Thanks.

I wish we could have a consensus on what protocols to use for 802.1x as it will really help implementing this very much needed security solution.

I would be interested to know how you are doing with firewall/Router authentication proxy for wireless access.

What we are trying to do now is that the AP authentication is open, no WEP/WPA key. User must authenticate first with a SecurID token on the router's web page, access is restricted using access lists.

A router is set up as authentication proxy / firewall which sends the request to the RSA + RSA RADIUS server (or the ACS as RADIUS if you wish so), see for a config:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00800942fd.shtml

(don't forget to add the router as an agent host on the RSA server)

But for the moment this is also failing. We get an "Authentication Failed !" on the client's popup window.

The RSA log monitor shows a successful login, and the cisco router/FW debugging doesn't show error messages and all seems to be ok, the last line we get is "Post authorization status = PASS_ADD" and that's about it, not a single error message, but still authentication fails.

Hi,

We have managed to get the setup working as mentioned with the authentication proxy (see link in previous message).

As the access is controlled with ACL's, you we were also required to config the ACS to push an updated ACL to the router/FW once the user is authenticated, so you can indicate which traffic is allowed and which isn't.

Hopefully this setup can also be used in your scenario so you have at least a way to authenticate guest users without the need to install anything on client side.

I have Cisco 3550 Layer 3 switches and I was wondering if this switch can work as an authentication proxy like the router in your case. It seems to support the auth-proxy commands like in the document you referenced but despite trying several configurations the switch does not intercept any traffic or prompt for user name and password.

There is little in the switch configuration guide for my IOS 12.2.(25)SEE regarding this feature so I have to rely on the referenced document as well as other docs but they all reference this configuration either on a router or Firewall. I wonder if Firewall IOS is required to enable this feature?

In a LAN environment if I need to enable this for a certain VLAN (guest vlan) I will have to do it on the Cisco 6509 core switch?

Afaik Firewall IOS is not needed.

We also tried it with a L3 switch and we didn't succeed.

The L3 switch was installed as DHCP server, we applied the access-list and auth proxy on the guest VLAN interface but it didn't work out: clients could not get an IP via DHCP, and we neither saw the loginscreen.

The router/firewall is now connected to the L3 switch on two ports, with different subnets. So now we route all guest VLAN traffic from the L3 switch to the router, then route back the "access-list processed" traffic to the L3-switch (in an other subnet), then traffic is sent where it needs to be.

So to make things easier you can maybe try first with a separate router (fw) and apply the access-list on the physical incoming interface and see if all goes ok.

(doublepost to be deleted)