I’m not a huge fan of CNA or GUI’s in general, however I have a couple of customers that use it. I recently configured a customers devices to authenticate to a Microsoft NPS server. What I didn’t know was that an admin in a remote location uses the web interface on the switch to configure VLAN membership. The customer wanted this admin to be able to continue to work this way. Come to find out it wasn’t as easy as I thought. The built-in web server on the switch will only use the default authentication method. The VTY’s and the Console port can be configured with their own method.
In this example we configure the VTY’s to use RADIUS for authentication. The default group for HTTP is also configured for RADIUS. Since the default method is the only method support on the HTTP server, the configuration above is required. The configuration for the VTY’s could also use the default method, but by separating them, we will have more flexibility in our VTY configuration. For the Console, I usually build another method and have that method only look at the local database of users. The only time we typically log into the Console is when there is an issue and I don’t want to be waiting on RADIUS.