Jose,
Looking again at your config, a couple of issues spotted now:
1. As you have turned dot1x on on the switch port, you will have to enable
"aaa authentication dot1x". This is because you have enabled WebAuth in this
case as a fall back method and NOT standalone. Please add these 2 lines:
aaa authentication dot1x default group radius
aaa authorization network default group radius
2. Can you please make one more change to the ACE for www (permit tcp any
any eq www). This is because you don't have to allow www traffic through the
Port ACL for WebAuth to be triggered. What actually happens is the switch
makes an entry on the TCAM to redirect all incoming http traffic. Anyway,
your ACL would look like this:
ip access-list extended DEFAULT-ACCESS
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
deny ip any any
Also, when the PC is ready to authenticate, can you provide output for the
following commands:
show authentication sess
show authentication sess int gx/x
show ip admission cache
show ip access-list
Pretty confident it would work now.
Thanks,
Sadiq
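A quick way to check a switch config for the prerequisites this thread converges on, as an added example (not part of the original thread; `parse_blocks` and `check_webauth_config` are hypothetical helpers, and the sample config is a constructed excerpt of the one posted below):

```python
# Added example (not from the thread): lint a Cisco IOS config for the
# WebAuth-fallback prerequisites the replies in this thread converge on.

# Constructed sample: the relevant parts of the config posted in the thread.
SAMPLE_CONFIG = """\
aaa authentication login default local none
aaa authorization auth-proxy default group radius
fallback profile WEB-AUTH
 ip access-group DEFAULT-ACCESS in
 ip admission RULE1
ip access-list extended DEFAULT-ACCESS
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq www
 permit icmp any any
 deny ip any any
"""

# AAA methods the thread says a dot1x port with WebAuth fallback needs, all via RADIUS.
REQUIRED = ("aaa authentication dot1x", "aaa authorization network",
            "aaa authentication login")

def parse_blocks(config):
    # Group indented child lines under their parent command (IOS running-config style).
    blocks, parent = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            blocks.setdefault(parent, []).append(line.strip())
        else:
            parent = line.strip()
            blocks.setdefault(parent, [])
    return blocks

def check_webauth_config(config):
    """Return findings as strings; an empty list means the prerequisites are met."""
    blocks = parse_blocks(config)
    profiles = [p for p in blocks if p.startswith("fallback profile ")]
    if not profiles:
        return []  # no WebAuth fallback profile defined: nothing to check
    findings = ["missing: " + p + " default group radius" for p in REQUIRED
                if not any(c.startswith(p) and "group radius" in c for c in blocks)]
    for profile in profiles:
        for acl in (c.split()[2] for c in blocks[profile] if c.startswith("ip access-group ")):
            entries = blocks.get("ip access-list extended " + acl, [])
            if any(e.startswith("permit tcp") and e.endswith(" eq www") for e in entries):
                findings.append(acl + ": 'permit tcp any any eq www' is not needed, the switch redirects HTTP itself")
    return findings
```

Run against the posted config it reports the three missing AAA lines and the unnecessary www permit; once the lines from this thread are applied it reports nothing.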
On Thu, Aug 27, 2009 at 8:29 AM, Jose A. Arnau Alvarez
<jaral18_at_hotmail.com> wrote:
> Hi guys,
>
> Thanks a lot for your help. I have tried the commands that you said, but the Web
> Auth still does not work. I don't know what the reason is, because the web page is
> not displayed. I will try with another switch platform.
>
> Kind regards.
>
> -----------------------------------
> -----------------------------------
> Jose A. Arnau Alvarez
> CCIE #23051 R&S
> -----------------------------------
> -----------------------------------
>
>
> > From: jainknitin_at_gmail.com
> > To: sadiqtanko_at_gmail.com; jaral18_at_hotmail.com
> > CC: ccielab_at_groupstudy.com
> > Subject: RE: 802.1x Web Authentication
> > Date: Thu, 27 Aug 2009 01:22:56 +0400
>
> >
> > Jose,
> >
> > You need to enable aaa authorization as well for network
> >
> >
> > aaa authorization network default group radius
> >
> >
> > "Every Impossible says - I M Possible."
> >
> > ----Nitin
> >
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Sadiq Yakasai
> > Sent: Wednesday, August 26, 2009 9:12 PM
> > To: Jose A. Arnau Alvarez
> > Cc: Grupo de Estudio CCIE
> > Subject: Re: 802.1x Web Authentication
> >
> > Jose,
> >
> > Can you change the login authentication method to radius? I think this is
> > your culprit there:
> >
> >
> > aaa authentication login default local none
> >
> > change to:
> >
> > aaa authentication login default group radius
> >
> > HTH,
> > Sadiq
> >
> > On Wed, Aug 26, 2009 at 5:28 PM, Jose A. Arnau Alvarez
> > <jaral18_at_hotmail.com> wrote:
> >
> > > Hi guys,
> > >
> > > I have a problem with the configuration of Web Authentication over a 3560
> > > switch with c3560-ipbasek9-mz.122-50.SE3.bin image. The Cisco ACS server is
> > > running 4.2 version with the latest patches applied.
> > >
> > > This is my topology:
> > >
> > > PC------Switch------ACS
> > >
> > > I would like that when a user connects to a wired port in the network he needs
> > > to authenticate through a Web page before he can access the network.
> > > Actually when a user connects to the switch, he gets an IP address but when
> > > he opens a web browser the login page is not displayed. I am in a lab
> > > environment and I can do tests.
> > >
> > > This is the config applied to the switch:
> > >
> > > aaa new-model
> > > !
> > > !
> > > aaa authentication login default local none
> > > aaa authentication enable default enable none
> > > aaa authorization auth-proxy default group radius
> > > !
> > > !
> > > ip device tracking
> > > ip admission name RULE1 proxy http inactivity-time 60
> > > !
> > > !
> > > dot1x system-auth-control
> > > !
> > > !
> > > !
> > > !
> > > !
> > > !
> > > fallback profile WEB-AUTH
> > > ip access-group DEFAULT-ACCESS in
> > > ip admission RULE1
> > > !
> > > interface FastEthernet0/3
> > > description Dot1x Demo with MAB and Web-Auth
> > > switchport access vlan 151
> > > switchport mode access
> > > switchport voice vlan 152
> > > authentication port-control auto
> > > authentication fallback WEB-AUTH
> > > mab
> > > dot1x pae authenticator
> > > dot1x timeout tx-period 10
> > > dot1x max-req 3
> > > spanning-tree portfast
> > > !
> > > ip http server
> > > ip http secure-server
> > > !
> > > ip access-list extended DEFAULT-ACCESS
> > > remark Allow DHCP
> > > permit udp any eq bootpc any eq bootps
> > > remark Allow DNS
> > > permit udp any any eq domain
> > > remark Allow HTTP
> > > permit tcp any any eq www
> > > remark Allow ICMP for test purposes
> > > permit icmp any any
> > > remark Implicit Deny
> > > deny ip any any
> > > !
> > > ip radius source-interface Vlan99
> > > radius-server attribute 8 include-in-access-req
> > > radius-server host 192.168.200.68 auth-port 1645 acct-port 1646 key
> > > sothis2009
> > > radius-server key XXXXXX
> > > radius-server vsa send authentication
> > >
> > > Does somebody have any idea?
> > >
> > > Thanks in advance and kind regards.
> > >
> > > -----------------------------------
> > > -----------------------------------
> > > Jose A. Arnau Alvarez
> > > CCIE #23051 R&S
> > > -----------------------------------
> > > -----------------------------------
> > >
> > >
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > CCIE #19963
--
CCIE #19963

Received on Thu Aug 27 2009 - 13:17:19 ART
This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART