09-07-2007 04:40 AM - edited 02-21-2020 10:19 AM
I want to configure a switch port for IEEE 802.1x authentication with web authentication as a fallback method.
Can someone provide a valid configuration example?
Only web authentication doesn't work!
Switch#sh run
Building configuration...
Current configuration : 3012 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
aaa new-model
aaa authentication login default group radius
aaa authentication login line-con none
aaa authentication dot1x default group radius
aaa authorization auth-proxy default group radius
!
aaa session-id common
switch 1 provision ws-c3750-48p
system mtu routing 1500
ip subnet-zero
ip domain-name cisco.com
ip admission name rule1 proxy http
!
!
!
!
dot1x system-auth-control
!
!
!
!
!
!
fallback profile fallback
ip access-group policy1 in
ip admission rule1
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface FastEthernet1/0/1
switchport access vlan 142
switchport mode access
!
interface FastEthernet1/0/47
switchport access vlan 142
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x fallback fallback
!
interface Vlan1
no ip address
shutdown
!
interface Vlan142
ip address 10.1.254.1 255.255.255.0
!
ip classless
!
ip access-list extended policy1
permit udp any any eq bootps
deny ip any any log
!
radius-server attribute 8 include-in-access-req
radius-server host 10.1.254.187 auth-port 1645 acct-port 1646 key secret
radius-server source-ports 1645-1646
radius-server vsa send authentication
!
control-plane
!
!
line con 0
line vty 5 15
!
end
09-07-2007 08:12 AM
Try adding this:
ip device tracking
Also, if you want your web-auth users to be able to use DNS to resolve URLs, you probably want to add something like this to policy1:
permit udp any any eq domain
Remember you'll have to wait until 802.1X times out (90 sec by default) for Web-Auth to kick in.
Shelly
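The fallback pieces from the posted configuration gathered in one place, with the two additions from the reply above, as an added example (not from the original thread). It spells out the default 802.1X timers behind the 90-second wait and shows the HTTP server, which web-auth relies on but which the original post does not display because defaults are not listed in a running-config.

```cisco
! Added example, not taken from the thread: 802.1X with web-auth fallback
! on the access port, including the two fixes suggested in the reply.
!
! Device tracking gives the switch the client's IP address, which web-auth
! needs to build the per-host policy; without it the login page never shows.
ip device tracking
!
! The switch serves the login page itself, so its HTTP server must be up
! (shown explicitly here; on the posted switch it may already be the default).
ip http server
!
! Pre-authentication ACL: DHCP so the host can get an address, and DNS so
! it can resolve the name of the site it tries to open before logging in.
ip access-list extended policy1
 permit udp any any eq bootps
 permit udp any any eq domain
 deny   ip any any log
!
ip admission name rule1 proxy http
!
fallback profile fallback
 ip access-group policy1 in
 ip admission rule1
!
dot1x system-auth-control
!
interface FastEthernet1/0/47
 switchport access vlan 142
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 ! 802.1X gives up after tx-period x (max-reauth-req + 1) seconds;
 ! 30 x (2 + 1) = 90 s with these defaults, written out here for clarity.
 dot1x timeout tx-period 30
 dot1x max-reauth-req 2
 dot1x fallback fallback
```

Lowering tx-period or max-reauth-req shortens the wait before web-auth starts, at the cost of less patience with slow supplicants.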
09-10-2007 12:59 AM
Many thanks for your help Shelly!
Do you know how to personalize the authentication proxy login page?
Regards,
Andrea.
09-10-2007 05:43 AM
Shelly,
If you want, you can use the "ip admission auth-proxy-banner" command to add a banner.
Bye.
Andrea.
09-10-2007 09:11 AM
Sounds good to me!
Shelly
09-10-2007 07:03 AM
Hi, Andrea.
Unfortunately, personalization is not currently supported. But tell your Cisco account team you want it! They should advocate for you.
Shelly