RE: 802.1x Web Authentication

From: Nitin Jain <jainknitin_at_gmail.com>
Date: Thu, 27 Aug 2009 01:22:56 +0400

Jose,

You need to enable aaa authorization as well for network:

aaa authorization network default group radius

"Every Impossible says - I M Possible."
 
----Nitin

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Sadiq Yakasai
Sent: Wednesday, August 26, 2009 9:12 PM
To: Jose A. Arnau Alvarez
Cc: Grupo de Estudio CCIE
Subject: Re: 802.1x Web Authentication

Jose,

Can you change the login authentication method to radius? I think this is
your culprit there:

aaa authentication login default local none

change to:

aaa authentication login default group radius

HTH,
Sadiq

On Wed, Aug 26, 2009 at 5:28 PM, Jose A. Arnau Alvarez <jaral18_at_hotmail.com> wrote:

> Hi guys,
>
> I have a problem with the configuration of Web Authentication on a 3560
> switch with the c3560-ipbasek9-mz.122-50.SE3.bin image. The Cisco ACS server is
> running version 4.2 with the last patches applied.
>
> This is my topology:
>
> PC------Switch------ACS
>
> I would like that when a user connects to a wired port in the network he needs
> to authenticate through a Web page before he can access the network.
> Actually when a user connects to the switch, he takes an IP address but when he
> opens a web browser the login page is not displayed. I am in a lab environment
> and I can do tests.
>
> This is the config applied to the switch:
>
> aaa new-model
> !
> !
> aaa authentication login default local none
> aaa authentication enable default enable none
> aaa authorization auth-proxy default group radius
> !
> !
> ip device tracking
> ip admission name RULE1 proxy http inactivity-time 60
> !
> !
> dot1x system-auth-control
> !
> !
> !
> !
> !
> !
> fallback profile WEB-AUTH
>  ip access-group DEFAULT-ACCESS in
>  ip admission RULE1
> !
> interface FastEthernet0/3
>  description Dot1x Demo with MAB and Web-Auth
>  switchport access vlan 151
>  switchport mode access
>  switchport voice vlan 152
>  authentication port-control auto
>  authentication fallback WEB-AUTH
>  mab
>  dot1x pae authenticator
>  dot1x timeout tx-period 10
>  dot1x max-req 3
>  spanning-tree portfast
> !
> ip http server
> ip http secure-server
> !
> ip access-list extended DEFAULT-ACCESS
>  remark Allow DHCP
>  permit udp any eq bootpc any eq bootps
>  remark Allow DNS
>  permit udp any any eq domain
>  remark Allow HTTP
>  permit tcp any any eq www
>  remark Allow ICMP for test purposes
>  permit icmp any any
>  remark Implicit Deny
>  deny ip any any
> !
> ip radius source-interface Vlan99
> radius-server attribute 8 include-in-access-req
> radius-server host 192.168.200.68 auth-port 1645 acct-port 1646 key sothis2009
> radius-server key XXXXXX
> radius-server vsa send authentication
>
> Does somebody have any idea?
>
> Thanks in advance and kind regards.
>
> -----------------------------------
> -----------------------------------
> Jose A. Arnau Alvarez
> CCIE #23051 R&S
> -----------------------------------
> -----------------------------------
>
> Blogs and organic groups at http://www.ccie.net

-- 
CCIE #19963
Received on Thu Aug 27 2009 - 01:22:56 ART
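
Added example, not part of any message in this thread: a small Python check that looks for the AAA method lists discussed above (the login and network lists the two replies suggest, plus the auth-proxy list already in the posted config) and cross-checks that each referenced fallback profile, admission rule and ACL is defined. The function names, the `WANTED` list and the sample excerpt are constructed for this example; whether a given IOS release needs all three lists is an assumption to confirm on the device.

```python
import re

# "default" method lists this thread wants on RADIUS: auth-proxy is already in
# the posted config; login and network are what the two replies suggest.
WANTED = [("authentication", "login"), ("authorization", "network"),
          ("authorization", "auth-proxy")]
# Use pattern -> definition template; only named extended ACLs are recognised.
REFS = [(r"authentication fallback (\S+)", "fallback profile {}"),
        (r"ip admission (?!name )(\S+)", "ip admission name {}"),
        (r"ip access-group (\S+)", "ip access-list extended {}")]

# Constructed sample: an excerpt of the quoted config, mail quoting included.
SAMPLE = """\
> aaa authentication login default local none
> aaa authorization auth-proxy default group radius
> ip admission name RULE1 proxy http inactivity-time 60
> fallback profile WEB-AUTH
>  ip access-group DEFAULT-ACCESS in
>  ip admission RULE1
>  authentication fallback WEB-AUTH
> ip access-list extended DEFAULT-ACCESS
"""

def clean(config):
    """Strip mail quoting and indentation; drop blank and '!' lines."""
    lines = (re.sub(r"^[>\s]+", "", l).strip() for l in config.splitlines())
    return [l for l in lines if l and l != "!"]

def aaa_lists(lines):
    """Map (kind, service, list name) to its methods, e.g. ['local', 'none']."""
    pat = re.compile(r"aaa (authentication|authorization) (\S+) (\S+) (.+)", re.I)
    return {(m[1].lower(), m[2].lower(), m[3]): m[4].lower().split()
            for l in lines if (m := pat.match(l))}

def findings(config):
    lines = clean(config)
    lists, out = aaa_lists(lines), []
    for kind, svc in WANTED:
        methods = lists.get((kind, svc, "default"))
        if methods is None:
            out.append(f"no 'aaa {kind} {svc} default' method list")
        elif methods[:2] != ["group", "radius"]:
            out.append(f"aaa {kind} {svc} default uses: {' '.join(methods)}")
    for use, template in REFS:  # every referenced name needs a definition
        for name in sorted({m[1] for l in lines if (m := re.match(use, l))}):
            want = template.format(name).split()
            if not any(l.split()[:len(want)] == want for l in lines):
                out.append(f"{name} is referenced but never defined")
    return out
```

`findings()` accepts a saved running-config or text pasted straight from a mail; an empty list means nothing was flagged.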

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART