web authentication as a fallback method for Cisco ISE

 

Hi,

Please help to share how to configure wired dot1x fallback to web authentication. I could not find any documentation on how to configure the ISE to do the web authentication. For my switchport I configured this:

 

switchport mode access
switchport access vlan 135
ip access-group PREAUTH in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x web
authentication priority dot1x web
authentication port-control auto
authentication violation restrict
dot1x fallback WEB_FALLBACK
dot1x max-reauth-req 1
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
!
ip access-list extended PREAUTH
permit udp any eq bootpc any eq bootps
permit icmp any any
permit tcp any host 172.21.2.82 eq www
!
ip admission name WEB_ADMISSION proxy http
fallback profile WEB_FALLBACK
ip admission WEB_ADMISSION
!

Please advise how to configure the ISE to make the fallback successful.

Thanks

 

regards,

Mike

1 REPLY

Try this Configuration Process

The following example shows a WebAuth fallback profile:
ip admission name IP_ADMIN_RULE proxy http
ip access-list extended PRE_WEBAUTH_POLICY
permit udp any any eq bootps
permit udp any any eq domain
fallback profile WEB_AUTH_PROFILE
ip access-group PRE_WEBAUTH_POLICY in
ip admission IP_ADMIN_RULE
 
The following example shows all the required elements of a configuration for IEEE 802.1X with WebAuth fallback in the order they would appear in the command-line interface (CLI):
aaa new-model
!
aaa authentication dot1x default group radius
aaa authentication login default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting auth-proxy default start-stop group radius
!
ip device tracking
ip admission name IP_ADMIN_RULE proxy http
!
fallback profile WEB_AUTH_PROFILE
ip access-group PRE_WEBAUTH_POLICY in
ip admission IP_ADMIN_RULE
!
dot1x system-auth-control
!
interface Gigabit 1/0/5
switchport mode access
switchport access vlan 30
authentication port-control auto
authentication fallback WEB_AUTH_PROFILE
dot1x pae authenticator
dot1x tx-period 5
!
ip http server
ip http secure-server
!
ip access-list extended PRE_WEBAUTH_POLICY
permit udp any any eq bootps
permit udp any any eq domain
!
radius-server host 10.100.10.117 key cisco123
radius-server vsa send authentication

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/app_note_c27-577494.html
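
An added example, not part of the thread or of Cisco's documentation: a Python check that a switch configuration carries the global commands from the reply's listing and that the interface, fallback profile, admission rule and ACL names reference each other consistently. The function name, the sample configuration and the rule that "!" closes a block are assumptions of this example.

```python
import re

# Global commands taken from the reply's listing (treated here as required).
REQUIRED_GLOBALS = ["aaa new-model", "aaa authorization auth-proxy default group radius",
                    "ip device tracking", "dot1x system-auth-control", "ip http server"]
# Constructed sample, not from the thread: ACL name mistyped, "ip device tracking" absent.
SAMPLE = """aaa new-model
aaa authorization auth-proxy default group radius
ip admission name IP_ADMIN_RULE proxy http
fallback profile WEB_AUTH_PROFILE
 ip access-group PRE_WEBAUTH_POLICY in
 ip admission IP_ADMIN_RULE
!
dot1x system-auth-control
interface GigabitEthernet1/0/5
 authentication fallback WEB_AUTH_PROFILE
!
ip http server
ip access-list extended PRE_WEBAUTH
 permit udp any any eq bootps
"""

def lint_webauth_fallback(config):
    """Return findings for an IOS config; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = [f"missing global command: {c}" for c in REQUIRED_GLOBALS if c not in lines]
    rules, acls, profiles, iface_refs, block = set(), set(), {}, [], None
    for ln in lines:
        if ln == "!":  # assumption: "!" closes the current block
            block = None
        elif m := re.match(r"ip admission name (\S+)", ln):
            rules.add(m[1])
        elif m := re.match(r"(interface|fallback profile|ip access-list extended) (.+)", ln):
            block = (m[1], m[2])  # a new block header also ends the previous block
            if m[1] == "fallback profile":
                profiles[m[2]] = {}
            elif m[1] == "ip access-list extended":
                acls.add(m[2])
        elif block and block[0] == "fallback profile":
            if m := re.match(r"ip (admission|access-group) (\S+)", ln):
                profiles[block[1]][m[1]] = m[2]  # names the profile points at
        elif block and block[0] == "interface":
            if m := re.match(r"authentication fallback (\S+)", ln):
                iface_refs.append((block[1], m[1]))
    for name, refs in profiles.items():
        for key, defined in (("admission", rules), ("access-group", acls)):
            if refs.get(key) not in defined:
                findings.append(f"profile {name}: ip {key} {refs.get(key)} is not defined")
    return findings + [f"interface {i}: fallback profile {p} is not defined"
                       for i, p in iface_refs if p not in profiles]
```

Calling lint_webauth_fallback(SAMPLE) reports the missing "ip device tracking" and the fallback profile's reference to an ACL name that is never defined.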
