Web authentication and ACL on a Cisco switch

aron.bernasconi
Level 1

Hi,

I configured web authentication on a 2960S-24TS-L switch in a network where the RADIUS server is an MS Network Policy Server.

My configuration works fine if the switch runs IOS 12.2(55)SE2, but as soon as I upgrade it to version 15.0(2)SE4 I have the following problem:

When I connect a device to the "service port" (in my config gi 1/0/24), I get the web authentication page and after filling in the right credentials, the ACL applied to the port is removed. But if I disconnect the device, the ACL is no longer applied to the port. When I re-connect the device I can reach all the network even if the HTTP traffic is redirected to the auth-proxy of the switch.

The following is part of my configuration:

ip admission name webauth1 proxy http
ip device tracking
!
ip access-list extended pre-webauth1
  permit udp any any eq bootps
  permit udp any any eq domain
  deny ip any any
!
fallback profile webauth1-profile
  ip access-group pre-webauth1 in
  ip admission webauth1
!
int gi 1/0/24
  authentication port-control auto
  authentication fallback webauth1-profile

1 Reply

blenka
Level 3

Please try these commands using the ACL you made.

Enable IOS HTTP servers for web auth:

ip http server
ip http secure-server
ip access-list extended ACL-WEBAUTH-REDIRECT
  permit tcp any any eq www
  permit tcp any any eq 443
  deny ip any any
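
Added example, not part of the original thread and not Cisco's code: a static check that the web-auth pieces quoted in the question and the reply are all present in a saved configuration and reference each other correctly. The `SAMPLE` text is constructed from the thread's fragments and the function names `parse` and `audit` are hypothetical; the check does not detect the runtime behaviour described in the question (the ACL not being reapplied after a disconnect).

```python
# Constructed sample: the poster's fragment plus one HTTP server line from the reply.
SAMPLE = """\
ip admission name webauth1 proxy http
ip device tracking
ip http server
ip access-list extended pre-webauth1
  permit udp any any eq bootps
  deny ip any any
fallback profile webauth1-profile
  ip access-group pre-webauth1 in
  ip admission webauth1
int gi 1/0/24
  authentication port-control auto
  authentication fallback webauth1-profile
"""

def parse(config):
    """Group indented lines under the preceding top-level line."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit(config):
    """Return findings; an empty list means every static check passed."""
    s, out = parse(config), []
    if "ip device tracking" not in s:
        out.append("ip device tracking is not enabled")
    if not ({"ip http server", "ip http secure-server"} & s.keys()):
        out.append("no IOS HTTP server enabled for the login page")
    for head, body in s.items():
        # Only interface sections carry "authentication fallback <profile>".
        for name in [l.split()[2] for l in body if l.startswith("authentication fallback ")]:
            prof = s.get(f"fallback profile {name}")
            if prof is None:
                out.append(f"{head}: fallback profile {name} is not defined")
                continue
            acl = [x.split()[2] for x in prof if x.startswith("ip access-group ")]
            rule = [x.split()[2] for x in prof if x.startswith("ip admission ")]
            if not acl or f"ip access-list extended {acl[0]}" not in s:
                out.append(f"{head}: profile {name} has no defined pre-auth ACL")
            if not rule or f"ip admission name {rule[0]} proxy http" not in s:
                out.append(f"{head}: profile {name} has no defined admission rule")
    return out
```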
