topic Re: Catalyst Web-Based Authentication in Network Access Control

Catalyst Web-Based Authentication

Ronni J — Mon, 11 Mar 2019 00:32:06 GMT

Hi there,

I am having problems getting this web-auth working and am hoping you guys can assist with a solution. It works for ssh/telnet, but not for proxy web auth.

This is the equipment:

Cisco 3750G with IOS 12.2(53)SE1

CiscoSecure ACS Appliance Release 4.1(1) Build 23 Patch 4

Windows 2003 R2 domain controller

Here the relevant config:

<snip>

aaa new-model
!
!
aaa authentication login default group tacacs+
aaa authentication login no_auth line
aaa authentication login use_tacacs group tacacs+ local
aaa authentication login console local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group radius none
aaa authorization auth-proxy default group tacacs+
aaa accounting exec default start-stop broadcast group tacacs+
aaa accounting commands 15 default start-stop broadcast group tacacs+
!
interface Vlan150
ip address 10.10.10.14 255.255.255.0
!
ip tacacs source-interface Vlan150
!
!
ip radius source-interface Vlan150
tacacs-server host 10.10.10.4 single-connection
tacacs-server directed-request
tacacs-server key 7 15270505307A21
radius-server attribute 8 include-in-access-req
radius-server dead-criteria tries 2
radius-server host 10.10.10.4 auth-port 1645 acct-port 1646
radius-server vsa send authentication

</snip>

..and in the log, I get this when trying to authenticate from the web auth page:

006514: Nov 1 12:08:24.307 CET: AAA/AUTHEN/LOGIN (0000059D): Pick method list 'default'
006515: Nov 1 12:08:24.307 CET: TPLUS: Queuing AAA Authentication request 1437 for processing
006516: Nov 1 12:08:24.307 CET: TPLUS: processing authentication start request id 1437
006517: Nov 1 12:08:24.307 CET: TPLUS: Authentication start packet created for 1437(roje)
006518: Nov 1 12:08:24.307 CET: TPLUS: Using server 10.10.10.4
006519: Nov 1 12:08:24.307 CET: TPLUS(0000059D)/0/NB_WAIT/475C16C: Started 5 sec timeout
006520: Nov 1 12:08:24.307 CET: TPLUS(0000059D)/0/NB_WAIT: wrote entire 43 bytes request
006521: Nov 1 12:08:24.315 CET: TPLUS(0000059D)/0/READ: read entire 12 header bytes (expect 16 bytes)
006522: Nov 1 12:08:24.315 CET: TPLUS(0000059D)/0/READ: read entire 28 bytes response
006523: Nov 1 12:08:24.315 CET: TPLUS(0000059D)/0/475C16C: Processing the reply packet
006524: Nov 1 12:08:24.315 CET: TPLUS: Received authen response status GET_PASSWORD (8)

And please do let me know if you need additional information or test to spot the error..

Thank you.

Re: Catalyst Web-Based Authentication

Ronni J — Mon, 01 Nov 2010 11:31:09 GMT

Sorry, totally forgot this part from the config:

ip device tracking
ip auth-proxy auth-proxy-banner http ^C TEST-SW01 ^C
ip auth-proxy max-login-attempts 10
ip auth-proxy proxy http success redirect http://www.mysite.com
ip auth-proxy auth-proxy-audit
ip admission auth-proxy-banner http ^C TEST-SW01 ^C
ip admission max-login-attempts 10
ip admission proxy http success redirect http://www.mysite.com
ip admission auth-proxy-audit
ip admission name webauth proxy http inactivity-time 60

Re: Catalyst Web-Based Authentication

Panos Kampanakis — Mon, 01 Nov 2010 14:22:42 GMT

I don't see the "ip http aaa ..." and "ip http server enable" configured.

Can you try it and let us know?

Re: Catalyst Web-Based Authentication

Ronni J — Mon, 01 Nov 2010 14:30:49 GMT

I do have "ip http server" already, sorry I left it out of the copy/paste. As fair as I (and IOS on that box) know, there's nothing called "ip http aaa..."?

When I open a browser on a test-pc that is connected to the port configured like this:

interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
ip admission webauth

...I get to the Web-Auth page with the user/pass web form just fine. However, when I type in the same user/pass as works with ssh/telnet, it says "authentication failed!"

That's the annoying part.. 😕

Re: Catalyst Web-Based Authentication

Panos Kampanakis — Mon, 01 Nov 2010 14:52:20 GMT

"ip http authentication aaa" will enforce the default aaa authentication for http also.

I hope it helps.

Re: Catalyst Web-Based Authentication

Ronni J — Tue, 02 Nov 2010 06:07:11 GMT

Thanks for the suggestion, but unfortunately it didn't help 😕 This is what I get in the log when trying to authenticate on the auth page:

