https://community.cisco.com/t5/network-access-control/web-auth-on-catalyst-3750/m-p/617056#M421833 <HTML><HEAD></HEAD><BODY><P>Thanks. I'll try it and see. Wish me luck.</P></BODY></HTML> Thu, 01 Feb 2007 10:03:06 GMT vjokhoo 2007-02-01T10:03:06Z https://community.cisco.com/t5/network-access-control/web-auth-on-catalyst-3750/m-p/617054#M421830 <P>Hi, I'm using catalyst 3750s and cisco acs 4.1 to authenticate clients but I need help. The docs tell how to configure basic web auth on ports but I need more details as I'm very new to this. For example, do I need an external webserver to serve the login page? Does anyone have an example of a login page code/script to share? How do I configure the web redirection?</P><P></P><P>I'll appreciate any help. Thanks</P> Sun, 10 Mar 2019 21:57:34 GMT https://community.cisco.com/t5/network-access-control/web-auth-on-catalyst-3750/m-p/617054#M421830 vjokhoo 2019-03-10T21:57:34Z https://community.cisco.com/t5/network-access-control/web-auth-on-catalyst-3750/m-p/617055#M421832 <HTML><HEAD></HEAD><BODY><P>You don't need an external webserver and you don't need to configure redirection. When you configure web auth, the 3750 itself acts as a webserver and presents a default login page to the end user to enter his/her credentials.</P><P></P><P>Hope that helps. </P><P></P><P>Shelly</P></BODY></HTML> Thu, 01 Feb 2007 05:37:12 GMT https://community.cisco.com/t5/network-access-control/web-auth-on-catalyst-3750/m-p/617055#M421832 scadora 2007-02-01T05:37:12Z https://community.cisco.com/t5/network-access-control/web-auth-on-catalyst-3750/m-p/617056#M421833 <HTML><HEAD></HEAD><BODY><P>Thanks. I'll try it and see. Wish me luck.</P></BODY></HTML> Thu, 01 Feb 2007 10:03:06 GMT https://community.cisco.com/t5/network-access-control/web-auth-on-catalyst-3750/m-p/617056#M421833 vjokhoo 2007-02-01T10:03:06Z https://community.cisco.com/t5/network-access-control/web-auth-on-catalyst-3750/m-p/617057#M421835 <HTML><HEAD></HEAD><BODY><P>Ok, I may not have explained myself properly. This is required to give clients Internet Access but only if they authenticate first against a radius server (The ACS) Not all clients will have 802.1x clients so I am considering the web authentication method. So when a client connects his laptop to the switch via ethernet he gets an IP Address via DHCP but then needs to authenticate against a radius server before he can get access to the Internet.</P><P></P><P>I have configured as to the directions in the documentation. I am getting the IP Address via DHCP but when I launch a browser nothing happens (I am of the opinion that I should get some default login page) The only login page I get is if I point my browser to the switch IP Address but this only grants me access to the switch itself. This is my config:</P><P></P><P></P><P></P><P>aaa new-model</P><P>aaa authentication login default local group radius</P><P>aaa authorization network default local group radius </P><P>aaa authorization auth-proxy default group radius </P><P>!</P><P>aaa session-id common</P><P>switch 1 provision ws-c3750-24ts</P><P>system mtu routing 1500</P><P>ip subnet-zero</P><P>ip routing</P><P>ip admission name cwc2007 proxy http</P><P>ip dhcp excluded-address 192.168.10.1</P><P>!</P><P>ip dhcp pool cwc2007</P><P> network 192.168.10.0 255.255.255.0</P><P> dns-server 196.3.132.1 196.3.132.4 </P><P> default-router 192.168.10.1 </P><P> domain-name tstt.net.tt</P><P>!</P><P>ip device tracking</P><P>!</P><P>!</P><P>!</P><P>!</P><P>!</P><P>no file verify auto</P><P>spanning-tree mode pvst</P><P>spanning-tree extend system-id</P><P>!</P><P>vlan internal allocation policy ascending</P><P>!</P><P>!</P><P>interface Loopback0</P><P> ip address 10.0.0.1 255.255.255.255</P><P>!</P><P>interface FastEthernet1/0/1</P><P> switchport access vlan 10</P><P> switchport mode access</P><P> ip admission cwc2007</P><P>!