802.1x Web Authentication

From: Jose A. Arnau Alvarez <jaral18_at_hotmail.com>
Date: Wed, 26 Aug 2009 16:28:36 +0000

Hi guys,

I have a problem with the configuration of Web Authentication on a 3560
switch with the c3560-ipbasek9-mz.122-50.SE3.bin image. The Cisco ACS server
is running version 4.2 with the latest patches applied.

This is my topology:

PC------Switch------ACS

I would like a user who connects to a wired port in the network to have to
authenticate through a Web page before he can access the network.
Currently, when a user connects to the switch, he gets an IP address, but
when he opens a web browser the login page is not displayed. I am in a lab
environment and I can do tests.

This is the config applied to the switch:

aaa new-model
!
!
aaa authentication login default local none
aaa authentication enable default enable none
aaa authorization auth-proxy default group radius
!
!
ip device tracking
ip admission name RULE1 proxy http inactivity-time 60
!
!
dot1x system-auth-control
!
!
!
!
!
!
fallback profile WEB-AUTH
 ip access-group DEFAULT-ACCESS in
 ip admission RULE1
!
interface FastEthernet0/3
 description Dot1x Demo with MAB and Web-Auth
 switchport access vlan 151
 switchport mode access
 switchport voice vlan 152
 authentication port-control auto
 authentication fallback WEB-AUTH
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-req 3
 spanning-tree portfast
!
ip http server
ip http secure-server
!
ip access-list extended DEFAULT-ACCESS
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 remark Allow HTTP
 permit tcp any any eq www
 remark Allow ICMP for test purposes
 permit icmp any any
 remark Implicit Deny
 deny ip any any
!
ip radius source-interface Vlan99
radius-server attribute 8 include-in-access-req
radius-server host 192.168.200.68 auth-port 1645 acct-port 1646 key sothis2009
radius-server key XXXXXX
radius-server vsa send authentication

Does anybody have any idea?

Thanks in advance and kind regards.

-----------------------------------
-----------------------------------
Jose A. Arnau Alvarez
CCIE #23051 R&S
-----------------------------------
-----------------------------------
Received on Wed Aug 26 2009 - 16:28:36 ART
