Network Authentication: WebAuth, FlexAuth, IBNS

Web Authentication (WebAuth) is used as a fallback network authentication method for 802.1x most common authentication protocols, just like MAB. When both WebAuth and MAB user authentication are configured as fallbacks, the device first tries to authenticate using MAB, and if that fails, the switch tries to authenticate via WebAuth.

Before allowing network access, WebAuth displays a web portal for the end user to read and interact with. It can show an Acceptable Usage Policy (AUP) that the user must approve before connecting to the network. It may also ask for user credentials, display enterprise information, etc.

The user must use a web browser to gain access to the WebAuth content. WebAuth may be used in conjunction with Open Authentication, Pre-Shared Key (PSK), and Extensible Authentication Protocol (EAP) based authentication as an additional layer. WebAuth, in contrast to MAB, is exclusively for users because it involves manually entering a username and password on a web browser to prevent unauthorized users.


WebAuth Types

There are two types of Web Authentication: Local Web Authentication (LWA) and Centralized Web Authentication (CWA) with Cisco ISE.

WebAuth may be managed locally on the Wireless LAN Controller (WLC) for smaller environments using LWA. LWA can be set up in the following ways:

  • LWA with internal database on the WLC
  • LWA with external database on RADIUS or LDAP server
  • LWA with external redirect after the authentication
  • LWA with external splash page redirect, using WLC internal database
  • LWA with passthrough, requiring user acknowledgement

Central Web Authentication (CWA) is used when several WLCs provide Web Authentication, LWA, with an external database on a RADIUS server, like Cisco Identity Services Engine (ISE), for a centralized user database. The WebAuth page is moved to the central server as well.


Local Web Authentication

With LWA, the switch or WLC redirects web traffic to a locally hosted web portal where the user identity is confirmed by entering a username and a password.

When the login credentials are entered via the web portal, the switch sends a RADIUS access-request message and the user’s login credentials to the RADIUS server. LWA occurs when the switch submits the login credentials on the user’s behalf.

The LWA web portals on Cisco switches are not customizable. Therefore, it is unsuitable for some organizations that want web portals to be modified to reflect their branding. Advanced services such as AUP acceptance pages, password-changing, device registration, and self-registration are not also supported by LWA.

LWA supports ACL assignments but not VLAN assignments. It also does not support the Change of Authorization (CoA) functionality required to implement new policies. As a result, access policies cannot be adjusted based on profiling state or posture, and administrative modifications can’t be done because of malware to quarantine the endpoint.


Central Web Authentication with Cisco ISE

Cisco developed CWA to address the shortcomings of LWA. CWA supports CoA as well as dACL and VLAN assignments. CWA also supports advanced services.

Like LWA, CWA is used by endpoints with a web browser where the user may manually input a username and password. WebAuth and guest VLAN features stay mutually exclusive with CWA.  The steps involved in CWA authentication are as follows:

  1. The endpoint accessing the network lacks a configured supplicant, or the supplicant is incorrectly configured.
  2. MAB is performed by the switch, which sends the RADIUS access request to the authentication server, Cisco ISE.
  3. The authentication server forwards the RADIUS result, which includes a URL redirection, to the ISE server’s centralized portal.
  4. DHCP assigns the endpoint an IP address, DNS server, and default gateway.
  5. The end user launches a browser and logs into the centralized web portal. Unlike LWA, the credentials are saved in ISE and are linked to the MAB from the switch.
  6. ISE sends to the switch a Change of Authorization re-authentication (CoA-reauth).
  7. The switch sends a new MAB request to ISE with the same session ID. The final authorization result is delivered to the switch for the user, along with authorization options, such as dACL.


Enhanced Flexible Authentication (FlexAuth)

A Cisco switch configured with 802.1x, MAB, and WebAuth authentication protocols will always try 802.1x common network authentication methods first, then MAB, and then WebAuth. When a user’s device does not support 802.1x common authentication protocols, it attempts to connect to the network and must wait a while before WebAuth is provided as an authentication method.

Enhanced FlexAuth, also known as Access Session Manager, overcomes this issue by enabling different authentication methods to be used simultaneously. This way, the endpoints can be authenticated and get online more promptly. It also provides authentication, access control, and user policy enforcement.


Cisco Identity-Based Networking Services (IBNS) 2.0

Cisco IBNS 2.0 is a unified system that provides network security through authentication, access control, and user policy enforcement with a single end-to-end access policy that works across wired and wireless networks. It combines the following features and authentication technologies:

  • Enhanced FlexAuth
  • Cisco Common Classification Policy Language (C3PL)
  • Cisco Identity Services Engine (ISE)

Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: