Cisco Support Community
Community Member

RADIUS: Authenticate LAN Users via Cisco 2911

Hello,

I'm pretty sure it won't be possible to do what I want to do, but I thought I'd ask the experts anyway...

We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. This all works great.

However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test user PCs over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find any way to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.

In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this?

Is the answer to configure port-based authentication (802.1X) on the switch?

Thanks,

James.

3 REPLIES
Silver

Re: RADIUS: Authenticate LAN Users via Cisco 2911

Hello,

You might want to check the IOS feature called "Web-based Authentication". I am attaching the .pdf configuration guide.

If this was helpful please rate.

Regards.

Community Member

RADIUS: Authenticate LAN Users via Cisco 2911

Hi,

Thanks for the response. This looks to be only configurable on a Cisco switch - is there any way to configure Web Based Authentication on a Cisco 2911 router?

NB. We have non-Cisco switches in our LAB, but I may be able to get hold of some if needed.....

Thanks,

James.

Silver

RADIUS: Authenticate LAN Users via Cisco 2911

Hello James,

I have not had a chance to look for the Router configuration document, however, for one of my certificate exams I did configure Authentication Proxy on an IOS router. The config for that lab was:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+ local
!
!
aaa session-id common
ip auth-proxy name AUTHPROXY http inactivity-time 60
!
interface FastEthernet0/0
 ip address 192.168.250.19 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.200.120 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip virtual-reassembly
 ip auth-proxy AUTHPROXY
 duplex auto
 speed auto
ip route 0.0.0.0 0.0.0.0 192.168.250.1
ip http server
ip http authentication aaa
no ip http secure-server
!
!
ip nat inside source list nat interface FastEthernet0/0 overload
!
ip access-list extended nat
 permit ip 192.168.200.0 0.0.0.255 any
access-list 110 permit ip any any
!
tacacs-server host 192.168.250.20
tacacs-server key cisco123
end

Please check if the commands are supported on your router as well.

If this was helpful please rate.

Regards.
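Added example, not part of the original thread and not Cisco's own configuration: the reply's authentication proxy lab config with RADIUS in place of TACACS+ (which is what the question asks for) and ACL 110 tightened so the web server is unreachable until the user has authenticated. The web server address 192.168.250.30, the reuse of 192.168.250.20 as the RADIUS server, the shared-secret placeholder and the RADIUS profile attributes in the comments are assumptions; as the reply says, check that your IOS image supports these commands.

```cisco
! Added example: auth-proxy backed by RADIUS (addresses partly assumed).
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
aaa session-id common
!
! Intercept HTTP from the user side; idle sessions expire after 60 minutes.
ip auth-proxy name AUTHPROXY http inactivity-time 60
!
interface FastEthernet0/0
 description Server side (RADIUS and web server)
 ip address 192.168.250.19 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description Test user LAN standing in for the dial-in users
 ip address 192.168.200.120 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip auth-proxy AUTHPROXY
!
ip http server
ip http authentication aaa
!
ip nat inside source list nat interface FastEthernet0/0 overload
ip access-list extended nat
 permit ip 192.168.200.0 0.0.0.255 any
!
! Block the protected web server (assumed 192.168.250.30) by default.
! After a successful login, auth-proxy adds the per-user permit entries
! returned by the RADIUS server ahead of this deny.
access-list 110 deny   tcp any host 192.168.250.30 eq www
access-list 110 permit ip any any
!
! The RADIUS user profile must return Cisco AV-pairs such as:
!   cisco-avpair = "auth-proxy:priv-lvl=15"
!   cisco-avpair = "auth-proxy:proxyacl#1=permit tcp any host 192.168.250.30 eq www"
! The source in each proxyacl entry is "any"; the router substitutes the
! authenticated client's address when it installs the entry.
!
! Placeholder secret: use a long random value, not a lab default.
radius-server host 192.168.250.20 auth-port 1812 acct-port 1813 key REPLACE_WITH_SHARED_SECRET
end
```

After a test login from a PC on the user LAN, `show ip auth-proxy cache` lists the authenticated client, and `show access-lists 110` shows the dynamic per-user entries above the deny line.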
