Before sending traffic to an intended destination, an auth user initiates an HTTP session to the IP address that is hosting the WebAuth feature on the security device and authenticates himself or herself. After the security device authenticates the user, he or she can send traffic to the destination as permitted by a policy requiring authentication via WebAuth.
Some details about WebAuth:
You can leave the default WebAuth auth server as the local database or you can choose an external auth server for the role. The main requirement to be eligible as the WebAuth auth server is that the auth server must have auth user account-types.
The WebAuth address must be in the same subnet as the interface that users use to connect to the server. For example, if you want auth users to connect to WebAuth via ethernet3, which has IP address 210.1.1.1/24, then you must assign WebAuth an IP address in the 210.1.1.0/24 subnet.
You can put a WebAuth address in the same subnet as the IP address of any physical interface, sub-interface, or virtual security interface (VSI).
WebAuth Server: Select a default WebAuth server. The servers that appear in the drop-down list are servers that you previously configured (see Auth Server Configuration).
You can customize the message that appears to a user who tries to get authenticated through WebAuth. The Success Banner message appears when the user is successfully authenticated by the WebAuth server. Typically the message informs the user that the authentication was successful.
Success Banner: Enter the new message in the text field (the maximum number of characters is 220), and then click Apply to save your changes.