Solved: Web authentication on switches for 802.1x incompatible clients

Jaroslav Straka · ‎04-03-2013

Hello all,

excuse my english, it's not my first language. I am trying to get to work Web-based authentication on Catalyst 2960 and 3560 for clients that don't support dot1x. I followed this guide. Here's the problem: Client (win7) joins the network, opens the web browser and tries to navigate to any http site. The switch forces him the "login" page in which he has to enter credentials. After the client enters credentials, the switch sends http 500 internal server error page and nothing happens. Doesn't matter if the credentials were correct or not. Also i checked radius logs for requests, the switch doesn't even ask radius.

Could anyone please help with this? Or suggest where should i look, what debug messages to watch etc. Thanks.

The configuration:

sh ip admission configuration

Authentication Proxy Banner not configured

Consent Banner is not configured

Authentication Proxy webpage

Login page : flash:login.htm

Success page : flash:success.htm

Fail page : flash:fail.htm

Login Expire page : flash:expired.htm

Authentication global cache time is 60 minutes

Authentication global absolute time is 0 minutes

Authentication global init state time is 2 minutes

Authentication Proxy Watch-list is disabled

Authentication Proxy Max HTTP process is 7

Authentication Proxy Rule Configuration

Auth-proxy name sdj

http list not specified inactivity-time 60 minutes

Authentication Proxy Auditing is disabled

Max Login attempts per user is 5

sh ru

aaa new-model

!

aaa authentication login default group radius local

aaa authentication dot1x default group radius

aaa authorization auth-proxy default group radius

!

ip device tracking

ip auth-proxy proxy http login expired page file flash:expired.htm

ip auth-proxy proxy http login page file flash:login.htm

ip auth-proxy proxy http success page file flash:success.htm

ip auth-proxy proxy http failure page file flash:fail.htm

ip admission proxy http login expired page file flash:expired.htm

ip admission proxy http login page file flash:login.htm

ip admission proxy http success page file flash:success.htm

ip admission proxy http failure page file flash:fail.htm

ip admission name sdj proxy http

!

radius-server dead-criteria tries 5

radius-server host xxxx auth-port 1812 acct-port 1813 key xxxxx

radius-server vsa send authentication

!

johnlloyd_13 · ‎04-04-2013

hi,

thanks for the config! kindly add:

aaa authentication login default group radius

aaa authorization auth-proxy default group radius

ip http authentication aaa

is your radius an ACS server?

View solution in original post

johnlloyd_13 · ‎04-03-2013

hi,

can your switch ping the radius server?

kindly run the below and post them here:

debug radius authentication

test aaa group radius server new-code

Jaroslav Straka · ‎04-03-2013

Hi, yes it can, although only in legacy mode:

CVT_SC_CVT_0#debug radius authentication

Radius protocol debugging is on

Radius protocol brief debugging is off

Radius protocol verbose debugging is off

Radius packet hex dump debugging is off

Radius packet protocol (authentication) debugging is on

Radius packet protocol (accounting) debugging is off

Radius elog debugging debugging is off

Radius packet retransmission debugging is off

Radius server fail-over debugging is off

Radius elog debugging debugging is off

CVT_SC_CVT_0#test aaa group radius server xxxx checkservice abc123 new-code

Unable to find specified server in group.

CVT_SC_CVT_0#test aaa group radius server xxxx checkservice abc123 legacy

Attempting authentication test to server-group radius using radius

User was successfully authenticated.

CVT_SC_CVT_0#test aaa group radius server xxxx checkservice wrongpassword legacy

Attempting authentication test to server-group radius using radius

User authentication request was rejected by server.

johnlloyd_13 · ‎04-03-2013

Ok so your switch can talk to radius. Have you applied the proxy rule on the switch ports?

Kindly post show run and remove sensitive data.

int fast x/x
ip admission NAME
authentication order webauth

Sent from Cisco Technical Support iPhone App

Jaroslav Straka · ‎04-03-2013

There it is, I've removed some sensitive data, unused interfaces and vlan info. I am trying this on int gi0/37. int gi0/48 is "input" to the switch. Cheers for the help!

For some reason this forum couldn't allow me to post it here, it says "This message can not be displayed due to its content. Please use the contact us link with any questions." So i had to post it here

http://pastebin.com/qDZeDsg9

johnlloyd_13 · ‎04-04-2013

hi,

thanks for the config! kindly add:

aaa authentication login default group radius

aaa authorization auth-proxy default group radius

ip http authentication aaa

is your radius an ACS server?

Jaroslav Straka · ‎04-04-2013

No i don't think so, it's just freeradius daemon on a linux host.

But thanks!

ip http authentication aaa did it, i need some more testing but at first sight it works as i imagined

That command is nowhere in the Configuring Web-Based Authentication guide on cisco.com though.