EasyManua.ls Logo

Cisco Catalyst 2960-X - Web-Based Authentication Configuration Guidelines and Restrictions

Cisco Catalyst 2960-X
498 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Loading...
Default SettingFeature
None specified
1645
None specified
RADIUS server
IP address
UDP authentication port
Key
3600 secondsDefault value of inactivity timeout
EnabledInactivity timeout
Web-Based Authentication Configuration Guidelines and Restrictions
Web-based authentication is an ingress-only feature.
You can configure web-based authentication only on access ports. Web-based authentication is not
supported on trunk ports, EtherChannel member ports, or dynamic trunk ports.
You must configure the default ACL on the interface before configuring web-based authentication.
Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface.
You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts are
not detected by the web-based authentication feature because they do not send ARP messages.
By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking
feature to use web-based authentication.
You must configure at least one IP address to run the switch HTTP server. You must also configure
routes to reach each host IP address. The HTTP server sends the HTTP login page to the host.
Hosts that are more than one hop away might experience traffic disruption if an STP topology change
results in the host traffic arriving on a different port. This occurs because the ARP and DHCP updates
might not be sent after a Layer 2 (STP) topology change.
Web-based authentication does not support VLAN assignment as a downloadable-host policy.
Web-based authentication supports IPv6 in Session-aware policy mode. IPv6 Web-authentication requires
at least one IPv6 address configured on the switch and IPv6 Snooping configured on the switchport.
Web-based authentication and Network Edge Access Topology (NEAT) are mutually exclusive. You
cannot use web-based authentication when NEAT is enabled on an interface, and you cannot use NEAT
when web-based authentication is running on an interface.
Only the Password Authentication Protocol (PAP) is supported for web-based RADIUS authentication
on controllers. The Challenge Handshake Authentication Protocol (CHAP) is not supported for web-based
RADIUS authentication on controllers.
Identify the following RADIUS security server settings that will be used while configuring
switch-to-RADIUS-server communication:
Host name
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
370 OL-29048-01
Configuring Web-Based Authentication
Web-Based Authentication Configuration Guidelines and Restrictions

Table of Contents

Other manuals for Cisco Catalyst 2960-X

Related product manuals