WebAuth (Web Authentication)


In this lesson, we will focus on one of the important authentication methods covered in the CCNP ENCOR exam: WebAuth (Web Authentication). We will learn what WebAuth is, why we use it, and what types of WebAuth exist. Let's start with what WebAuth is.



What is WebAuth?

WebAuth (Web Authentication) is an authentication method generally used as a fallback authentication method. It needs an interactive user to enter credentials in a web browser, so it is usable only for end devices that have a user. It is not an authentication method for a printer, a security camera or any other device that has no user.


In a system that uses WebAuth, users must be authenticated before they can access the network. Before this authentication, only DNS/DHCP traffic is passed.


With this authentication method, the user must use a browser to access the WebAuth content. After accessing this content, the user enters a username and password to access the system. The user credentials are sent from the authenticator switch or WLC to the RADIUS server in a RADIUS Access-Request message. These credentials can be existing user credentials stored in Active Directory, or they can be guest user credentials. WebAuth is generally used for guest authentication for Wi-Fi access.


WebAuth (Web Authentication) can be used with other authentication methods like PSK (Pre-Shared Key), EAP (Extensible Authentication Protocol) etc.



Web Authentication Types

There are two different types of WebAuth. These types are given below:

  • LWA (Local Web Authentication)
  • CWA (Centralized Web Authentication) with Cisco ISE


For small networks, WebAuth can be managed locally with LWA (Local Web Authentication).


For large networks with several WLCs, WebAuth uses a centralized external database on a RADIUS server, such as Cisco Identity Services Engine (ISE).


Let's look at each of these WebAuth types in detail.



LWA (Local Web Authentication)

LWA (Local Web Authentication) is the first WebAuth type; it was developed first. In this type, the WLC or the switch redirects web traffic to a locally hosted web portal where users enter their username and password to authenticate on the system. After this process, the user credentials are sent to the RADIUS server in an Access-Request message.




LWA (Local Web Authentication) is ideal for small networks.


There are different ways to set up LWA. These are given below:

  • LWA with internal database on the WLC
  • LWA with external database on RADIUS or LDAP server
  • LWA with external redirect after the authentication
  • LWA with external splash page redirect, using WLC internal database
  • LWA with passthrough, requiring user acknowledgement



CWA (Centralised Web Authentication) with ISE

CWA (Centralised Web Authentication) with ISE is the second Web Authentication type. CWA was developed to overcome the limitations of LWA. Centralised Web Authentication provides advanced services such as the following:

  • Client provisioning
  • Posture assessments
  • Acceptable use policies (AUPs)
  • Password changing
  • Self-registration
  • Device registration
  • BYOD onboarding


CWA (Centralised Web Authentication) is ideal for large networks that use a centralized external database on a RADIUS server, such as Cisco Identity Services Engine (ISE).


There are some common steps for CWA (Centralised Web Authentication). These steps are given below:

  1. The endpoint does not have a configured supplicant
  2. The switch performs MAC Authentication Bypass (MAB) and sends a RADIUS Access-Request to Cisco ISE
  3. The authentication server sends the RADIUS result, including the URL redirection
  4. The endpoint is assigned an IP address, DNS server, and default gateway using DHCP
  5. The end user enters credentials in the browser. The credentials are stored in ISE.
  6. ISE sends a re-authentication change of authorization (CoA-reauth) to the switch
  7. The switch sends a new MAB request with the same session ID to ISE. ISE will return the final authorization result to the switch for the end user.
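
The CWA steps above as a small model, added here as an example and not Cisco ISE or switch code: a Switch object plays the authenticator and a PolicyServer object plays the RADIUS server. The class names, dictionary fields, portal URL and credentials are constructed for illustration, and DHCP addressing (step 4) is not modelled.

```python
# Constructed model of the CWA steps; field names are illustrative only.
import hmac
import uuid

class PolicyServer:
    """RADIUS/ISE role: remembers which sessions passed the web portal."""
    def __init__(self, users):
        self.users = users          # constructed guest credentials
        self.passed = {}            # session_id -> username

    def access_request(self, session_id, mac):
        # Steps 2-3 and 7: answer MAB; the result depends on portal state.
        if session_id in self.passed:
            return {"access": "full", "user": self.passed[session_id]}
        return {"access": "redirect",
                "url": "https://portal.example/login?session=" + session_id}

    def portal_login(self, session_id, username, password):
        # Step 5: credentials typed into the browser are checked here.
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        self.passed[session_id] = username
        return {"type": "coa-reauth", "session_id": session_id}  # step 6

class Switch:
    """Authenticator role: owns the session ID and enforces the result."""
    def __init__(self, server):
        self.server = server
        self.sessions = {}          # session_id -> {"mac", "access"}

    def connect(self, mac):
        # Step 1: no supplicant responds, so the switch falls back to MAB.
        sid = uuid.uuid4().hex
        self.sessions[sid] = {"mac": mac, "access": "none"}
        self._mab(sid)
        return sid

    def _mab(self, sid):
        reply = self.server.access_request(sid, self.sessions[sid]["mac"])
        self.sessions[sid]["access"] = reply["access"]

    def handle_coa(self, coa):
        # Step 7: re-run MAB only for a session this switch actually holds.
        if not coa or coa.get("session_id") not in self.sessions:
            return False
        self._mab(coa["session_id"])
        return True
```

In this model the second MAB request reuses the session ID, which is what lets the server tie the portal login to the port session; a CoA naming a session the switch does not hold is ignored.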



Benefits of WebAuth

Using Web Authentication has several benefits. So, what are the benefits of WebAuth? These benefits are given below:

  • Web Authentication is very user friendly. It is easy to use and users know how to use this authentication.
  • WebAuth works on browsers. So, there is no need for additional software for authentication.
  • Web Authentication is mostly used by guests to access the network, and guests can do this with only their identity.
  • WebAuth supports identity-based access.
  • Web Authentication pages are customizable.


These are some benefits of the WebAuth authentication type. It is especially important for today's network access.

