Hi Usama,
This is what I know for certain: dot1x does NOT work with TACACS, neither
does WebAuth as a fallback to dot1x (for obvious reasons). Now, what I don't
know for a fact is if "standalone WebAuth" works with TACACS. I have certainly
never seen this configured with TACACS anyway, much less seen it working.
What do the logs on ACS say? Any AAA debugs on the switch to share?
I know if you have the config with RADIUS, it should work well - configured
and tested several times.
Let us know how you get on please.
Thanks,
Sadiq
On Mon, Apr 12, 2010 at 3:03 PM, Usama Pervaiz <chaudri_at_gmail.com> wrote:
> Hello all,
>
> I am trying a test config of web auth on a 3560. We have an ACS server
> version 4.2 running TACACS+ for authenticating all of our access to
> the switches and routers. I have not configured dot1x as the timeout
> for non-dot1x hosts is unacceptable (approximately 90 sec by default).
> So I am using web auth as my main authorization. Following is the
> config on the switch I am testing on.
>
> aaa new-model
> !
> aaa authentication login whatever group tacacs+ local
> aaa authorization exec default group tacacs+ local
> aaa authorization commands 15 default group tacacs+ none
> aaa authorization auth-proxy default group tacacs+ local
> aaa accounting commands 7 default start-stop group tacacs+
> aaa accounting commands 8 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting system default start-stop group tacacs+
> !
> ip dhcp snooping
> ip device tracking
> ip auth-proxy proxy http success redirect http://www.xxxxxxxx
> ip admission proxy http success redirect http://www.xxxxxxxxx
> ip admission name WEBAUTH proxy http inactivity-time 60
> !
> interface GigabitEthernet0/33
> switchport access vlan 10
> switchport mode access
> ip access-group PRE-WEBAUTH in
> authentication order webauth
> no mdix auto
> storm-control unicast level pps 10k 9.5k
> storm-control action trap
> ip admission WEBAUTH
> !
> ip access-list extended PRE-WEBAUTH
> permit udp any any eq bootps
> permit udp any any eq domain
> deny ip any any
> !
> tacacs-server host x.x.x.x
> tacacs-server host x.x.x.x
> tacacs-server directed-request
> tacacs-server key 7 xxxxxxxxx
>
> With this config the authentication prompt displays but when I put my
> credentials in I get a login failure. I think my config on the switch
> is correct but I have no idea about the config on the TACACS+ side. All the
> documentation out there is for RADIUS. I must confess I do not have
> any exposure to the ACS environment. I know the basic differences between
> TACACS and RADIUS but not enough to figure this out. Any help or
> reference to any documentation for web auth with TACACS would be
> greatly appreciated!
>
> Thanks,
> Usama
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
--
CCIE #19963
Blogs and organic groups at http://www.ccie.net

Received on Mon Apr 12 2010 - 15:28:20 ART
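The thread boils down to "which AAA method lists does web auth actually consult, and where do they point?" The script below is an added example, not code from Usama, Sadiq or Cisco. It parses the `aaa ...` lines of an IOS config (the posted one is embedded verbatim, a RADIUS variant is constructed for comparison) and reports, per method list, which backend each one uses. Two checks are layered on top, both stated as assumptions: that `ip admission` (web auth) authenticates against the `default` login list, which the posted config does not define (only the named list `whatever` exists), and that auth-proxy authorization is expected to point at RADIUS, which is the only setup Sadiq reports as tested. The checks do not touch the switch or ACS; they only make the AAA side visible before chasing server-side logs.

```python
"""Report which backend each Cisco IOS AAA method list uses and flag the
two web-auth related gaps discussed in the thread (added example; the
"default login list" and "RADIUS for auth-proxy" expectations are assumptions)."""
import re
from typing import Dict, List, Optional, Tuple

# Key of one method list: (kind, service, privilege level or None, list name)
ListKey = Tuple[str, str, Optional[str], str]

AAA_LINE = re.compile(
    r"^\s*aaa\s+(?P<kind>authentication|authorization|accounting)\s+"
    r"(?P<service>\S+)\s+(?:(?P<level>\d+)\s+)?(?P<name>\S+)\s+(?P<methods>.+?)\s*$"
)

# Accounting lists start with a record type, not a backend.
ACCOUNTING_RECORD_TYPES = {"start-stop", "stop-only", "none", "wait-start"}
# Methods that are not server groups.
LOCAL_METHODS = {"local", "none", "enable", "line", "local-case"}

# Copied from the list post (only the aaa lines matter to the parser).
POSTED_AAA = """
aaa new-model
aaa authentication login whatever group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ none
aaa authorization auth-proxy default group tacacs+ local
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 8 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
"""

# Constructed RADIUS variant for comparison; not a config from the thread.
RADIUS_AAA = """
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
"""


def parse_methods(kind: str, text: str) -> List[str]:
    """Turn 'start-stop group tacacs+ local' into ['tacacs+', 'local']."""
    tokens = text.split()
    if kind == "accounting" and tokens and tokens[0] in ACCOUNTING_RECORD_TYPES:
        tokens = tokens[1:]  # drop the record type, keep the backends
    methods: List[str] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(tokens[i + 1])  # server group: tacacs+, radius, or a named group
            i += 2
        else:
            methods.append(tokens[i])  # local, none, enable, line ...
            i += 1
    return methods


def parse_aaa(config: str) -> Dict[ListKey, List[str]]:
    """Collect every aaa method list in the config, keyed by (kind, service, level, name)."""
    lists: Dict[ListKey, List[str]] = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.lstrip("> "))  # tolerate mail quoting when pasted from a post
        if m:
            key: ListKey = (m["kind"], m["service"], m["level"], m["name"])
            lists[key] = parse_methods(m["kind"], m["methods"])
    return lists


def backends_of(methods: List[str]) -> List[str]:
    """Server groups only, without local fallbacks."""
    return [m for m in methods if m not in LOCAL_METHODS]


def lint_webauth_aaa(lists: Dict[ListKey, List[str]]) -> List[str]:
    """Return human-readable findings for the two assumed web-auth requirements."""
    findings: List[str] = []
    login = lists.get(("authentication", "login", None, "default"))
    if login is None:
        named = [k[3] for k in lists if k[0] == "authentication" and k[1] == "login"]
        findings.append(
            "no 'aaa authentication login default' list (found: %s); "
            "ip admission is assumed to use the default login list"
            % (", ".join(named) or "none")
        )
    proxy = lists.get(("authorization", "auth-proxy", None, "default"))
    if proxy is None:
        findings.append("no 'aaa authorization auth-proxy default' list")
    elif "radius" not in backends_of(proxy):
        findings.append(
            "auth-proxy authorization goes to %s; the only setup reported as "
            "tested in the thread uses RADIUS" % ", ".join(backends_of(proxy))
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_AAA), ("radius variant", RADIUS_AAA)):
        lists = parse_aaa(cfg)
        print(f"== {label} ==")
        for key, methods in lists.items():
            print(f"  {key[0]} {key[1]} {key[2] or ''} {key[3]}: {methods}")
        for f in lint_webauth_aaa(lists):
            print("  FINDING:", f)
```

Run as-is, the posted config produces two findings (no default login list, auth-proxy pointing at tacacs+) and the constructed RADIUS variant produces none; the parser itself stays neutral about TACACS+ and simply shows what each list resolves to.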
This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:57 ART