Wired WebAuth issues

suenalltheSIorg
Level 1

Hello,

I've inherited a design for our Wired Guest Network (Security's policy prohibits any type of wireless in our facilities) to use the Cisco WebAuth solution, not as a fallback to 802.1X, but as a Guest Access solution in its own right (probably due to the fact that in the strictly GuestNet environment, we would not have the supplicants on the users' computers). I realize that Cisco best practices state that WebAuth, being less secure than 802.1X, should only be used as a fallback for dot1x (and for this as well as other reasons we are looking into other solutions from other vendors), but I'm having a strange issue with WebAuth that I'm wondering if anyone can give me some ideas with.

Basically it's a kludgy solution at best, but we have one site (Site A) where it's working as well as can be expected: users are presented with the AUP, present their credentials and are authenticated via a TekRadius server. I have "local" listed as a fallback to the RADIUS authentication (yes, I'm aware of the bug) so that if for some reason the RADIUS server goes down or is unavailable, users are blocked from using the Internet, unless they happen to be one of the 4 of us who know the u/p on the switch (Security department's requirement). However, I have another site (Site B) where users simply get out to the Internet and are never presented with the AUP, nor are they prompted to enter credentials anywhere. I've configured multiple switches at Site A, so I'm pretty sure I've configured them correctly. I've even gone so far as to do the following:

1. Pointed a SiteA switch at the radius server from Site B - WebAuth still works as expected

2. Run a DIFF against the 2 configs (one from Site A and one from Site B) - the only differences are the expected ones in IP addressing, VLAN and routing info. The configured RADIUS server is accessible via PING and at both sites is in the management network.

3. Configured a switch at Site A, placed it on the network and tested the WebAuth, then changed only the IP addresses and pertinent routing info and sent it to Site B, where it does NOT work (users simply get out to the Internet with no AUP page ever presented - so conceivably all other network-related services and routing are working fine).

Now I'm really frustrated. So I turned on some debugging (debug ip admission detailed) on both the working Site A switch and the mystery device at Site B. Site A's switch is totally silent, no error messages. But at Site B every 60 seconds the switch tells me the following:

*Mar 6 22:12:39: AUTH-PROXY auth_proxy_interested_http_packet: auth-proxy config not found

When I search for this error online I don't see much at all of interest to my particular issue with WebAuth. Other specific details: we have a mixed-vendor environment (Cisco and Extreme), so some of my trunks are to Summit switches. If anyone has any ideas or needs further config info from me, please let me know.

1 Reply

Tarik Admani
VIP Alumni

Susan,

Can you check the DHCP scope of the clients at Site B? Can you verify whether their default gateway is pointing to the SVI on the 2960 and not the SVI on the upstream router? That could cause the auth-proxy config to be skipped.

Thanks,

Tarik Admani
*Please rate helpful posts*
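The two checks discussed in this thread, the config DIFF from the original post (which should show only addressing differences) and the DHCP default-gateway check from the reply, as an added Python example. This is not code from the thread, from Cisco, or from either poster. Both running-config snippets are constructed for illustration, and the names and addresses in them (pool GUEST, Vlan20, the 10.x.20.0/24 ranges, ACL WEBAUTH-PRE) are hypothetical. The point it makes: a diff that masks IP addresses and VLAN ids comes back clean for these two configs, while the semantic check flags that Site B's DHCP pool hands out a default router that is not an SVI on the switch, so guest traffic never enters the interface carrying `ip admission`.

```python
"""Added example (not from the thread): diff two IOS configs with per-site values
masked, then check whether each DHCP pool's default-router is an SVI on the switch
itself. Config snippets below are constructed and hypothetical."""
import difflib
import re

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
VLAN_RE = re.compile(r"\b(?i:vlan)\s*\d+\b")

# Constructed Site A config: DHCP default-router is the switch's own SVI.
SITE_A = """\
hostname siteA-sw1
ip dhcp pool GUEST
 network 10.1.20.0 255.255.255.0
 default-router 10.1.20.1
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group WEBAUTH-PRE in
 ip admission WEBAUTH
!
ip admission name WEBAUTH proxy http
ip http server
"""

# Constructed Site B config: identical apart from addressing, but the
# default-router (.254) is not an SVI address on this switch.
SITE_B = """\
hostname siteB-sw1
ip dhcp pool GUEST
 network 10.2.20.0 255.255.255.0
 default-router 10.2.20.254
!
interface Vlan20
 ip address 10.2.20.1 255.255.255.0
 ip access-group WEBAUTH-PRE in
 ip admission WEBAUTH
!
ip admission name WEBAUTH proxy http
ip http server
"""


def normalize(config: str) -> list[str]:
    """Mask values expected to differ per site (addresses, VLAN ids, hostname)
    so a diff only surfaces genuinely different configuration lines."""
    out = []
    for line in config.splitlines():
        line = IP_RE.sub("<IP>", line)
        line = VLAN_RE.sub("<VLAN>", line)
        if line.startswith("hostname "):
            line = "hostname <HOST>"
        out.append(line)
    return out


def unexpected_diff(cfg_a: str, cfg_b: str) -> list[str]:
    """Return only the changed lines of a unified diff of the normalized configs."""
    diff = difflib.unified_diff(normalize(cfg_a), normalize(cfg_b),
                                "siteA", "siteB", lineterm="", n=0)
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def svi_addresses(config: str) -> set[str]:
    """Collect IP addresses configured on 'interface VlanN' SVIs."""
    addrs, in_svi = set(), False
    for line in config.splitlines():
        if not line.startswith(" "):          # new top-level block
            in_svi = line.lower().startswith("interface vlan")
        elif in_svi:
            m = re.match(r"\s+ip address (\S+) ", line)
            if m:
                addrs.add(m.group(1))
    return addrs


def dhcp_default_routers(config: str) -> dict[str, list[str]]:
    """Map each 'ip dhcp pool' name to the default-router addresses it hands out."""
    pools, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            m = re.match(r"ip dhcp pool (\S+)", line)
            current = m.group(1) if m else None
            if current:
                pools[current] = []
        elif current:
            m = re.match(r"\s+default-router (.+)", line)
            if m:
                pools[current].extend(m.group(1).split())
    return pools


def gateway_check(config: str) -> dict[str, bool]:
    """True per pool when every default-router is an SVI on this switch (guest
    traffic enters the ip-admission interface); False when it points elsewhere,
    e.g. straight at the upstream router, which bypasses the auth-proxy."""
    svis = svi_addresses(config)
    return {pool: bool(gws) and all(gw in svis for gw in gws)
            for pool, gws in dhcp_default_routers(config).items()}


if __name__ == "__main__":
    print("unexpected diff lines:", unexpected_diff(SITE_A, SITE_B))
    print("Site A gateway check:", gateway_check(SITE_A))
    print("Site B gateway check:", gateway_check(SITE_B))
```

Run the script against the two constructed configs: the masked diff is empty, which is exactly the "only expected differences" result the original poster reported, yet the gateway check reports GUEST as False for Site B. Against real switches, paste `show running-config` output into the two strings; the parsing only relies on IOS's top-level/indented block layout.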
