Web Authentication - Part 1 (Local Web Authentication)

Keep in mind that web authentication is only effective for devices that have an interactive user who can complete a browser login; headless devices such as printers or sensors cannot use it.

Web authentication is a Layer 3 security method that provides easy and secure guest access to hosts on a WLAN, used together with open authentication or an appropriate Layer 2 security method. Users authenticate through a web browser on the wireless client, so almost no client-side configuration is needed: a user can associate with an open SSID without a pre-configured profile. The host still receives an IP address and DNS information from the DHCP server, but access to other network resources is blocked until authentication succeeds.

When a host connects to the guest network, the Wireless LAN Controller (WLC) intercepts its first web request and redirects the browser to an authentication page where the user must enter valid credentials. The credentials are verified either by the WLC itself or by an external authentication server. If authentication succeeds, the host is granted full access to the network. Hosts can also be given limited access to specific network resources before authentication, which requires configuring a pre-authentication Access Control List (ACL).

The following are the different types of web authentication methods:

  • Local Web Authentication (LWA). Configured as Layer 3 security on the controller; the web authentication page and the pre-authentication ACL are both configured locally on the controller. The controller intercepts HTTP(S) traffic and redirects the client to its internal web page for authentication. The credentials the client enters on the login page are authenticated by the controller locally or through a RADIUS or LDAP server.

To control which requests a guest user may send before logging in, configure pre-authentication ACLs on the controller. With a pre-authentication ACL in place, a client that has not yet authenticated can reach only the destinations the ACL permits. When an external web server hosts the login page, a pre-authentication ACL that permits clients to reach that server is mandatory; otherwise the redirect points at a blocked destination and the login page never loads. For local web authentication a pre-authentication ACL is not required, but it is good practice to configure one if the client needs any non-HTTP resource before authentication. Keep the ACL as narrow as possible: every destination it permits is reachable without credentials, so an overly broad pre-authentication ACL silently turns the guest SSID into an open network.
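The following is an added worked example, not code from the original article or from Cisco: a small Python model of the decision the controller makes for each guest packet (forward, redirect to the login page, or drop) before and after authentication, using a Cisco-style pre-authentication ACL. The virtual-interface address 192.0.2.1, the external portal address 203.0.113.10, the login URL, the ACL contents and the probe addresses are all assumptions chosen for the example. It also includes a simple audit that flags a pre-authentication ACL so permissive that it bypasses web authentication.

```python
"""Model of how a WLC handles guest traffic before and after Local Web
Authentication (LWA), including a Cisco-style pre-authentication ACL.

Constructed illustration, not controller code. Addresses, ACL contents and
the portal URL are assumptions chosen for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import quote

# Assumed values (not from the original article).
WLC_VIRTUAL_IP = "192.0.2.1"      # virtual interface that serves the internal login page
LOGIN_URL = f"https://{WLC_VIRTUAL_IP}/login.html"
WEBAUTH_REQD, AUTHENTICATED = "WEBAUTH_REQD", "AUTHENTICATED"   # client states


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    dst: str            # destination IPv4 address
    dport: int = 0      # destination port, 0 when not applicable
    url: str = ""       # requested URL, only meaningful for tcp/80


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    dst: object                  # ipaddress network object
    dport: Optional[int] = None  # None matches any port


def parse_acl(text: str) -> list[AclEntry]:
    """Parse the subset of Cisco extended-ACL syntax used here:
    permit|deny <proto> any (any | host A.B.C.D | A.B.C.D WILDCARD) [eq <port>]
    The source is fixed to 'any' because it is always the guest client.
    """
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue                                  # skip blank and comment lines
        action, proto = tok[0], tok[1]
        if action not in ("permit", "deny") or tok[2] != "any":
            raise ValueError(f"unsupported ACL line: {line!r}")
        i = 3
        if tok[i] == "any":
            dst, i = ip_network("0.0.0.0/0"), i + 1
        elif tok[i] == "host":
            dst, i = ip_network(tok[i + 1] + "/32"), i + 2
        else:                                         # address + Cisco wildcard (host) mask
            dst, i = ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append(AclEntry(action, proto, dst, dport))
    return entries


def acl_action(entries: list[AclEntry], pkt: Packet) -> str:
    """First-match evaluation with Cisco's implicit 'deny ip any any' at the end."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if ip_address(pkt.dst) not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


def redirect_location(original_url: str) -> str:
    """Location header of the 302 the controller returns for an intercepted HTTP request."""
    return f"{LOGIN_URL}?redirect={quote(original_url, safe='')}"


def handle_packet(state: str, pkt: Packet, preauth_acl: list[AclEntry]) -> tuple[str, Optional[str]]:
    """Return (verdict, redirect_url). Verdicts: forward, redirect, drop."""
    if state == AUTHENTICATED:
        return "forward", None                        # full access after a successful login
    # DHCP and DNS are allowed before authentication so the client gets an address
    # and can resolve the name it then tries to browse to.
    if pkt.proto == "udp" and pkt.dport in (53, 67, 68):
        return "forward", None
    if acl_action(preauth_acl, pkt) == "permit":
        return "forward", None                        # explicit pre-auth exception (e.g. portal)
    if pkt.proto == "tcp" and pkt.dport == 80:
        return "redirect", redirect_location(pkt.url or "http://example.com/")
    return "drop", None                               # everything else, including HTTPS, is blocked


def acl_bypasses_webauth(entries: list[AclEntry]) -> bool:
    """Heuristic audit: if an unauthenticated client can reach an arbitrary internal
    host (assumed 10.0.0.5) on management ports, the ACL defeats web authentication."""
    probes = [Packet("tcp", "10.0.0.5", 22), Packet("tcp", "10.0.0.5", 445),
              Packet("udp", "10.0.0.5", 161)]
    return any(acl_action(entries, p) == "permit" for p in probes)


# Constructed sample ACLs: one that only opens the external login page, and the
# common mistake that opens everything.
PREAUTH_ACL = """
! allow the external portal (address assumed) and nothing else
permit tcp any host 203.0.113.10 eq 443
deny ip any any
"""
OVERLY_PERMISSIVE_ACL = "permit ip any any"
```

`handle_packet` checks the pre-authentication ACL before the HTTP redirect, which is the behaviour needed for an external portal: HTTP(S) to a permitted destination is forwarded rather than intercepted. `acl_bypasses_webauth` is a coarse check against a handful of constructed probes; in a real audit, test every internal prefix the guest VLAN can route to.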


On a Catalyst switch or Cisco WLC, the locally hosted web pages are not very customizable. In addition, when using Local Web Authentication, there is no native support for advanced services such as the following:

  • Client provisioning
  • Password-changing capabilities
  • Self-registration
  • Device registration
  • BYOD onboarding

For capabilities like these, a company should consider Centralized Web Authentication (CWA), in which the portal is hosted on the authentication server rather than on the controller or switch.


Consider the following special scenarios when using Local Web Authentication:

  • The LWA traffic flow with Cisco FlexConnect Mode APs:

  • The LWA traffic flow with Cisco SD-Access implementation:

In Part 2, I will continue with External Web Authentication.

I hope this is useful for you.
