All,
I have found somewhat of a resolution to this issue. I have however
run into a snag. When I have DHCP snooping I get de-authed after about
half the lease time. Following is my config:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
!
ip dhcp snooping vlan xxx
no ip dhcp snooping information option
ip dhcp snooping
ip device tracking
ip auth-proxy watch-list enable
ip auth-proxy watch-list expiry-time 1
ip auth-proxy proxy http login expired page file flash:expired.html
ip auth-proxy proxy http login page file flash:webAuthTest1.html
ip auth-proxy proxy http success page file flash:success.html
ip auth-proxy proxy http failure page file flash:failed.html
ip auth-proxy auth-proxy-audit
ip admission source-interface Vlanyyy
ip admission watch-list enable
ip admission watch-list expiry-time 1
ip admission proxy http login expired page file flash:expired.html
ip admission proxy http login page file flash:webAuthTest1.html
ip admission proxy http success page file flash:success.html
ip admission proxy http failure page file flash:failed.html
ip admission auth-proxy-audit
ip admission name WEBAUTH proxy http inactivity-time 60 list 101
!
!
interface GigabitEthernet0/1
switchport access vlan XXX
switchport mode access
ip access-group 102 in
authentication order webauth
authentication priority webauth
no mdix auto
storm-control unicast level pps 10k 9.5k
storm-control action trap
spanning-tree portfast
ip admission WEBAUTH
!
interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
auto qos voip trust
ip dhcp snooping trust
!
ip http server
!
access-list 101 deny ip any host Z.Z.Z.Z log    <---- another http server with all images
access-list 101 deny tcp any host Z.Z.Z.Z log
access-list 101 deny udp any host Z.Z.Z.Z log
access-list 101 permit ip any any
access-list 102 permit udp any any eq bootps
access-list 102 permit udp any any eq domain
I cannot for the life of me figure out why dhcp snooping would be
killing my web auth session. Following is the debug from dhcp snooping
and ip admission:
May 21 11:06:05.050: DHCP_SNOOPING: checking expired snoop binding entries
May 21 11:07:40.052: DHCP_SNOOPING: add binding on port GigabitEthernet0/1.
May 21 11:07:40.052: DHCP_SNOOPING: dhcp binding entry already exists, update binding lease time to (900) seconds
May 21 11:07:40.052: DHCP_SNOOPING_SW no entry found for my.machine.mac 0.0.0.xxx GigabitEthernet0/1
May 21 11:07:40.052: DHCP_SNOOPING_SW host tracking not found for update add dynamic (my.machine.ip, 0.0.0.0, my.machine.mac) vlan xxx
May 21 11:07:40.052: AUTH_PROXY: Acct Stop event:unique-id=615
1w3d: %AP-6-AUTH_PROXY_AUDIT_STOP: initiator (my.machine.ip) send 4 packets 840 bytes; duration time 1w3d| AUDITSESSID=0A00002400000228376E77FF
May 21 11:07:40.052: ip_admission_det:my.machine.mac(my.machine.ip): Activate session creation
May 21 11:07:40.052: AUTH-PROXY:NAS-Port details sent to AAA slot/adapter/port_ext = 0/0/0
Any and all help is appreciated!
Thanks.
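An added example, not part of this thread or of anyone's switch config: a small Python checker that walks the DHCP snooping and ip admission debug output above and correlates each AUTH_PROXY Acct Stop with the snooping binding update that precedes it, so the tear-down can be tied to the client's T1 renewal (half of the 900 s lease). The sample lines are constructed from the post, with its placeholders kept; the time window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the debug output in the post (placeholders kept).
SAMPLE_DEBUG = """\
May 21 11:06:05.050: DHCP_SNOOPING: checking expired snoop binding entries
May 21 11:07:40.052: DHCP_SNOOPING: add binding on port GigabitEthernet0/1.
May 21 11:07:40.052: DHCP_SNOOPING: dhcp binding entry already exists, update binding lease time to (900) seconds
May 21 11:07:40.052: DHCP_SNOOPING_SW host tracking not found for update add dynamic (my.machine.ip, 0.0.0.0, my.machine.mac) vlan xxx
May 21 11:07:40.052: AUTH_PROXY: Acct Stop event:unique-id=615
May 21 11:07:40.052: ip_admission_det:my.machine.mac(my.machine.ip): Activate session creation
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\.\d+: (.*)$")
LEASE_RE = re.compile(r"lease time to \((\d+)\) seconds")


def parse_events(text, year=2010):
    """Split IOS debug lines into (timestamp, message); untimestamped lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events


def correlate_dhcp_with_authproxy(text, window_s=5):
    """Report each auth-proxy Acct Stop that follows a snooping binding update or
    device-tracking miss within window_s seconds (assumed window), plus the lease
    and the T1 renewal interval (lease/2) at which the client re-requests."""
    lease, last_dhcp, findings = None, None, []
    for ts, msg in parse_events(text):
        lm = LEASE_RE.search(msg)
        if lm:
            lease = int(lm.group(1))
        if msg.startswith("DHCP_SNOOPING") and (
            "update binding" in msg or "host tracking not found" in msg
        ):
            last_dhcp = (ts, msg)
        elif "AUTH_PROXY: Acct Stop" in msg and last_dhcp is not None:
            delta = (ts - last_dhcp[0]).total_seconds()
            if delta <= window_s:
                findings.append({"stop_at": ts, "after_dhcp_s": delta, "trigger": last_dhcp[1]})
    return {"lease_s": lease, "expected_renew_s": lease // 2 if lease else None, "findings": findings}


if __name__ == "__main__":
    for f in correlate_dhcp_with_authproxy(SAMPLE_DEBUG)["findings"]:
        print(f"{f['stop_at']}: Acct Stop {f['after_dhcp_s']}s after: {f['trigger']}")
```

A finding whose trigger is the "host tracking not found" line, arriving at roughly lease/2 after the previous binding, points at the renewal being treated as a new host rather than at the web-auth inactivity timer.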
On Tue, Apr 13, 2010 at 2:45 PM, Usama Pervaiz <chaudri_at_gmail.com> wrote:
> Hello guys,
>
> following are the logs i get from the TACACS access control debugging:
>
> 02:30:39: TPLUS: Queuing AAA Authentication request 92 for processing
> 02:30:39: TPLUS: processing authentication start request id 92
> 02:30:39: TPLUS: Authentication start packet created for 92(myusername)
> 02:30:39: TPLUS: Using server x.x.x.x
> 02:30:39: TPLUS(0000005C)/0/NB_WAIT/42DA490: Started 5 sec timeout
> 02:30:39: TPLUS(0000005C)/0/NB_WAIT: socket event 2
> 02:30:39: TPLUS(0000005C)/0/NB_WAIT: wrote entire 46 bytes request
> 02:30:39: TPLUS(0000005C)/0/READ: socket event 1
> 02:30:39: TPLUS(0000005C)/0/READ: Would block while reading
> 02:30:40: TPLUS(0000005C)/0/READ: socket event 1
> 02:30:40: TPLUS(0000005C)/0/READ: read entire 12 header bytes (expect
> 16 bytes data)
> 02:30:40: TPLUS(0000005C)/0/READ: socket event 1
> 02:30:40: TPLUS(0000005C)/0/READ: read entire 28 bytes response
> 02:30:40: TPLUS(0000005C)/0/42DA490: Processing the reply packet
> 02:30:40: TPLUS: Received authen response status GET_PASSWORD (8)
> 02:31:33: TPLUS: Queuing AAA Authentication request 93 for processing
> 02:31:33: TPLUS: processing authentication start request id 93
>
> I am entering the username and password on the login screen but it
> seems like TACACS is not reading the info that the switch is sending to it
> properly. I get an Authentication failed! message and on the TACACS
> side under failed attempts under Message Type I see unknown NAS. Am I
> missing something on the TACACS side?
>
> Any and all help on this would be appreciated!
>
> Thanks
>
> On Mon, Apr 12, 2010 at 10:03 AM, Usama Pervaiz <chaudri_at_gmail.com> wrote:
>> Hello all,
>>
>> I am trying a test config of web auth on a 3560. We have a ACS server
>> version 4.2 running TACACS+ for authenticating all of our access to
>> the switches and routers. I have not configured dot1x as the time out
>> for non dot1x hosts is unacceptable (approximately 90sec by default).
>> So I am using web auth as my main authorization. Following is the
>> config on the switch I am testing on.
>>
>> aaa new-model
>> !
>> aaa authentication login whatever group tacacs+ local
>> aaa authorization exec default group tacacs+ local
>> aaa authorization commands 15 default group tacacs+ none
>> aaa authorization auth-proxy default group tacacs+ local
>> aaa accounting commands 7 default start-stop group tacacs+
>> aaa accounting commands 8 default start-stop group tacacs+
>> aaa accounting commands 15 default start-stop group tacacs+
>> aaa accounting system default start-stop group tacacs+
>> !
>> ip dhcp snooping
>> ip device tracking
>> ip auth-proxy proxy http success redirect http://www.xxxxxxxx
>> ip admission proxy http success redirect http://www.xxxxxxxxx
>> ip admission name WEBAUTH proxy http inactivity-time 60
>> !
>> interface GigabitEthernet0/33
>> switchport access vlan 10
>> switchport mode access
>> ip access-group PRE-WEBAUTH in
>> authentication order webauth
>> no mdix auto
>> storm-control unicast level pps 10k 9.5k
>> storm-control action trap
>> ip admission WEBAUTH
>> !
>> ip access-list extended PRE-WEBAUTH
>> permit udp any any eq bootps
>> permit udp any any eq domain
>> deny ip any any
>> !
>> tacacs-server host x.x.x.x
>> tacacs-server host x.x.x.x
>> tacacs-server directed-request
>> tacacs-server key 7 xxxxxxxxx
>>
>> With this config the authentication prompt displays but when I put my
>> credentials in I get a log in failure. I think my config on the switch
>> is correct but I have no idea of the config on the TACACS+ side. All the
>> documentation out there is for RADIUS. I must confess I do not have
>> any exposure to the ACS environment. I know the basic differences between
>> TACACS and RADIUS but not enough to figure this out. Any help or
>> reference to any documentation for web auth with TACACS would be
>> greatly appreciated!
>>
>> Thanks,
>> Usama
Received on Tue May 25 2010 - 11:16:20 ART