Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Technical Overview

 

Web authentication uses a Web browser as a means for authenticating network users. When a user connects to the network and attempts to open a webpage, Web authentication redirects the webpage request to a login page that requires the user to enter a username and password or to agree to an acceptable use policy. Upon successful authentication, the user is allowed access to the network. Web authentication is useful for providing limited network access to temporary users, such as visitors to an enterprise, who try to access the network using devices that are not 802.1X-enabled. Web authentication can also be used as a fallback authentication method for regular network users who have 802.1X-enabled devices, but fail authentication because of other issues, such as expired network credentials.

Web authentication can be done locally on the switch, but this requires that the Web authentication login pages be configured on each switch used as a network access device. Central Web authentication (CWA) provides efficiency and scaling benefits by redirecting the client’s Web browser to a central Web authentication server (CWA server), which handles the complete login process.

An example of a CWA server is Aruba ClearPass Guest. ClearPass Guest is a scalable, easy-to-use guest management solution that delivers secure, automated guest access workflows for enterprise wireless and wired networks and any type of mobile device. As a module within the ClearPass Policy Management platform, ClearPass Guest is fully integrated with the Aruba ClearPass core set of authentication, authorization, accounting, profiling of devices, reporting, and policy enforcement capabilities.

EX Series switches enable the central Web authentication workflow by providing the following features that are fully integrated with Aruba ClearPass Guest and Aruba ClearPass Policy Manager:

  • Redirect URL support. EX Series switches can automatically redirect a user’s browser to the CWA server login page. The redirect URL can be be statically configured on the switch port or it can be dynamically configured on the switch port as part of the authentication process. EX Series switches support a Juniper Networks RADIUS vendor-specific attribute (VSA), Juniper-CWA-Redirect-URL, that enables Aruba ClearPass to pass the dynamic redirect URL to the switch.

  • Dynamic firewall filters. EX Series switches provide a built-in firewall filter, JNPR_RSVD_FILTER_CWA. This filter is designed to be applied to guest endpoints before they go through Web authentication. It allows the guest endpoint to access DHCP, DNS, and other essential services required for central Web authentication, while blocking all other access. You can configure Aruba ClearPass to pass the name of this filter to the switch using the standard RADIUS Filter-ID attribute. If you use the JNPR_RSVD_FILTER_CWA filter, the redirect URL must contain the IP address of the CWA server, such as Aruba ClearPass Guest.

    Alternatively, you can configure a firewall filter on Aruba ClearPass itself and use the Juniper Networks RADIUS VSA Juniper-Switching-Filter to pass the firewall filter to the switch. The firewall filter must allow traffic to the IP address of the Aruba ClearPass server.

  • RADIUS change of authorization (CoA) support. This enables Aruba ClearPass to send a RADIUS CoA to the switch, which instructs the switch to change the dynamic firewall filter or VLAN in use after the endpoint passes central Web authentication.

Central Web authentication is a two-step process in which an endpoint first undergoes MAC RADIUS authentication and then Web authentication as follows:

  1. MAC RADIUS authentication—This step allows the guest endpoint to receive an IP address and to access the CWA server while being blocked from most of the network.

    By default, EX Series switches automatically attempt MAC RADIUS authentication after 802.1X authentication fails. To support CWA authentication, you must configure Aruba ClearPass to send an access-accept message to the switch if ClearPass is unable to authenticate the endpoint with MAC RADIUS authentication, along with a dynamic firewall filter that permits the endpoint to access required services for CWA authentication. You must also configure Aruba ClearPass to send the redirect URL to the switch, unless you configured the redirect URL locally on the switch.

  2. Web authentication—This step allows the guest’s credentials to be authenticated and appropriate network access to be granted to the guest.

    After MAC RADIUS authentication, the switch automatically starts Web authentication, providing that it has been given a redirect URL and the appropriate firewall filter. When the user opens a Web browser, the switch redirects the Web browser to the Web authentication login page, where the user enters the guest credentials. To enable the guest to access appropriate network resources after successful authentication, you configure Aruba ClearPass to send a RADIUS CoA message that changes the firewall filter applied to the port.