topic Re: C1111-8P and Web Authentication in Routing

C1111-8P and Web Authentication

leosoft — Sat, 12 Jun 2021 19:40:28 GMT

Hello guys,

The following config is working flawlessly in a C886VA but in a C1111-8P and IOS XE 16 (or even 17) I experiencing a very strange issue. My bridged interface (now BDI2) seems that is never executing the authentication commands (authentication order webauth, authentication fallback web_auth_profile). Does anyone run into a similar problem?

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local
aaa authorization auth-proxy default local
!
!
aaa attribute list auth_list
 attribute type priv-lvl 0
 attribute type user-maxlinks 7
 attribute type proxyacl "deny tcp any host 192.168.2.1 eq 80" service auth-proxy
 attribute type proxyacl "deny tcp any host 192.168.2.1 eq 443" service auth-proxy
 attribute type proxyacl "deny tcp any host 192.168.2.1 eq 22" service auth-proxy
 attribute type proxyacl "deny tcp any host 192.168.2.1 eq 23" service auth-proxy
 attribute type proxyacl "deny ip any 192.168.0.0 0.0.0.255" service auth-proxy
 attribute type proxyacl "deny ip any 192.168.1.0 0.0.0.255" service auth-proxy
 attribute type proxyacl "deny ip any 192.168.2.0 0.0.0.255" service auth-proxy
 attribute type proxyacl "permit ip any any" service auth-proxy
!
ip admission proxy http login expired page file flash:expired.htm
ip admission proxy http login page file flash:login.htm
ip admission proxy http success page file flash:success.htm
ip admission proxy http failure page file flash:fail.htm
ip admission init-state-time 5
ip admission inactivity-timer 120
ip admission name web_auth proxy http inactivity-time 120 list proxy_list
!
username guest aaa attribute list auth_list privilege 0 password 0 xxxxxxxxxxx
!
mac access-list extended MACDeniedVLAN2
 deny   host cccc.bbbb.aaaa any
 permit any any
!
fallback profile web_auth_profile
 ip access-group preauth_list in
 ip admission web_auth
!
interface GigabitEthernet0/1/0
switchport mode trunk
!
interface Vlan2
 no ip address
 no autostate
 service instance 2 ethernet
  encapsulation dot1q 2
  rewrite ingress tag pop 1 symmetric
  mac access-group MACDeniedVLAN2 in
  bridge-domain 2
!
interface BDI2
 device-tracking
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip mtu 1476
 ip nat inside
 zone-member security InsideGuests
 ip tcp adjust-mss 1436
 encapsulation dot1Q 2
 authentication order webauth
 authentication fallback web_auth_profile
 service-policy input guest-fw
 ip virtual-reassembly
!
ip access-list extended preauth_list
 10 permit udp any any range bootps bootpc
 20 permit udp any any eq domain
!
ip http server
ip http authentication aaa

Tried to debug :

debug ip admission all

debug authentication feature webauth all

But absolutely nothing came. As I said in the beginning looks like the authentication commands are ignored.

Thanks for your time,

Re: C1111-8P and Web Authentication

leosoft — Sun, 20 Jun 2021 09:02:24 GMT

Hello all,

In the following configuration guide regarding IOS XE (...17 probably;;;), i found a declaration that disappointed me:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-17/sec-usr-aaa-xe-17-book/sec-cfg-authentifcn.html

So if finally web authentication is not supported anymore, why all configuration commands are still there without giving you a message like so many other deprecated commands??? Web authentication is also able to be converted to the "new style" (c3pl) but in any case all related commands seems to be ignored while configuration is running.

Re: C1111-8P and Web Authentication

Richard Burts — Sun, 20 Jun 2021 18:17:09 GMT

Thanks for the update. I am glad that you found that explanation in the documentation. It is disappointing that a command that has been deprecated can be entered and not generate any kind of error/warning message.

Re: C1111-8P and Web Authentication

leosoft — Mon, 21 Jun 2021 09:50:12 GMT

Hello,

I really have no idea if this is an explanation. Because web authentication is not a simple command that it does not giving any error message. There are dozens of separate commands and at least two well known ways to build it (legacy and c3pl) and none of all those giving any error or warning message.

Re: C1111-8P and Web Authentication

leosoft — Mon, 21 Jun 2021 17:51:11 GMT

Hello again,

Finally seems that Cisco decided to cut the Web Authentication from IOS XE and all router platforms running it. I manage to search using "by feature" tool and unfortunately made sure that Web Authentication gone:

https://cfnng.cisco.com/browse/routing/products

To be honest I am really sad because I spent hundred of hours reading about IOS XE and of course money on hardware and license upgrade and now all goes to the garbage.

P/S: And now I also have to "Accept as Solution" my unpleasant finding :))))))