Chapter 52
Configuring Web-Based Authentication
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
proxyacl# 40=permit udp any any eq tftp
Note
The proxyacl entry determines the type of allowed network access.
• Web-based authentication is an ingress-only feature.
• You can configure web-based authentication only on access ports. Web-based authentication is not supported on trunk ports, EtherChannel member ports, or dynamic trunk ports.
• You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface, or a Cisco IOS ACL for a Layer 3 interface.
• On Layer 2 interfaces, you cannot authenticate hosts with static ARP cache assignment. These hosts are not detected by the web-based authentication feature, because they do not send ARP messages.
• By default, the IP device tracking feature is disabled on a switch. You must enable the IP device tracking feature to use web-based authentication.
• You must configure at least one IP address to run the HTTP server on the switch. You must also configure routes to reach each host IP address. The HTTP server sends the HTTP login page to the host.
• Hosts that are more than one hop away may experience traffic disruption if an STP topology change results in the host traffic arriving on a different port. This is because ARP and DHCP updates may not be sent after a Layer 2 (STP) topology change.
• Web-based authentication does not support VLAN assignment as a downloadable host policy.
• Cisco IOS Release 12.2(50)SG supports downloadable ACLs (DACLs) from the RADIUS server.
• Web-based authentication is not supported for IPv6 traffic.
Web-Based Authentication Configuration Task List
To configure the web-based authentication feature, perform the following tasks:
• Configuring the Authentication Rule and Interfaces
• Configuring AAA Authentication
• Configuring Switch-to-RADIUS-Server Communication
• Configuring the HTTP Server
• Configuring the Web-Based Authentication Parameters
• Removing Web-Based Authentication Cache Entries
Configuring the Authentication Rule and Interfaces
To configure web-based authentication, perform this task:
Step 1
Command: Switch(config)# ip admission name name proxy http
Purpose: Configures an authentication rule for web-based authorization.
Command: Switch(config)# no ip admission name name
Purpose: Removes the authentication rule.
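The guidelines above can be checked mechanically before a rule is rolled out. The following is an added example, not part of the Cisco guide: it audits a saved running-config for a defined `ip admission` rule, IP device tracking, an HTTP server, access-port-only use, and a default ACL. The sample config is constructed, the rule and ACL names are placeholders, and the `ip device tracking`, `ip http server`, `ip access-group` and interface-level `ip admission` spellings are assumed from standard Cisco IOS syntax rather than taken from this page.

```python
import re

# Constructed sample running-config; rule, ACL and interface names are placeholders.
SAMPLE = """\
ip admission name WEBAUTH proxy http
ip http server
interface GigabitEthernet1/1
 switchport mode access
 ip access-group PREAUTH in
 ip admission WEBAUTH
interface GigabitEthernet1/2
 switchport mode trunk
 ip admission WEBAUTH
interface GigabitEthernet1/3
 switchport mode access
 channel-group 1 mode on
 ip access-group PREAUTH in
 ip admission GUEST
"""

def audit_webauth(config):
    """Return (scope, problem) findings; command spellings are assumed IOS syntax."""
    findings, ports, top, current = [], {}, [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())  # interface sub-command
        else:
            current = None
            top.append(line.strip())      # global command
    rules = set(re.findall(r"^ip admission name (\S+) proxy http$", config, re.M))
    if "ip device tracking" not in top:
        findings.append(("global", "IP device tracking is not enabled"))
    if "ip http server" not in top and "ip http secure-server" not in top:
        findings.append(("global", "HTTP server is not enabled"))
    for name, body in ports.items():
        applied = [l.split()[2] for l in body if re.fullmatch(r"ip admission \S+", l)]
        if not applied:
            continue  # web-based authentication is not applied on this port
        if applied[0] not in rules:
            findings.append((name, f"rule {applied[0]} is not defined"))
        if "no switchport" not in body and "switchport mode access" not in body:
            findings.append((name, "not an access port"))
        if any(l.startswith("channel-group ") for l in body):
            findings.append((name, "EtherChannel member port"))
        if not any(l.startswith("ip access-group ") for l in body):
            findings.append((name, "no default ACL"))
    return findings
```

A Layer 2 port without an explicit `switchport mode access` line is reported, on the assumption that its default mode is dynamic; adjust that check if your platform defaults differ.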