - Configure the access lists for the post-authentication VLAN and the pre-authentication VLAN.
- Command examples
  - (config)# ip access-list extended 100
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255 eq bootps
    (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
    (config-ext-nacl)# deny ip any any
    (config-ext-nacl)# exit
    (config)# interface vlan 10
    (config-if)# ip access-group 100 in
    (config-if)# exit
    Sets an access list that prohibits communication from the pre-authentication VLAN to the post-authentication VLAN.
  - (config)# ip access-list extended 150
    (config-ext-nacl)# permit tcp 192.168.50.0 0.0.0.255 host 192.168.10.254 eq http
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.10.254
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.50.254
    (config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 any
    (config-ext-nacl)# deny ip any any
    (config-ext-nacl)# exit
    (config)# interface vlan 50
    (config-if)# ip access-group 150 in
    (config-if)# exit
    Sets an access list that permits only Web browser traffic to be relayed from the post-authentication VLAN to the pre-authentication VLAN.
(d) Configuring a DHCP server
- Points to note
  - Configure the DHCP server to distribute IP addresses to terminals.
- Command examples
  - (config)# service dhcp vlan 10
    (config)# ip dhcp excluded-address 192.168.10.1
    (config)# ip dhcp excluded-address 192.168.10.254
    (config)# ip dhcp pool POOL10
    (dhcp-config)# network 192.168.10.0/24
    (dhcp-config)# lease 0 0 1
    (dhcp-config)# default-router 192.168.10.1
    (dhcp-config)# exit
    Performs DHCP server configuration for the pre-authentication VLAN. These commands configure the allocation of IP addresses to terminals seeking authentication and define 192.168.10.1 as the IP address of the default router.
  - (config)# service dhcp vlan 50
    (config)# ip dhcp excluded-address 192.168.50.1
    (config)# ip dhcp excluded-address 192.168.50.254
    (config)# ip dhcp pool POOL50
    (dhcp-config)# network 192.168.50.0/24
    (dhcp-config)# lease 0 0 1
    (dhcp-config)# default-router 192.168.50.1
    (dhcp-config)# exit
    Performs DHCP server configuration for the post-authentication VLAN. These commands configure the allocation of IP addresses to authenticated terminals and define 192.168.50.1 as the IP address of the default router.
(e) Configuration of Web authentication
- Points to note
  - Enable Web authentication by using configuration commands.
- Command examples
  - (config)# web-authentication vlan 50
    Specifies the VLAN IDs of the post-authentication VLANs used for Web authentication.
  - (config)# aaa authentication web-authentication default group radius
    (config)# radius-server host 192.168.10.200 key "webauth"
    Selects RADIUS as the Web authentication method, and specifies the IP address and shared key used to reach the RADIUS server that performs user authentication.
  - (config)# web-authentication system-auth-control
    Starts Web authentication.
(4) Configuration when using RADIUS authentication + external DHCP server + multiple post-authentication VLANs
The figure below describes an example configuration for Web authentication that uses RADIUS authentication and an external DHCP server in an environment where multiple post-authentication VLANs are configured. In this case, the external DHCP server assigns IP addresses to the terminals (PC1 and PC2).
[Figure: configuration using RADIUS authentication, an external DHCP server and multiple post-authentication VLANs]
In this configuration, you configure Web authentication after you set up the pre-authentication and post-authentication VLANs and define the access lists. The access lists you define prohibit members of the pre-authentication VLAN from communicating with the post-authentication VLAN and permit communication from the post-authentication VLAN to the pre-authentication VLAN only by Web browser.
The access lists you define also prohibit communication between post-authentication VLANs.
(a) Configuring Authentication Ports
- Points to note
  - Configure the port to be used for Web authentication.
- Command examples
  - (config)# interface gigabitethernet 1/0/4
    (config-if)# switchport mode mac-vlan
    (config-if)# switchport mac vlan 50,60
    (config-if)# switchport mac native vlan 10
    (config-if)# exit
    Specifies the pre-authentication VLAN and the post-authentication VLANs for the port on which terminals are authenticated.
  - (config)# interface gigabitethernet 1/0/9
    (config-if)# switchport mode access
    (config-if)# switchport access vlan 50
    (config-if)# exit
    Specifies the post-authentication VLAN (VLAN ID 50) for the port to which the server that users access after authentication is connected.
  - (config)# interface gigabitethernet 1/0/10
    (config-if)# switchport mode access
    (config-if)# switchport access vlan 60
    (config-if)# exit
    Specifies the post-authentication VLAN (VLAN ID 60) for the port to which the server that users access after authentication is connected.
(b) IP addressing for VLAN interfaces
- Points to note
  - Assign IP addresses to the pre-authentication and post-authentication VLANs.
- Command examples
  - (config)# interface vlan 10
    (config-if)# ip address 192.168.10.254 255.255.255.0
    (config-if)# exit
    (config)# interface vlan 50
    (config-if)# ip address 192.168.50.254 255.255.255.0
    (config-if)# exit
    (config)# interface vlan 60
    (config-if)# ip address 192.168.60.254 255.255.255.0
    (config-if)# exit
    Assigns IP addresses to the pre-authentication VLAN and the post-authentication VLANs.
(c) Configuring Access Lists
- Points to note
  - Configure the access lists for the post-authentication VLANs and the pre-authentication VLAN.
- Command examples
  - (config)# ip access-list extended 100
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255 eq bootps
    (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
    (config-ext-nacl)# deny ip any any
    (config-ext-nacl)# exit
    (config)# interface vlan 10
    (config-if)# ip access-group 100 in
    (config-if)# exit
    Sets an access list that prohibits communication from the pre-authentication VLAN to the post-authentication VLANs.
  - (config)# ip access-list extended 150
    (config-ext-nacl)# permit tcp 192.168.50.0 0.0.0.255 host 192.168.10.254 eq http
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.10.254
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.50.254
    (config-ext-nacl)# permit ip 192.168.50.0 0.0.0.255 any
    (config-ext-nacl)# deny ip any any
    (config-ext-nacl)# exit
    (config)# interface vlan 50
    (config-if)# ip access-group 150 in
    (config-if)# exit
    Sets an access list that permits communication by Web browser from the post-authentication VLAN (VLAN ID 50) to the pre-authentication VLAN, and prohibits all access to the other post-authentication VLAN (VLAN ID 60).
  - (config)# ip access-list extended 160
    (config-ext-nacl)# permit tcp 192.168.60.0 0.0.0.255 host 192.168.10.254 eq http
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.10.254
    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.60.254
    (config-ext-nacl)# permit ip 192.168.60.0 0.0.0.255 any
    (config-ext-nacl)# deny ip any any
    (config-ext-nacl)# exit
    (config)# interface vlan 60
    (config-if)# ip access-group 160 in
    (config-if)# exit
    Sets an access list that permits communication by Web browser from the post-authentication VLAN (VLAN ID 60) to the pre-authentication VLAN, and prohibits all access to the other post-authentication VLAN (VLAN ID 50).
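To see what the access lists in (c) actually pass, here is an added example (not part of the manual) that evaluates the entries of ACL 100, 150 and 160 with first-match semantics and wildcard masks, and checks a flow in both directions because the lists are stateless; the assumption that replies the Switch sends from its own VLAN addresses bypass the inbound ACL is mine, not the manual's.

```python
import ipaddress
# Added example, not from the manual: a first-match evaluator for the extended
# access lists in (c), to check which entry a constructed packet actually hits.
ANY = ("0.0.0.0", "255.255.255.255")   # "any": all-ones wildcard mask

def host(ip):                           # "host X": zero wildcard mask
    return (ip, "0.0.0.0")

def wc_match(addr, base, wildcard):
    # Wildcard-mask compare: bits set in the wildcard are "don't care".
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

NET10, NET50, NET60 = [("192.168.%d.0" % n, "0.0.0.255") for n in (10, 50, 60)]
SWITCH_ADDRS = {"192.168.10.254", "192.168.50.254", "192.168.60.254"}
# Entries are (action, protocol, src, dst, dst_port); port None means any port.
ACL_100 = [  # inbound on VLAN 10 (pre-authentication VLAN)
    ("permit", "udp", host("0.0.0.0"), host("255.255.255.255"), 67),  # eq bootps
    ("permit", "ip", NET10, NET10, None),
    ("deny", "ip", ANY, ANY, None),
]

def post_auth_acl(net, own_addr):
    # ACL 150 (VLAN 50) and ACL 160 (VLAN 60) differ only in subnet and VLAN address.
    return [
        ("permit", "tcp", net, host("192.168.10.254"), 80),               # eq http
        ("permit", "udp", host("0.0.0.0"), host("255.255.255.255"), None),
        ("permit", "udp", host("0.0.0.0"), host("192.168.10.254"), None),
        ("permit", "udp", host("0.0.0.0"), host(own_addr), None),
        ("permit", "ip", net, ANY, None),
        ("deny", "ip", ANY, ANY, None),
    ]

ACL_150 = post_auth_acl(NET50, "192.168.50.254")
ACL_160 = post_auth_acl(NET60, "192.168.60.254")

def evaluate(acl, proto, src, dst, dport=None):
    # Returns (action, 1-based entry number) of the first matching entry, or
    # ("deny", None) for the implicit deny at the end of an extended ACL.
    for n, (action, eproto, esrc, edst, eport) in enumerate(acl, 1):
        if (eproto in ("ip", proto) and wc_match(src, *esrc)
                and wc_match(dst, *edst) and eport in (None, dport)):
            return action, n
    return "deny", None

def flow_allowed(src_acl, dst_acl, proto, src, dst, dport):
    # Stateless ACLs: request filtered inbound on the source VLAN, reply inbound
    # on the destination VLAN, so both must permit. Assumption (not from the manual):
    # replies the Switch sends from its own VLAN addresses skip the inbound ACL.
    if evaluate(src_acl, proto, src, dst, dport)[0] != "permit":
        return False
    if dst in SWITCH_ADDRS:
        return True
    return evaluate(dst_acl, proto, dst, src)[0] == "permit"  # reply: ephemeral port
```

Run over ACL 150 and 160 as written, the evaluator reports that entry 5 of each list permits traffic between VLAN 50 and VLAN 60 in both directions, so the separation between the two post-authentication VLANs described above does not come from these entries alone and should be verified on the Switch.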
(d) Configuring DHCP Relay Agent
- Points to note
  - Configure the DHCP relay agent so that the external DHCP server can distribute IP addresses to terminals.
- Command examples
  - (config)# interface vlan 10
    (config-if)# ip address 192.168.10.254 255.255.255.0
    (config-if)# ip helper-address 192.168.10.100
    (config-if)# exit
    Configures the DHCP relay agent for the pre-authentication VLAN.
  - (config)# interface vlan 50
    (config-if)# ip address 192.168.50.254 255.255.255.0
    (config-if)# ip helper-address 192.168.10.100
    (config-if)# exit
    Configures the DHCP relay agent for the post-authentication VLAN (VLAN ID 50).
  - (config)# interface vlan 60
    (config-if)# ip address 192.168.60.254 255.255.255.0
    (config-if)# ip helper-address 192.168.10.100
    (config-if)# exit
    Configures the DHCP relay agent for the post-authentication VLAN (VLAN ID 60).
(e) Configuration of Web authentication
- Points to note
  - Enable Web authentication by using configuration commands.
- Command examples
  - (config)# web-authentication vlan 50
    (config)# web-authentication vlan 60
    Specifies the VLAN IDs of the post-authentication VLANs used for Web authentication.
  - (config)# aaa authentication web-authentication default group radius
    (config)# radius-server host 192.168.10.200 key "webauth"
    Selects RADIUS as the Web authentication method, and specifies the IP address and shared key used to reach the RADIUS server that performs user authentication.
  - (config)# web-authentication system-auth-control
    Starts Web authentication.