D-Link DIS-200G Emulator - Page 110

Web-based Access Control, Conditions and Limitations



DIS-200G Series Industrial Gigabit Ethernet Smart Managed Switch
100
Web-based Access Control
Web-based Access Control (WAC) is a feature designed to authenticate a user when the user is trying to access the Internet via the Switch. The authentication process uses the HTTP or HTTPS protocol. The Switch enters the authenticating stage when users attempt to browse Web pages (e.g., http://www.dlink.com) through a Web browser. When the Switch detects HTTP or HTTPS packets on a port that is not yet authenticated, it presents a pop-up user name and password window to the user. Users are not able to access the Internet until the authentication process has been passed.

The Switch can act as the authentication server itself, or act as a RADIUS client and perform the authentication process via the RADIUS protocol with a remote RADIUS server. The client user initiates the WAC authentication process by attempting to gain Web access.

D-Link's implementation of WAC uses a virtual IP address that is used exclusively by the WAC function and is not known to any other module of the Switch. To avoid affecting the Switch's other features, WAC communicates with hosts only through this virtual IP address. Thus, all authentication requests must be sent to the virtual IP address, not to the IP address of the Switch's physical interface.

The virtual IP works like this: when a host PC communicates with the WAC Switch through the virtual IP, the virtual IP is translated to the physical IPIF (IP interface) address of the Switch to make the communication possible. The IP configuration of the host PC and of other servers does not depend on the WAC virtual IP. The virtual IP does not respond to any ICMP packets or ARP requests, so it must not be configured on the same subnet as the Switch's IPIF (IP interface) or on the same subnet as the host PCs.

Because all packets to the virtual IP from authenticated and authenticating hosts are trapped to the Switch's CPU, if the virtual IP is the same as the address of another server or PC, hosts on WAC-enabled ports cannot communicate with the server or PC that really owns that address. If the hosts need to reach that server or PC, the virtual IP must not be the same as its address. If a host PC uses a proxy to access the Web, the user of the PC should add the virtual IP to the proxy configuration's exception list so that authentication works properly.

By default, the authentication web page runs over HTTP, not HTTPS. To authenticate over HTTPS, change the web server configuration to HTTPS.

Conditions and Limitations

• Certain functions on the Switch, such as the Access Profile function, filter HTTP packets. The user needs to be very careful when setting filter functions for the target VLAN so that these HTTP packets are not denied by the Switch.
• If a RADIUS server is to be used for authentication, the user must first establish a RADIUS server with the appropriate parameters, including the target VLAN, before enabling Web Authentication on the Switch.
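As an added example (not D-Link's code), the checks below encode the virtual-IP conditions stated above so a planned WAC configuration can be validated before the feature is enabled; the WacConfig fields, the proxy-bypass check and all sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class WacConfig:
    """Hypothetical description of a WAC deployment (constructed, not a D-Link format)."""
    virtual_ip: str                      # WAC virtual IP the clients will be redirected to
    switch_ipif: str                     # Switch IP interface, e.g. "192.168.10.1/24"
    host_subnets: list = field(default_factory=list)    # subnets of WAC-enabled client ports
    reachable_hosts: list = field(default_factory=list)  # servers/PCs clients must still reach
    https: bool = False                  # web server mode; the manual says HTTP is the default


def validate_wac(cfg: WacConfig) -> list:
    """Return findings that violate the manual's conditions; an empty list means the config is acceptable."""
    findings = []
    vip = ipaddress.ip_address(cfg.virtual_ip)
    ipif = ipaddress.ip_interface(cfg.switch_ipif)
    # The virtual IP never answers ARP/ICMP, so it must not sit in the Switch IPIF subnet...
    if vip in ipif.network:
        findings.append(f"virtual IP {vip} lies in the Switch IPIF subnet {ipif.network}")
    # ...nor in any subnet used by the host PCs on WAC-enabled ports.
    for cidr in cfg.host_subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        if vip in net:
            findings.append(f"virtual IP {vip} lies in host subnet {net}")
    # Packets to the virtual IP are trapped to the CPU, so it must not equal a real server/PC address.
    for host in cfg.reachable_hosts:
        if vip == ipaddress.ip_address(host):
            findings.append(f"virtual IP {vip} collides with server/PC {host} that hosts must reach")
    # Credentials entered on the portal travel in clear text unless the web server runs HTTPS.
    if not cfg.https:
        findings.append("authentication page served over HTTP (default); switch the web server to HTTPS")
    return findings


def proxy_bypass_ok(virtual_ip: str, bypass_entries: list) -> bool:
    """True if a client's proxy exception list (IPs or CIDRs) covers the virtual IP, as the manual requires."""
    vip = ipaddress.ip_address(virtual_ip)
    for entry in bypass_entries:
        try:
            if vip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:       # hostname patterns such as "*.corp.example" cannot match an IP
            continue
    return False
```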