Web-Based Authentication Configuration Guidelines And Restrictions - Cisco Catalyst 2960-X Security Configuration Manual

Cisco IOS Release 15.0(2)EX

Configuring Web-Based Authentication

Feature                                 Default Setting
RADIUS server
  • IP address                          • None specified
  • UDP authentication port             • 1645
  • Key                                 • None specified
Default value of inactivity timeout     3600 seconds
Inactivity timeout                      Enabled

Web-Based Authentication Configuration Guidelines and Restrictions

• Web-based authentication is an ingress-only feature.
• You can configure web-based authentication only on access ports. Web-based authentication is not supported on trunk ports, EtherChannel member ports, or dynamic trunk ports.
• You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface.
• You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts are not detected by the web-based authentication feature because they do not send ARP messages.
• By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking feature to use web-based authentication.
• You must configure at least one IP address to run the switch HTTP server. You must also configure routes to reach each host IP address. The HTTP server sends the HTTP login page to the host.
• Hosts that are more than one hop away might experience traffic disruption if an STP topology change results in the host traffic arriving on a different port. This occurs because the ARP and DHCP updates might not be sent after a Layer 2 (STP) topology change.
• Web-based authentication does not support VLAN assignment as a downloadable-host policy.
• Web-based authentication supports IPv6 in Session-aware policy mode. IPv6 Web-authentication requires at least one IPv6 address configured on the switch and IPv6 Snooping configured on the switchport.
• Web-based authentication and Network Edge Access Topology (NEAT) are mutually exclusive. You cannot use web-based authentication when NEAT is enabled on an interface, and you cannot use NEAT when web-based authentication is running on an interface.
• Only the Password Authentication Protocol (PAP) is supported for web-based RADIUS authentication on controllers. The Challenge Handshake Authentication Protocol (CHAP) is not supported for web-based RADIUS authentication on controllers.
• Identify the following RADIUS security server settings that will be used while configuring switch-to-RADIUS-server communication:
  ◦ Host name

Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
OL-29048-01
