About web authentication.

Answered Question

I want to configure a switch port for IEEE 802.1x authentication with web authentication as a fallback method.

Can someone provide a valid configuration example?

Only web authentication doesn't work!

Switch#sh run
Building configuration...

Current configuration : 3012 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
aaa new-model
aaa authentication login default group radius
aaa authentication login line-con none
aaa authentication dot1x default group radius
aaa authorization auth-proxy default group radius
!
aaa session-id common
switch 1 provision ws-c3750-48p
system mtu routing 1500
ip subnet-zero
ip domain-name cisco.com
ip admission name rule1 proxy http
!
!
!
!
dot1x system-auth-control
!
!
!
!
!
!
fallback profile fallback
 ip access-group policy1 in
 ip admission rule1
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet1/0/1
 switchport access vlan 142
 switchport mode access
!
interface FastEthernet1/0/47
 switchport access vlan 142
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x fallback fallback
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan142
 ip address 10.1.254.1 255.255.255.0
!
ip classless
!
ip access-list extended policy1
 permit udp any any eq bootps
 deny ip any any log
!
radius-server attribute 8 include-in-access-req
radius-server host 10.1.254.187 auth-port 1645 acct-port 1646 key secret
radius-server source-ports 1645-1646
radius-server vsa send authentication
!
control-plane
!
!
line con 0
line vty 5 15
!
end

Correct Answer
scadora Fri, 09/07/2007 - 08:12

Try adding this:

ip device tracking

Also, if you want your web-auth users to be able to use DNS to resolve URLs, you probably want to add something like this to policy1:

permit udp any any eq domain

Remember you'll have to wait until 802.1X times out (90 sec by default) for Web-Auth to kick in.

Shelly
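
The points raised in this answer, turned into a small lint for an IOS running-config. This is an added example, not part of the original thread or any Cisco tool. `check_webauth_fallback` and the trimmed sample are constructed for illustration, and the ACL checks match only the exact `permit udp any any eq ...` form used in the thread.

```python
import re
# Constructed sample: trimmed from the configuration posted in the question.
SAMPLE = """\
ip admission name rule1 proxy http
fallback profile fallback
 ip access-group policy1 in
 ip admission rule1
interface FastEthernet1/0/47
 dot1x fallback fallback
ip access-list extended policy1
 permit udp any any eq bootps
 deny ip any any log
"""

def parse(config):
    """Top-level lines, plus the indented sub-commands under each one."""
    top, blocks = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            continue
        if raw[0].isspace() and top:
            blocks[top[-1]].append(line)
        else:
            top.append(line)
            blocks[line] = []
    return top, blocks

def child_arg(children, pattern):
    """First capture group of the first sub-command matching pattern, else None."""
    return next((m.group(1) for c in children if (m := re.fullmatch(pattern, c))), None)

def check_webauth_fallback(config):
    """List what a port using 'dot1x fallback' is missing (exact-string checks only)."""
    top, blocks = parse(config)
    findings = [] if "ip device tracking" in top else ["missing global 'ip device tracking'"]
    for header, children in blocks.items():
        profile = child_arg(children, r"dot1x fallback (\S+)")
        if not (header.startswith("interface ") and profile):
            continue
        prof = blocks.get(f"fallback profile {profile}", [])
        rule = child_arg(prof, r"ip admission (\S+)")
        if rule is None or f"ip admission name {rule} proxy http" not in top:
            findings.append(f"{header}: no 'proxy http' admission rule via profile '{profile}'")
        acl = child_arg(prof, r"ip access-group (\S+) in")
        entries = blocks.get(f"ip access-list extended {acl}", [])
        for port, why in (("bootps", "DHCP"), ("domain", "DNS")):
            if f"permit udp any any eq {port}" not in entries:
                findings.append(f"ACL '{acl}': no permit for {why} (udp eq {port})")
    return findings
```

Run against the sample, it reports the two gaps named in the answer; with both lines added it returns an empty list.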

scadora Mon, 09/10/2007 - 07:03

Hi, Andrea.

Unfortunately, personalization is not currently supported. But tell your Cisco account team you want it! They should advocate for you.

Shelly
