Detections
Analytics
1.6.4 Configure Web interface
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
Web-based authentication is an ingress-only feature.You can configure web-based authentication only on access ports. Web-based authentication is not supported on trunk ports, EtherChannel member ports, or dynamic trunk ports.
External web authentication, where the switch redirects a client to a particular host or web server for displaying login message, is not supported.
You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts are not detected by the web-based authentication feature because they do not send ARP messages.
You must enable SISF-Based device tracking to use web-based authentication. By default, SISF-Based device tracking is disabled on a switch.
You must configure at least one IP address to run the switch HTTP server. You must also configure routes to reach each host IP address. The HTTP server sends the HTTP login page to the host.
Hosts that are more than one hop away might experience traffic disruption if an STP topology change results in the host traffic arriving on a different port. This occurs because the ARP and DHCP updates might not be sent after a Layer 2 (STP) topology change.
Web-based authentication does not support VLAN assignment as a downloadable-host policy.
Web-based authentication and Network Edge Access Topology (NEAT) are mutually exclusive. You cannot use web-based authentication when NEAT is enabled on an interface, and you cannot use NEAT when web-based authentication is running on an interface.
Identify the following RADIUS security server settings that will be used while configuring switch-to-RADIUS-server communication:
Host name
Host IP address
Host name and specific UDP port numbers
IP address and specific UDP port numbers
Rationale:
The combination of the IP address and UDP port number creates a unique identifier, that enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service (for example, authentication) the second host entry that is configured functions as the failover backup to the first one. The RADIUS host entries are chosen in the order that they were configured.
NOTE: Nessus has not identified that 'ip addmission ... proxy http' is configured on the target device.
Solution
Configuring the Authentication Rule and InterfacesHostname#(config)ip admission name {Name} proxy http
Hostname#(config)interface {type slot/port}
Hostname#(config)ip access-group {Name}
Hostname#(config)ip admission name
Hostname#(config)ip admission max-login-attempts {number}
See Also
Item Details
Audit Name: CIS Cisco IOS 16 L2 v1.1.0
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-7(11)
Plugin: Cisco
Control ID: 7bf31a1e351404a9a1514e84997ff4e517883b936a660cb3d9eb07924cf44480