Network login, Web-based and 802.1x authentication – Extreme Networks 200 Series User Manual


Summit 200 Series Switch Installation and User Guide


Network Login

Network login is a feature that controls the admission of user packets into a network by handing out
IP addresses only to users who have been properly authenticated. Network login is controlled by an
administrator on a per-port, per-VLAN basis. When network login is enabled on a port in a VLAN, that
port does not forward any packets until authentication takes place.

After network login is enabled on a switch port, that port is placed in a non-forwarding state until
authentication takes place. To authenticate, a user (supplicant) must open a web browser and provide
the appropriate credentials. These credentials are either approved, in which case the port is placed in
forwarding mode, or rejected, in which case the port remains blocked. Three failed login attempts
disable the port for a configured length of time. The user can log out either by submitting a logout
request or by closing the logout window.

There are two choices for types of authentication to use with network login, web-based and 802.1x, and
there are two different modes of operation, Campus mode and ISP mode. The authentication types and
modes of operation can be used in any combination. The following sections describe these choices.

Web-Based and 802.1x Authentication

Authentication is handled either as a web-based process, or as described in the IEEE 802.1x
specification. The initial release of network login by Extreme Networks supported only web-based
authentication, but now supports both types of authentication.

Although somewhat similar in design and purpose, web-based and 802.1x authentication of network
login can be considered complementary, with Extreme Networks offering a smooth transition from
web-based to 802.1x authentication. In fact, both web-based and 802.1x can be configured on the same
switch port. 802.1x authentication currently requires software installed on the client workstation,
making it less suitable for a user walk-up scenario, such as a cyber-café or coffee shop. 802.1x
authentication also requires an Extensible Authentication Protocol (EAP) capable RADIUS server.
Web-based network login does not require any specific client software and can work with any HTTP
compliant web browser.

A workstation running Windows XP supports 802.1x natively, and does not require additional
authentication software.

The switch can play the role of the authentication server and authenticate based on its local database of
username and password for web-based authentication, or a RADIUS server can be used as the
authentication server for web-based and 802.1x authentication.

DHCP is needed for web-based network login because the authentication request and response are
carried over HTTP, and the client needs an IP address to send and receive HTTP packets. Before the
client is authenticated, however, it has no connectivity to anything except the authenticator itself.
As a result, the authenticator must provide a temporary DHCP server to distribute the IP address.

The switch responds to DHCP requests from unauthenticated clients when DHCP parameters such as
dhcp-address-range and dhcp-options are configured on the Netlogin VLAN. The switch can also answer
DHCP requests after authentication if DHCP is enabled on the specified port. If you require Netlogin
clients to obtain DHCP leases from an external DHCP server elsewhere on the network, do not enable
DHCP on the switch ports.

The DHCP allocation for network login has a short lease duration of 20 seconds. It is intended to
support web-based network login only. As soon as the client is authenticated, it is deprived of this
address. Then