As shown in Figure 1, the terminals in the visitor area are connected to the company's internal network through the Switch. Unauthorized access to the internal network can damage the company's service system and cause leakage of key information assets. Therefore, the administrator deploys CWA on the Switch and on the Web Authentication Server of the AAA server to control users' network access rights and ensure internal network security.
Ensure that the PICA8 Switch is properly connected to the AAA server. In this example, the switch uses the management port Eth0 to connect to the AAA server.
Configuration on the AAA Server
The configuration roadmap on the Web Authentication Server is as follows. For details, refer to the solution document Configuring Pica8 Switches with ClearPass Guest Central Web Authentication in Typical Configuration of NAC.
- Configure the Eth0 IP address of the switch to establish a connection to the switch.
- Configure the username and password on the AAA server for Web authentication.
- Configure a dynamic VLAN which is used to access the network normally after the user successfully authenticates.
- Configure other Web authentication attributes for Web authentication.
Configuration on the Switch
- Configure the 802.1X authentication server and Web authentication server on the Switch.
- The Web authentication process relies on MAB authentication. If you want to deploy Web authentication, enable MAB authentication on the switch first.
- Configure block VLAN and dynamic VLAN.
- Configure CoA authorization client.
Figure 1. Networking Diagram for Configuring CWA Authentication
Step 1 Configure the access port to trunk mode.
Step 2 Configure the MAB and Web authentication modes. The Web authentication process relies on MAB authentication. If you want to deploy Web authentication, enable MAB authentication on the switch first.
Step 3 Configure the IP address of the RADIUS server and the Web authentication server.
Step 4 Configure the NAS IP address as the IP address of the Eth0 interface that is connected to the AAA server.
This command sets the NAS IP field in the RADIUS Access-Request message. If you use the management interface eth0/eth1 to connect to the RADIUS server, the IP address of that management interface must be used for the NAS IP address configured here.
Step 5 Configure the block VLAN. This step is required for Web authentication.
Step 6 Configure a RADIUS dynamic authorization client from which the switch accepts Change of Authorization (CoA) messages. This step is required for CoA and Web authentication.
Step 7 Configure the host mode for the NAC authentication interface.
Step 8 Commit the configuration.
Step 9 Verify the configuration.
a) Run the run show dot1x interface command, or the run show dot1x interface gigabit-ethernet <interface-name> command, to check the CWA authentication configuration. The command output (WEB = enable) shows that CWA authentication has been enabled on the interface ge-1/1/1 and that the MAC address 10:11:01:39:1a:00 is successfully authenticated.
b) After starting the browser and entering any Web address, the user is redirected to the Web authentication login page. The user then enters the user name and password for authentication.
c) If the user name and password are correct, an authentication success message is displayed on the Web authentication page. The user can then access the network.
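Step 6 matters because the switch should act on a CoA message only when it comes from a configured dynamic authorization client, carries a Request Authenticator computed with that client's shared secret, and identifies this NAS (the NAS IP from Step 4). The following added example is not Pica8 code; it models those RFC 5176 checks on the NAS side plus the server-side packet build, with all IP addresses, secrets and the CoA client table constructed for illustration.

```python
import hashlib
import ipaddress
import struct

# RADIUS codes and attribute types used below (RFC 5176 / RFC 2865 values).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
NAS_IP_ADDRESS, CALLING_STATION_ID, ERROR_CAUSE = 4, 31, 101
NAS_ID_MISMATCH = 403  # Error-Cause "NAS Identification Mismatch"

def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS attribute TLV stream."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_coa_request(ident, secret, attrs):
    """AAA side. Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def handle_coa_request(packet, src_ip, coa_clients, nas_ip):
    """Switch side. coa_clients maps configured client IP -> shared secret (constructed table).
    Returns (response code, Error-Cause or None); None means the packet is silently discarded."""
    secret = coa_clients.get(src_ip)
    if secret is None or len(packet) < 20:
        return None  # not a configured dynamic authorization client, or truncated
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        return None  # wrong shared secret or tampered packet: discard without reply
    for t, v in decode_attrs(packet[20:]):
        if t == NAS_IP_ADDRESS and str(ipaddress.IPv4Address(v)) != nas_ip:
            return (COA_NAK, NAS_ID_MISMATCH)  # CoA addressed to a different NAS
    return (COA_ACK, None)

# Constructed sample: AAA server 192.0.2.10 sends a CoA for the session of the
# authenticated client MAC, and the switch's NAS IP (Step 4) is 192.0.2.1.
COA_CLIENTS = {"192.0.2.10": b"constructed-shared-secret"}
SWITCH_NAS_IP = "192.0.2.1"
SAMPLE_ATTRS = [(NAS_IP_ADDRESS, ipaddress.IPv4Address(SWITCH_NAS_IP).packed),
                (CALLING_STATION_ID, b"10-11-01-39-1a-00")]
```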