Cisco Support Community

New Member

Web Auth on catalyst 3750

Hi, I'm using Catalyst 3750s and Cisco ACS 4.1 to authenticate clients but I need help. The docs tell how to configure basic web auth on ports but I need more details as I'm very new to this. For example, do I need an external webserver to serve the login page? Does anyone have an example of a login page code/script to share? How do I configure the web redirection?

I'll appreciate any help. Thanks

4 REPLIES
Cisco Employee

Re: Web Auth on catalyst 3750

You don't need an external webserver and you don't need to configure redirection. When you configure web auth, the 3750 itself acts as a webserver and presents a default login page to the end user to enter his/her credentials.

Hope that helps.

Shelly

New Member

Re: Web Auth on catalyst 3750

Thanks. I'll try it and see. Wish me luck.

New Member

Re: Web Auth on catalyst 3750

Ok, I may not have explained myself properly. This is required to give clients Internet access, but only if they authenticate first against a RADIUS server (the ACS). Not all clients will have 802.1x clients, so I am considering the web authentication method. So when a client connects his laptop to the switch via Ethernet he gets an IP address via DHCP but then needs to authenticate against a RADIUS server before he can get access to the Internet.

I have configured it according to the directions in the documentation. I am getting the IP address via DHCP, but when I launch a browser nothing happens (I am of the opinion that I should get some default login page). The only login page I get is if I point my browser to the switch IP address, but this only grants me access to the switch itself. This is my config:

aaa new-model
aaa authentication login default local group radius
aaa authorization network default local group radius
aaa authorization auth-proxy default group radius
!
aaa session-id common
switch 1 provision ws-c3750-24ts
system mtu routing 1500
ip subnet-zero
ip routing
ip admission name cwc2007 proxy http
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool cwc2007
 network 192.168.10.0 255.255.255.0
 dns-server 196.3.132.1 196.3.132.4
 default-router 192.168.10.1
 domain-name tstt.net.tt
!
ip device tracking
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/3
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/4
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/5
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/6
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/7
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/8
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/9
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/10
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/11
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/12
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
!
interface FastEthernet1/0/13
!
interface FastEthernet1/0/14
!
interface FastEthernet1/0/15
!
interface FastEthernet1/0/16
!
interface FastEthernet1/0/17
!
interface FastEthernet1/0/18
!
interface FastEthernet1/0/19
!
interface FastEthernet1/0/20
!
interface FastEthernet1/0/21
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
 switchport access vlan 101
 switchport mode access
!
interface FastEthernet1/0/24
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan100
 ip address 10.1.1.3 255.255.255.0
!
interface Vlan101
 ip address 201.238.75.157 255.255.255.252
!
!
ip classless
ip http server
ip http secure-server
!
!
!
radius-server attribute 8 include-in-access-req
radius-server host 192.168.1.60 auth-port 1645 acct-port 1646 key ****
radius-server source-ports 1645-1646
radius-server vsa send authentication
!
control-plane
!

Maybe I am missing an ACL or something?

Cisco Employee

Re: Web Auth on catalyst 3750

Right, you need an ACL. Otherwise all traffic is allowed through the port and not intercepted for web auth. Try adding something like this:

ip access-list extended POLICY1
 permit udp any any eq bootps
 deny ip any any log
interface FastEthernet1/0/1
 ip access-group POLICY1 in
 switchport access vlan 10
 switchport mode access
 ip admission cwc2007
...etc

Hope that helps.

Shelly
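
Added example (not part of the original thread and not Cisco code): a small Python audit for the gap identified above, ports that have `ip admission` applied but no inbound `ip access-group`, or that reference an admission rule or ACL that is never defined. The sample config is constructed from the snippets in this thread; the function name and finding strings are assumptions of this example.

```python
import re

# Constructed sample, abbreviated from the configuration posted in this thread.
SAMPLE_CONFIG = """\
ip admission name cwc2007 proxy http
ip access-list extended POLICY1
 permit udp any any eq bootps
 deny ip any any log
interface FastEthernet1/0/1
 ip admission cwc2007
!
interface FastEthernet1/0/2
 ip access-group POLICY1 in
 ip admission cwc2007
!
interface FastEthernet1/0/3
 ip access-group POLICY2 in
 ip admission guest
"""

def audit_web_auth(config):
    """Map each port that has an admission rule to its list of findings."""
    rules, acls, ports, current = set(), set(), {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"ip admission name (\S+) .*", line):
            rules.add(m.group(1))  # global rule definition
        elif m := re.fullmatch(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))  # named ACL definition
        elif m := re.fullmatch(r"interface (\S+)", line):
            current = ports.setdefault(m.group(1), {"rule": None, "acl": None})
        elif line == "!":
            current = None  # end of the interface block
        elif current is not None:
            if m := re.fullmatch(r"ip admission (\S+)", line):
                current["rule"] = m.group(1)
            elif m := re.fullmatch(r"ip access-group (\S+) in", line):
                current["acl"] = m.group(1)
    findings = {}
    for name, port in ports.items():
        if port["rule"] is None:
            continue  # web auth is not applied to this port
        issues = findings.setdefault(name, [])
        if port["rule"] not in rules:
            issues.append(f"admission rule {port['rule']} is not defined")
        if port["acl"] is None:
            issues.append("no inbound ACL applied")
        elif port["acl"] not in acls:
            issues.append(f"inbound ACL {port['acl']} is not defined")
    return findings
```

Blank lines between commands are ignored, so the function also accepts a config pasted with the double spacing that forum pages often introduce.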
