241
Cisco Systems, Inc. www.cisco.com
Configuring Web-Based Authentication
Prerequisites for Configuring Web-Based Authentication
By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking feature to
use web-based authentication.
You must configure at least one IP address to run the switch HTTP server. You must also configure routes to reach
each host IP address. The HTTP server sends the HTTP login page to the host.
You must configure the default ACL on the interface before configuring web-based authentication. Configure a port
ACL for a Layer 2 interface.
Restrictions for Configuring Web-Based Authentication
Web-based authentication is an ingress-only feature.
You can configure web-based authentication only on access ports. Web-based authentication is not supported on
trunk ports, EtherChannel member ports, or dynamic trunk ports.
You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts are not detected
by the web-based authentication feature because they do not send ARP messages.
Hosts that are more than one hop away might experience traffic disruption if an STP topology change results in the
host traffic arriving on a different port. This occurs because the ARP and DHCP updates might not be sent after a
Layer 2 (STP) topology change.
Web-based authentication does not support VLAN assignment as a downloadable-host policy.
Web-based authentication is not supported for IPv6 traffic.
Web-based authentication and Network Edge Access Topology (NEAT) are mutually exclusive. You cannot use
web-based authentication when NEAT is enabled on an interface, and you cannot use NEAT when web-based
authentication is running on an interface.
Web-based authentication supports only RADIUS authorization servers. You cannot use TACACS+ servers or local
authorization.
Information About Configuring Web-Based Authentication
Web-Based Authentication
Use the web-based authentication feature, known as web authentication proxy, to authenticate end users on host
systems that do not run the IEEE 802.1x supplicant.
Note: You can configure web-based authentication on Layer 2 interfaces.
To Next Page
Loading...
Need help?
General
