Enables Web Authentication to use dynamically created passcodes to authenticate users in the VLAN.

auth-mode passcode [ flush-expired | generate | grace-period time | length passcode-length | log { snmp-trap | syslog } | refresh-type { duration time | time [ time-string | delete-all ] } | resend-log | static ]
no auth-mode passcode [ flush-expired | generate | grace-period time | length passcode-length | log { snmp-trap | syslog } | refresh-type { duration time | time [ time-string | delete-all ] } | resend-log | static ]

Passcode authentication is not enabled.

flush-expired
Deletes old passcodes that have expired but are still valid because they are in the grace period.
generate
Refreshes the passcode instead of waiting for the system to automatically generate one.
grace-period time
Configures a grace period for an expired passcode.
length passcode-length
Configures the passcode length. Valid values are from 4 through 16 digits. The default is 4 digits.
log
Enables the generation of syslog messages and SNMP trap messages every time a new passcode is generated and passcode authentication is attempted. By default, the syslog and SNMP trap messages are enabled.
snmp-trap
Generates SNMP trap messages every time a new passcode is generated and passcode authentication is attempted.
syslog
Generates syslog messages every time a new passcode is generated and passcode authentication is attempted.
refresh-type
Configures the passcode refresh type as one of the following:
duration time
Configures the duration of time after which passcodes are refreshed. By default, dynamically created passcodes are refreshed every 1440 minutes (24 hours).
time time-string
Configures the time of the day when the passcode should be refreshed. When initially enabled, the time of day method will cause passcodes to be refreshed at 00:00 (12:00 midnight). You can add up to 24 refresh periods in a 24-hour period.
delete-all
Deletes all of the configured passcode refresh times and reverts back to the default time of 00:00 (12:00 midnight).
resend-log
Retransmits the current passcode to a syslog message or SNMP trap if passcode logging is enabled.
static
Creates a static passcode.

Web Authentication configuration mode

You can delete old passcodes that have expired but are still valid because they are in the grace period using the auth-mode passcode flush-expired command. This is useful in situations where the old passcodes have been compromised but are still valid because of the grace period. This command does not affect current valid passcodes or passcodes that newly expire.

When the passcode is manually refreshed using the auth-mode passcode generate command, the old passcode no longer works, even if a grace period is configured. Also, if the passcode refresh method duration of time is used, the duration counter is reset when the passcode is manually refreshed. The passcode refresh method time of day is not affected when the passcode is manually refreshed.

If the grace period is reconfigured using the auth-mode passcode grace-period command while a passcode is already in the grace period, the passcode is not affected by the configuration change. The new grace period will apply only to passcodes that expire after the new grace period is set.

If you change the passcode refresh value using the auth-mode passcode refresh-type command, the configuration is immediately applied to the current passcode. If both the duration of time and time of day passcode refresh values are configured, they are saved to the configuration file. You can switch back and forth between the passcode refresh methods, but only one method can be enabled at a time.

Passcodes are not stateful, meaning a software reset or reload will cause the system to erase the passcode. When the device comes back up, a new passcode will be generated.

When the auth-mode passcode resend-log command is configured, the switch retransmits the current passcode only. Passcodes that are in the grace period are not sent.

Static passcodes can be used for troubleshooting purposes, or for networks that want to use passcode authentication, but do not have the ability to support automatically generated passcodes (for example, the network does not fully support the use of SNMP traps or syslog messages with passcodes). Manually created passcodes are used in conjunction with dynamic passcodes. You can configure up to four static passcodes that never expire. Unlike dynamically created passcodes, static passcodes are saved to flash memory. By default, there are no static passcodes configured on the switch. Static passcodes do not have to be the same length as passcodes that are automatically generated.
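
The passcode lifetime rules described above (grace period, manual refresh, flush, reload, static passcodes), modeled in Python as an added example that is not vendor code. The class and method names are hypothetical, passcode values are constructed, and the grace period is assumed to be in minutes.

```python
from dataclasses import dataclass, field

@dataclass
class PasscodeModel:
    """Toy model of the usage guidelines; passcode values are constructed."""
    grace: int = 0                                  # minutes (unit assumed)
    current: str = "0001"
    static: set = field(default_factory=set)        # never expire, survive reload
    in_grace: dict = field(default_factory=dict)    # old passcode -> expiry time
    serial: int = 1

    def _new(self):
        self.serial += 1
        return f"{self.serial:04d}"

    def scheduled_refresh(self, now):
        # Automatic refresh: the old passcode stays valid for the grace period.
        if self.grace:
            self.in_grace[self.current] = now + self.grace
        self.current = self._new()

    def generate(self):
        # Manual refresh: the old passcode stops working, grace period or not.
        self.current = self._new()

    def set_grace(self, minutes):
        # Applies only to passcodes that expire after the change.
        self.grace = minutes

    def flush_expired(self):
        # Removes passcodes in the grace period; the current one is untouched.
        self.in_grace.clear()

    def add_static(self, code):
        if len(self.static) >= 4:
            raise ValueError("at most four static passcodes")
        self.static.add(code)

    def reload(self):
        # Dynamic passcodes are erased and a new one is generated.
        self.in_grace.clear()
        self.current = self._new()

    def accepts(self, code, now):
        return (code == self.current or code in self.static
                or self.in_grace.get(code, -1) > now)

if __name__ == "__main__":
    m = PasscodeModel(grace=5)
    m.scheduled_refresh(now=100)
    print(m.accepts("0001", 103), m.accepts("0001", 106))
```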

Use the show webauth vlan vlan-id passcode command to view the current passcodes.

The no form of the command removes or disables the configured settings.

The following example flushes out all expired passcodes that are currently in the grace period.

device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode flush-expired

The following example refreshes the passcode immediately.

device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode generate

The following example configures the grace period for an expired passcode.

device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode grace-period 5

The following example increases the passcode length to 10 digits.

device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode length 10

The following example shows how to re-enable syslog messages for passcodes after they have been disabled.

device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode log syslog

The following example changes the duration of time after which passcodes are refreshed to 4320 minutes (72 hours).

device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode refresh-type duration 4320

The following example configures the switch to refresh passcodes at a certain time of day.

device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode refresh-type time 14:30

The following example deletes all of the configured passcode refresh times and reverts back to the default time of 00:00 (12:00 midnight).

device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode refresh-type time delete-all

The following example retransmits the current passcode to a syslog message or SNMP trap if passcode logging is enabled.

device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode resend-log

The following example creates a static passcode.

device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode static 3267345
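
A review aid for the settings documented above, as an added example that is not vendor tooling: it reads auth-mode passcode commands from a list of configuration lines and reports the ones that weaken passcode authentication. The function name, the MIN_LENGTH policy value and the sample lines are assumptions, and the lines are taken to have the same form as the commands entered above.

```python
import re

MIN_LENGTH = 8           # assumed site policy, not a vendor recommendation
MAX_REFRESH_MIN = 1440   # documented default refresh duration, in minutes

def audit(lines):
    """Return findings for the auth-mode passcode commands in config lines."""
    length, statics, findings = 4, 0, []   # 4 digits is the documented default
    for raw in lines:
        m = re.match(r"\s*(no\s+)?auth-mode passcode\s*(.*)", raw)
        if not m:
            continue
        negated, args = bool(m.group(1)), m.group(2).split()
        if not args:
            continue
        if args[0] == "length" and not negated:
            length = int(args[1])
        elif args[0] == "static" and not negated:
            statics += 1
        elif args[0] == "log" and negated:
            # No record of new passcodes or of passcode authentication attempts.
            findings.append(f"logging disabled: {' '.join(args[1:]) or 'all'}")
        elif args[:2] == ["refresh-type", "duration"] and not negated:
            if int(args[2]) > MAX_REFRESH_MIN:
                findings.append(f"refresh every {args[2]} min exceeds default")
    if length < MIN_LENGTH:
        findings.append(f"length {length}: only 10**{length} possible passcodes")
    if statics:
        findings.append(f"{statics} static passcode(s): never expire, kept in flash")
    return findings

# Constructed sample, built only from commands shown on this page.
SAMPLE = [
    "vlan 10",
    " webauth",
    "  auth-mode passcode length 6",
    "  auth-mode passcode refresh-type duration 4320",
    "  no auth-mode passcode log syslog",
    "  auth-mode passcode static 3267345",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```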