This config is working for me:

aaa new-model

aaa authentication login default group radius

aaa authentication login LINE-CON none

aaa authorization auth-proxy default group radius

ip admission name RULE1 proxy http

ip device tracking

interface GigabitEthernet1/0/5

switchport access vlan 10

switchport mode access

ip access-group POLICY1 in

spanning-tree portfast

ip admission RULE1

!

ip access-list extended POLICY1

permit udp any any eq bootps

deny ip any any log

!

radius-server attribute 8 include-in-access-req

radius-server host 10.100.100.110 auth-port 1645 acct-port 1646 key ***

radius-server vsa send authentication

Hope that helps.

Shelly

Hey Shelly, you're a GENIUS! I got the web redirection to work and I am getting the login page when I launch the browser. I am still getting a failed authentication though with a message about the certificate (something about the serial number of the AAA client) I just need to get past this stage and I'll be good.

Have you ever used a similar method to authenticate clients connecting to a wireless access point?

Cool! Glad that worked. Haven't seen any messages about certificates before...is this something you get from "debug radius authentication"?

Haven't tried this with wireless yet, sorry.

Hi

I've come across this forum entry and have the problem that web authentication doesn't work in my setup. Running IOS 12.2(37)SE1 on Cat3560.

I've sticked to the config guide for enabling web authentication and applied more or less the very same commands that scadora posted here. The thing is I don't get to the web authentication prompt when using the web browser, yet at least I get an IP address. No error msg appears on the client.

It is important to note that we're using a Microsoft IAS as RADIUS server. I suspect an authentication problem at the point where the switch initially sends an authentication msg upon the plug-in of the network cable (keyword 'attribute 8 include-in-access-req', which reports the IP address of the client to the RADIUS server even before web login). The server denies this request.

The debug output of the switch can be found in the attachment 'Troubleshooting Web Authentication RADIUS Attribute 8.TXT':

The error in the IAS event log can be found in the file 'Troubleshooting Web Authentication IAS.txt'.

Note that we haven't set up any user called "IGEM\Gast" knowingly for this setup. It also doesn't appear in the initial switch RADIUS packet.

Question: Does anybody have experience with MS IAS and web authentication in combination? Any hint why this is failing?

Thanks

Toni

The initial switch RADIUS packet you show in the first attachment is for the automatic mac check that is performed (in case this is a printer or non-browser device). This would not have any effect on the subsequent Web Authentication. It doesn't look like Web-Auth is being triggered at all. Can you post your config? There might be something wrong with your device tracking or ip admission config. Also, what url are you typing into the browser? At least so far, I don't see any evidence that IAS is causing the problem.

Shelly

Shelly

I just don't get why there is an automatic MAC check happening, we didn't configure the port to do so. Yes, we're running 802.1x port authentication next to that but that's not the case for port 20, where we're running the Web Authentication tests.

Please check the attached file for the config excerpt.

The IP tracking log output you've seen corresponds to ports that aren't enabled for Web Authentication; one additional thing I don't understand.

It doesn't matter what URL I type into the browser, it may either be a name or a random IP; I expect the Web Authentication process to intercept any kind of web traffic.

Regards

Toni

Hi, Toni.

The automatic MAC check happens by default if you're doing standalone web-auth (which you are on port 20). You don't configure it (alas, you can't even turn it of), it just happens.

As for your config, try enabling "ip http server".

I agree that Web-Auth should get triggered by name or ip. However, you have to configure it to do so. Before the authentication succeeds and the RADIUS server sends down the rest of the access-list, the port is completely controlled by port acl. The acl on your port as it stands will drop all dns traffic, so the browser won't be able to resolve any fqdns. Hence, I suggested adding the line for dns.

Hope that helps,

Shelly

Hi Shelly

Your input helped me to get closer to the solution. Meanwhile, I solved the problem and web authentication works now.

I had to take care of three things:

1. The customer had an access-class sitting on the http server that filtered source addresses very restricively. In order to allow every possible source address to be able to web authenticate, we had to remove the ACL.

2. The customer used 'ip http secure-server', which prevents triggering web authentication through normal port 80 traffic. We kept this feature running for security reasons but with the hint in mind to trigger web authentication only through 443.

3. We finally figured out how to pass on the AV pairs 'priv-lvl=15' and

'proxyacl#1=permit ip any any' from Microsoft IAS to the switch.

Thanks for your help once again!

Toni

No, even my Cisco Sale Eng. has given up. If you manage to make this work, tell me !

Can you post your config and the output of debug radius authentication when you attempt web-auth?

This is the config and the debug radius/aaa auth/aaa acct as I attempt logins on both Fa1/0/11 and Fa1/0/12. Port Fa1/0/12 has no ACL attached to it. My username is "vishnu"

Have you configured the ACS to send the AV-Pairs down with the Access-Accept? I don't see them in the Radius debug. You need priv-lvl=15 and an proxyacl that will open up the port (since the original access-group restricted the traffic).

You configure the AV pairs in either User Setup or Group Setup on the ACS. I've attached a screenshot.

Hope that helps,

Shelly