1.6.4 Configure Web interface

Information

Web-based authentication is an ingress-only feature.

You can configure web-based authentication only on access ports. Web-based authentication is not supported on trunk ports, EtherChannel member ports, or dynamic trunk ports.

External web authentication, where the switch redirects a client to a particular host or web server for displaying login message, is not supported.

You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts are not detected by the web-based authentication feature because they do not send ARP messages.

You must enable SISF-Based device tracking to use web-based authentication. By default, SISF-Based device tracking is disabled on a switch.

You must configure at least one IP address to run the switch HTTP server. You must also configure routes to reach each host IP address. The HTTP server sends the HTTP login page to the host.

Hosts that are more than one hop away might experience traffic disruption if an STP topology change results in the host traffic arriving on a different port. This occurs because the ARP and DHCP updates might not be sent after a Layer 2 (STP) topology change.

Web-based authentication does not support VLAN assignment as a downloadable-host policy.

Web-based authentication and Network Edge Access Topology (NEAT) are mutually exclusive. You cannot use web-based authentication when NEAT is enabled on an interface, and you cannot use NEAT when web-based authentication is running on an interface.

Identify the following RADIUS security server settings that will be used while configuring switch-to-RADIUS-server communication:

Host name

Host IP address

Host name and specific UDP port numbers

IP address and specific UDP port numbers

Rationale:

The combination of the IP address and UDP port number creates a unique identifier, that enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service (for example, authentication) the second host entry that is configured functions as the failover backup to the first one. The RADIUS host entries are chosen in the order that they were configured.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configuring the Authentication Rule and Interfaces

Hostname#(config)ip admission name {Name} proxy http
Hostname#(config)interface {type slot/port}
Hostname#(config)ip access-group {Name}
Hostname#(config)ip admission name
Hostname#(config)ip admission max-login-attempts {number}

See Also

https://workbench.cisecurity.org/files/3762

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11)

Plugin: Cisco

Control ID: 7bf31a1e351404a9a1514e84997ff4e517883b936a660cb3d9eb07924cf44480