Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
508
Views
0
Helpful
3
Replies

Trying to setup webauth

Don Maker
Level 1
Level 1

‎01-12-2017 06:31 AM

I'm trying to get webauth going, but it's not too smooth so far. Here is my aaa, radius and ip admission config lines on a 3560G:

sh run | include admiss
ip admission name webauth proxy http
ip admission webauth
core#sri aaa
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
aaa session-id common
core#sri radius
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
ip radius source-interface Vlan10
radius-server host 192.168.0.14
radius-server key 7 06330170414F1D0B0C2F

I'm using a Windows 2008 R2 domain controller for radius. What usually happens is that I get a login page, enter valid credentials, another page pops up warning about security with a "connect" option. When I click connect, another login tab opens...repeat ad naseum. Wireshark shows a radius request and reject packet on the DC, and the event log of the DC shows a policy denial. The reason given is that the user provided in the request is locked out, but the user always shows up as domain\guest. I have no idea why.

Is there anything in my config that looks off, or does anyone have any experience with this situation?

Also, a general webauth question. Can webauth be used to block network access completely, or just web traffic? I know 802.1x can do it, but I was asked to use webauth, but I'm not sure that it can.

Thank you!

 

Labels:
0 Helpful
3 Replies 3

Don Maker
Level 1
Level 1

‎01-12-2017 07:04 AM

I tried enabling the guest account just to see if things would work. I get different errors now. On the DC it says I'm trying to use an auth type not specified in the network policy. I have PAP checked and this same user account works when I use radius for logon auth on the same switch. 

Very puzzling and inconsistent so far.

0 Helpful

Don Maker
Level 1
Level 1
In response to Don Maker

‎01-12-2017 08:15 AM

It works if I don't force clients to negotiate an authentication method. Does anyone know what auth method should be selected for Windows 2008 radius? 

0 Helpful

Don Maker
Level 1
Level 1
In response to Don Maker

‎01-13-2017 01:02 PM

bumpage

0 Helpful
Customers Also Viewed These Support Documents