01-31-2007 05:30 PM - edited 03-10-2019 02:57 PM
Hi, I'm using Catalyst 3750s and Cisco ACS 4.1 to authenticate clients, but I need help. The docs tell how to configure basic web auth on ports, but I need more details as I'm very new to this. For example, do I need an external webserver to serve the login page? Does anyone have an example of a login page code/script to share? How do I configure the web redirection?
I'll appreciate any help. Thanks.
01-31-2007 09:37 PM
You don't need an external webserver and you don't need to configure redirection. When you configure web auth, the 3750 itself acts as a webserver and presents a default login page to the end user to enter his/her credentials.
Hope that helps.
Shelly
02-01-2007 02:03 AM
Thanks. I'll try it and see. Wish me luck.
02-01-2007 04:51 AM
OK, I may not have explained myself properly. This is required to give clients Internet access, but only if they authenticate first against a RADIUS server (the ACS). Not all clients will have 802.1X clients, so I am considering the web authentication method. So when a client connects his laptop to the switch via Ethernet he gets an IP address via DHCP, but then needs to authenticate against a RADIUS server before he can get access to the Internet.
I have configured as per the directions in the documentation. I am getting the IP address via DHCP, but when I launch a browser nothing happens (I am of the opinion that I should get some default login page). The only login page I get is if I point my browser to the switch IP address, but this only grants me access to the switch itself. This is my config:
aaa new-model
aaa authentication login default local group radius
aaa authorization network default local group radius
aaa authorization auth-proxy default group radius
!
aaa session-id common
switch 1 provision ws-c3750-24ts
system mtu routing 1500
ip subnet-zero
ip routing
ip admission name cwc2007 proxy http
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool cwc2007
network 192.168.10.0 255.255.255.0
dns-server 196.3.132.1 196.3.132.4
default-router 192.168.10.1
domain-name tstt.net.tt
!
ip device tracking
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet1/0/1
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/2
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/3
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/4
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/5
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/6
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/7
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/8
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/9
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/10
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/11
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/12
switchport access vlan 10
switchport mode access
ip admission cwc2007
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
switchport access vlan 101
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
!
interface Vlan100
ip address 10.1.1.3 255.255.255.0
!
interface Vlan101
ip address 201.238.75.157 255.255.255.252
!
!
ip classless
ip http server
ip http secure-server
!
!
!
radius-server attribute 8 include-in-access-req
radius-server host 192.168.1.60 auth-port 1645 acct-port 1646 key ****
radius-server source-ports 1645-1646
radius-server vsa send authentication
!
control-plane
!
Maybe I am missing an ACL or something?
02-01-2007 07:56 AM
Right, you need an ACL. Otherwise all traffic is allowed through the port and not intercepted for web auth. Try adding something like this:
ip access-list extended POLICY1
permit udp any any eq bootps
deny ip any any log
interface FastEthernet1/0/1
ip access-group POLICY1 in
switchport access vlan 10
switchport mode access
ip admission cwc2007
...etc
Hope that helps.
Shelly
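A config audit for the gap Shelly points out, added here as an example and not code from the thread: it parses a constructed excerpt of the poster's config (Shelly's ACL applied to FastEthernet1/0/1 only) and lists every port that has ip admission applied without a defined inbound ACL, which is exactly the state in which no traffic is intercepted for web auth.

```python
import re

# Constructed sample: excerpt of the thread's config with Shelly's ACL applied
# to FastEthernet1/0/1 only, so 1/0/2 still has the gap the thread describes.
SAMPLE_CONFIG = """\
ip admission name cwc2007 proxy http
ip access-list extended POLICY1
 permit udp any any eq bootps
 deny ip any any log
!
interface FastEthernet1/0/1
 ip access-group POLICY1 in
 ip admission cwc2007
!
interface FastEthernet1/0/2
 ip admission cwc2007
!
"""

def parse_interfaces(config):
    """Map interface name -> {'admission': policy or None, 'acl_in': ACL or None}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = {"admission": None, "acl_in": None}
        elif line.startswith("!"):
            current = None  # end of the interface stanza
        elif current and line.startswith("ip admission "):
            interfaces[current]["admission"] = line.split()[2]
        elif current and line.startswith("ip access-group ") and line.endswith(" in"):
            interfaces[current]["acl_in"] = line.split()[2]
    return interfaces

def defined_acls(config):
    """Names of extended ACLs actually defined, so a misspelled ACL name is caught too."""
    return set(re.findall(r"^ip access-list extended (\S+)", config, re.M))

def unguarded_webauth_ports(config):
    """Ports running ip admission with no defined inbound ACL: nothing is intercepted."""
    acls = defined_acls(config)
    return sorted(name for name, d in parse_interfaces(config).items()
                  if d["admission"] and d["acl_in"] not in acls)

if __name__ == "__main__":
    for port in unguarded_webauth_ports(SAMPLE_CONFIG):
        print(f"{port}: ip admission without intercept ACL")
```

Run it against a full `show running-config` dump to confirm every access port with ip admission also carries the inbound ACL before expecting the login page to appear.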