I'm trying to test this feature and I'm having a hard time.
I'm getting logs like this with result codes 1, 0 and -1. What are those result codes?
Dec 12 11:49:25: ip_admission_det:Validate IP=10.10.2.12 with static rule rule1 on FastEthernet1/0/2. Result
Second, I can't get web authentication to work, and I did everything by the book. I think there's something missing in the doc.
If anyone has a working example for the switch config, that would be great!
This config is working for me:
! aaa new-model must be on before any of the aaa commands below are accepted
aaa new-model
aaa authentication login default group radius
aaa authentication login LINE-CON none
aaa authorization auth-proxy default group radius
!
! web-auth rule; the login page is served by the switch's own HTTP server,
! so that server has to be enabled
ip admission name RULE1 proxy http
ip device tracking
ip http server
!
! the following four lines go under the access port's interface stanza
 switchport access vlan 10
 switchport mode access
 ip access-group POLICY1 in
 ip admission RULE1
!
! pre-authentication port ACL: only DHCP gets through until the host logs in
ip access-list extended POLICY1
 permit udp any any eq bootps
 deny ip any any log
!
radius-server attribute 8 include-in-access-req
radius-server host 10.100.100.110 auth-port 1645 acct-port 1646 key ***
radius-server vsa send authentication
Hope that helps.
Hey Shelly, you're a GENIUS! I got the web redirection to work and I am getting the login page when I launch the browser. I am still getting a failed authentication, though, with a message about the certificate (something about the serial number of the AAA client). I just need to get past this stage and I'll be good.
Have you ever used a similar method to authenticate clients connecting to a wireless access point?
Cool! Glad that worked. Haven't seen any messages about certificates before...is this something you get from "debug radius authentication"?
Haven't tried this with wireless yet, sorry.
I've come across this forum entry and have the problem that web authentication doesn't work in my setup. Running IOS 12.2(37)SE1 on Cat3560.
I've stuck to the config guide for enabling web authentication and applied more or less the very same commands that scadora posted here. The thing is, I don't get to the web authentication prompt when using the web browser, yet at least I get an IP address. No error message appears on the client.
It is important to note that we're using a Microsoft IAS as the RADIUS server. I suspect an authentication problem at the point where the switch initially sends an authentication message upon the plug-in of the network cable (keyword 'attribute 8 include-in-access-req', which reports the IP address of the client to the RADIUS server even before web login). The server denies this request.
The debug output of the switch can be found in the attachment 'Troubleshooting Web Authentication RADIUS Attribute 8.TXT'.
The error in the IAS event log can be found in the file 'Troubleshooting Web Authentication IAS.txt'.
Note that we haven't set up any user called "IGEM\Gast" knowingly for this setup. It also doesn't appear in the initial switch RADIUS packet.
Question: Does anybody have experience with MS IAS and web authentication in combination? Any hint why this is failing?
The initial switch RADIUS packet you show in the first attachment is for the automatic MAC check that is performed (in case this is a printer or non-browser device). This would not have any effect on the subsequent Web Authentication. It doesn't look like Web-Auth is being triggered at all. Can you post your config? There might be something wrong with your device tracking or ip admission config. Also, what URL are you typing into the browser? At least so far, I don't see any evidence that IAS is causing the problem.
I just don't get why there is an automatic MAC check happening, we didn't configure the port to do so. Yes, we're running 802.1x port authentication next to that but that's not the case for port 20, where we're running the Web Authentication tests.
Please check the attached file for the config excerpt.
The IP tracking log output you've seen corresponds to ports that aren't enabled for Web Authentication, which is one additional thing I don't understand.
It doesn't matter what URL I type into the browser, it may either be a name or a random IP; I expect the Web Authentication process to intercept any kind of web traffic.
The automatic MAC check happens by default if you're doing standalone web-auth (which you are on port 20). You don't configure it (alas, you can't even turn it off), it just happens.
As for your config, try enabling "ip http server".
I agree that Web-Auth should get triggered by name or IP. However, you have to configure it to do so. Before the authentication succeeds and the RADIUS server sends down the rest of the access-list, the port is completely controlled by the port ACL. The ACL on your port as it stands will drop all DNS traffic, so the browser won't be able to resolve any FQDNs. Hence, I suggested adding the line for DNS.
Hope that helps,
Your input helped me to get closer to the solution. Meanwhile, I solved the problem and web authentication works now.
I had to take care of three things:
1. The customer had an access-class sitting on the HTTP server that filtered source addresses very restrictively. In order to allow every possible source address to be able to web authenticate, we had to remove the ACL.
2. The customer used 'ip http secure-server', which prevents triggering web authentication through normal port 80 traffic. We kept this feature running for security reasons but with the hint in mind to trigger web authentication only through 443.
3. We finally figured out how to pass on the AV pairs 'priv-lvl=15' and 'proxyacl#1=permit ip any any' from Microsoft IAS to the switch.
Thanks for your help once again!
Have you configured the ACS to send the AV pairs down with the Access-Accept? I don't see them in the RADIUS debug. You need priv-lvl=15 and a proxyacl that will open up the port (since the original access-group restricted the traffic).
You configure the AV pairs in either User Setup or Group Setup on the ACS. I've attached a screenshot.
Hope that helps,
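What the RADIUS server actually has to hand the switch, as an added example that is not code from any of the posters, nor from Cisco or Microsoft: the two AV pairs from the posts above ('priv-lvl=15' and 'proxyacl#1=permit ip any any') travel inside RADIUS attribute 26 (Vendor-Specific, RFC 2865) with Cisco's vendor id 9 and vendor type 1, cisco-avpair. The shared secret 'radiuskey', the fixed request authenticator and the packet identifier are constructed for the example; the attribute layout and the Response Authenticator computation follow RFC 2865. The parser does what the switch must do before it acts on a proxyacl: check the Response Authenticator against the shared secret, then walk the attributes and collect the avpairs.

```python
"""Encode and decode a RADIUS Access-Accept carrying Cisco AV pairs.

Added example for the thread above; constructed values, not a capture.

RFC 2865 layout:
  packet    = Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
  attribute = Type(1) Length(1) Value
  VSA (26)  = Vendor-Id(4) then Vendor-Type(1) Vendor-Length(1) String
Cisco's vendor id is 9; cisco-avpair is vendor type 1.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# Constructed sample values (assumptions for the example). In a real exchange
# the request authenticator comes from the switch's Access-Request.
SHARED_SECRET = b"radiuskey"
REQUEST_AUTHENTICATOR = bytes(range(16))
AVPAIRS = ["priv-lvl=15", "proxyacl#1=permit ip any any"]


def cisco_avpair(text: str) -> bytes:
    """One Vendor-Specific attribute carrying a single cisco-avpair string."""
    value = text.encode("ascii")
    # Vendor-Id (4) + Vendor-Type (1) + Vendor-Length (1) + String
    sub = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(value)) + value
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(sub)) + sub


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, avpairs) -> bytes:
    """Access-Accept whose Response Authenticator binds it to one request."""
    attrs = b"".join(cisco_avpair(a) for a in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_cisco_avpairs(packet: bytes, request_authenticator: bytes,
                        secret: bytes) -> list:
    """Verify the Response Authenticator, then return the cisco-avpair strings.

    Raises ValueError on a bad authenticator or a malformed attribute; that is
    the point at which a switch drops the reply instead of trusting its contents.
    """
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong secret or tampered)")

    pairs = []
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue  # another vendor's VSA; not ours
        sub, spos = value[4:], 0
        while spos < len(sub):  # one VSA may carry several sub-attributes
            if spos + 2 > len(sub):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR:
                pairs.append(sub[spos + 2:spos + vlen].decode("ascii"))
            spos += vlen
    return pairs


def accepted(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """True if the switch side would trust this reply, False if it rejects it."""
    try:
        parse_cisco_avpairs(packet, request_authenticator, secret)
        return True
    except ValueError:
        return False


def demo() -> list:
    """Round trip with the constructed values above."""
    pkt = build_access_accept(0x2A, REQUEST_AUTHENTICATOR, SHARED_SECRET, AVPAIRS)
    return parse_cisco_avpairs(pkt, REQUEST_AUTHENTICATOR, SHARED_SECRET)


if __name__ == "__main__":
    for pair in demo():
        print(pair)
```

When 'debug radius' on the switch shows the Access-Accept, these attribute 26 entries are what to look for; an Accept that carries none of them leaves the port governed by the pre-authentication ACL, which is the symptom described in the thread.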