Web Auth on Catalyst 3750

Jan 31st, 2007

Hi, I'm using Catalyst 3750s and Cisco ACS 4.1 to authenticate clients, but I need help. The docs tell how to configure basic web auth on ports, but I need more details as I'm very new to this. For example, do I need an external webserver to serve the login page? Does anyone have an example login page (code/script) to share? How do I configure the web redirection?

I'd appreciate any help. Thanks.

scadora Wed, 01/31/2007 - 21:37

You don't need an external webserver and you don't need to configure redirection. When you configure web auth, the 3750 itself acts as a webserver and presents a default login page to the end user to enter his/her credentials.

Hope that helps.

Shelly

vjokhoo Thu, 02/01/2007 - 04:51

Ok, I may not have explained myself properly. This is required to give clients Internet access, but only if they authenticate first against a RADIUS server (the ACS). Not all clients will have 802.1x clients, so I am considering the web authentication method. So when a client connects his laptop to the switch via Ethernet, he gets an IP address via DHCP but then needs to authenticate against a RADIUS server before he can get access to the Internet.

I have configured as per the directions in the documentation. I am getting the IP address via DHCP, but when I launch a browser nothing happens (I am of the opinion that I should get some default login page). The only login page I get is if I point my browser to the switch IP address, but this only grants me access to the switch itself. This is my config:

aaa new-model
aaa authentication login default local group radius
aaa authorization network default local group radius
aaa authorization auth-proxy default group radius
!
aaa session-id common
switch 1 provision ws-c3750-24ts
system mtu routing 1500
ip subnet-zero
ip routing
ip admission name cwc2007 proxy http
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool cwc2007
 network 192.168.10.0 255.255.255.0
 dns-server 196.3.132.1 196.3.132.4
 default-router 192.168.10.1
 domain-name tstt.net.tt
!
ip device tracking
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/3
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/4
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/5
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/6
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/7
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/8
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/9
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/10
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/11
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/12
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
 switchport access vlan 101
 switchport mode access
!
interface FastEthernet1/0/24
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan100
 ip address 10.1.1.3 255.255.255.0
!
interface Vlan101
 ip address 201.238.75.157 255.255.255.252
!
ip classless
ip http server
ip http secure-server
!
radius-server attribute 8 include-in-access-req
radius-server host 192.168.1.60 auth-port 1645 acct-port 1646 key ****
radius-server source-ports 1645-1646
radius-server vsa send authentication
!
control-plane
!

Maybe I am missing an ACL or something?

scadora Thu, 02/01/2007 - 07:56

Right, you need an ACL. Otherwise all traffic is allowed through the port and not intercepted for web auth. Try adding something like this:

ip access-list extended POLICY1
 permit udp any any eq bootps
 deny ip any any log

interface FastEthernet1/0/1
 ip access-group POLICY1 in
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
...etc

Hope that helps.

Shelly
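As an added example, not code from this thread or from Cisco, here is a small Python audit script that encodes the point of the reply above: on a 3750, `ip admission` only intercepts HTTP that the inbound port ACL would otherwise deny, so a web-auth port with no ACL (or an ACL that permits everything) never shows the login page. The script parses a running-config, finds every port carrying `ip admission`, and flags a missing, undefined or wide-open ACL, plus an ACL that drops the client's DHCP. It also warns when the pre-auth ACL drops DNS; that check is my own addition beyond the reply: with only `bootps` permitted, the client cannot resolve a hostname before it authenticates, so the login page is only triggered by browsing to an IP address. The two sample configs are constructed from the posted config (interface, VLAN, ACL and admission names come from the thread); the second one adds a `permit udp any any eq domain` line that is my assumption of a sensible pre-auth policy, not something the thread states.

```python
import re

# Constructed sample: a trimmed copy of the configuration posted in the thread,
# with ip admission on the access port but no port ACL.
CONFIG_POSTED = """\
ip admission name cwc2007 proxy http
!
interface FastEthernet1/0/1
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/23
switchport access vlan 101
switchport mode access
!
"""

# Constructed sample: the same port with the ACL from the reply applied inbound,
# plus a DNS permit (my addition, so the client can resolve the site it browses to).
CONFIG_FIXED = """\
ip admission name cwc2007 proxy http
!
ip access-list extended POLICY1
 permit udp any any eq bootps
 permit udp any any eq domain
 deny ip any any log
!
interface FastEthernet1/0/1
 ip access-group POLICY1 in
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
"""

def parse_config(text):
    """Return ({acl_name: [entries]}, {interface: [commands]}). Sections end at
    a '!' line, so the parser does not depend on the indentation pasted configs lose."""
    acls, intfs, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = intfs.setdefault(m.group(1), [])
            continue
        if current is not None:
            current.append(line)
    return acls, intfs

def _permits(acl, proto, port):
    """True if the ACL has a 'permit <proto> ... eq <port>' entry."""
    return any(len(t) > 2 and t[0] == "permit" and t[1] == proto
               and t[-2:] == ["eq", port] for t in (e.split() for e in acl))

def audit_webauth(text):
    """Return (interface, level, message) findings for every ip-admission port."""
    acls, intfs = parse_config(text)
    findings = []
    for name, cmds in intfs.items():
        if not any(c.startswith("ip admission ") for c in cmds):
            continue  # not a web-auth port
        groups = [c.split()[2] for c in cmds
                  if re.match(r"ip access-group \S+ in$", c)]
        if not groups:
            findings.append((name, "ERROR", "ip admission without an inbound "
                             "ip access-group: HTTP is forwarded, not intercepted"))
            continue
        acl = acls.get(groups[0])
        if acl is None:
            findings.append((name, "ERROR", f"ACL {groups[0]} is not defined"))
            continue
        if any(e.split()[:4] == ["permit", "ip", "any", "any"] for e in acl):
            findings.append((name, "ERROR", f"ACL {groups[0]} permits ip any any: "
                             "HTTP is never denied, so it is never intercepted"))
        if not _permits(acl, "udp", "bootps"):
            findings.append((name, "ERROR", f"ACL {groups[0]} drops DHCP (udp "
                             "bootps): the client never gets an address"))
        if not _permits(acl, "udp", "domain"):
            findings.append((name, "WARN", f"ACL {groups[0]} drops DNS (udp domain): "
                             "the login page only appears when browsing to an IP"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", CONFIG_POSTED), ("fixed", CONFIG_FIXED)):
        print(label, audit_webauth(cfg) or "no findings")
```

Run it as-is and the posted config yields one ERROR for FastEthernet1/0/1 (admission port with no ACL) while the fixed config is clean; feed it `show running-config` output saved to a file to audit a real switch. On the switch itself, `show ip admission cache` lists the sessions the switch has actually intercepted, which is the quickest way to confirm the ACL change took effect.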
