
Cisco WS-C6506 - Default Web-Based Proxy Authentication Configuration; Web-Based Authentication Guidelines and Restrictions

Cisco WS-C6506
1488 pages
42-8
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 42 Configuring Web-Based Proxy Authentication
• MAC-Authentication Bypass—MAC-Authentication Bypass is a Layer 2 authentication that uses a MAC address. There is no actual authentication with MAC-Authentication Bypass. When you configure web-based proxy authentication on an interface that has MAC-Authentication Bypass configured, web-based proxy authentication occurs when the MAC-Authentication Bypass completes. MAC-Authentication Bypass adds the port to a VLAN and gets an IP address using DHCP, which triggers web-based proxy authentication.

• Port Security—When you enable port security and web-based proxy authentication on a port, the hosts that are secured by port security are web authenticated.

• Voice VLAN ID (VVID)—Web-based proxy authentication and VVID support is restricted to port-VLAN hosts.

• Guest VLAN—At the completion of the 802.1X authentication or MAC-Authentication Bypass, a port is added to the guest VLAN based on the 802.1X or the MAC-Authentication Bypass authentication result. The port receives an IP address using DHCP in the guest VLAN. Web-based proxy authentication occurs after the IP address is received.

• Auth-Fail-VLAN—You can enable web-based proxy authentication and the authentication-fail VLAN on the same port/VLAN.

• Network Admission Control (NAC)—You can enable web-based proxy authentication and NAC LAN port IP on the same port/VLAN. NAC with LAN port IP is independent of web-based proxy authentication; LAN port IP posture validation can happen before web-based proxy authentication.

Default Web-Based Proxy Authentication Configuration
Table 42-1 shows the default web-based proxy authentication configuration settings.
Web-Based Authentication Guidelines and Restrictions
This section provides the guidelines and restrictions for configuring web-based proxy authentication:
• Web-based authentication is not supported on trunk or port-channel interfaces.

• Because PBACL will be mapped to a VLAN, all ports in the VLAN have default access specified by the PBACL's default policy. We recommend that you enable web-based authentication on all the ports in the VLAN.

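The two guidelines above can be checked mechanically against a port inventory. The following Python sketch is an added example, not part of the Cisco guide or any Cisco tool; the `Port` record, its fields and the sample ports are constructed for illustration and would have to be filled from your own configuration export.

```python
from collections import defaultdict
from typing import NamedTuple


class Port(NamedTuple):
    """Hypothetical inventory record (not switch output)."""
    name: str       # module/port, e.g. "3/1"
    vlan: int       # VLAN the port belongs to
    kind: str       # "access", "trunk" or "port-channel"
    web_auth: bool  # web-based proxy authentication enabled on the port


# Interface types on which web-based authentication is not supported.
UNSUPPORTED = {"trunk", "port-channel"}


def audit(ports):
    """Return sorted (port, finding) tuples for both guidelines."""
    findings = []
    by_vlan = defaultdict(list)
    for p in ports:
        if p.web_auth and p.kind in UNSUPPORTED:
            findings.append((p.name, f"web-auth enabled on unsupported {p.kind} interface"))
        by_vlan[p.vlan].append(p)
    for vlan, members in by_vlan.items():
        # Only VLANs where at least one supported port uses web-auth matter.
        if not any(p.web_auth and p.kind not in UNSUPPORTED for p in members):
            continue
        # The PBACL is mapped to the VLAN, so a port left without web-auth
        # still gets the access defined by the PBACL default policy.
        for p in members:
            if not p.web_auth and p.kind not in UNSUPPORTED:
                findings.append((p.name, f"VLAN {vlan} uses web-auth but this port does not"))
    return sorted(findings)


# Constructed sample inventory.
SAMPLE = [
    Port("3/1", 10, "access", True),
    Port("3/2", 10, "access", False),   # same VLAN as 3/1, web-auth missing
    Port("3/3", 20, "access", False),   # VLAN 20 does not use web-auth at all
    Port("4/1", 10, "trunk", True),     # web-auth on a trunk
    Port("4/2", 30, "port-channel", False),
]

if __name__ == "__main__":
    for port, finding in audit(SAMPLE):
        print(f"{port}: {finding}")
```
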
Table 42-1 Web-Based Proxy Authentication Default Configuration

Feature                                     Default Value
Port access entity (PAE) capability         Authenticator only
Web-based proxy authentication—Global       Disabled
Web-based proxy authentication—Per port     Disabled
Global session timeout                      3600 seconds
Quiet timeout                               60 seconds
Login attempts                              3 attempts
