web auth on 3560

From: Usama Pervaiz <chaudri_at_gmail.com>
Date: Mon, 12 Apr 2010 10:03:04 -0400

Hello all,

I am trying a test config of web auth on a 3560. We have an ACS server
version 4.2 running TACACS+ for authenticating all of our access to
the switches and routers. I have not configured dot1x as the timeout
for non-dot1x hosts is unacceptable (approximately 90 sec by default).
So I am using web auth as my main authorization. Following is the
config on the switch I am testing on.

aaa new-model
!
aaa authentication login whatever group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa authorization auth-proxy default group tacacs+ local
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 8 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
ip dhcp snooping
ip device tracking
ip auth-proxy proxy http success redirect http://www.xxxxxxxx
ip admission proxy http success redirect http://www.xxxxxxxxx
ip admission name WEBAUTH proxy http inactivity-time 60
!
interface GigabitEthernet0/33
 switchport access vlan 10
 switchport mode access
 ip access-group PRE-WEBAUTH in
 authentication order webauth
 no mdix auto
 storm-control unicast level pps 10k 9.5k
 storm-control action trap
 ip admission WEBAUTH
!
ip access-list extended PRE-WEBAUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 deny ip any any
!
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxx

With this config the authentication prompt displays, but when I put my
credentials in I get a login failure. I think my config on the switch
is correct, but I have no idea about the config on the TACACS+ side. All the
documentation out there is for RADIUS. I must confess I do not have
any exposure to the ACS environment. I know the basic differences between
TACACS and RADIUS but not enough to figure this out. Any help or
reference to any documentation for web auth with TACACS would be
greatly appreciated!

Thanks,
Usama

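A small config audit, added here as an example and not part of the post above or of any Cisco tool: it parses the switch config quoted in the message and flags the prerequisites for IOS web authentication that a reviewer would check first (an admission rule referenced on an interface but never defined, a pre-auth ACL that blocks DHCP or DNS, a missing auth-proxy authorization list). The check that a `default` login method list must exist is this script's assumption about how IOS web auth picks its AAA list; the other checks only test the quoted config for internal consistency.

```python
import re

# Constructed excerpt of the config quoted in the post, audited as text.
CONFIG = """\
aaa authentication login whatever group tacacs+ local
aaa authorization auth-proxy default group tacacs+ local
ip admission name WEBAUTH proxy http inactivity-time 60
interface GigabitEthernet0/33
 ip access-group PRE-WEBAUTH in
 ip admission WEBAUTH
ip access-list extended PRE-WEBAUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 deny ip any any
"""

def parse_blocks(config):
    # Group indented lines under the top-level command that owns them.
    blocks, parent = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" "):
            blocks.setdefault(parent, []).append(line.strip())
        else:
            parent = line.rstrip()
            blocks.setdefault(parent, [])
    return blocks

def audit_webauth(config):
    # Return a list of findings; an empty list means nothing obvious is wrong.
    blocks = parse_blocks(config)
    findings = []
    rules = {b.split()[3] for b in blocks if b.startswith("ip admission name ")}
    logins = {b.split()[3] for b in blocks if b.startswith("aaa authentication login ")}
    if "default" not in logins:  # assumption: web auth consults the default login list
        findings.append("no 'aaa authentication login default' method list")
    if not any(b.startswith("aaa authorization auth-proxy default") for b in blocks):
        findings.append("missing 'aaa authorization auth-proxy default'")
    for name, body in blocks.items():
        if not name.startswith("interface "):
            continue
        for cmd in body:
            m = re.fullmatch(r"ip admission (\S+)", cmd)
            if m and m.group(1) not in rules:
                findings.append(f"{name}: admission rule {m.group(1)} is not defined")
            m = re.fullmatch(r"ip access-group (\S+) in", cmd)
            if m:  # DHCP and DNS must be permitted before the final deny
                acl = blocks.get(f"ip access-list extended {m.group(1)}", [])
                permits = " ".join(acl).partition("deny ip any any")[0]
                for svc in ("bootps", "domain"):
                    if f"eq {svc}" not in permits:
                        findings.append(f"{name}: pre-auth ACL {m.group(1)} does not permit {svc}")
    return findings
```

Run against the quoted config it reports only the missing `default` login list; dropping the bootps permit or pointing the interface at an undefined admission rule produces the corresponding finding.
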
Blogs and organic groups at http://www.ccie.net
Received on Mon Apr 12 2010 - 10:03:04 ART