Default SettingFeature
•
None specified
•
1645
•
None specified
RADIUS server
•
IP address
•
UDP authentication port
•
Key
3600 secondsDefault value of inactivity timeout
EnabledInactivity timeout
Web-Based Authentication Configuration Guidelines and Restrictions
•
Web-based authentication is an ingress-only feature.
•
You can configure web-based authentication only on access ports. Web-based authentication is not
supported on trunk ports, EtherChannel member ports, or dynamic trunk ports.
•
You must configure the default ACL on the interface before configuring web-based authentication.
Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface.
•
You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts are
not detected by the web-based authentication feature because they do not send ARP messages.
•
By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking
feature to use web-based authentication.
•
You must configure at least one IP address to run the switch HTTP server. You must also configure
routes to reach each host IP address. The HTTP server sends the HTTP login page to the host.
•
Hosts that are more than one hop away might experience traffic disruption if an STP topology change
results in the host traffic arriving on a different port. This occurs because the ARP and DHCP updates
might not be sent after a Layer 2 (STP) topology change.
•
Web-based authentication does not support VLAN assignment as a downloadable-host policy.
•
Web-based authentication supports IPv6 in Session-aware policy mode. IPv6 Web-authentication requires
at least one IPv6 address configured on the switch and IPv6 Snooping configured on the switchport.
•
Web-based authentication and Network Edge Access Topology (NEAT) are mutually exclusive. You
cannot use web-based authentication when NEAT is enabled on an interface, and you cannot use NEAT
when web-based authentication is running on an interface.
•
Only the Password Authentication Protocol (PAP) is supported for web-based RADIUS authentication
on controllers. The Challenge Handshake Authentication Protocol (CHAP) is not supported for web-based
RADIUS authentication on controllers.
•
Identify the following RADIUS security server settings that will be used while configuring
switch-to-RADIUS-server communication:
◦
Host name
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
370 OL-29048-01
Configuring Web-Based Authentication
Web-Based Authentication Configuration Guidelines and Restrictions
To Next Page
Loading...
