Web auth (on 3560) issue with DHCP snooping

usamapervaiz
Level 1

Hello all,

First a little background. I am trying to configure web auth as the primary means of authentication and not as a fallback to dot1x. I am using ver 12.2(50)SE4. My backend is an ACS server that ties into AD (I am, however, using TACACS rather than RADIUS). Everything works fine, but when I switch on DHCP snooping my auth session expires and I have to re-auth. This happens halfway through the lease time. My config for web auth and DHCP snooping is as follows:

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

!
!

ip dhcp snooping vlan xxx
no ip dhcp snooping information option
ip dhcp snooping
ip device tracking

ip auth-proxy watch-list enable
ip auth-proxy watch-list expiry-time 1
ip auth-proxy proxy http login expired page file flash:expired.html
ip auth-proxy proxy http login page file flash:webAuthTest1.html
ip auth-proxy proxy http success page file flash:success.html
ip auth-proxy proxy http failure page file flash:failed.html
ip auth-proxy auth-proxy-audit
ip admission source-interface Vlanyyy
ip admission watch-list enable
ip admission watch-list expiry-time 1
ip admission proxy http login expired page file flash:expired.html
ip admission proxy http login page file flash:webAuthTest1.html
ip admission proxy http success page file flash:success.html
ip admission proxy http failure page file flash:failed.html
ip admission auth-proxy-audit
ip admission name WEBAUTH proxy http inactivity-time 60 list 101

!
!

interface GigabitEthernet0/1
switchport access vlan XXX
switchport mode access
ip access-group 102 in
authentication order webauth
authentication priority webauth
no mdix auto
storm-control unicast level pps 10k 9.5k
storm-control action trap
spanning-tree portfast
ip admission WEBAUTH

!

interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
auto qos voip trust
ip dhcp snooping trust

!

ip http server

!

access-list 101 deny   ip any host Z.Z.Z.Z log           <----another http server with all images
access-list 101 deny   tcp any host Z.Z.Z.Z log
access-list 101 deny   udp any host Z.Z.Z.Z log
access-list 101 permit ip any any

access-list 102 permit udp any any eq bootps
access-list 102 permit udp any any eq domain

Following are the debugs from dhcp snooping and ip admission:

May 21 11:06:05.050: DHCP_SNOOPING: checking expired snoop binding entries
May 21 11:07:40.052: DHCP_SNOOPING: add binding on port GigabitEthernet0/1.
May 21 11:07:40.052: DHCP_SNOOPING: dhcp binding entry already exists, update binding lease time to (900) seconds

May 21 11:07:40.052: DHCP_SNOOPING_SW no entry found for my.machine.mac 0.0.0.xxx GigabitEthernet0/1
May 21 11:07:40.052: DHCP_SNOOPING_SW host tracking not found for update add dynamic (my.machine.ip, 0.0.0.0, my.machine.mac) vlan xxx
May 21 11:07:40.052: AUTH_PROXY: Acct Stop event:unique-id=615
1w3d: %AP-6-AUTH_PROXY_AUDIT_STOP: initiator (my.machine.ip) send 4 packets 840 bytes; duration time 1w3d|
        AUDITSESSID=0A00002400000228376E77FF
May 21 11:07:40.052: ip_admission_det:my.machine.mac(my.machine.ip): Activate session creation
May 21 11:07:40.052: AUTH-PROXY:NAS-Port details sent to AAA slot/adapter/port_ext = 0/0/0

Any and all help will be appreciated!

Thanks.


usamapervaiz
Level 1

Still having the issue and I am all outta ideas.

Does anyone have any suggestions?

Thanks!
