
Web Authentication Catalyst 2960

Hi,

I am trying to configure fallback Web Authentication on a catalyst 2960 switch. The goal is to authenticate clients via web authentication who are not 802.1x compliant (the 802.1x part is working fine) and allow them restricted access to the network. The problem is that the web authentication seems to fail.

The equipment regarding my question: a Catalyst 2960 switch (version 122-37.SE) and FreeRADIUS.

Here's what happens:

The authentication window pops up in my browser and the Access-Request is sent to the RADIUS.

The RADIUS in turn responds with an Access-Accept. The debugs running on the switch show that all this information arrives correctly at the switch: the Authentication debug outputs a 'status = PASS' and the Authorization debug outputs a 'status = PASS_ADD'. In spite of this, the browser on the client outputs an 'Authentication failed' message.

I've read the manual, and the Cisco attribute-value pairs 'priv-lvl=15' and 'proxyacl ...' were mentioned. Are these mandatory for it to work, since I'm not configuring any switch login authentication via RADIUS?

Any suggestions?

Thanks in advance

Accepted Solution

jafrazie
Cisco Employee

Yes, they are mandatory.

If priv-lvl=15 is not returned to the switch, the user will see 'Authentication Failed' and the access-list will not be applied. If the source field in the proxyacl statements is not 'any' or there are other syntax errors, the user will see 'Authentication Successful' but the access-list will not be applied and the user will be denied access to the network.

Not sure about the specific FreeRADIUS config, but you need to set up the [026\009\001] cisco-av-pair VSA. It would look something like:

priv-lvl=15

proxyacl#10=permit ip any any

Let me know if this gets you squared away,

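As an added example (not from this thread, and not FreeRADIUS or Cisco code), the following Python encodes and decodes the cisco-av-pair VSA named above, i.e. RADIUS Vendor-Specific attribute 26 carrying vendor id 9 and vendor sub-type 1 as in RFC 2865, and then applies the two rules from this answer to whatever av-pairs a reply carries. The sample replies are constructed, and reading the "source field" as the third token of a `permit <proto> <src> <dst>` entry is an assumption.

```python
import struct

CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific attribute type
CISCO_AVPAIR = 1             # vendor sub-type 1 = cisco-av-pair ("[026\009\001]")


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one cisco-av-pair string as a Vendor-Specific RADIUS attribute."""
    data = value.encode()
    # Vendor payload: vendor-type (1 byte) | vendor-length (1 byte) | string
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    # Outer attribute: type (1) | length (1) | vendor-id (4) | vendor payload
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_cisco_avpairs(attrs: bytes) -> list:
    """Walk a RADIUS attribute blob and return every cisco-av-pair value in it."""
    pairs, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            vtype, vlen = attrs[pos + 6], attrs[pos + 7]
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                pairs.append(attrs[pos + 8:pos + 6 + vlen].decode())
        pos += alen
    return pairs


def check_webauth_reply(pairs: list) -> dict:
    """Predict what the web-auth client sees, per the two rules in the answer above."""
    has_priv = "priv-lvl=15" in pairs
    acls = [p for p in pairs if p.startswith("proxyacl#")]
    acl_ok = bool(acls)
    for entry in acls:
        fields = entry.split("=", 1)[1].split()       # e.g. ['permit','ip','any','any']
        if len(fields) < 4 or fields[2] != "any":     # assumed: source is the 3rd token
            acl_ok = False
    return {
        "client_sees": "Authentication Successful" if has_priv else "Authentication Failed",
        "acl_applied": has_priv and acl_ok,
    }


if __name__ == "__main__":
    # Constructed Access-Accept attribute blob matching the answer's two av-pairs
    blob = encode_cisco_avpair("priv-lvl=15") + encode_cisco_avpair("proxyacl#10=permit ip any any")
    print(check_webauth_reply(decode_cisco_avpairs(blob)))
```

Dropping the priv-lvl pair from the blob reproduces the 'Authentication Failed' case from the question, and a proxyacl whose source is a subnet rather than `any` reproduces the 'successful but no access' case.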

It works! Thank you very much!

After getting the syntax right for sending multiple av-pair attributes with FreeRADIUS, it worked immediately.
