ACS 5.1 with 802.1x IP refresh

Xavier Lloyd
Level 1

Hello all,

I have 802.1x configured on a 3550 switch with ACS 5.1 acting as the AAA policy server.

My problem is this. When my computer boots up, ACS authenticates the machine to AD, slapping me in a guest VLAN with limited access to the network. Once I log in, though, I reauthenticate to AD via ACS, which then puts me into an employee VLAN, but my IP address doesn't refresh automatically. I have to run ipconfig /renew to get my IP in the correct VLAN, or write a logon script that does the same thing every time I log in.

Is there any way for this to be done automatically, outside of writing a logon script?

Thanks,

Xavier

9 Replies

Tarik Admani
VIP Alumni

Xavier,

There is no way to do an IP refresh. One thing to consider would be your authorization policy: have the machines connect to the proper production VLAN, but hand down access lists in the authorization profile so your network access is limited. Once you authenticate after booting up, you will hit another authorization profile where "permit ip any any" (for example) will be handed down, and this will prevent you from having to change VLANs and bounce your IP when you are booting up.

thanks,

Tarik Admani

Thanks for the response Tarik,

I was thinking about that too, but for some reason the downloadable ACL and proxy ACL features only work with WebAuth Fallback mode for me. I was following a guide on how to configure dACLs, and that was the only one that showed up. Can you tell me how to get it to work with regular authentication, please? I'm running a 3550 with ip-services. Does that switch model support dACLs?

Thanks much

Xavier

Accepted Solution

Xavier,

You are right, dACLs and proxy ACLs will only work with auth-proxy and webauth. You will have to set up your authorization profile to hand back the cisco-av-pairs for the access lists. What version of ACS are you running? Here is a screenshot of how to do this on ACS 5.x (don't forget the deny at the end, just to be safe).

If you are using ACS 4 here is a link that will help - http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a00801fd914.html#wp391111

Hope this helps!

Tarik Admani

This is perfect! Thanks so much! I'm going to try this right now (running ACS 5.1).

Cheers!

Xavier

I just tried it and it still didn't work. Is there any configuration on the switch that I'll need to do?

I already have the following commands:

aaa authentication login default group radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius

radius-server vsa send authentication

Is there anything else I'm missing?

Here's a copy of my debug

*Mar 17 23:58:38.906: RADIUS:   Cisco AVpair       [1]   19  "shell:priv-lvl=15"
*Mar 17 23:58:38.906: RADIUS:  Vendor, Cisco       [26]  50
*Mar 17 23:58:38.906: RADIUS:   Cisco AVpair       [1]   44  "ip:inacl#1=deny icmp any host 172.16.0.195"
*Mar 17 23:58:38.906: RADIUS:  Vendor, Cisco       [26]  36
*Mar 17 23:58:38.906: RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#2=permit ip any any"

When I login, I can still ping 172.16.0.195

I'm going to try again though
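An added example, not part of the thread and not Xavier's or Tarik's code, showing how the cisco-av-pairs from the authorization profile travel on the wire and how the switch assembles them. Each av-pair is one RADIUS Vendor-Specific attribute (type 26, Vendor-Id 9) wrapping a cisco-avpair sub-attribute (vendor type 1); the encoder below reproduces the 50/44 and 36/30 byte lengths seen in the debug output above, and the decoder extracts the `ip:inacl#N=` entries and orders them by index into the per-user inbound ACL. The third av-pair (the trailing `deny ip any any` Tarik recommends), the sample attribute list and all function names are assumptions made for the example.

```python
"""Encode and decode Cisco AV-pairs carried as RADIUS Vendor-Specific attributes.

Added example (not from the thread). It builds the attributes an ACS
authorization profile would return for the employee VLAN scenario and
checks their byte layout against the 'debug radius' output in the thread.
"""
import re
import struct
from typing import List, Tuple

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type "Vendor-Specific"
CISCO_VENDOR_ID = 9           # IANA enterprise number assigned to Cisco
CISCO_AVPAIR = 1              # Cisco vendor sub-attribute "cisco-avpair"

# Constructed example profile: block one host, allow the rest, explicit deny last.
# 172.16.0.195 is the host from the thread's debug; the trailing deny is an assumption.
EMPLOYEE_AVPAIRS = [
    "ip:inacl#1=deny icmp any host 172.16.0.195",
    "ip:inacl#2=permit ip any any",
    "ip:inacl#3=deny ip any any",
]


def encode_cisco_avpair(value: str) -> bytes:
    """Return one Vendor-Specific attribute carrying a single cisco-avpair.

    Layout: Type(1) Length(1) Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) String.
    Both length bytes count their own header, which is why the debug shows
    [26] 50 wrapping [1] 44 for a 42-character av-pair.
    """
    data = value.encode("ascii")
    total_len = 2 + 4 + 2 + len(data)
    if total_len > 255:
        raise ValueError("cisco-avpair does not fit in one RADIUS attribute")
    header = struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, total_len, CISCO_VENDOR_ID)
    sub_attr = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return header + sub_attr


def encode_attributes(avpairs: List[str]) -> bytes:
    """Concatenate one VSA per av-pair, as they appear in an Access-Accept."""
    return b"".join(encode_cisco_avpair(v) for v in avpairs)


def decode_cisco_avpairs(buf: bytes) -> List[str]:
    """Walk a RADIUS attribute list and return every cisco-avpair string.

    Non-Cisco VSAs and other attribute types are skipped; malformed lengths
    raise instead of being silently trusted.
    """
    out: List[str] = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = buf[pos], buf[pos + 1]
        if attr_len < 2 or pos + attr_len > len(buf):
            raise ValueError("bad attribute length")
        body = buf[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != RADIUS_VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub, spos = body[4:], 0          # one VSA may hold several sub-attributes
        while spos < len(sub):
            if len(sub) - spos < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR:
                out.append(sub[spos + 2:spos + vlen].decode("ascii"))
            spos += vlen
    return out


_INACL = re.compile(r"^ip:inacl#(\d+)=(.+)$")


def per_user_acl(avpairs: List[str]) -> List[str]:
    """Assemble the inbound per-user ACL from ip:inacl#N entries, ordered by N.

    Other av-pairs (e.g. shell:priv-lvl=15 in the debug) are ignored, so the
    trailing deny must carry the highest index to end up last.
    """
    entries: List[Tuple[int, str]] = []
    for pair in avpairs:
        m = _INACL.match(pair)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    entries.sort(key=lambda e: e[0])
    return [ace for _, ace in entries]


def debug_lines(avpairs: List[str]) -> List[str]:
    """Render the attributes roughly the way 'debug radius' prints them."""
    lines = []
    for v in avpairs:
        attr = encode_cisco_avpair(v)
        lines.append(f"RADIUS:  Vendor, Cisco       [26]  {attr[1]}")
        lines.append(f'RADIUS:   Cisco AVpair       [1]   {attr[7]}  "{v}"')
    return lines


if __name__ == "__main__":
    wire = encode_attributes(EMPLOYEE_AVPAIRS)
    print("\n".join(debug_lines(EMPLOYEE_AVPAIRS)))
    print("resulting per-user ACL:")
    for ace in per_user_acl(decode_cisco_avpairs(wire)):
        print("   ", ace)
```

Running it prints the same `[26] 50 / [1] 44` and `[26] 36 / [1] 30` pairs as the posted debug, which confirms the ACS side is sending well-formed attributes; if `show ip access-lists` still shows no per-user ACL after a successful dot1x authorization, the attributes are reaching the switch but not being applied there.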

OK, so I finally found some documentation on av-pairs and realised that the ones you gave me were for TACACS+, not RADIUS. What kind of config should I put on the switch to enable TACACS+ to configure it?

This is what I'm thinking, but I'm not sure it'll work. Can you confirm these commands?

aaa authorization network default group tacacs

tacacs-server host ACS_IP_ADDR key cisco123

Xavier,

I was giving you the correct av-pairs. Did you include the deny ip any any av-pair at the end of your authorization profile? Also, please use the example I gave you and send the "show ip access-lists" output.

thanks,

Do I have to include the deny ip any any?

I wanted my access list to look like this:

deny access to resourceA

deny access to resourceB

deny access to resourceC

permit access to rest of resources

When I run show ip access-lists, only the ACL for web-auth shows up... nothing is added before/after authentication.

Can you debug the session and send me the output of the following (debug radius authentication)? Blur out all the IP addresses, but reference which resource lines up with your scenario. I am curious to see why this isn't taking.

Thanks,

Tarik Admani