RE: 802.1x Web Authentication

From: Jose A. Arnau Alvarez <jaral18_at_hotmail.com>
Date: Fri, 28 Aug 2009 19:35:09 +0000

Hi,

I already solved the problem. The main point is that the av-pairs were in an
incorrect format in the ACS config for this group.

For general knowledge: when you configure ip admission, you need to send two
av-pairs, priv-lvl and proxyacl. I was sending them, but I had made a mistake and
forgot to put "auth-proxy:" before them. This is the correct format:

auth-proxy:priv-lvl=15
auth-proxy:proxyacl#1=permit icmp any any

Thanks again and kind regards.

-----------------------------------
-----------------------------------
Jose A. Arnau Alvarez
CCIE #23051 R&S
-----------------------------------
-----------------------------------
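As an added illustration that is not part of the thread: a small Python checker for the cisco-avpair strings an ACS group returns for ip admission. It parses each av-pair and flags the exact mistake described above, a priv-lvl or proxyacl pair sent without the "auth-proxy:" prefix. The function names and the permit-only check are my own assumptions, not Cisco's.

```python
import re

# A cisco-avpair value has the shape "[prefix:]key[#n]=value"; for ip admission
# the switch expects auth-proxy:priv-lvl=15 and auth-proxy:proxyacl#n=<ace>.
AVPAIR_RE = re.compile(
    r"^(?:(?P<prefix>[a-z0-9-]+):)?(?P<key>[a-z-]+)(?:#(?P<idx>\d+))?=(?P<value>.+)$"
)

def parse_avpair(text):
    """Split one av-pair into (prefix, key, index, value); prefix/index may be None."""
    m = AVPAIR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a key=value av-pair: {text!r}")
    idx = int(m.group("idx")) if m.group("idx") is not None else None
    return m.group("prefix"), m.group("key"), idx, m.group("value")

def check_auth_proxy_avpairs(avpairs):
    """Return the list of problems found; an empty list means the set is usable."""
    problems = []
    saw_priv_lvl = False
    acl_entries = 0
    for text in avpairs:
        try:
            prefix, key, idx, value = parse_avpair(text)
        except ValueError as err:
            problems.append(str(err))
            continue
        if prefix != "auth-proxy":
            # The mistake from the thread: pairs without the prefix are not applied.
            problems.append(f"missing or wrong 'auth-proxy:' prefix: {text!r}")
        elif key == "priv-lvl":
            saw_priv_lvl = True
            if value != "15":
                problems.append(f"priv-lvl must be 15, got {value!r}")
        elif key == "proxyacl":
            if idx is None:
                problems.append(f"proxyacl needs an entry number (#1, #2, ...): {text!r}")
            elif not value.startswith("permit "):
                # Assumption: only permit ACEs are expected, as in the working example.
                problems.append(f"proxyacl#{idx} is not a permit entry: {value!r}")
            else:
                acl_entries += 1
        else:
            problems.append(f"unknown auth-proxy attribute {key!r}")
    if not saw_priv_lvl:
        problems.append("auth-proxy:priv-lvl=15 is missing")
    if acl_entries == 0:
        problems.append("no usable auth-proxy:proxyacl#n entry")
    return problems
```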

> Date: Thu, 27 Aug 2009 13:17:19 +0100
> Subject: Re: 802.1x Web Authentication
> From: sadiqtanko_at_gmail.com
> To: jaral18_at_hotmail.com
> CC: jainknitin_at_gmail.com; ccielab_at_groupstudy.com
>
> Jose,
>
> Looking again at your config, a couple of issues spotted now:
>
> 1. As you have turned dot1x on on the switch port, you will have to enable
> "aaa authentication dot1x". This is because you have enabled WebAuth in this
> case as a fall back method and NOT standalone. Please add these 2 lines:
>
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
>
> 2. Can you please make one more change to the ACE for www (permit tcp any
> any eq www). This is because you don't have to allow www traffic through the
> Port ACL for WebAuth to be triggered. What actually happens is the switch
> makes an entry on the TCAM to redirect all incoming http traffic. Anyway,
> your ACL would look like this:
>
> ip access-list extended DEFAULT-ACCESS
> permit udp any eq bootpc any eq bootps
> permit udp any any eq domain
> permit icmp any any
> deny ip any any
>
> Also, when the PC is ready to authenticate, can you provide output for the
> following commands:
>
> show authentication sess
> show authentication sess int gx/x
> show ip admission cache
> show ip access-list
>
> Pretty confident it would work now.
>
> Thanks,
> Sadiq
>
> On Thu, Aug 27, 2009 at 8:29 AM, Jose A. Arnau Alvarez
> <jaral18_at_hotmail.com>wrote:
>
> > Hi guys,
> >
> > Thanks a lot for your help. I have tried the commands that you say, but the
> > Web Auth still does not work. I don't know what the reason is that the web page
> > is not displayed. I will try with another switch platform.
> >
> > Kind regards.
> >
> > -----------------------------------
> > -----------------------------------
> > Jose A. Arnau Alvarez
> > CCIE #23051 R&S
> > -----------------------------------
> > -----------------------------------
> >
> >
> > > From: jainknitin_at_gmail.com
> > > To: sadiqtanko_at_gmail.com; jaral18_at_hotmail.com
> > > CC: ccielab_at_groupstudy.com
> > > Subject: RE: 802.1x Web Authentication
> > > Date: Thu, 27 Aug 2009 01:22:56 +0400
> >
> > >
> > > Jose,
> > >
> > > You need to enable aaa authorization as well for network
> > >
> > >
> > > Aaa authorization network default group radius
> > >
> > >
> > > "Every Impossible says - I M Possible."
> > >
> > > ----Nitin
> > >
> > >
> > > -----Original Message-----
> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > > Sadiq Yakasai
> > > Sent: Wednesday, August 26, 2009 9:12 PM
> > > To: Jose A. Arnau Alvarez
> > > Cc: Grupo de Estudio CCIE
> > > Subject: Re: 802.1x Web Authentication
> > >
> > > Jose,
> > >
> > > Can you change the login authentication method to radius? I think this is
> > > your culprit there:
> > >
> > >
> > > aaa authentication login default local none
> > >
> > > change to:
> > >
> > > aaa authentication login default group radius
> > >
> > > HTH,
> > > Sadiq
> > >
> > > On Wed, Aug 26, 2009 at 5:28 PM, Jose A. Arnau Alvarez
> > > <jaral18_at_hotmail.com>wrote:
> > >
> > > > Hi guys,
> > > >
> > > > I have a problem with the configuration of Web Authentication over a 3560
> > > > switch with c3560-ipbasek9-mz.122-50.SE3.bin image. The Cisco ACS server is
> > > > running version 4.2 with the latest patches applied.
> > > >
> > > > This is my topology:
> > > >
> > > > PC------Switch------ACS
> > > >
> > > > I would like that when a user connects to a wired port in the network he
> > > > needs to authenticate through a Web page before he can access the network.
> > > > Actually, when a user connects to the switch, he takes an IP address but when
> > > > he opens a web browser the login page is not displayed. I am in a lab
> > > > environment and I can do tests.
> > > >
> > > > This is the config applied to the switch:
> > > >
> > > > aaa new-model
> > > > !
> > > > !
> > > > aaa authentication login default local none
> > > > aaa authentication enable default enable none
> > > > aaa authorization auth-proxy default group radius
> > > > !
> > > > !
> > > > ip device tracking
> > > > ip admission name RULE1 proxy http inactivity-time 60
> > > > !
> > > > !
> > > > dot1x system-auth-control
> > > > !
> > > > !
> > > > !
> > > > !
> > > > !
> > > > !
> > > > fallback profile WEB-AUTH
> > > > ip access-group DEFAULT-ACCESS in
> > > > ip admission RULE1
> > > > !
> > > > interface FastEthernet0/3
> > > > description Dot1x Demo with MAB and Web-Auth
> > > > switchport access vlan 151
> > > > switchport mode access
> > > > switchport voice vlan 152
> > > > authentication port-control auto
> > > > authentication fallback WEB-AUTH
> > > > mab
> > > > dot1x pae authenticator
> > > > dot1x timeout tx-period 10
> > > > dot1x max-req 3
> > > > spanning-tree portfast
> > > > !
> > > > ip http server
> > > > ip http secure-server
> > > > !
> > > > ip access-list extended DEFAULT-ACCESS
> > > > remark Allow DHCP
> > > > permit udp any eq bootpc any eq bootps
> > > > remark Allow DNS
> > > > permit udp any any eq domain
> > > > remark Allow HTTP
> > > > permit tcp any any eq www
> > > > remark Allow ICMP for test purposes
> > > > permit icmp any any
> > > > remark Implicit Deny
> > > > deny ip any any
> > > > !
> > > > ip radius source-interface Vlan99
> > > > radius-server attribute 8 include-in-access-req
> > > > radius-server host 192.168.200.68 auth-port 1645 acct-port 1646 key sothis2009
> > > > radius-server key XXXXXX
> > > > radius-server vsa send authentication
> > > >
> > > > Does somebody have any idea?
> > > >
> > > > Thanks in advance and kind regards.
> > > >
> > > > -----------------------------------
> > > > -----------------------------------
> > > > Jose A. Arnau Alvarez
> > > > CCIE #23051 R&S
> > > > -----------------------------------
> > > > -----------------------------------
> > > >
Received on Fri Aug 28 2009 - 19:35:09 ART