I am trying to configure fallback Web Authentication on a Catalyst 2960 switch. The goal is to authenticate clients via web authentication who are not 802.1x compliant (the 802.1x part is working fine) and allow them restricted access to the network. The problem is that the web authentication seems to fail.
The equipment regarding my question: Catalyst 2960 switch (version: 122-37.SE) and a FreeRADIUS.
Here's what happens:
The authentication window pops up in my browser and the Access-Request is sent to the RADIUS.
The RADIUS in turn responds with an Access-Accept. The debugs running on the switch show that all this information arrives correctly at the switch and the Authentication debug outputs a 'status = PASS' and the Authorization debug outputs a 'status = PASS_ADD'. In spite of this the browser on the client outputs an 'Authentication failed' message.
I've read the manual and the Cisco attribute-value pairs were mentioned: 'priv-lvl=15' and 'proxyacl ...'. Are these mandatory for it to work? Since I'm not configuring any switch login authentication via RADIUS.
Any suggestions?
Thanks in advance
Yes, they are mandatory.
If priv-lvl=15 is not returned to the switch, the user will see "Authentication Failed" and the access-list will not be applied. If the source field in the proxyacl statements is not "any" or there are other syntax errors, the user will see "Authentication Successful" but the access-list will not be applied and the user will be denied access to the network.
Not sure about the specific FreeRADIUS config, but you need to set up the "[026\009\001] cisco-av-pair" VSA. It would look something like:
proxyacl#10=permit ip any any
Let me know if this gets you squared away,
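
As an added example that is not part of the original posts: a small Python check that takes the cisco-av-pair values a RADIUS reply would carry and predicts which of the outcomes described in the answer above applies. The function name, the outcome labels and the simplified proxyacl grammar (action, protocol, source, destination) are assumptions made for illustration.

```python
import re

# Assumed, simplified grammar for one entry:
#   proxyacl#<n>=<permit|deny> <protocol> <source> <destination...>
PROXYACL = re.compile(r"^proxyacl#(\d+)=(permit|deny)\s+(\S+)\s+(\S+)\s+(\S.*)$")


def check_reply(av_pairs):
    """Return (outcome, problems) for a list of cisco-av-pair strings.

    Outcomes (labels are hypothetical):
      "auth-failed"     -> browser shows "Authentication Failed", no ACL applied
      "acl-not-applied" -> no usable ACL is applied, so the client is denied
      "ok"              -> priv-lvl=15 present and every proxyacl entry is valid
    """
    values = [v.strip() for v in av_pairs]
    problems = []

    # Without priv-lvl=15 the switch reports failure regardless of the ACL lines.
    if "priv-lvl=15" not in values:
        return "auth-failed", ["priv-lvl=15 missing from reply"]

    acl_lines = [v for v in values if v.startswith("proxyacl")]
    if not acl_lines:
        problems.append("no proxyacl entries returned")

    for line in acl_lines:
        match = PROXYACL.match(line)
        if not match:
            problems.append(f"syntax error: {line!r}")
            continue
        source = match.group(4)
        # The source field must be the literal keyword "any".
        if source != "any":
            problems.append(f"source is {source!r}, must be 'any': {line!r}")

    return ("acl-not-applied" if problems else "ok"), problems


if __name__ == "__main__":
    # Constructed sample replies, not captured from a real server.
    samples = [
        ["priv-lvl=15", "proxyacl#10=permit ip any any"],
        ["proxyacl#10=permit ip any any"],
        ["priv-lvl=15", "proxyacl#10=permit ip 10.0.0.5 any"],
    ]
    for reply in samples:
        print(reply, "->", check_reply(reply))
```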