Cisco Support Community

Web Authentication Catalyst 2960

Hi,

I am trying to configure fallback Web Authentication on a Catalyst 2960 switch. The goal is to authenticate clients via web authentication who are not 802.1x compliant (the 802.1x part is working fine) and allow them restricted access to the network. The problem is that the web authentication seems to fail.

The equipment regarding my question: Catalyst 2960 switch (version: 122-37.SE) and a FreeRadius.

Here's what happens:

The authentication window pops up in my browser and the Access-Request is sent to the RADIUS.

The RADIUS in turn responds with an Access-Accept. The debugs running on the switch show that all this information arrives correctly at the switch and the Authentication debug outputs a 'status = PASS' and the Authorization debug outputs a 'status = PASS_ADD'. In spite of this, the browser on the client outputs an 'Authentication failed' message.

I've read the manual and the Cisco attribute-value pairs were mentioned: 'priv-lvl=15' and 'proxyacl ...'. Are these mandatory for it to work? Since I'm not configuring any switch login authentication via RADIUS.

Any suggestions?

Thanks in advance

1 ACCEPTED SOLUTION

Cisco Employee

Re: Web Authentication Catalyst 2960

Yes, they are mandatory.

If priv-lvl=15 is not returned to the switch, the user will see "Authentication Failed" and the access-list will not be applied. If the source field in the proxyacl statements is not "any" or there are other syntax errors, the user will see "Authentication Successful" but the access-list will not be applied and the user will be denied access to the network.

Not sure about the specific FreeRADIUS config, but you need to set up the [026\009\001] cisco-av-pair VSA. It would look something like:

priv-lvl=15

proxyacl#10=permit ip any any

Let me know if this gets you squared away,
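
An added example, not part of the original thread and not Cisco or FreeRADIUS code: a small Python check that applies the two rules from the answer above to the cisco-av-pair values a RADIUS server is set to return, and flags entries that permit all IP traffic, since the stated goal is restricted access. The function names, outcome strings and sample replies are constructed for illustration; treating a reply with no proxyacl entries as an unusable ACL is an assumption.

```python
import re

# proxyacl#<n>=<permit|deny> <protocol> <source> <destination ...>
PROXYACL = re.compile(r"^proxyacl#(\d+)=(permit|deny)\s+(\S+)\s+(\S+)\s+(.+)$")


def check_webauth_reply(av_pairs):
    """Return (predicted outcome, problems) for a list of cisco-av-pair values."""
    pairs = [p.strip() for p in av_pairs]
    if "priv-lvl=15" not in pairs:
        # Per the answer: the user sees "Authentication Failed", no ACL applied.
        return "Authentication Failed", ["priv-lvl=15 missing"]
    problems = []
    acl = [p for p in pairs if p.startswith("proxyacl")]
    if not acl:
        # Assumption: no proxyacl at all is treated like an unusable ACL.
        problems.append("no proxyacl entries")
    for entry in acl:
        m = PROXYACL.match(entry)
        if m is None:
            problems.append("syntax error: " + entry)
        elif m.group(4) != "any":
            problems.append("source is not 'any': " + entry)
    if problems:
        # Per the answer: "Authentication Successful" but access is denied.
        return "Authentication Successful, ACL not applied", problems
    return "OK", problems


def unrestricted_entries(av_pairs):
    """List entries that permit all IP traffic, defeating restricted access."""
    return [p for p in av_pairs
            if re.fullmatch(r"proxyacl#\d+=permit\s+ip\s+any\s+any", p.strip())]


if __name__ == "__main__":
    # Constructed sample replies, not taken from the thread's RADIUS server.
    samples = {
        "from the answer": ["priv-lvl=15", "proxyacl#10=permit ip any any"],
        "no priv-lvl": ["proxyacl#10=permit ip any any"],
        "bad source": ["priv-lvl=15", "proxyacl#10=permit ip 10.0.0.0 0.0.0.255 any"],
        "restricted": ["priv-lvl=15", "proxyacl#10=permit tcp any host 192.0.2.10 eq 80"],
    }
    for name, reply in samples.items():
        print(name, check_webauth_reply(reply), unrestricted_entries(reply))
```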

2 REPLIES
Re: Web Authentication Catalyst 2960

It works! Thank you very much!

After getting the syntax right for sending multiple av-attributes with the FreeRadius it worked immediately.