006983: Nov 2 06:50:57.418 CET: AUTH-EVENT (Gi1/0/1) Link UP
006984: Nov 2 06:50:59.407 CET: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up
006985: Nov 2 06:51:00.413 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
006986: Nov 2 06:51:02.015 CET: AAA/BIND(000005CF): Bind i/f
006987: Nov 2 06:51:02.015 CET: AAA/AUTHEN/LOGIN (000005CF): Pick method list 'default'
006988: Nov 2 06:51:02.015 CET: TPLUS: Queuing AAA Authentication request 1487 for processing
006989: Nov 2 06:51:02.015 CET: TPLUS: processing authentication start request id 1487
006990: Nov 2 06:52:16.591 CET: AAA/AUTHEN/LOGIN (000005CF): Pick method list 'default'
006991: Nov 2 06:52:16.591 CET: TPLUS: Queuing AAA Authentication request 1487 for processing
006992: Nov 2 06:52:16.591 CET: TPLUS: processing authentication start request id 1487
006993: Nov 2 06:52:16.591 CET: TPLUS: Authentication start packet created for 1487(roje)
006994: Nov 2 06:52:16.591 CET: TPLUS: Using server 10.10.10.4
006995: Nov 2 06:52:16.591 CET: TPLUS(000005CF)/0/NB_WAIT/5B431B8: Started 5 sec timeout
006996: Nov 2 06:52:16.591 CET: TPLUS(000005CF)/0/NB_WAIT: wrote entire 43 bytes request
006997: Nov 2 06:52:16.742 CET: TPLUS(000005CF)/0/READ: read entire 12 header bytes (expect 16 bytes)
006998: Nov 2 06:52:16.742 CET: TPLUS(000005CF)/0/READ: read entire 28 bytes response
006999: Nov 2 06:52:16.742 CET: TPLUS(000005CF)/0/5B431B8: Processing the reply packet
007000: Nov 2 06:52:16.742 CET: TPLUS: Received authen response status GET_PASSWORD (8)
007001: Nov 2 06:53:07.100 CET: AAA/BIND(000005D0): Bind i/f
007002: Nov 2 06:53:07.100 CET: AAA/AUTHEN/LOGIN (000005D0): Pick method list 'default'
007003: Nov 2 06:53:07.100 CET: TPLUS: Queuing AAA Authentication request 1488 for processing
007004: Nov 2 06:53:07.100 CET: TPLUS: processing authentication start request id 1488

Any other ideas?

Best regards.

Re: Catalyst Web-Based Authentication

Panos Kampanakis — Tue, 02 Nov 2010 17:21:25 GMT

It doesn't seem the router is sending the password to the server or that the server is responding to the password sent.

You can try capturing the packets to the server to verify.

Re: Catalyst Web-Based Authentication

Ronni J — Thu, 04 Nov 2010 09:16:04 GMT

Password is not sent from the switch to the ACS server - any ideas why and how to fix? 😕

Using IOS 12.2(53)SE1

Here's a little more log detail:

013616: Nov 4 10:20:38.478 CET: T+: End Packet
013617: Nov 4 10:21:11.789 CET: AAA/AUTHEN/LOGIN (0000095F): Pick method list 'default'
013618: Nov 4 10:21:11.789 CET: TPLUS: Queuing AAA Authentication request 2399 for processing
013619: Nov 4 10:21:11.789 CET: TPLUS: processing authentication start request id 2399
013620: Nov 4 10:21:11.789 CET: TPLUS: Authentication start packet created for 2399(roje)
013621: Nov 4 10:21:11.789 CET: TPLUS: Using server 10.10.10.4
013622: Nov 4 10:21:11.789 CET: TPLUS(0000095F)/0/NB_WAIT/5B4E178: Started 5 sec timeout
013623: Nov 4 10:21:11.789 CET: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
013624: Nov 4 10:21:11.789 CET: T+: session_id 3455235127 (0xCDF2B437), dlen 36 (0x24)
013625: Nov 4 10:21:11.789 CET: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
013626: Nov 4 10:21:11.789 CET: T+: svc:LOGIN user_len:8 port_len:20 (0x14) raddr_len:0 (0x0) data_len:0
013627: Nov 4 10:21:11.789 CET: T+: user: roje
013628: Nov 4 10:21:11.789 CET: T+: port: GigabitEthernet1/0/1
013629: Nov 4 10:21:11.789 CET: T+: rem_addr:
013630: Nov 4 10:21:11.789 CET: T+: data:
013631: Nov 4 10:21:11.789 CET: T+: End Packet
013632: Nov 4 10:21:11.789 CET: TPLUS(0000095F)/0/NB_WAIT: wrote entire 48 bytes request
013633: Nov 4 10:21:11.798 CET: TPLUS(0000095F)/0/READ: read entire 12 header bytes (expect 16 bytes)
013634: Nov 4 10:21:11.798 CET: TPLUS(0000095F)/0/READ: read entire 28 bytes response
013635: Nov 4 10:21:11.798 CET: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
013636: Nov 4 10:21:11.798 CET: T+: session_id 3455235127 (0xCDF2B437), dlen 16 (0x10)
013637: Nov 4 10:21:11.798 CET: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
013638: Nov 4 10:21:11.798 CET: T+: msg: Password:
013639: Nov 4 10:21:11.798 CET: T+: data:
013640: Nov 4 10:21:11.798 CET: T+: End Packet
013641: Nov 4 10:21:11.798 CET: TPLUS(0000095F)/0/5B4E178: Processing the reply packet
013642: Nov 4 10:21:11.798 CET: TPLUS: Received authen response status GET_PASSWORD (8)
013643: Nov 4 10:21:21.436 CET: AAA/BIND(00000960): Bind i/f
013644: Nov 4 10:21:21.436 CET: AAA/AUTHEN/LOGIN (00000960): Pick method list 'default'
013645: Nov 4 10:21:21.436 CET: TPLUS: Queuing AAA Authentication request 2400 for processing
013646: Nov 4 10:21:21.436 CET: TPLUS: processing authentication start request id 2400

Re: Catalyst Web-Based Authentication

Stephen Montgomery — Thu, 16 Dec 2010 17:50:23 GMT

I`m gettting the same results when configuring the web based authentication using Tacacs but I do have it working using radius. Don`t know if that helps.

Using a C3560-IPBASEK9-M, Version 12.2(55)SE and CSACS-SE 4.2