Host Detection; Session Creation - Cisco Catalyst 2960-X Security Configuration Manual
Cisco ios release 15.0(2)ex
Hide thumbs
Also See for Catalyst 2960-X:
- Command reference manual (135 pages) ,
- Hardware installation manual (34 pages) ,
- Getting started manual (25 pages)
Table of Contents
Advertisement
Configuring Web-Based Authentication
This figure shows the roles of these devices in a network.
Figure 23: Web-Based Authentication Device Roles
Host Detection
The switch maintains an IP device tracking table to store information about detected hosts.
By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking
Note
feature to use web-based authentication.
For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms:
• ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP
• Dynamic ARP inspection
• DHCP snooping—Web-based authentication is notified when the switch creates a DHCP-binding entry
Session Creation
When web-based authentication detects a new host, it creates a session as follows:
• Reviews the exception list.
• Reviews for authorization bypass
• Sets up the HTTP intercept ACL
OL-29048-01
address or a dynamic IP address.
for the host.
If the host IP is included in the exception list, the policy from the exception list entry is applied, and the
session is established.
If the host IP is not on the exception list, web-based authentication sends a nonresponsive-host (NRH)
request to the server.
If the server response is access accepted, authorization is bypassed for this host. The session is established.
If the server response to the NRH request is access rejected, the HTTP intercept ACL is activated, and
the session waits for HTTP traffic from the host.
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
Host Detection
361
Hide quick links:
Advertisement
Table of Contents
