auth-mode passcode
Last Updated: Jul 20, 2017
Enables Web Authentication to use dynamically created passcodes to authenticate users in the VLAN.
By default, passcode authentication is not enabled.
flush-expired
    Deletes old passcodes that have expired but are still valid because they are in the grace period.
generate
    Refreshes the passcode instead of waiting for the system to automatically generate one.
grace-period time
    Configures a grace period for an expired passcode.
length passcode-length
    Configures the passcode length. Valid values are from 4 through 16 digits. The default is 4 digits.
log
    Enables the generation of syslog messages and SNMP trap messages every time a new passcode is generated and passcode authentication is attempted. By default, the syslog and SNMP trap messages are enabled.
snmp-trap
    Generates SNMP trap messages every time a new passcode is generated and passcode authentication is attempted.
syslog
    Generates syslog messages every time a new passcode is generated and passcode authentication is attempted.
refresh-type
    Configures the passcode refresh type as one of the following:
resend-log
    Retransmits the current passcode to a syslog message or SNMP trap if passcode logging is enabled.
static
    Creates a static passcode.
Web Authentication configuration mode
You can delete old passcodes that have expired but are still valid because they are in the grace period using the auth-mode passcode flush-expired command. This is useful in situations where the old passcodes have been compromised but are still valid because of the grace period. This command does not affect current valid passcodes or passcodes that newly expire.
When the passcode is manually refreshed using the auth-mode passcode generate command, the old passcode no longer works, even if a grace period is configured. Also, if the duration of time passcode refresh method is in use, the duration counter is reset when the passcode is manually refreshed. The time of day passcode refresh method is not affected when the passcode is manually refreshed.
If the grace period is reconfigured using the auth-mode passcode grace-period command while a passcode is already in the grace period, the passcode is not affected by the configuration change. The new grace period will apply only to passcodes that expire after the new grace period is set.
If you change the passcode refresh value using the auth-mode passcode refresh-type command, the configuration is immediately applied to the current passcode. If both the duration of time and time of day passcode refresh values are configured, they are saved to the configuration file. You can switch back and forth between the passcode refresh methods, but only one method can be enabled at a time.
Passcodes are not stateful, meaning a software reset or reload will cause the system to erase the passcode. When the device comes back up, a new passcode will be generated.
When the auth-mode passcode resend-log command is configured, the switch retransmits the current passcode only. Passcodes that are in the grace period are not sent.
Static passcodes can be used for troubleshooting purposes, or for networks that need passcode authentication but cannot support automatically generated passcodes (for example, the network does not fully support the use of SNMP traps or syslog messages with passcodes). Manually created passcodes are used in conjunction with dynamic passcodes. You can configure up to four static passcodes that never expire. Unlike dynamically created passcodes, static passcodes are saved to flash memory. By default, there are no static passcodes configured on the switch. Static passcodes do not have to be the same length as passcodes that are automatically generated.
Use the show webauth vlan vlan-id passcode command to view the current passcodes.
The no form of the command removes or disables the configured settings.
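The lifecycle rules above decide which command actually invalidates a leaked passcode, so the following Python model walks through them. It is an added illustration, not vendor code; the class and method names, the abstract time unit, and the assumption that a reload also discards grace-period passcodes are hypothetical.

```python
import secrets

class PasscodeModel:
    """Toy model of the passcode rules in the usage guidelines (not vendor code)."""

    def __init__(self, length=4, grace=0):
        self.length = length   # page default is 4 digits
        self.grace = grace     # grace period, in the same abstract unit as `now`
        self.static = set()    # up to four, never expire, saved to flash
        self.in_grace = {}     # expired passcode -> time its grace period ends
        self.current = self._new()

    def _new(self):
        return "".join(secrets.choice("0123456789") for _ in range(self.length))

    def scheduled_refresh(self, now):
        # Automatic refresh: the old passcode expires but stays valid for the
        # grace period configured at the moment it expires.
        if self.grace:
            self.in_grace[self.current] = now + self.grace
        self.current = self._new()

    def generate(self):
        # Manual refresh: the old passcode stops working, grace period or not.
        self.current = self._new()

    def flush_expired(self):
        # Removes only passcodes in the grace period; the current one is kept.
        self.in_grace.clear()

    def set_grace_period(self, grace):
        # Affects passcodes that expire later; entries in in_grace keep their end time.
        self.grace = grace

    def add_static(self, code):
        if code not in self.static and len(self.static) >= 4:
            raise ValueError("at most four static passcodes")
        self.static.add(code)

    def reload(self):
        # Dynamic passcodes are erased and a new one is generated. Assumption:
        # grace-period passcodes are erased too. Static passcodes survive.
        self.in_grace.clear()
        self.current = self._new()

    def is_valid(self, code, now):
        if code == self.current or code in self.static:
            return True
        return code in self.in_grace and now < self.in_grace[code]
```

In this model a compromised current passcode is cut off by generate(), while a compromised passcode that has already expired into its grace period is cut off by flush_expired().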
The following example flushes out all expired passcodes that are currently in the grace period.
device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode flush-expired
The following example refreshes the passcode immediately.
device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode generate
The following example configures the grace period for an expired passcode.
device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode grace-period 5
The following example increases the passcode length to 10 digits.
device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode length 10
The following example shows how to re-enable syslog messages for passcodes after they have been disabled.
device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode log syslog
The following example changes the duration of time after which passcodes are refreshed to 4320 minutes (72 hours).
device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode refresh-type duration 4320
The following example configures the switch to refresh passcodes at a certain time of day.
device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode refresh-type time 14:30
The following example deletes all of the configured passcode refresh times and reverts back to the default time of 00:00 (12:00 midnight).
device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode refresh-type time delete-all
The following example retransmits the current passcode to a syslog message or SNMP trap if passcode logging is enabled.
device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode resend-log
The following example creates static passcodes.
device(config)# vlan 10
device(config-vlan-10)# webauth
device(config-vlan-10-webauth)# auth-mode passcode static 3267345