About web authentication.

andrea.meconi
Level 2

I want to configure a switch port for IEEE 802.1x authentication with web authentication as a fallback method.

Can someone provide a valid configuration example?

Only web authentication doesn't work!

Switch#sh run
Building configuration...

Current configuration : 3012 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
aaa new-model
aaa authentication login default group radius
aaa authentication login line-con none
aaa authentication dot1x default group radius
aaa authorization auth-proxy default group radius
!
aaa session-id common
switch 1 provision ws-c3750-48p
system mtu routing 1500
ip subnet-zero
ip domain-name cisco.com
ip admission name rule1 proxy http
!
!
!
!
dot1x system-auth-control
!
!
!
!
!
!
fallback profile fallback
 ip access-group policy1 in
 ip admission rule1
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet1/0/1
 switchport access vlan 142
 switchport mode access
!
interface FastEthernet1/0/47
 switchport access vlan 142
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x fallback fallback
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan142
 ip address 10.1.254.1 255.255.255.0
!
ip classless
!
ip access-list extended policy1
 permit udp any any eq bootps
 deny ip any any log
!
radius-server attribute 8 include-in-access-req
radius-server host 10.1.254.187 auth-port 1645 acct-port 1646 key secret
radius-server source-ports 1645-1646
radius-server vsa send authentication
!
control-plane
!
!
line con 0
line vty 5 15
!
end

1 Accepted Solution


scadora
Cisco Employee

Try adding this:

ip device tracking

Also, if you want your web-auth users to be able to use DNS to resolve URLs, you probably want to add something like this to policy1:

permit udp any any eq domain

Remember you'll have to wait until 802.1X times out (90 sec by default) for Web-Auth to kick in.

Shelly
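
The items raised in the reply above, written as a small audit over a saved running-config. This is an added example, not part of the original thread and not Cisco code: the function names and the trimmed sample config are constructed, and it assumes sub-commands are indented as in normal `show running-config` output.

```python
import re

# Constructed sample: web-auth lines of the posted config, sub-commands indented.
SAMPLE_CONFIG = """\
ip admission name rule1 proxy http
fallback profile fallback
 ip access-group policy1 in
 ip admission rule1
interface FastEthernet1/0/47
 dot1x port-control auto
 dot1x fallback fallback
ip access-list extended policy1
 permit udp any any eq bootps
 deny ip any any log
"""

def sections(config):
    """Map each top-level line to the indented sub-commands beneath it."""
    out, current = {}, None
    for line in (l for l in config.splitlines() if l.strip() not in ("", "!")):
        if line[0].isspace() and current is not None:
            out[current].append(line.strip())
        else:
            current = line.strip()
            out.setdefault(current, [])
    return out

def audit_webauth_fallback(config):
    """Return findings for the fallback web-auth items raised in the thread."""
    sec, findings = sections(config), []
    if "ip device tracking" not in sec:
        findings.append("global: 'ip device tracking' is missing")
    for head in (h for h in sec if h.startswith("interface ")):
        for name in re.findall(r"^dot1x fallback (\S+)$", "\n".join(sec[head]), re.M):
            profile = sec.get(f"fallback profile {name}")
            if profile is None:
                findings.append(f"{head}: fallback profile '{name}' is not defined")
                continue
            text = "\n".join(profile)
            for rule in re.findall(r"^ip admission (\S+)$", text, re.M):
                if f"ip admission name {rule} proxy http" not in sec:
                    findings.append(f"{head}: admission rule '{rule}' is not defined")
            for acl in re.findall(r"^ip access-group (\S+) in$", text, re.M):
                aces = sec.get(f"ip access-list extended {acl}")
                if aces is None:
                    findings.append(f"{head}: ACL '{acl}' is not defined")
                elif "permit udp any any eq domain" not in aces:
                    findings.append(f"{head}: ACL '{acl}' has no DNS permit")
    return findings
```

The DNS check only looks for the presence of the permit line in the ACL; it does not verify that the line sits ahead of the final deny.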


Many thanks for your help Shelly!

Do you know how to personalize the authentication proxy login page?

Regards,

Andrea.

Shelly,

If you want, you can use the "ip admission auth-proxy-banner" command to add a banner.

Bye.

Andrea.

Sounds good to me!

Shelly

Hi, Andrea.

Unfortunately, personalization is not currently supported. But tell your Cisco account team you want it! They should advocate for you.

Shelly
