Re: 802.1x Web Authentication

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Thu, 27 Aug 2009 00:26:32 +0100

Nitin,

Actually, for WebAuth, you don't need network authorization configured. That
would only be required if you were doing dot1x (or MAB).

HTH,
Sadiq

On Wed, Aug 26, 2009 at 10:22 PM, Nitin Jain <jainknitin_at_gmail.com> wrote:

> Jose,
>
> You need to enable aaa authorization as well for network
>
>
> aaa authorization network default group radius
>
>
> "Every Impossible says - I M Possible."
>
> ----Nitin
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Sadiq Yakasai
> Sent: Wednesday, August 26, 2009 9:12 PM
> To: Jose A. Arnau Alvarez
> Cc: Grupo de Estudio CCIE
> Subject: Re: 802.1x Web Authentication
>
> Jose,
>
> Can you change the login authentication method to radius? I think this is
> your culprit there:
>
>
> aaa authentication login default local none
>
> change to:
>
> aaa authentication login default group radius
>
> HTH,
> Sadiq
>
> On Wed, Aug 26, 2009 at 5:28 PM, Jose A. Arnau Alvarez
> <jaral18_at_hotmail.com> wrote:
>
> > Hi guys,
> >
> > I have a problem with the configuration of Web Authentication over a 3560
> > switch with the c3560-ipbasek9-mz.122-50.SE3.bin image. The Cisco ACS server
> > is running version 4.2 with the latest patches applied.
> >
> > This is my topology:
> >
> > PC------Switch------ACS
> >
> > I would like that, when a user connects to a wired port in the network, he
> > needs to authenticate through a Web page before he can access the network.
> > Actually, when a user connects to the switch, he takes an IP address, but
> > when he opens a web browser the login page is not displayed. I am in a lab
> > environment and I can do tests.
> >
> > This is the config applied to the switch:
> >
> > aaa new-model
> > !
> > !
> > aaa authentication login default local none
> > aaa authentication enable default enable none
> > aaa authorization auth-proxy default group radius
> > !
> > !
> > ip device tracking
> > ip admission name RULE1 proxy http inactivity-time 60
> > !
> > !
> > dot1x system-auth-control
> > !
> > !
> > !
> > !
> > !
> > !
> > fallback profile WEB-AUTH
> > ip access-group DEFAULT-ACCESS in
> > ip admission RULE1
> > !
> > interface FastEthernet0/3
> > description Dot1x Demo with MAB and Web-Auth
> > switchport access vlan 151
> > switchport mode access
> > switchport voice vlan 152
> > authentication port-control auto
> > authentication fallback WEB-AUTH
> > mab
> > dot1x pae authenticator
> > dot1x timeout tx-period 10
> > dot1x max-req 3
> > spanning-tree portfast
> > !
> > ip http server
> > ip http secure-server
> > !
> > ip access-list extended DEFAULT-ACCESS
> > remark Allow DHCP
> > permit udp any eq bootpc any eq bootps
> > remark Allow DNS
> > permit udp any any eq domain
> > remark Allow HTTP
> > permit tcp any any eq www
> > remark Allow ICMP for test purposes
> > permit icmp any any
> > remark Implicit Deny
> > deny ip any any
> > !
> > ip radius source-interface Vlan99
> > radius-server attribute 8 include-in-access-req
> > radius-server host 192.168.200.68 auth-port 1645 acct-port 1646 key sothis2009
> > radius-server key XXXXXX
> > radius-server vsa send authentication
> >
> > Does somebody have any idea?
> >
> > Thanks in advance and kind regards.
> >
> > -----------------------------------
> > -----------------------------------
> > Jose A. Arnau Alvarez
> > CCIE #23051 R&S
> > -----------------------------------
> > -----------------------------------
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> CCIE #19963

-- 
CCIE #19963
Received on Thu Aug 27 2009 - 00:26:32 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART
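
Added example, not part of the original thread or of any Cisco tooling: a small Python check that runs the points raised above over a switch configuration, namely the login method list Sadiq points at and whether every name referenced by the web-auth fallback (profile, admission rule, ACL) is actually defined. The function name, finding labels and the trimmed sample config are constructed for illustration; only named extended ACLs are handled.

```python
import re

# Constructed sample, trimmed from the configuration quoted in the thread.
SAMPLE = """\
aaa new-model
aaa authentication login default local none
aaa authorization auth-proxy default group radius
ip device tracking
ip admission name RULE1 proxy http inactivity-time 60
fallback profile WEB-AUTH
 ip access-group DEFAULT-ACCESS in
 ip admission RULE1
interface FastEthernet0/3
 authentication port-control auto
 authentication fallback WEB-AUTH
ip http server
ip access-list extended DEFAULT-ACCESS
 permit tcp any any eq www
"""

def lint_webauth(config):
    """Return findings (hypothetical labels) for a web-auth fallback config."""
    lines = [l.strip() for l in config.splitlines() if l.strip() not in ("", "!")]
    findings = []

    def defined(pattern):
        return any(re.fullmatch(pattern, l) for l in lines)

    login = next((l for l in lines
                  if l.startswith("aaa authentication login default ")), None)
    # The change suggested in the thread: the default login list should use RADIUS.
    if login is None or "group radius" not in login:
        findings.append("login-default-not-radius")
    # 'none' as the last method means no authentication is performed
    # when the methods before it return an error.
    if login and login.split()[-1] == "none":
        findings.append("login-default-ends-in-none")
    # Line present in the posted config; flagged here if it is missing.
    if not defined(r"aaa authorization auth-proxy default .*group radius.*"):
        findings.append("no-auth-proxy-authorization")
    # Every referenced profile, admission rule and ACL must exist.
    checks = [(r"authentication fallback (\S+)", "fallback profile {}", "fallback-profile"),
              (r"ip admission (?!name )(\S+)", "ip admission name {} .*", "admission-rule"),
              (r"ip access-group (\S+) in", "ip access-list extended {}", "acl")]
    for l in lines:
        for ref, definition, label in checks:
            m = re.fullmatch(ref, l)
            if m and not defined(definition.format(re.escape(m.group(1)))):
                findings.append(f"undefined-{label}:{m.group(1)}")
    return findings
```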