RADIUS: Authenticate LAN Users via Cisco 2911

jsrod
Level 1

Hello,

I'm pretty sure it won't be possible to do what I want to do, but I thought I'd ask the experts anyway...

We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. This all works great.

However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test user PCs over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find any way to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.

In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this?

Is the answer to configure port-based authentication (802.1X) on the switch?

Thanks,

James.

3 Replies

camejia
Level 3

Hello,

You might want to check the IOS feature called "Web-based Authentication". I am attaching the .pdf configuration guide.

If this was helpful please rate.

Regards.

Hi,

Thanks for the response. This looks to be only configurable on a Cisco switch - is there any way to configure Web Based Authentication on a Cisco 2911 router?

NB. We have non-Cisco switches in our LAB, but I may be able to get hold of some if needed...

Thanks,

James.

Hello James,

I have not had a chance to look for the Router configuration document, however, for one of my certificate exams I did configure Authentication Proxy on an IOS router. The config for that lab was:

aaa new-model
!
! Router logins and auth-proxy authorization both go to the TACACS+ server, with local fallback
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+ local
!
aaa session-id common
!
! Auth-proxy rule: intercept HTTP and prompt for credentials; idle entries expire after 60 minutes
ip auth-proxy name AUTHPROXY http inactivity-time 60
!
interface FastEthernet0/0
 ip address 192.168.250.19 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! User-facing interface: inbound ACL 110 plus the auth-proxy rule applied to it
interface FastEthernet0/1
 ip address 192.168.200.120 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip virtual-reassembly
 ip auth-proxy AUTHPROXY
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.250.1
!
! The router's HTTP server serves the login page and must authenticate through AAA
ip http server
ip http authentication aaa
no ip http secure-server
!
ip nat inside source list nat interface FastEthernet0/0 overload
!
ip access-list extended nat
 permit ip 192.168.200.0 0.0.0.255 any
!
access-list 110 permit ip any any
!
tacacs-server host 192.168.250.20
tacacs-server key cisco123
end

Please check if the commands are supported on your router as well.

If this was helpful please rate.

Regards.
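The lab config above authenticates against TACACS+ and permits everything in ACL 110; the question was about an existing RADIUS server. The following is an added example, not camejia's config or Cisco's own documentation, showing the same auth-proxy feature pointed at RADIUS with a default-deny interface ACL, so a user on the simulated VLAN can reach nothing but the login page until RADIUS vouches for them. Everything below the first comment block is an assumption: a 2911 whose GigabitEthernet0/1 faces the test "user" VLAN 10.10.10.0/24, a RADIUS server at 10.10.10.20, a web server at 10.10.20.80 behind GigabitEthernet0/2, and a placeholder shared secret. The exact ACL shape that triggers interception should be confirmed on the router's own IOS release with the show commands in the note after the block.

```ios
! Added example (hypothetical addressing, placeholder secret): IOS auth-proxy with RADIUS.
! Assumed: Gi0/1 = simulated remote-user VLAN 10.10.10.0/24 (router 10.10.10.1),
!          RADIUS server 10.10.10.20, protected web server 10.10.20.80 behind Gi0/2.
aaa new-model
!
! Router logins fall back to "local" so a dead RADIUS server does not lock you out of the CLI.
! Auth-proxy authorization has no local fallback: only RADIUS can return the per-user ACL.
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa session-id common
!
! Older host-style syntax, still accepted on 15.x; newer images prefer a "radius server NAME" block.
radius-server host 10.10.10.20 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
!
! Intercept HTTP on the user interface. Idle sessions are dropped after 30 minutes and
! absolute-timer caps any session at 4 hours even if it stays busy.
ip auth-proxy name USERAUTH http inactivity-time 30 absolute-timer 240
!
! The router's HTTP server hands out the login form and must authenticate through AAA.
! secure-server keeps the submitted credentials off the wire in cleartext (needs a crypto image).
ip http server
ip http authentication aaa
ip http secure-server
!
interface GigabitEthernet0/1
 description Simulated remote-user VLAN (assumed)
 ip address 10.10.10.1 255.255.255.0
 ip access-group 120 in
 ip auth-proxy USERAUTH
!
interface GigabitEthernet0/2
 description Web server segment (assumed)
 ip address 10.10.20.1 255.255.255.0
!
! Default deny from the user VLAN. Only DNS and the router's own login page are reachable
! before authentication. The permit for the web server is deliberately absent: RADIUS
! returns it per user as an auth-proxy AV pair and the router inserts it dynamically.
access-list 120 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq www
access-list 120 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 443
access-list 120 permit udp 10.10.10.0 0.0.0.255 any eq domain
access-list 120 deny   ip any any log
!
! RADIUS side (user profile on the RADIUS server, Cisco VSA cisco-avpair), for reference:
!   Service-Type = Outbound
!   cisco-avpair = "auth-proxy:priv-lvl=15"
!   cisco-avpair = "auth-proxy:proxyacl#1=permit tcp any host 10.10.20.80 eq www"
end
```

After a test PC logs in, `show ip auth-proxy cache` lists the authenticated host and its timers, and `show ip access-lists 120` shows the dynamically inserted entry from the proxyacl pair above the static lines; `clear ip auth-proxy cache *` forces re-authentication when changing the RADIUS profile. The `log` keyword on the final deny gives a syslog trail of pre-authentication attempts, which is the closest LAN equivalent to the per-call record the ISDN setup produces.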
