Gateway Ip; Acls; Context-Based Access Control; Etherchannel - Cisco Catalyst 2960-X Security Configuration Manual

Configuring Web-Based Authentication

Gateway IP

You cannot configure Gateway IP (GWIP) on a Layer 3 VLAN interface if web-based authentication is
configured on any of the switch ports in the VLAN.
You can configure web-based authentication on the same Layer 3 interface as Gateway IP. The host policies
for both features are applied in software. The GWIP policy overrides the web-based authentication host policy.

ACLs

If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic
only after the web-based authentication host policy is applied.
For Layer 2 web-based authentication, it is more secure, though not required, to configure a port ACL (PACL)
as the default access policy for ingress traffic from hosts connected to the port. After authentication, the
web-based authentication host policy overrides the PACL. The Policy ACL is applied to the session even if
there is no ACL configured on the port.
You cannot configure a MAC ACL and web-based authentication on the same interface.
You cannot configure web-based authentication on a port whose access VLAN is configured for VACL
capture.

Context-Based Access Control

Web-based authentication cannot be configured on a Layer 2 port if context-based access control (CBAC) is
configured on the Layer 3 VLAN interface of the port VLAN.

EtherChannel

You can configure web-based authentication on a Layer 2 EtherChannel interface. The web-based authentication
configuration applies to all member channels.

How to Configure Web-Based Authentication

Default Web-Based Authentication Configuration

The following table shows the default web-based authentication configuration.
Table 30: Default Web-based Authentication Configuration
Feature
AAA
OL-29048-01
Default Setting
Disabled
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
How to Configure Web-Based Authentication
369