03-20-2012 01:52 PM - edited 03-10-2019 06:55 PM
OK, I have been fighting this for two days now. I want to use the webauth function on some of our Cisco 3750Gs ver
12.2(55)SE5 for guest access. I'm trying to use our NAC Guest Server ver: 2.0.3 as the backend portal and RADIUS server. We do not have ACS or any of the other components of ISE or NAC. I think the issue is the NGS server is not sending the dACL back to the switch. Guest access works fine from our WLCs.
Switch debug: no attributes in switch debug
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Config NAS IP: 199.46.201.26
Mar 22 12:56:00.448 CDT: RADIUS/ENCODE(0000030C): acct_session_id: 1012
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): sending
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Send Access-Request to 10.199.33.20:1812 id 1645/19, len 177
Mar 22 12:56:00.448 CDT: RADIUS: authenticator 99 95 59 55 09 A9 D9 E1 - 2B 01 90 36 1B 8A 41 92
Mar 22 12:56:00.448 CDT: RADIUS: User-Name [1] 20 "mycoxemail@cox.net"
Mar 22 12:56:00.448 CDT: RADIUS: User-Password [2] 18 *
Mar 22 12:56:00.448 CDT: RADIUS: Framed-IP-Address [8] 6 199.46.201.231
Mar 22 12:56:00.448 CDT: RADIUS: Service-Type [6] 6 Outbound [5]
Mar 22 12:56:00.448 CDT: RADIUS: Message-Authenticato[80] 18
Mar 22 12:56:00.448 CDT: RADIUS: A2 57 B5 F2 A6 FB 46 71 D0 EA 26 54 95 90 F4 D0 [ WFq&T]
Mar 22 12:56:00.448 CDT: RADIUS: Vendor, Cisco [26] 49
Mar 22 12:56:00.448 CDT: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C72EC91A000002FC0A6CD698"
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port [5] 6 50106
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/6"
Mar 22 12:56:00.448 CDT: RADIUS: NAS-IP-Address [4] 6 199.46.201.26
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Started 5 sec timeout
Mar 22 12:56:01.454 CDT: RADIUS: Received from id 1645/19 10.199.33.20:1812, Access-Reject, len 20
Mar 22 12:56:01.454 CDT: RADIUS: authenticator 92 98 05 84 6E 4B CF DD - B5 D7 90 25 10 59 7B E7
Mar 22 12:56:01.454 CDT: RADIUS(0000030C): Received from id 1645/19
NGS log:
rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
User-Name = "mycoxemail@cox.net"
User-Password = "5rRmpPt9"
Framed-IP-Address = 199.46.201.231
Service-Type = Outbound-User
Message-Authenticator = 0xa257b5f2a6fb4671d0ea26549590f4d0
Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"
NAS-Port-Type = Ethernet
NAS-Port = 50106
NAS-Port-Id = "GigabitEthernet1/0/6"
NAS-IP-Address = 199.46.201.26
+- entering group authorize {...}
[radius-user-auth] expand: %{User-Name} -> mycoxemail@cox.net
[radius-user-auth] expand: %{User-Password} -> 5rRmpPt9
[radius-user-auth] expand: %{NAS-IP-Address} -> 199.46.201.26
[radius-user-auth] expand: %{Calling-Station-Id} ->
Exec-Program output: Note: no attributes here
Exec-Program: returned: 1
++[radius-user-auth] returns reject
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Similar debug from NGS, but the auth request is from the WLC: see that attributes are sent to the WLC although not needed
rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
User-Name = "mycoxemail@cox.net"
User-Password = "5rRmpPt9"
Service-Type = Login-User
NAS-IP-Address = 10.100.16.100
NAS-Port = 13
NAS-Identifier = "ICTWLC01"
NAS-Port-Type = Ethernet
Airespace-Wlan-Id = 514
Calling-Station-Id = "10.198.12.211"
Called-Station-Id = "10.100.16.100"
Message-Authenticator = 0xc9383e767f0c228a2b8a0ece7069f366
+- entering group authorize {...}
[radius-user-auth] expand: %{User-Name} -> mycoxemail@cox.net
[radius-user-auth] expand: %{User-Password} -> 5rRmpPt9
[radius-user-auth] expand: %{NAS-IP-Address} -> 10.100.16.100
[radius-user-auth] expand: %{Calling-Station-Id} -> 10.198.12.211
Exec-Program output: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
Exec-Program-Wait: plaintext: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
Exec-Program: returned: 0
++[radius-user-auth] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> mycoxemail@cox.net
[sql] sql_set_user escaped user --> 'mycoxemail@cox.net'
[sql] expand: %{User-Password} -> 5rRmpPt9
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('mycoxemail@cox.net', '5rRmpPt9', 'Access-Accept', NOW())
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('mycoxemail@cox.net', '5rRmpPt9', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 12
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 12
++[sql] returns ok
Sending Access-Accept of id 22 to 10.100.16.100 port 32770
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.100.16.100 port 32770, id=30, length=170
config:
aaa new-model
!
!
aaa authentication login default group radius
aaa authentication login console group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ none
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
ip device tracking
ip auth-proxy auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
ip auth-proxy proxy http login expired page file flash:expired.html
ip auth-proxy proxy http login page file flash:login.html
ip auth-proxy proxy http success page file flash:success.html
ip auth-proxy proxy http failure page file flash:failed.html
ip admission auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
ip admission proxy http login expired page file flash:expired.html
ip admission proxy http login page file flash:login.html
ip admission proxy http success page file flash:success.html
ip admission proxy http failure page file flash:failed.html
ip admission name web-auth-guest proxy http inactivity-time 60
dot1x system-auth-control
identity policy FAILOPEN
access-group PERMIT
!
interface GigabitEthernet1/0/6
switchport access vlan 301
switchport mode access
ip access-group pre-webauth-guest in
no logging event link-status
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust dscp
no snmp trap link-status
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
ip admission web-auth-guest
ip http server
ip http secure-server
!
ip access-list extended PERMIT
permit ip any any
ip access-list extended pre-webauth-guest
permit udp any any eq bootps
permit udp any any eq domain
permit tcp any host 10.199.33.20 eq 8443
permit tcp any host 10.199.33.21 eq 8443
permit tcp any host 10.100.255.90 eq 8443
deny ip any any log
!
ip radius source-interface Vlan301
radius-server attribute 8 include-in-access-req
radius-server dead-criteria tries 2
radius-server host 10.199.33.20 auth-port 1812 acct-port 1813 key 7 022E5C782C130A74586F1C0D0D
radius-server vsa send authentication
I get the login and AUP page, then the failed page... I never see the priv-lvl 15 or the proxyacl. How do I do this with Guest Server only?
Help!
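To see exactly what the switch's Access-Request carries that the WLC's does not (and the other way round), here is an added example, not part of the original post and not Cisco or NGS code: a Python script that parses FreeRADIUS-style `rad_recv` debug blocks like the two captures above and diffs the attribute sets. The two sample captures embedded in the script are copied from the post. The page only shows that the NGS `radius-user-auth` exec program expands `%{Calling-Station-Id}` to an empty string for the switch request and returns 1; the list of required attributes passed to `required_attrs_present` is an assumption used for illustration, not something the page confirms.

```python
"""
Added example: diff the RADIUS attributes of two FreeRADIUS-style rad_recv
captures. Not from the original post, Cisco IOS or NAC Guest Server.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the switch and WLC Access-Request blocks as shown
# in the post, trimmed to the lines FreeRADIUS prints for the request.
SWITCH_CAPTURE = """\
rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
User-Name = "mycoxemail@cox.net"
User-Password = "5rRmpPt9"
Framed-IP-Address = 199.46.201.231
Service-Type = Outbound-User
Message-Authenticator = 0xa257b5f2a6fb4671d0ea26549590f4d0
Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"
NAS-Port-Type = Ethernet
NAS-Port = 50106
NAS-Port-Id = "GigabitEthernet1/0/6"
NAS-IP-Address = 199.46.201.26
+- entering group authorize {...}
"""

WLC_CAPTURE = """\
rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
User-Name = "mycoxemail@cox.net"
User-Password = "5rRmpPt9"
Service-Type = Login-User
NAS-IP-Address = 10.100.16.100
NAS-Port = 13
NAS-Identifier = "ICTWLC01"
NAS-Port-Type = Ethernet
Airespace-Wlan-Id = 514
Calling-Station-Id = "10.198.12.211"
Called-Station-Id = "10.100.16.100"
Message-Authenticator = 0xc9383e767f0c228a2b8a0ece7069f366
+- entering group authorize {...}
"""

# One attribute line: "Name = value" (value may be quoted, hex, or a number).
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')


def parse_rad_recv(text: str) -> Dict[str, str]:
    """Return {attribute: value} for the first rad_recv block in `text`.

    Parsing starts at the 'rad_recv:' line and stops at the first line that is
    not an attribute (e.g. '+- entering group ...'). Surrounding quotes are
    stripped from values.
    """
    attrs: Dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("rad_recv:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = ATTR_RE.match(line)
        if not m:
            break
        attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def missing_attributes(reference: Dict[str, str], candidate: Dict[str, str]) -> List[str]:
    """Attribute names present in `reference` but absent from `candidate`."""
    return sorted(set(reference) - set(candidate))


def differing_values(a: Dict[str, str], b: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Attributes present in both requests whose values differ."""
    return sorted((k, a[k], b[k]) for k in set(a) & set(b) if a[k] != b[k])


def required_attrs_present(attrs: Dict[str, str], required: List[str]) -> bool:
    """True when every name in `required` exists with a non-empty value.

    The `required` list is supplied by the caller; which attributes the NGS
    exec script actually needs is an assumption, not documented on the page.
    """
    return all(attrs.get(name, "") != "" for name in required)


if __name__ == "__main__":
    switch, wlc = parse_rad_recv(SWITCH_CAPTURE), parse_rad_recv(WLC_CAPTURE)
    print("Sent by WLC but not by switch:", missing_attributes(wlc, switch))
    print("Sent by switch but not by WLC:", missing_attributes(switch, wlc))
    for name, sv, wv in differing_values(switch, wlc):
        print(f"{name}: switch={sv!r} wlc={wv!r}")
    # Assumed requirement list for illustration only.
    assumed = ["User-Name", "NAS-IP-Address", "Calling-Station-Id"]
    print("switch has all assumed-required attrs:", required_attrs_present(switch, assumed))
```

Run it against your own `radiusd -X` output by replacing the two constants; the value diff (Service-Type, NAS-Port and NAS-IP-Address differ in the captures above) is as useful as the name diff when a backend script branches on attribute contents.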
03-22-2012 10:47 AM
Is anyone using the IOS webauth feature with Cisco's Guest server without ACS?
05-21-2012 11:45 AM
Is it possible without ACS, only with NAC Guest?
Can someone send me a sample configuration?