248
Configuring Web-Based Authentication
Information About Configuring Web-Based Authentication
Context-Based Access Control, page 248
802.1x Authentication, page 248
EtherChannel, page 249
Port Security
You can configure web-based authentication and port security on the same port. Web-based authentication
authenticates the port, and port security manages network access for all MAC addresses, including that of the client. You
can then limit the number or group of clients that can access the network through the port.
LAN Port IP
You can configure LAN port IP (LPIP) and Layer 2 web-based authentication on the same port. The host is authenticated
by using web-based authentication first, followed by LPIP posture validation. The LPIP host policy overrides the
web-based authentication host policy.
If the web-based authentication idle timer expires, the NAC policy is removed. The host is authenticated, and posture is
validated again.
Gateway IP
You cannot configure Gateway IP (GWIP) on a Layer 3 VLAN interface if web-based authentication is configured on any
of the switch ports in the VLAN.
You can configure web-based authentication on the same Layer 3 interface as Gateway IP. The host policies for both
features are applied in software. The GWIP policy overrides the web-based authentication host policy.
ACLs
If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the
web-based authentication host policy is applied.
For Layer 2 web-based authentication, you must configure a port ACL (PACL) as the default access policy for ingress
traffic from hosts connected to the port. After authentication, the web-based authentication host policy overrides the
PACL.
Note: When a proxy ACL is configured for a web-based authentication client, the proxy ACL is downloaded and applied
as part of the authorization process. Hence, the PACL displays the proxy ACL access control entry (ACE).
You cannot configure a MAC ACL and web-based authentication on the same interface.
You cannot configure web-based authentication on a port whose access VLAN is configured for VACL capture.
Context-Based Access Control
Web-based authentication cannot be configured on a Layer 2 port if context-based access control (CBAC) is configured
on the Layer 3 VLAN interface of the port VLAN.
802.1x Authentication
You cannot configure web-based authentication on the same port as 802.1x authentication except as a fallback
authentication method.
To Next Page
Loading...
Need help?
General