05-31-2011 07:21 AM - edited 03-10-2019 06:07 PM
Hello all,
I have 802.1x configured on a 3550 switch with ACS 5.1 acting as the AAA policy server.
My problem is this. When my computer boots up, ACS authenticates the machine to AD, slapping me in a guest VLAN with limited access to the network. Once I log in though, I reauthenticate to AD via ACS, which then puts me into an employee VLAN, but my IP address doesn't refresh automatically. I have to run ipconfig /renew to get my IP in the correct VLAN or write a logon script that does the same thing every time I log in.
Is there any way for this to be done automatically outside of writing a logon script?
Thanks,
Xavier
05-31-2011 10:21 PM
Xavier,
There is no way to do an IP refresh. One thing to consider would be your authorization policy: have the machines connect to the proper production VLAN but hand down access lists in the authorization profile so your network access is limited. Once you authenticate after booting up, you will hit another authorization profile where the "permit ip any any" (for example) will be handed down, and this will prevent you from having to change VLANs and bounce your IP when you are booting up.
thanks,
Tarik Admani
06-01-2011 07:31 AM
Thanks for the response Tarik,
I was thinking about that too but for some reason, the downloadable ACL and proxy ACL features only work with WebAuth Fallback mode for me. I was following a guide on how to configure dACLs and that was the only one that showed up. Can you tell me how to get it to work with regular authentication please? I'm running a 3550 with ip-services. Does that switch model support dACLs?
Thanks much
Xavier
06-01-2011 03:52 PM
Xavier,
You are right, dACLs and proxy ACLs will only work with auth-proxy and webauth. You will have to set up your authorization profile to hand back the cisco-av-pairs for the access lists. What version of ACS are you running? Here is a screenshot on how to do this on ACS 5.x (don't forget the deny at the end just to be safe).
If you are using ACS 4 here is a link that will help - http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a00801fd914.html#wp391111
Hope this helps!
Tarik Admani
06-02-2011 06:40 AM
This is perfect! Thanks so much! I'm going to try this right now (running ACS 5.1).
Cheers!
Xavier
06-02-2011 06:58 AM
I just tried it and it still didn't work. Is there any configuration on the switch that I'll need to do?
I already have the following commands:
aaa authentication login default group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
radius-server vsa send authentication
Is there any other I'm missing?
Here's a copy of my debug
*Mar 17 23:58:38.906: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
*Mar 17 23:58:38.906: RADIUS: Vendor, Cisco [26] 50
*Mar 17 23:58:38.906: RADIUS: Cisco AVpair [1] 44 "ip:inacl#1=deny icmp any host 172.16.0.195"
*Mar 17 23:58:38.906: RADIUS: Vendor, Cisco [26] 36
*Mar 17 23:58:38.906: RADIUS: Cisco AVpair [1] 30 "ip:inacl#2=permit ip any any"
When I login, I can still ping 172.16.0.195
I'm going to try again though
06-02-2011 07:20 AM
Ok so I finally found some documentation on av-pairs and realised that the ones you gave me were for TACACS+, not RADIUS. What kind of config should I put on the switch to enable TACACS+ to configure it?
This is what I'm thinking but I'm not sure it'll work. Can you confirm these commands?
aaa authorization network default group tacacs
tacacs-server host ACS_IP_ADDR key cisco123
06-02-2011 09:32 PM
Xavier,
I was giving you the correct av-pairs. Did you include the deny ip any any av-pair at the end of your authorization profile? Also, please use the example I gave you and send the "show ip access-lists" output.
thanks,
06-03-2011 07:50 AM
Do I have to include the deny ip any any?
I wanted my access list to look like this:
deny access to resourceA
deny access to resourceB
deny access to resourceC
permit access to rest of resources
When I run show ip access lists, only the ACL for web-auth shows up...nothing is added before/after authentication.
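The debug output posted earlier (the "ip:inacl#N=" cisco-av-pairs) and the ACL shape described just above are both about the same thing: the RADIUS server hands the switch an ordered list of access-control entries, and the switch evaluates them first-match with an implicit deny at the end. The following Python script is an added example, not code from the thread or from Cisco; it parses the av-pairs out of a constructed copy of the quoted debug lines, rebuilds the per-user ACL, and evaluates sample packets against it. The resource addresses in RESOURCE_ACL and the source addresses in the sample packets are constructed placeholders, and ports are not modelled.

```python
import re
from ipaddress import IPv4Address

# Matches the "ip:inacl#N=<ace>" cisco-av-pairs as printed by "debug radius"
AVPAIR_RE = re.compile(r'Cisco AVpair \[1\] \d+ "ip:inacl#(\d+)=([^"]+)"')

# Constructed sample input, modelled on the debug lines quoted in the thread.
# The shell:priv-lvl pair is a shell attribute and is deliberately ignored here.
SAMPLE_DEBUG = """\
*Mar 17 23:58:38.906: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
*Mar 17 23:58:38.906: RADIUS: Vendor, Cisco [26] 50
*Mar 17 23:58:38.906: RADIUS: Cisco AVpair [1] 44 "ip:inacl#1=deny icmp any host 172.16.0.195"
*Mar 17 23:58:38.906: RADIUS: Vendor, Cisco [26] 36
*Mar 17 23:58:38.906: RADIUS: Cisco AVpair [1] 30 "ip:inacl#2=permit ip any any"
"""

# The ACL shape asked for in the thread: a few denied resources, everything
# else permitted. The addresses are constructed placeholders, not from the thread.
RESOURCE_ACL = [
    "deny ip any host 10.10.10.11",   # resourceA (placeholder)
    "deny ip any host 10.10.10.12",   # resourceB (placeholder)
    "deny ip any host 10.10.10.13",   # resourceC (placeholder)
    "permit ip any any",
]


def parse_inacl(debug_text):
    """Return the per-user inbound ACL as a list of ACE strings, ordered by #index."""
    found = [(int(n), ace.strip()) for n, ace in AVPAIR_RE.findall(debug_text)]
    return [ace for _, ace in sorted(found)]


def _take_addr(tokens):
    """Consume one address spec (any | host A | A wildcard) -> ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))), tokens[2:]


def parse_ace(ace):
    """Parse 'permit|deny <proto> <src> <dst>' into (action, proto, src, dst)."""
    tokens = ace.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _take_addr(tokens[2:])
    dst, _ = _take_addr(rest)
    return action, proto, src, dst


def _addr_matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    return (int(IPv4Address(addr)) | wildcard) == (base | wildcard)


def evaluate(acl, proto, src, dst):
    """First-match evaluation; an unmatched packet hits the implicit deny at the end."""
    for ace in acl:
        action, ace_proto, ace_src, ace_dst = parse_ace(ace)
        if ace_proto not in ("ip", proto):      # 'ip' matches every protocol
            continue
        if _addr_matches(ace_src, src) and _addr_matches(ace_dst, dst):
            return action
    return "deny"   # IOS ACLs end with an implicit deny


if __name__ == "__main__":
    acl = parse_inacl(SAMPLE_DEBUG)
    print("ACL from debug:", acl)
    print("icmp to .195:", evaluate(acl, "icmp", "172.16.0.10", "172.16.0.195"))
    print("tcp to .195: ", evaluate(acl, "tcp", "172.16.0.10", "172.16.0.195"))
    print("resourceB:   ", evaluate(RESOURCE_ACL, "tcp", "172.16.0.10", "10.10.10.12"))
    print("other host:  ", evaluate(RESOURCE_ACL, "tcp", "172.16.0.10", "10.10.10.99"))
    # Drop the trailing permit and the implicit deny catches everything not listed.
    print("no permit:   ", evaluate(RESOURCE_ACL[:3], "tcp", "172.16.0.10", "10.10.10.99"))
```

Run it as-is and the parsed ACL is the two-entry list from the debug output: ICMP to 172.16.0.195 is denied while TCP to the same host is permitted, which is exactly what the quoted av-pairs say and is a useful sanity check before looking at why the switch is not applying them. The last line shows the other half of the deny-at-the-end discussion: with no explicit trailing entry, anything that matches no ACE falls through to the implicit deny.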
06-03-2011 11:29 AM
Can you debug the session and send me the output of the following (debug radius authentication)? Blur out all the IP addresses but reference which resource lines up with your scenario. I am curious to see why this isn't taking.
Thanks,
Tarik Admani