02-09-2012 12:22 AM - edited 03-10-2019 06:48 PM
Hello,
I'm pretty sure it won't be possible to do what I want to do, but I thought I'd ask the experts anyway...
We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. This all works great.
However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test user PCs over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find any way to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.
In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this?
Is the answer to configure port-based authentication (802.1X) on the switch?
Thanks,
James.
02-09-2012 09:33 AM
02-09-2012 10:55 AM
Hi,
Thanks for the response. This looks to be only configurable on a Cisco switch - is there any way to configure Web Based Authentication on a Cisco 2911 router?
NB. We have non-Cisco switches in our LAB, but I may be able to get hold of some if needed...
Thanks,
James.
02-09-2012 11:17 AM
Hello James,
I have not had a chance to look for the Router configuration document, however, for one of my certificate exams I did configure Authentication Proxy on an IOS router. The config for that lab was:
! AAA: login authentication and auth-proxy authorization against TACACS+, local fallback
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+ local
!
aaa session-id common
! Auth-proxy rule: intercept HTTP, age the cache entry out after 60 minutes idle
ip auth-proxy name AUTHPROXY http inactivity-time 60
!
! Outside (NAT) interface towards the resources the authenticated users reach
interface FastEthernet0/0
 ip address 192.168.250.19 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Inside interface: ACL 110 applied inbound, auth-proxy rule attached here
interface FastEthernet0/1
 ip address 192.168.200.120 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip virtual-reassembly
 ip auth-proxy AUTHPROXY
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.250.1
! The HTTP server must be on: auth-proxy serves its login page from the router
ip http server
ip http authentication aaa
no ip http secure-server
!
ip nat inside source list nat interface FastEthernet0/0 overload
!
ip access-list extended nat
 permit ip 192.168.200.0 0.0.0.255 any
access-list 110 permit ip any any
!
tacacs-server host 192.168.250.20
tacacs-server key cisco123
end
Please check if the commands are supported on your router as well.
If this was helpful please rate.
Regards.
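Since the original poster's AAA server is RADIUS rather than TACACS+, here is the server-side piece the reply above leaves out, as an added example that is not part of any post in the thread: a FreeRADIUS users-file entry returning the Cisco AV pairs that IOS auth-proxy expects, which on the 2911 pairs with `aaa authorization auth-proxy default group radius` in place of the `group tacacs+` line. The user name, password and web-server address are constructed placeholders.

```text
# Constructed FreeRADIUS "users" entry (example only, not from the thread).
# When the router's auth-proxy login page authenticates "james", these reply
# attributes come back to the 2911 and are installed as dynamic ACL entries
# for that host. "auth-proxy:priv-lvl=15" is required for the session to be
# accepted as an auth-proxy session. In each proxyacl entry the source must
# be "any"; the router substitutes the authenticated host's address, so only
# the single web server (placeholder 192.0.2.10) is opened for that user and
# the inbound interface ACL can stay restrictive for everything else.
james   Cleartext-Password := "ChangeMe-Lab-Only"
        Cisco-AVPair += "auth-proxy:priv-lvl=15",
        Cisco-AVPair += "auth-proxy:proxyacl#1=permit tcp any host 192.0.2.10 eq 80",
        Cisco-AVPair += "auth-proxy:proxyacl#2=permit tcp any host 192.0.2.10 eq 443"
```

On the router side the RADIUS server itself is defined with `radius-server host <address> key <shared-secret>`, and the dynamic entries can be inspected with `show ip auth-proxy cache` after a successful login.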