06-18-2007 03:42 AM - edited 03-10-2019 03:13 PM
Hi,
I am trying to configure fallback Web Authentication on a catalyst 2960 switch. The goal is to authenticate clients via web authentication who are not 802.1x compliant (the 802.1x part is working fine) and allow them restricted access to the network. The problem is that the web authentication seems to fail.
The equipment regarding my question : catalyst 2960 switch (version : 122-37.SE) and a FreeRadius.
Here's what happens :
The authentication window pops up in my browser and the Access-Request is sent to the RADIUS.
The RADIUS in turn responds with an Access-Accept. The debugs running on the switch show that all this information arrives correctly at the switch: the Authentication debug outputs a 'status = PASS' and the Authorization debug outputs a 'status = PASS_ADD'. In spite of this, the browser on the client outputs an 'Authentication failed' message.
I've read the manual and the Cisco attribute-value pairs 'priv-lvl=15' and 'proxyacl ...' were mentioned. Are these mandatory for it to work, given that I'm not configuring any switch login authentication via RADIUS?
Any suggestions?
Thanks in advance
06-18-2007 05:47 AM
Yes, they are mandatory.
If priv-lvl=15 is not returned to the switch, the user will see "Authentication Failed" and the access-list will not be applied. If the source field in the proxyacl statements is not "any" or there are other syntax errors, the user will see "Authentication Successful" but the access-list will not be applied and the user will be denied access to the network.
Not sure about the specific FreeRADIUS config, but you need to set up the [026\009\001] cisco-av-pair VSA. It would look something like:
priv-lvl=15
proxyacl#10=permit ip any any
Let me know if this gets you squared away,
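As an added, defender-side check that is not part of this thread: a small Python routine that applies the rules from the reply above to the set of cisco-av-pair strings a RADIUS Access-Accept would carry, and reports which symptom the user at the web-auth login page would see. The `permit <protocol> any <destination>` ACE layout it assumes comes from the Cisco web-auth documentation rather than from this thread, and the sample replies are constructed.

```python
import re

# Pattern for a proxy ACE as the switch expects it: proxyacl#<seq>=<ace>
PROXYACL_RE = re.compile(r"^proxyacl#(\d+)=(.+)$")


def check_webauth_avpairs(avpairs):
    """Check the cisco-av-pair strings a RADIUS Access-Accept would carry.

    Returns (ok, browser_symptom, problems), where browser_symptom is what
    the user at the web-auth login page would see, per the reply above.
    """
    problems = []
    # Without priv-lvl=15 the switch rejects the web-auth session outright.
    if "priv-lvl=15" not in avpairs:
        problems.append("priv-lvl=15 is missing")
        return False, "Authentication Failed", problems

    acls = [m for m in (PROXYACL_RE.match(p) for p in avpairs) if m]
    if not acls:
        # Assumed (not stated in the thread): no ACEs means nothing to apply.
        problems.append("no proxyacl# entries, so no access-list to apply")
    for m in acls:
        seq, ace = m.groups()
        fields = ace.split()
        # Assumed ACE layout from Cisco docs: permit <proto> any <dst ...>
        if len(fields) < 4 or fields[0] != "permit":
            problems.append(f"proxyacl#{seq}: malformed ACE '{ace}'")
        elif fields[2] != "any":
            problems.append(
                f"proxyacl#{seq}: source must be 'any', got '{fields[2]}'")
    if problems:
        # Login page reports success, but the ACL is not installed: no access.
        return False, "Authentication Successful (no access-list applied)", problems
    return True, "Authentication Successful", problems


# Constructed sample replies, one per outcome the answer describes.
SAMPLE_REPLIES = {
    "good": ["priv-lvl=15", "proxyacl#10=permit ip any any"],
    "no_privlvl": ["proxyacl#10=permit ip any any"],
    "bad_source": ["priv-lvl=15", "proxyacl#10=permit ip host 10.0.0.5 any"],
}

if __name__ == "__main__":
    for name, pairs in SAMPLE_REPLIES.items():
        ok, symptom, problems = check_webauth_avpairs(pairs)
        print(f"{name}: ok={ok}, browser shows '{symptom}', {problems}")
```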
06-18-2007 06:48 AM
It works! Thank you very much!
After getting the syntax right for sending multiple av-attributes with the FreeRadius it worked immediately.