Hi Everyone.
I need a feature which could control network access and permit traffic only from users that provide proper credentials. In the branch office there are a few users; all network services are located in the central office.
Users access them via an IPsec site-to-site VPN. The assumption is that a user provides credentials. If he authenticates successfully, the TCP traffic is allowed; otherwise it is blocked.
I cannot use 802.1X here; the access switches in that location do not support this feature. I tried the web authentication configuration on the router (c880data-universalk9-mz.152-3.T.bin), but it only works partially.
Only the HTTP traffic is being blocked: when the user opens a web browser he is prompted for login and password, while at the same time the TCP traffic is allowed. I do not know where the problem is.
I am not sure if this configuration can be done on IOS. On an ASA such a configuration is easy, with no sophisticated configuration.
Do you have any ideas?
aaa new-model
aaa authentication login default group radius
aaa authentication login ssh local
aaa authorization auth-proxy default group radius
ip admission max-login-attempts 5
ip admission name webauth1 proxy http list 113
ip radius source-interface Vlan1
radius-server host 10.0.0.11 auth-port 1812 acct-port 1813 key Rad1
interface Vlan1
ip address 192.168.18.1 255.255.255.0
ip access-group 112 in
no ip redirects
ip nat inside
ip virtual-reassembly in
no ip route-cache
authentication order webauth
hold-queue 32 in
hold-queue 100 out
ip admission webauth1
access-list 112 permit ip 192.168.18.0 0.0.0.255 any
access-list 113 permit tcp 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255
Regards
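The behaviour described in the post follows from how IOS auth-proxy combines three pieces: the static interface ACL (112 above), the intercept list (113 above), and the per-user entries installed in front of the interface ACL after a successful login. The intercept list only decides which HTTP requests are redirected to the login page; every other packet is judged by the static interface ACL alone, so a "permit ip ... any" there lets all non-HTTP traffic through before anyone logs in. The following Python model is an added example, not code from the post or from Cisco: it parses the two access lists exactly as posted, runs constructed sample flows through the same three-step decision, and compares the posted ACL 112 against a constructed restrictive version (UDP only pre-login, everything else denied). The shape of the per-user dynamic entry is an assumption here; on IOS it is downloaded from RADIUS.

```python
"""Simplified model of Cisco IOS auth-proxy (ip admission) packet handling.

Added example, not from the original post. Models the static interface ACL,
the intercept list, and the per-user dynamic entries installed after login.
"""
import ipaddress


def ip2int(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D wildcard."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (ip2int(tokens[1]), 0), tokens[2:]
    return (ip2int(tokens[0]), ip2int(tokens[1])), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny proto src [wild] dst [wild]' (no ports)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    num, action, proto = int(t[1]), t[2], t[3]
    src, rest = _parse_addr(t[4:])
    dst, rest = _parse_addr(rest)
    return num, {"action": action, "proto": proto, "src": src, "dst": dst}


def _addr_match(addr, spec):
    net, wild = spec  # IOS wildcard: 1 bits are "don't care"
    return (addr | wild) == (net | wild)


def ace_matches(ace, pkt):
    proto_ok = ace["proto"] == "ip" or ace["proto"] == pkt["proto"]
    return proto_ok and _addr_match(pkt["src"], ace["src"]) and _addr_match(pkt["dst"], ace["dst"])


def evaluate(aces, pkt):
    """First match wins; IOS access lists end with an implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


class AuthProxyInterface:
    def __init__(self, interface_acl, intercept_acl):
        self.static = [parse_ace(line)[1] for line in interface_acl]
        self.intercept = [parse_ace(line)[1] for line in intercept_acl]
        self.dynamic = []  # per-user entries, installed on successful login

    def login(self, user_ip, allowed_net, allowed_wild):
        # Assumption: one permit-tcp entry per authenticated host. On IOS the
        # entries come from the RADIUS reply; this shape is a constructed stand-in.
        self.dynamic.insert(0, {"action": "permit", "proto": "tcp",
                                "src": (ip2int(user_ip), 0),
                                "dst": (ip2int(allowed_net), ip2int(allowed_wild))})

    def forward(self, pkt):
        # 1. dynamic (post-login) entries sit in front of the static ACL
        for ace in self.dynamic:
            if ace_matches(ace, pkt):
                return "permit"
        # 2. HTTP from a not-yet-authenticated host that matches the intercept
        #    list is redirected to the login page
        if pkt["proto"] == "tcp" and pkt["dport"] == 80 and evaluate(self.intercept, pkt) == "permit":
            return "intercept"
        # 3. everything else is decided by the static interface ACL alone
        return evaluate(self.static, pkt)


def packet(proto, src, dst, dport):
    return {"proto": proto, "src": ip2int(src), "dst": ip2int(dst), "dport": dport}


INTERCEPT_113 = ["access-list 113 permit tcp 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255"]
# as posted: the interface ACL permits everything, so nothing waits for login
POSTED_112 = ["access-list 112 permit ip 192.168.18.0 0.0.0.255 any"]
# constructed alternative: only UDP (DNS/DHCP) before login, everything else denied
RESTRICTIVE_112 = ["access-list 112 permit udp 192.168.18.0 0.0.0.255 any",
                   "access-list 112 deny ip any any"]

USER = "192.168.18.50"                       # constructed sample host
SSH = packet("tcp", USER, "10.0.0.20", 22)   # constructed sample flows
HTTP = packet("tcp", USER, "10.0.0.20", 80)


def run(interface_acl):
    """Return (before_login, after_login) verdicts for the SSH and HTTP flows."""
    port = AuthProxyInterface(interface_acl, INTERCEPT_113)
    before = {"ssh": port.forward(SSH), "http": port.forward(HTTP)}
    port.login(USER, "10.0.0.0", "0.255.255.255")
    after = {"ssh": port.forward(SSH), "http": port.forward(HTTP)}
    return before, after


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_112), ("restrictive", RESTRICTIVE_112)):
        print(name, *run(acl))
```

With the posted ACL 112 the model reproduces the symptom (SSH permitted before login, HTTP intercepted); with the restrictive ACL, SSH is denied until the login installs the per-user entry. The model ignores ports in access-list entries and the router's own HTTP listener, so it is a reasoning aid rather than a substitute for testing on the device.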