
web authentication as a fallback method for Cisco ISE

mjrmontemayor
Level 1

Hi,

Please help to share how to configure wired dot1x fallback to web authentication. I could not find any documentation on how to configure ISE to do the web authentication. For my switchport I configured this:

switchport mode access
switchport access vlan 135
ip access-group PREAUTH in
authentication event fail action next-method
authentication host-mode multi-auth
authentication open
authentication order dot1x web
authentication priority dot1x web
authentication port-control auto
authentication violation restrict
dot1x fallback WEB_FALLBACK
dot1x max-reauth-req 1
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
!
ip access-list extended PREAUTH
 permit udp any eq bootpc any eq bootps
 permit icmp any any
 permit tcp any host 172.21.2.82 eq www
!
ip admission name WEB_ADMISSION proxy http
!
fallback profile WEB_FALLBACK
 ip admission WEB_ADMISSION
!

Please advise how to configure ISE to make the fallback successful.

Thanks,

Regards,
Mike

1 Reply

mohanak
Cisco Employee
Try this configuration process.

The following example shows a WebAuth fallback profile:

ip admission name IP_ADMIN_RULE proxy http
!
ip access-list extended PRE_WEBAUTH_POLICY
 permit udp any any eq bootps
 permit udp any any eq domain
!
fallback profile WEB_AUTH_PROFILE
 ip access-group PRE_WEBAUTH_POLICY in
 ip admission IP_ADMIN_RULE

The following example shows all the required elements of a configuration for IEEE 802.1X with WebAuth fallback in the order they would appear in the command-line interface (CLI):

aaa new-model
!
aaa authentication dot1x default group radius
aaa authentication login default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting auth-proxy default start-stop group radius
!
ip device tracking
ip admission name IP_ADMIN_RULE proxy http
!
fallback profile WEB_AUTH_PROFILE
 ip access-group PRE_WEBAUTH_POLICY in
 ip admission IP_ADMIN_RULE
!
dot1x system-auth-control
!
interface Gigabit 1/0/5
 switchport mode access
 switchport access vlan 30
 authentication port-control auto
 authentication fallback WEB_AUTH_PROFILE
 dot1x pae authenticator
 dot1x tx-period 5
!
ip http server
ip http secure-server
!
ip access-list extended PRE_WEBAUTH_POLICY
 permit udp any any eq bootps
 permit udp any any eq domain
!
radius-server host 10.100.10.117 key cisco123
radius-server vsa send authentication

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/app_note_c27-577494.html
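A quick way to compare a switch's running-config against the element list in the reply above is to parse it and report what is missing. The script below is an added example written for this page, not Cisco tooling and not part of either post: the required-element list is taken from the reply, the parser's section handling is my own, and both embedded sample configs are constructed (the second is the first with the auth-proxy authorization and `ip http server` lines removed, which the configuration in the question does not show either). The function names, the interface names and the 10.100.10.117 RADIUS host are assumptions for the demo.

```python
"""Check an IOS running-config for the elements an 802.1X + WebAuth fallback port needs.
Added example, not Cisco tooling: the required elements are those listed in the reply
above, and the sample configs below are constructed for the demo."""
import re

# Global commands the reply lists as required, matched on line prefix.
REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authentication login default group radius",
    "aaa authorization network default group radius",
    "aaa authorization auth-proxy default group radius",
    "ip device tracking",
    "dot1x system-auth-control",
    "ip http server",
]

def parse_sections(config):
    """Split an IOS config into top-level lines and each line's indented sub-commands."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":  # blank line or "!" closes a block
            current = None
        elif line[0] in " \t":                        # sub-command of the open block
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks

def check_webauth_fallback(config, interface):
    """Return a list of problems; an empty list means every required element is present."""
    top, blocks = parse_sections(config)
    problems = [f"missing global command: {cmd}" for cmd in REQUIRED_GLOBAL
                if not any(t.startswith(cmd) for t in top)]
    if not any(t.startswith(("radius-server host", "radius server ")) for t in top):
        problems.append("no RADIUS server defined")

    # The fallback profile must reference a 'proxy http' admission rule and, if it
    # carries an access-group, an ACL that actually exists.
    admission = {m.group(1) for t in top
                 if (m := re.match(r"ip admission name (\S+) proxy http", t))}
    acls = {m.group(1) for t in top if (m := re.match(r"ip access-list extended (\S+)", t))}
    profiles = {t.split()[2]: blocks[t] for t in top if t.startswith("fallback profile ")}
    for name, body in profiles.items():
        adm = [b.split()[2] for b in body if b.startswith("ip admission ")]
        acl = [b.split()[2] for b in body if b.startswith("ip access-group ")]
        if not adm:
            problems.append(f"fallback profile {name}: no 'ip admission' rule")
        elif adm[0] not in admission:
            problems.append(f"fallback profile {name}: rule {adm[0]} is not 'proxy http'")
        if acl and acl[0] not in acls:
            problems.append(f"fallback profile {name}: ACL {acl[0]} is not defined")

    # Port-level checks; both 'authentication fallback' and the older 'dot1x fallback' count.
    body = blocks.get(f"interface {interface}")
    if body is None:
        return problems + [f"interface {interface} not found"]
    for needed in ("authentication port-control auto", "dot1x pae authenticator"):
        if needed not in body:
            problems.append(f"{interface}: missing '{needed}'")
    fb = [b.split()[2] for b in body
          if b.startswith(("authentication fallback ", "dot1x fallback "))]
    if not fb:
        problems.append(f"{interface}: no fallback profile applied")
    elif fb[0] not in profiles:
        problems.append(f"{interface}: fallback profile {fb[0]} is not defined")
    return problems

# Constructed sample: the reply's complete configuration, IOS-indented and trimmed.
GOOD_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authentication login default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
ip device tracking
ip admission name IP_ADMIN_RULE proxy http
fallback profile WEB_AUTH_PROFILE
 ip access-group PRE_WEBAUTH_POLICY in
 ip admission IP_ADMIN_RULE
dot1x system-auth-control
interface GigabitEthernet1/0/5
 authentication port-control auto
 authentication fallback WEB_AUTH_PROFILE
 dot1x pae authenticator
ip http server
ip access-list extended PRE_WEBAUTH_POLICY
 permit udp any any eq bootps
 permit udp any any eq domain
radius-server host 10.100.10.117 key cisco123
"""

# Constructed sample: the same config without the auth-proxy authorization and HTTP
# server lines, two elements the configuration in the question does not show either.
BROKEN_CONFIG = "\n".join(l for l in GOOD_CONFIG.splitlines()
                          if not l.startswith(("aaa authorization auth-proxy", "ip http server")))
```

Feed it `show running-config` output and the port name; anything it returns is a line from the reply's element list that the switch is not carrying. It only checks presence, not whether ISE is returning the right result for the `auth-proxy` request, so an empty list means the switch side matches the reply, nothing more.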