09-16-2010 07:52 AM - edited 03-10-2019 05:24 PM
Hi,
I am trying to get wired WebAuth working with NAC Guest Server. In the switch_login.html file example, what should be changed for this line:
ngsOptions.actionUrl = "https://1.1.1.1/";
Should this be an IP address on the switch? Should I have this pointing to the success.html page like this:
ngsOptions.actionUrl = "https://1.1.1.1/success.html";
When I log on, and accept the AUP, my browser just sits there trying to access Https://1.1.1.1/?redirect-url=blah blah blah
Thanks,
Peter
09-16-2010 09:29 AM
Yes, it should be an address on one of the interfaces on the switch.
10-03-2010 05:23 AM
Hi,
Thanks very much for taking the time to respond. In the interests of anyone else searching the forum with the same issue as me I'll just clarify my findings.
The 1.1.1.1 address does not have to be an address on the switch. It appears that the switch intercepts all HTTP traffic, in fact creating a loopback with 1.1.1.1 seems to break the functionality.
The problem I was encountering turned out to be a bug in NGS that meant that the portal was submitting the password to the switch using a variable name that was not expected by IOS (CSCtj23275).
Cheers,
Peter
02-03-2012 09:02 AM
FYI,
In my case I WAS getting the switch_login.html web page displayed, but after entering credentials and submitting the Acceptable Use Policy page, I did NOT 'see' any radius traffic between the switch (C2960S 12.2(55)SE3) and the ACS 5.3 radius server?!
I used the sample .html docs that you can find on the NAC Guest Server in the 'samples' folder on that server. I used WCP app to copy them to my PC/laptop before modifying where relevant and copying to flash on switch and to the wireless 'hotspot' folders on the NGS.
I went through the document at the URL below line by line, paragraph by paragraph, and found that I had left out the following command in the configuration:
aaa authentication login default group radius
see doc at:
So I added it in and I am now seeing the radius debug traffic being redirected to the ACS by the switch when a user submits the credentials.
!
aaa new-model
!
!
aaa authentication login default group radius
aaa authentication login VTY-USER-LOGIN local
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec EXEC-LOCAL local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
!
with debug radius enabled:
Feb 1 13:36:09 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to down
TEST-802.1X#
Feb 1 13:36:10 PST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to down
TEST-802.1X#
Feb 1 13:36:18 PST: %AUTHMGR-5-START: Starting 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
TEST-802.1X#
Feb 1 13:36:20 PST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to up
Feb 1 13:36:21 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to up
TEST-802.1X#
Feb 1 13:36:27 PST: %DOT1X-5-FAIL: Authentication failed for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID
Feb 1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-5-START: Starting 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27.367 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
Feb 1 13:36:27.367 PST: RADIUS(0000058E): Config NAS IP: 10.167.64.74
Feb 1 13:36:27.367 PST: RADIUS/ENCODE(0000058E): acct_session_id: 1421
Feb 1 13:36:27.367 PST: RADIUS(0000058E): sending
Feb 1 13:36:27.367 PST: RADIUS(0000058E): Send Access-Request to 10.167.77.70:1645 id 1645/14, len 211
Feb 1 13:36:27.372 PST: RADIUS: authenticator 2E F0 62 2D 43 D9 7D 2A - 7C 88 0A 52 B9 6E 78 A8
Feb 1 13:36:27.372 PST: RADIUS: User-Name [1] 14 "848f69f0fcc7"
Feb 1 13:36:27.372 PST: RADIUS: User-Password [2] 18 *
Feb 1 13:36:27.372 PST: RADIUS: Service-Type [6] 6 Call Check [10]
Feb 1 13:36:27.372 PST: RADIUS: Framed-MTU [12] 6 1500
Feb 1 13:36:27.372 PST: RADIUS: Called-Station-Id [30] 19 "20-37-06-C8-68-84"
Feb 1 13:36:27.372 PST: RADIUS: Calling-Station-Id [31] 19 "84-8F-69-F0-FC-C7"
Feb 1 13:36:27.372 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:27.372 PST: RADIUS: 11 20 B4 9A B6 E2 56 30 AC EC 43 CD 17 13 3E 14 [ V0C>]
Feb 1 13:36:27.372 PST: RADIUS: EAP-Key-Name [102] 2 *
Feb 1 13:36:27.372 PST: RADIUS: Vendor, Cisco [26] 49
Feb 1 13:36:27.372 PST: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0AA7404A0000054E16335518"
Feb 1 13:36:27.372 PST: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Feb 1 13:36:27.372 PST: RADIUS: NAS-Port [5] 6 50104
Feb 1 13:36:27.372 PST: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:27.372 PST: RADIUS: NAS-IP-Address [4] 6 10.167.64.74
Feb 1 13:36:27.372 PST: RADIUS(0000058E): Started 5 sec timeout
Feb 1 13:36:27.377 PST: RADIUS: Received from id 1645/14 10.167.77.70:1645, Access-Reject, len 38
Feb 1 13:36:27.377 PST: RADIUS: authenticator 68 CE 3D C8 C3 BC B2 69 - DB 33 F5 C0 FF 30 D6 33
Feb 1 13:36:27.377 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:27.377 PST: RADIUS: 82 3D 31 0A C7 A2 E0 62 D5 B7 6B 26 B8 A0 0B 46 [ =1bk&F]
Feb 1 13:36:27.377 PST: RADIUS(0000058E): Received from id 1645/14
Feb 1 13:36:27 PST: %MAB-5-FAIL: Authentication failed for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-5-START: Starting 'webauth' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27.933 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
Feb 1 13:36:27.933 PST: RADIUS(0000058E): Config NAS IP: 10.167.64.74
Feb 1 13:36:27.933 PST: RADIUS(0000058E): sending
Feb 1 13:36:27.933 PST: RADIUS(0000058E): Send Accounting-Request to 10.167.77.70:1646 id 1646/151, len 100
Feb 1 13:36:27.933 PST: RADIUS: authenticator D0 F0 04 F3 A5 08 90 BE - A9 07 8D 32 1B 0E 93 AC
Feb 1 13:36:27.933 PST: RADIUS: Acct-Session-Id [44] 10 "0000058D"
Feb 1 13:36:27.933 PST: RADIUS: Framed-IP-Address [8] 6 10.167.72.52
Feb 1 13:36:27.933 PST: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Feb 1 13:36:27.933 PST: RADIUS: Acct-Status-Type [40] 6 Start [1]
Feb 1 13:36:27.933 PST: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Feb 1 13:36:27.933 PST: RADIUS: NAS-Port [5] 6 50104
Feb 1 13:36:27.933 PST: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:27.933 PST: RADIUS: Service-Type [6] 6 Framed [2]
Feb 1 13:36:27.933 PST: RADIUS: NAS-IP-Address [4] 6 10.167.64.74
Feb 1 13:36:27.933 PST: RADIUS: Acct-Delay-Time [41] 6 0
TEST-802.1X#
Feb 1 13:36:27.938 PST: RADIUS(0000058E): Started 5 sec timeout
Feb 1 13:36:27.938 PST: RADIUS: Received from id 1646/151 10.167.77.70:1646, Accounting-response, len 20
Feb 1 13:36:27.938 PST: RADIUS: authenticator C2 DC 8D C7 B1 35 67 D9 - 28 2B 56 E4 4A 1E AD 65
At this point the user enters the credentials on the switch_login.html page and then clicks Submit on the Acceptable Use Policy splash page.
TEST-802.1X#
Feb 1 13:36:41.413 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
Feb 1 13:36:41.413 PST: RADIUS(0000058F): Config NAS IP: 10.167.64.74
Feb 1 13:36:41.413 PST: RADIUS/ENCODE(0000058F): acct_session_id: 1422
Feb 1 13:36:41.413 PST: RADIUS(0000058F): sending
Feb 1 13:36:41.413 PST: RADIUS(0000058F): Send Access-Request to 10.167.77.70:1645 id 1645/15, len 176
Feb 1 13:36:41.413 PST: RADIUS: authenticator 6D 34 7E D6 34 B5 CB AC - 09 1F AC 5A 34 97 7D 6B
Feb 1 13:36:41.413 PST: RADIUS: User-Name [1] 11 "testuser1"
Feb 1 13:36:41.413 PST: RADIUS: User-Password [2] 18 *
Feb 1 13:36:41.413 PST: RADIUS: Calling-Station-Id [31] 14 "ip|G
Feb 1 13:36:41.413 PST: RADIUS: Service-Type [6] 6 Outbound [5]
Feb 1 13:36:41.413 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.413 PST: RADIUS: F8 4D 85 64 05 5E C9 1D D8 11 B2 A3 1A 3A 76 E0 [ Md^:v]
Feb 1 13:36:41.413 PST: RADIUS: Vendor, Cisco [26] 49
Feb 1 13:36:41.418 PST: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0AA7404A0000054E16335518"
Feb 1 13:36:41.418 PST: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Feb 1 13:36:41.418 PST: RADIUS: NAS-Port [5] 6 50104
Feb 1 13:36:41.418 PST: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:41.418 PST: RADIUS: NAS-IP-Address [4] 6 10.167.64.74
Feb 1 13:36:41.418 PST: RADIUS(0000058F): Started 5 sec timeout
Feb 1 13:36:41.424 PST: RADIUS: Received from id 1645/15 10.167.77.70:1645, Access-Accept, len 173
Feb 1 13:36:41.424 PST: RADIUS: authenticator 28 48 DE B5 1A 0A 71 5A - 3B 8B 7A 12 FB EA 01 58
Feb 1 13:36:41.424 PST: RADIUS: User-Name [1] 11 "testuser1"
Feb 1 13:36:41.424 PST: RADIUS: Class [25] 28
Feb 1 13:36:41.424 PST: RADIUS: 43 41 43 53 3A 78 62 63 2D 61 63 73 2F 31 31 36 [CACS:xbc-acs/116]
Feb 1 13:36:41.424 PST: RADIUS: 34 37 33 32 33 39 2F 31 36 36 [ 473239/166]
Feb 1 13:36:41.424 PST: RADIUS: Session-Timeout [27] 6 3600
Feb 1 13:36:41.424 PST: RADIUS: Termination-Action [29] 6 1
Feb 1 13:36:41.424 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.424 PST: RADIUS: 10 80 26 5D 02 C5 15 0C A8 16 AA 35 14 C9 4F 14 [ &]5O]
Feb 1 13:36:41.424 PST: RADIUS: Vendor, Cisco [26] 19
Feb 1 13:36:41.429 PST: RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
Feb 1 13:36:41.429 PST: RADIUS: Vendor, Cisco [26] 65
Feb 1 13:36:41.429 PST: RADIUS: Cisco AVpair [1] 59 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-GuestACL-4eefc9a0"
Feb 1 13:36:41.429 PST: RADIUS(0000058F): Received from id 1645/15
Feb 1 13:36:41.439 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
Feb 1 13:36:41.439 PST: RADIUS(0000058F): Config NAS IP: 10.167.64.74
Feb 1 13:36:41.439 PST: RADIUS(0000058F): sending
Feb 1 13:36:41.439 PST: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Feb 1 13:36:41.444 PST: RADIUS(00000000): Config NAS IP: 10.167.64.74
Feb 1 13:36:41.444 PST: RADIUS(00000000): sending
Feb 1 13:36:41.450 PST: RADIUS(0000058F): Send Accounting-Request to 10.167.77.70:1646 id 1646/152, len 119
Feb 1 13:36:41.450 PST: RADIUS: authenticator 23 E3 DA C3 06 5B 37 20 - 67 E2 96 C5 90 1C 71 33
Feb 1 13:36:41.450 PST: RADIUS: Acct-Session-Id [44] 10 "0000058E"
Feb 1 13:36:41.450 PST: RADIUS: Calling-Station-Id [31] 14 "10.167.72.52"
Feb 1 13:36:41.450 PST: RADIUS: User-Name [1] 11 "testuser1"
Feb 1 13:36:41.450 PST: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Feb 1 13:36:41.455 PST: RADIUS: Acct-Status-Type [40] 6 Start [1]
Feb 1 13:36:41.455 PST: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Feb 1 13:36:41.455 PST: RADIUS: NAS-Port [5] 6 50104
Feb 1 13:36:41.455 PST: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:41.455 PST: RADIUS: Service-Type [6] 6 Outbound [5]
Feb 1 13:36:41.455 PST: RADIUS: NAS-IP-Address [4] 6 10.167.64.74
Feb 1 13:36:41.455 PST: RADIUS: Acct-Delay-Time [41] 6 0
Feb 1 13:36:41.455 PST: RADIUS(0000058F): Started 5 sec timeout
Feb 1 13:36:41.455 PST: RADIUS(00000000): Send Access-Request to 10.167.77.70:1645 id 1645/16, len 137
Feb 1 13:36:41.455 PST: RADIUS: authenticator 02 B0 50 47 EE CC FB 54 - 2A B6 14 23 63 86 DE 18
Feb 1 13:36:41.455 PST: RADIUS: NAS-IP-Address [4] 6 10.167.64.74
Feb 1 13:36:41.455 PST: RADIUS: User-Name [1] 31 "#ACSACL#-IP-GuestACL-4eefc9a0"
Feb 1 13:36:41.455 PST: RADIUS: Vendor, Cisco [26] 32
Feb 1 13:36:41.455 PST: RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
Feb 1 13:36:41.455 PST: RADIUS: Vendor, Cisco [26] 30
Feb 1 13:36:41.455 PST: RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
Feb 1 13:36:41.455 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.455 PST: RADIUS: 15 EC 10 E7 2F 67 33 DD BC B5 AE 11 E3 C3 19 E1 [ /g3]
Feb 1 13:36:41.455 PST: RADIUS(00000000): Started 5 sec timeout
Feb 1 13:36:41.455 PST: RADIUS: Received from id 1646/152 10.167.77.70:1646, Accounting-response, len 20
Feb 1 13:36:41.455 PST: RADIUS: authenticator AB 0F 81 95 71 A9 61 E0 - 5B B5 D3 2E 8D A2 68 98
Feb 1 13:36:41.460 PST: RADIUS: Received from id 1645/16 10.167.77.70:1645, Access-Accept, len 560
Feb 1 13:36:41.460 PST: RADIUS: authenticator 64 53 94 79 CF CD 05 B0 - ED 12 5C 5B A0 AB 4F FA
Feb 1 13:36:41.460 PST: RADIUS: User-Name [1] 31 "#ACSACL#-IP-GuestACL-4eefc9a0"
Feb 1 13:36:41.460 PST: RADIUS: Class [25] 28
Feb 1 13:36:41.460 PST: RADIUS: 43 41 43 53 3A 78 62 63 2D 61 63 73 2F 31 31 36 [CACS:xbc-acs/116]
Feb 1 13:36:41.460 PST: RADIUS: 34 37 33 32 33 39 2F 31 36 38 [ 473239/168]
Feb 1 13:36:41.460 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.460 PST: RADIUS: A1 E6 37 EB 60 3A 28 35 92 56 C5 A9 27 7D 2C E9 [ 7`:(5V'},]
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 38
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 32 "ip:inacl#1=remark **Allow DHCP"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 57
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 51 "ip:inacl#2=permit udp any eq bootpc any eq bootps"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 37
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 31 "ip:inacl#3=remark **Allow DNS"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 47
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 41 "ip:inacl#4=permit udp any any eq domain"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 61
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 55 "ip:inacl#5=remark **Deny access to Corporate Networks"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 53
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 47 "ip:inacl#6=deny ip any 10.0.0.0 0.255.255.255"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 45
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 39 "ip:inacl#7=remark **Permit icmp pings"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 38
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 32 "ip:inacl#8=permit icmp any any"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 50
TEST-802.1X#
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 44 "ip:inacl#9=remark **Permit everything else"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco [26] 37
Feb 1 13:36:41.460 PST: RADIUS: Cisco AVpair [1] 31 "ip:inacl#10=permit ip any any"
Feb 1 13:36:41.465 PST: RADIUS(00000000): Received from id 1645/16
TEST-802.1X#
TEST-802.1X#
TEST-802.1X#
interface config looks like:
!
interface GigabitEthernet1/0/4
description **User/IPphone/Guest
switchport access vlan 702
switchport mode access
switchport voice vlan 704
ip access-group PRE-AUTH in
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication fallback WEB_AUTH_PROFILE
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 3
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
!
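An added example (not code from this thread, from Cisco or from NGS): a Python parser for the switch's debug radius output shown above. It pairs each Send with its reply by RADIUS packet id, tags each request with the subsystem that built it (DOT1X, AUTH_PROXY), and reports whether the credential submission actually produced an AUTH_PROXY Access-Request, which is exactly what was missing while aaa authentication login default group radius was absent from the config. The sample lines are constructed in the thread's log format with values taken from it, and the verdict strings are my own.

```python
import re

# Constructed sample in the format of the "debug radius" output posted in this thread (values from the thread).
SAMPLE_DEBUG = """\
Feb 1 13:36:27.367 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
Feb 1 13:36:27.367 PST: RADIUS(0000058E): Send Access-Request to 10.167.77.70:1645 id 1645/14, len 211
Feb 1 13:36:27.372 PST: RADIUS: User-Name [1] 14 "848f69f0fcc7"
Feb 1 13:36:27.377 PST: RADIUS: Received from id 1645/14 10.167.77.70:1645, Access-Reject, len 38
Feb 1 13:36:41.413 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
Feb 1 13:36:41.413 PST: RADIUS(0000058F): Send Access-Request to 10.167.77.70:1645 id 1645/15, len 176
Feb 1 13:36:41.413 PST: RADIUS: User-Name [1] 11 "testuser1"
Feb 1 13:36:41.424 PST: RADIUS: Received from id 1645/15 10.167.77.70:1645, Access-Accept, len 173
Feb 1 13:36:41.429 PST: RADIUS: Cisco AVpair [1] 59 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-GuestACL-4eefc9a0"
"""

RE_COMP = re.compile(r"RADIUS/ENCODE\((\w+)\):Orig\. component type = (\w+)")
RE_SEND = re.compile(r"RADIUS\((\w+)\): Send (\S+) to \S+ id ([\w/]+)")
RE_RECV = re.compile(r"RADIUS: Received from id ([\w/]+) \S+, ([\w-]+),")
RE_ATTR = re.compile(r"RADIUS: (.+?) \[\d+\] \d+ (.*)$")  # authenticator/hex-dump lines do not match

def parse_exchanges(text):
    """Pair each Send with its reply by packet id; attributes seen after a reply belong to the reply."""
    component, exchanges, by_id, cur = {}, [], {}, None
    for line in text.splitlines():
        if m := RE_COMP.search(line):
            component[m.group(1)] = m.group(2)  # subsystem (DOT1X, AUTH_PROXY, ...) that built the request
        elif m := RE_SEND.search(line):
            cur = {"component": component.get(m.group(1), "?"), "request": m.group(2),
                   "attrs": {}, "reply": None, "reply_attrs": {}}
            exchanges.append(cur)
            by_id[m.group(3)] = cur
        elif (m := RE_RECV.search(line)) and (cur := by_id.get(m.group(1))):
            cur["reply"] = m.group(2)
        elif cur and (m := RE_ATTR.search(line)):
            bucket = "reply_attrs" if cur["reply"] else "attrs"
            cur[bucket].setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return exchanges

def diagnose_webauth(exchanges):
    """Verdict for the web-auth step: did the submitted credentials reach RADIUS, and what came back?"""
    web = [e for e in exchanges if e["component"] == "AUTH_PROXY" and e["request"] == "Access-Request"]
    if not web:  # the symptom in the post above: no AUTH_PROXY Access-Request at all
        return "NO_WEBAUTH_RADIUS", "check 'aaa authentication login default group radius'"
    e = web[-1]
    user = e["attrs"].get("User-Name", ["?"])[0]
    if e["reply"] != "Access-Accept":
        return "WEBAUTH_FAILED", f"{user}: {e['reply'] or 'no reply'}"
    dacl = [v.split("=", 1)[1] for v in e["reply_attrs"].get("Cisco AVpair", [])
            if v.startswith("ACS:CiscoSecure-Defined-ACL=")]
    return "WEBAUTH_OK", f"{user}: accepted, dACL {dacl[0] if dacl else 'none'}"
```

Feed it a terminal capture of debug radius taken while a user submits the portal form; a NO_WEBAUTH_RADIUS verdict means the switch never built the auth-proxy request, so the fault is in the switch AAA config rather than on the ACS side.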