</P><P>interface FastEthernet1/0/2</P><P> switchport access vlan 10</P><P> switchport mode access</P><P> ip admission cwc2007</P><P>!</P><P>interface FastEthernet1/0/3</P><P> switchport access vlan 10</P><P> switchport mode access</P><P> ip admission cwc2007</P><P>!</P><P>interface FastEthernet1/0/4</P><P> switchport access vlan 10</P><P> switchport mode access</P><P> ip admission cwc2007</P><P>!</P><P>interface FastEthernet1/0/5</P><P> switchport access vlan 10</P><P> switchport mode access</P><P> ip admission cwc2007</P><P>!</P><P>interface FastEthernet1/0/6</P><P> switchport access vlan 10</P><P> switchport mode access</P><P> ip admission cwc2007</P><P>!</P><P>interface FastEthernet1/0/7</P><P> switchport access vlan 10</P><P> switchport mode access</P><P> ip admission cwc2007</P><P>!</P><P>interface FastEthernet1/0/8</P><P> switchport access vlan 10</P><P> switchport mode access</P><P> ip admission cwc2007</P><P>!</P><P>interface FastEthernet1/0/9</P><P> switchport access vlan 10</P><P> switchport mode access</P><P> ip admission cwc2007</P><P>!</P><P>interface FastEthernet1/0/10</P><P> switchport access vlan 10</P><P> switchport mode access</P><P> ip admission cwc2007</P><P>!</P><P>interface FastEthernet1/0/11</P><P> switchport access vlan 10</P><P> switchport mode access</P><P> ip admission cwc2007</P><P>!</P><P>interface FastEthernet1/0/12</P><P> switchport access vlan 10</P><P> switchport mode access</P><P> ip admission cwc2007</P><P>!</P><P>interface FastEthernet1/0/13</P><P>!</P><P>interface FastEthernet1/0/14</P><P>!</P><P>interface FastEthernet1/0/15</P><P>!</P><P>interface FastEthernet1/0/16</P><P>!</P><P>interface FastEthernet1/0/17</P><P>!</P><P>interface FastEthernet1/0/18</P><P>!</P><P>interface FastEthernet1/0/19</P><P>!</P><P>interface FastEthernet1/0/20</P><P>!</P><P>interface FastEthernet1/0/21</P><P>!</P><P>interface FastEthernet1/0/22</P><P>!</P><P>interface FastEthernet1/0/23</P><P> switchport access vlan 101</P><P> switchport mode access</P><P>!</P><P>interface FastEthernet1/0/24</P><P> switchport access vlan 100</P><P> switchport mode access</P><P>!</P><P>interface GigabitEthernet1/0/1</P><P>! </P><P>interface GigabitEthernet1/0/2</P><P>!</P><P>interface Vlan1</P><P> no ip address</P><P> shutdown</P><P>!</P><P>interface Vlan10</P><P> ip address 192.168.10.1 255.255.255.0</P><P>!</P><P>interface Vlan100</P><P> ip address 10.1.1.3 255.255.255.0</P><P>!</P><P>interface Vlan101</P><P> ip address 201.238.75.157 255.255.255.252</P><P>!</P><P></P><P>!</P><P>ip classless</P><P>ip http server</P><P>ip http secure-server</P><P>!</P><P>!</P><P>!</P><P></P><P>radius-server attribute 8 include-in-access-req</P><P>radius-server host 192.168.1.60 auth-port 1645 acct-port 1646 key ****</P><P>radius-server source-ports 1645-1646</P><P>radius-server vsa send authentication</P><P>!</P><P>control-plane</P><P>!</P><P></P><P></P><P>Maybe I am missing an ACL or something?</P></BODY></HTML> Thu, 01 Feb 2007 12:51:14 GMT https://community.cisco.com/t5/network-access-control/web-auth-on-catalyst-3750/m-p/617057#M421835 vjokhoo 2007-02-01T12:51:14Z https://community.cisco.com/t5/network-access-control/web-auth-on-catalyst-3750/m-p/617058#M421838 <HTML><HEAD></HEAD><BODY><P>Right, you need an ACL. Otherwise all traffic is allowed through the port and not intercepted for web auth. Try adding something like this:</P><P></P><P>ip access-list extended POLICY1</P><P> permit udp any any eq bootps</P><P> deny ip any any log</P><P></P><P>interface FastEthernet1/0/1</P><P>ip access-group POLICY1 in</P><P>switchport access vlan 10</P><P>switchport mode access</P><P>ip admission cwc2007 </P><P>...etc</P><P></P><P>Hope that helps.</P><P></P><P>Shelly</P></BODY></HTML> Thu, 01 Feb 2007 15:56:14 GMT https://community.cisco.com/t5/network-access-control/web-auth-on-catalyst-3750/m-p/617058#M421838 scadora 2007-02-01T15:56:14Z