Consolidated Platform Configuration Guide, Cisco Ios Release 15.2(4)E (Catalyst 2960-X Switches - Cisco Catalyst 2960 series Configuration Manual

• Web-based authentication and Network Edge Access Topology (NEAT) are mutually exclusive. You
cannot use web-based authentication when NEAT is enabled on an interface, and you cannot use NEAT
when web-based authentication is running on an interface.
• Web-based authentication NRH (Non-Responsive Host) is not supported for voice devices.
• Only the Password Authentication Protocol (PAP) is supported for web-based RADIUS authentication
on controllers. The Challenge Handshake Authentication Protocol (CHAP) is not supported for web-based
RADIUS authentication on controllers.
• Identify the following RADIUS security server settings that will be used while configuring
switch-to-RADIUS-server communication:
◦ Host name
◦ Host IP address
◦ Host name and specific UDP port numbers
◦ IP address and specific UDP port numbers
The combination of the IP address and UDP port number creates a unique identifier, that enables RADIUS
requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries
on the same RADIUS server are configured for the same service (for example, authentication) the second
host entry that is configured functions as the failover backup to the first one. The RADIUS host entries
are chosen in the order that they were configured.
• When you configure the RADIUS server parameters:
◦ Specify the key string on a separate command line.
◦ For key string, specify the authentication and encryption key used between the switch and the
RADIUS daemon running on the RADIUS server. The key is a text string that must match the
encryption key used on the RADIUS server.
◦ When you specify the key string, use spaces within and at the end of the key. If you use spaces in
the key, do not enclose the key in quotation marks unless the quotation marks are part of the key.
This key must match the encryption used on the RADIUS daemon.
◦ You can globally configure the timeout, retransmission, and encryption key values for all RADIUS
servers by using with the radius-server host global configuration command. If you want to
configure these options on a per-server basis, use the radius-server timeout, radius-server transmit,
and the radius-server key global configuration commands. For more information, see the Cisco
IOS Security Configuration Guide, Release 12.4 and the Cisco IOS Security Command Reference,
Release 12.4.
You need to configure some settings on the RADIUS server, including: the switch IP
Note
address, the key string to be shared by both the server and the switch, and the
downloadable ACL (DACL). For more information, see the RADIUS server
documentation.

Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)

Information About Web-Based Authentication
1431