Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1541
Views
10
Helpful
2
Replies

Use of the command: ip admission watch-list expiry-time 0

Go to solution
JashpalsinhMahida69797
Level 1
Level 1

‎09-28-2020 09:29 AM

I have Cisco IE4010 switch with following line in the configuration. I don't know what the purpose of this line?i am trying to create the a template for switch and confused about should i keep this line in the config.

 

ip admission watch-list expiry-time 0

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎09-28-2020 09:52 AM

That is just a watch-list time out 

Authentication Process

When you enable web-based authentication, the following events occur:

  • The user initiates an HTTP session.
  • The HTTP traffic is intercepted, and authorization is initiated. The switch sends the login page to the user. The user enters a username and password on the login page, and the switch sends the entries to the authentication server.
  • If the client identity is valid and the authentication succeeds, the switch downloads and activates the user’s access policy from the authentication server. The login success page is sent to the user.
  • If the authentication fails, the switch sends the login fail page. The user retries the login. If the maximum number of attempts fails, the switch sends the login expired page and the host is placed in a watch list, using the following commands:

ip admission watch-list enable

ip admission watch-list expiry-time < milliseconds >

  • After the watch list times out, the user can retry the authentication process.
  • If the authentication server does not respond to the switch, and if an AAA fail policy is configured, the switch applies the failure access policy to the host. The login success page is sent to the user. See the “Customization of the Authentication Proxy Web Pages” section.
  • The switch reauthenticates a client when the host does not respond to an ARP probe on a Layer 2 interface, or the host does not send any traffic within the idle timeout on a Layer 3 interface.
  • The feature applies the downloaded timeout or the locally configured session timeout.
  • If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server. The terminate action is included in the response from the server.
  • If the terminate action is default, the session is dismantled and the applied policy is removed.
  • Link for more info:
  • https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-6-0E/15-22E/configuration/guide/xe-360-config/webauth.html
  • HTH

View solution in original post

2 Replies 2

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎09-28-2020 09:52 AM

That is just a watch-list time out 

Authentication Process

When you enable web-based authentication, the following events occur:

  • The user initiates an HTTP session.
  • The HTTP traffic is intercepted, and authorization is initiated. The switch sends the login page to the user. The user enters a username and password on the login page, and the switch sends the entries to the authentication server.
  • If the client identity is valid and the authentication succeeds, the switch downloads and activates the user’s access policy from the authentication server. The login success page is sent to the user.
  • If the authentication fails, the switch sends the login fail page. The user retries the login. If the maximum number of attempts fails, the switch sends the login expired page and the host is placed in a watch list, using the following commands:

ip admission watch-list enable

ip admission watch-list expiry-time < milliseconds >

  • After the watch list times out, the user can retry the authentication process.
  • If the authentication server does not respond to the switch, and if an AAA fail policy is configured, the switch applies the failure access policy to the host. The login success page is sent to the user. See the “Customization of the Authentication Proxy Web Pages” section.
  • The switch reauthenticates a client when the host does not respond to an ARP probe on a Layer 2 interface, or the host does not send any traffic within the idle timeout on a Layer 3 interface.
  • The feature applies the downloaded timeout or the locally configured session timeout.
  • If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server. The terminate action is included in the response from the server.
  • If the terminate action is default, the session is dismantled and the applied policy is removed.
  • Link for more info:
  • https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-6-0E/15-22E/configuration/guide/xe-360-config/webauth.html
  • HTH
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card