Wired WebAuth only with NAC Guest Server (No ACS)

david9young
Level 1

Ok, I have been fighting this for two days now. I want to use the webauth function on some of our Cisco 3750Gs, ver 12.2(55)SE5, for guest access. I'm trying to use our NAC Guest Server, ver 2.0.3, as the backend portal and RADIUS server. We do not have ACS or any of the other components of ISE or NAC. I think the issue is the NGS server is not sending the dACL back to the switch. Guests work fine from our WLCs.

Switch debug (no attributes in switch debug):

Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Config NAS IP: 199.46.201.26

Mar 22 12:56:00.448 CDT: RADIUS/ENCODE(0000030C): acct_session_id: 1012

Mar 22 12:56:00.448 CDT: RADIUS(0000030C): sending

Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Send Access-Request to 10.199.33.20:1812 id 1645/19, len 177

Mar 22 12:56:00.448 CDT: RADIUS:  authenticator 99 95 59 55 09 A9 D9 E1 - 2B 01 90 36 1B 8A 41 92

Mar 22 12:56:00.448 CDT: RADIUS:  User-Name           [1]   20  "mycoxemail@cox.net"

Mar 22 12:56:00.448 CDT: RADIUS:  User-Password       [2]   18  *

Mar 22 12:56:00.448 CDT: RADIUS:  Framed-IP-Address   [8]   6   199.46.201.231

Mar 22 12:56:00.448 CDT: RADIUS:  Service-Type        [6]   6   Outbound                  [5]

Mar 22 12:56:00.448 CDT: RADIUS:  Message-Authenticato[80]  18

Mar 22 12:56:00.448 CDT: RADIUS:   A2 57 B5 F2 A6 FB 46 71 D0 EA 26 54 95 90 F4 D0             [ WFq&T]

Mar 22 12:56:00.448 CDT: RADIUS:  Vendor, Cisco       [26]  49

Mar 22 12:56:00.448 CDT: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C72EC91A000002FC0A6CD698"

Mar 22 12:56:00.448 CDT: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]

Mar 22 12:56:00.448 CDT: RADIUS:  NAS-Port            [5]   6   50106

Mar 22 12:56:00.448 CDT: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/6"

Mar 22 12:56:00.448 CDT: RADIUS:  NAS-IP-Address      [4]   6   199.46.201.26

Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Started 5 sec timeout

Mar 22 12:56:01.454 CDT: RADIUS: Received from id 1645/19 10.199.33.20:1812, Access-Reject, len 20

Mar 22 12:56:01.454 CDT: RADIUS:  authenticator 92 98 05 84 6E 4B CF DD - B5 D7 90 25 10 59 7B E7

Mar 22 12:56:01.454 CDT: RADIUS(0000030C): Received from id 1645/19

NGS log:

rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177

    User-Name = "mycoxemail@cox.net"

    User-Password = "5rRmpPt9"

    Framed-IP-Address = 199.46.201.231

    Service-Type = Outbound-User

    Message-Authenticator = 0xa257b5f2a6fb4671d0ea26549590f4d0

    Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"

    NAS-Port-Type = Ethernet

    NAS-Port = 50106

    NAS-Port-Id = "GigabitEthernet1/0/6"

    NAS-IP-Address = 199.46.201.26

+- entering group authorize {...}

[radius-user-auth]     expand: %{User-Name} -> mycoxemail@cox.net

[radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9

[radius-user-auth]     expand: %{NAS-IP-Address} -> 199.46.201.26

[radius-user-auth]     expand: %{Calling-Station-Id} ->

Exec-Program output:                          (Note: no attributes here)

Exec-Program: returned: 1

++[radius-user-auth] returns reject

Delaying reject of request 12 for 1 seconds

Going to the next request

Waking up in 0.6 seconds.

Similar debug from NGS, but the auth request is from the WLC. See that attributes are sent to the WLC although not needed:

rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152

    User-Name = "mycoxemail@cox.net"

    User-Password = "5rRmpPt9"

    Service-Type = Login-User

    NAS-IP-Address = 10.100.16.100

    NAS-Port = 13

    NAS-Identifier = "ICTWLC01"

    NAS-Port-Type = Ethernet

    Airespace-Wlan-Id = 514

    Calling-Station-Id = "10.198.12.211"

    Called-Station-Id = "10.100.16.100"

    Message-Authenticator = 0xc9383e767f0c228a2b8a0ece7069f366

+- entering group authorize {...}

[radius-user-auth]     expand: %{User-Name} -> mycoxemail@cox.net

[radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9

[radius-user-auth]     expand: %{NAS-IP-Address} -> 10.100.16.100

[radius-user-auth]     expand: %{Calling-Station-Id} -> 10.198.12.211

Exec-Program output: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any

Exec-Program-Wait: plaintext: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any

Exec-Program: returned: 0

++[radius-user-auth] returns ok

[files] users: Matched entry DEFAULT at line 1

++[files] returns ok

Found Auth-Type = Accept

Auth-Type = Accept, accepting the user

+- entering group post-auth {...}

[sql]     expand: %{User-Name} -> mycoxemail@cox.net

[sql] sql_set_user escaped user --> 'mycoxemail@cox.net'

[sql]     expand: %{User-Password} -> 5rRmpPt9

[sql]     expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('mycoxemail@cox.net', '5rRmpPt9', 'Access-Accept', NOW())

rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('mycoxemail@cox.net', '5rRmpPt9', 'Access-Accept', NOW())

rlm_sql (sql): Reserving sql socket id: 12

rlm_sql_postgresql: Status: PGRES_COMMAND_OK

rlm_sql_postgresql: query affected rows = 1

rlm_sql (sql): Released sql socket id: 12

++[sql] returns ok

Sending Access-Accept of id 22 to 10.100.16.100 port 32770

Finished request 4.

Going to the next request

Waking up in 4.9 seconds.

rad_recv: Accounting-Request packet from host 10.100.16.100 port 32770, id=30, length=170

config:

aaa new-model

!

!

aaa authentication login default group radius

aaa authentication login console group tacacs+ line

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization exec default group tacacs+ none

aaa authorization auth-proxy default group radius

aaa accounting auth-proxy default start-stop group radius

aaa accounting exec default stop-only group tacacs+

aaa accounting commands 15 default stop-only group tacacs+

ip device tracking

ip auth-proxy auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C

ip auth-proxy proxy http login expired page file flash:expired.html

ip auth-proxy proxy http login page file flash:login.html

ip auth-proxy proxy http success page file flash:success.html

ip auth-proxy proxy http failure page file flash:failed.html

ip admission auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C

ip admission proxy http login expired page file flash:expired.html

ip admission proxy http login page file flash:login.html

ip admission proxy http success page file flash:success.html

ip admission proxy http failure page file flash:failed.html

ip admission name web-auth-guest proxy http inactivity-time 60

dot1x system-auth-control

identity policy FAILOPEN

access-group PERMIT

!

interface GigabitEthernet1/0/6

switchport access vlan 301

switchport mode access

ip access-group pre-webauth-guest in

no logging event link-status

srr-queue bandwidth share 10 10 60 20

queue-set 2

priority-queue out

mls qos trust device cisco-phone

mls qos trust dscp

no snmp trap link-status

auto qos voip cisco-phone

spanning-tree portfast

spanning-tree bpduguard enable

service-policy input AutoQoS-Police-CiscoPhone

ip admission web-auth-guest

ip http server

ip http secure-server

!

ip access-list extended PERMIT

permit ip any any

ip access-list extended pre-webauth-guest

permit udp any any eq bootps

permit udp any any eq domain

permit tcp any host 10.199.33.20 eq 8443

permit tcp any host 10.199.33.21 eq 8443

permit tcp any host 10.100.255.90 eq 8443

deny   ip any any log

!

ip radius source-interface Vlan301

radius-server attribute 8 include-in-access-req

radius-server dead-criteria tries 2

radius-server host 10.199.33.20 auth-port 1812 acct-port 1813 key 7 022E5C782C130A74586F1C0D0D

radius-server vsa send authentication

I get the login and AUP page, then the failed page... I never see the priv-lvl 15 or the proxyacl. How do I do this with the Guest Server only?

Help!
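The post shows two NGS request dumps side by side: the wired one from the 3750 that got `Exec-Program: returned: 1` with an empty `%{Calling-Station-Id}` expansion and no output, and the wireless one from the WLC that got attributes back. The script below is an added example, not code from the poster, Cisco or NGS; it parses both dumps (copied from the post as constructed sample input, with the guest password redacted and the Message-Authenticator lines dropped) and reports the request attributes only one NAS sends, the shared attributes whose values differ, the `%{...}` expansions the auth script saw come back empty, and the attribute list the script handed back. The regexes assume the FreeRADIUS `radiusd -X` line layout seen in the post.

```python
import re

# Constructed sample input: the two NGS (FreeRADIUS) request dumps from the
# post, trimmed to the lines the checks below use, guest password redacted.
WIRED_LOG = """\
rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
    User-Name = "mycoxemail@cox.net"
    User-Password = "<redacted>"
    Framed-IP-Address = 199.46.201.231
    Service-Type = Outbound-User
    Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"
    NAS-Port-Type = Ethernet
    NAS-Port = 50106
    NAS-Port-Id = "GigabitEthernet1/0/6"
    NAS-IP-Address = 199.46.201.26
[radius-user-auth]     expand: %{User-Name} -> mycoxemail@cox.net
[radius-user-auth]     expand: %{NAS-IP-Address} -> 199.46.201.26
[radius-user-auth]     expand: %{Calling-Station-Id} ->
Exec-Program output:
Exec-Program: returned: 1
"""
WIRELESS_LOG = """\
rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
    User-Name = "mycoxemail@cox.net"
    User-Password = "<redacted>"
    Service-Type = Login-User
    NAS-IP-Address = 10.100.16.100
    NAS-Port = 13
    NAS-Identifier = "ICTWLC01"
    NAS-Port-Type = Ethernet
    Airespace-Wlan-Id = 514
    Calling-Station-Id = "10.198.12.211"
    Called-Station-Id = "10.100.16.100"
[radius-user-auth]     expand: %{User-Name} -> mycoxemail@cox.net
[radius-user-auth]     expand: %{NAS-IP-Address} -> 10.100.16.100
[radius-user-auth]     expand: %{Calling-Station-Id} -> 10.198.12.211
Exec-Program output: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
Exec-Program: returned: 0
"""

ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")          # indented "Attr = value" lines
EXPAND_RE = re.compile(r"expand: %\{([\w-]+)\} ->\s*(.*)$")
EXEC_OUT_RE = re.compile(r"^Exec-Program output:\s*(.*)$")
EXEC_RC_RE = re.compile(r"^Exec-Program: returned: (\d+)$")
PAIR_RE = re.compile(r"^([\w-]+)\s*(:=|\+=|=)\s*(.*)$")  # "Attr op value"


def parse_exec_output(text):
    """Split 'A := v, B += w' into (attribute, operator, value) tuples; '' -> []."""
    pairs = []
    for chunk in filter(None, (c.strip() for c in text.split(", "))):
        m = PAIR_RE.match(chunk)
        if m:
            pairs.append(m.groups())
    return pairs


def parse_ngs_request(log):
    """Request attributes, script expansions, script output and return code of one dump."""
    attrs, expansions, reply, rc = {}, {}, [], None
    for line in log.splitlines():
        if (m := ATTR_RE.match(line)):
            attrs[m.group(1)] = m.group(2).strip('"')
        elif (m := EXPAND_RE.search(line)):
            expansions[m.group(1)] = m.group(2).strip()
        elif (m := EXEC_OUT_RE.match(line)):
            reply = parse_exec_output(m.group(1))
        elif (m := EXEC_RC_RE.match(line)):
            rc = int(m.group(1))
    return {"attrs": attrs, "expansions": expansions, "reply": reply, "rc": rc}


def missing_script_inputs(parsed):
    """Expansions that were empty: values the auth script asked for but the NAS never sent."""
    return sorted(n for n, v in parsed["expansions"].items() if v == "")


def diff_requests(a, b):
    """Attributes only one NAS sends, plus shared attributes whose values differ."""
    return {"only_first": sorted(set(a) - set(b)),
            "only_second": sorted(set(b) - set(a)),
            "differ": {k: (a[k], b[k]) for k in sorted(set(a) & set(b)) if a[k] != b[k]}}


if __name__ == "__main__":
    wired, wireless = parse_ngs_request(WIRED_LOG), parse_ngs_request(WIRELESS_LOG)
    print("wired rc=%s reply=%s" % (wired["rc"], wired["reply"]))
    print("wired empty inputs:", missing_script_inputs(wired))
    print("wireless rc=%s reply=%s" % (wireless["rc"], wireless["reply"]))
    print(diff_requests(wired["attrs"], wireless["attrs"]))
```

Run as-is it prints the empty wired input (`Calling-Station-Id`), the attributes only the WLC sends (`Airespace-Wlan-Id`, `Called-Station-Id`, `Calling-Station-Id`, `NAS-Identifier`), and the `Service-Type` difference (`Outbound-User` on the switch, `Login-User` on the WLC). It only reports what the two dumps contain; whether the auth script rejects on an empty input is something to confirm against the script itself.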

2 Replies

david9young
Level 1

Is anyone using the IOS webauth feature with Cisco's Guest Server without ACS?

Is it possible without ACS, with only the NAC Guest Server?

Can anyone send me a sample configuration?
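The reply above asks what a working answer from the RADIUS side looks like. As an added example (not from the poster, Cisco or NGS), the block below builds the Access-Accept a RADIUS server would return to the switch carrying the Cisco VSAs in the form Cisco's IOS authentication-proxy documentation gives (`auth-proxy:priv-lvl=15` and `auth-proxy:proxyacl#N=...`), plus a Session-Timeout, and shows the check the switch performs on receipt: recomputing the Response Authenticator (RFC 2865, MD5 over Code, ID, Length, the Request Authenticator, the attributes and the shared secret). The request ID and Request Authenticator are the ones in the switch debug in the post; the shared secret is a constructed placeholder, since the `key 7` string in the posted config is a reversible encoding and should be treated as disclosed.

```python
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 2, 3
ATTR_VENDOR_SPECIFIC, ATTR_SESSION_TIMEOUT = 26, 27
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1       # Cisco-AVPair is vendor-type 1 under vendor 9

# VSAs in the form Cisco's IOS auth-proxy documentation gives for a web-auth Access-Accept.
AUTH_PROXY_AVPAIRS = ["auth-proxy:priv-lvl=15",
                      "auth-proxy:proxyacl#1=permit ip any any"]

# From the switch debug in the post: Access-Request id 19 and its Request Authenticator.
REQ_ID = 19
REQ_AUTH = bytes.fromhex("9995595509A9D9E12B0190361B8A4192")
SECRET = b"constructed-placeholder-secret"  # constructed; the real secret is not reused here


def encode_cisco_avpair(value):
    """Attribute 26 / vendor 9 / vendor-type 1 wrapping one AV pair string."""
    data = value.encode()
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vendor_part), CISCO_VENDOR_ID) + vendor_part


def encode_integer(attr_type, value):
    return struct.pack("!BBI", attr_type, 6, value)


def build_reply(code, req_id, req_authenticator, secret, attrs=b""):
    """Reply packet; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, req_id, 20 + len(attrs))
    auth = hashlib.md5(header + req_authenticator + attrs + secret).digest()
    return header + auth + attrs


def build_auth_proxy_accept(req_id, req_authenticator, secret, session_timeout):
    attrs = encode_integer(ATTR_SESSION_TIMEOUT, session_timeout)
    attrs += b"".join(encode_cisco_avpair(v) for v in AUTH_PROXY_AVPAIRS)
    return build_reply(CODE_ACCESS_ACCEPT, req_id, req_authenticator, secret, attrs)


def verify_reply(packet, req_authenticator, secret):
    """What the NAS does on receipt: check Length, then recompute the Response Authenticator
    with its own copy of the secret. A secret mismatch fails here and the reply is dropped."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + req_authenticator + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def decode_attrs(packet):
    """Walk the attribute TLVs after the 20-byte header. Cisco-AVPairs come back as strings,
    Session-Timeout as an int, anything else as (type, raw bytes)."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        body = packet[pos + 2:pos + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(body) >= 6
                and struct.unpack("!I", body[:4])[0] == CISCO_VENDOR_ID and body[4] == CISCO_AVPAIR):
            out.append(("Cisco-AVPair", body[6:4 + body[5]].decode()))
        elif atype == ATTR_SESSION_TIMEOUT and alen == 6:
            out.append(("Session-Timeout", struct.unpack("!I", body)[0]))
        else:
            out.append((atype, body))
        pos += alen
    return out


if __name__ == "__main__":
    pkt = build_auth_proxy_accept(REQ_ID, REQ_AUTH, SECRET, 3600)
    print(len(pkt), "bytes, valid:", verify_reply(pkt, REQ_AUTH, SECRET))
    for name, value in decode_attrs(pkt):
        print(" ", name, "=", value)
```

The bare Access-Reject the switch logged (`len 20`) is the `build_reply(CODE_ACCESS_REJECT, ...)` case with no attributes: header plus authenticator and nothing else, which is why the switch debug shows no attributes at all. Note this block demonstrates the wire format only; whether the switch will additionally require the `auth-proxy:` prefix on `priv-lvl` is something to verify against the IOS release notes for the 12.2(55)SE train.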
