First a little background. I am trying to configure web auth as the primary means of authentication and not as a fallback to dot1x. I am using ver 12.2(50)SE4. My backend is an ACS server that ties into AD (I am, however, using TACACS rather than RADIUS). Everything works fine, but when I switch on DHCP snooping my auth sessions expire and I have to re-auth. This happens half way through the lease time. My config for web auth and DHCP snooping is as follows:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

ip dhcp snooping vlan xxx
no ip dhcp snooping information option
ip dhcp snooping
ip device tracking

ip auth-proxy watch-list enable
ip auth-proxy watch-list expiry-time 1
ip auth-proxy proxy http login expired page file flash:expired.html
ip auth-proxy proxy http login page file flash:webAuthTest1.html
ip auth-proxy proxy http success page file flash:success.html
ip auth-proxy proxy http failure page file flash:failed.html
ip auth-proxy auth-proxy-audit
ip admission source-interface Vlanyyy
ip admission watch-list enable
ip admission watch-list expiry-time 1
ip admission proxy http login expired page file flash:expired.html
ip admission proxy http login page file flash:webAuthTest1.html
ip admission proxy http success page file flash:success.html
ip admission proxy http failure page file flash:failed.html
ip admission auth-proxy-audit
ip admission name WEBAUTH proxy http inactivity-time 60 list 101

interface GigabitEthernet0/1
 switchport access vlan XXX
 switchport mode access
 ip access-group 102 in
 authentication order webauth
 authentication priority webauth
 no mdix auto
 storm-control unicast level pps 10k 9.5k
 storm-control action trap
 spanning-tree portfast
 ip admission WEBAUTH

interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust cos
 auto qos voip trust
 ip dhcp snooping trust

ip http server

access-list 101 deny ip any host Z.Z.Z.Z log    <---- another http server with all images
access-list 101 deny tcp any host Z.Z.Z.Z log
access-list 101 deny udp any host Z.Z.Z.Z log
access-list 101 permit ip any any

access-list 102 permit udp any any eq bootps
access-list 102 permit udp any any eq domain
The following are the debugs from DHCP snooping and ip admission:
May 21 11:06:05.050: DHCP_SNOOPING: checking expired snoop binding entries
May 21 11:07:40.052: DHCP_SNOOPING: add binding on port GigabitEthernet0/1.
May 21 11:07:40.052: DHCP_SNOOPING: dhcp binding entry already exists, update binding lease time to (900) seconds
May 21 11:07:40.052: DHCP_SNOOPING_SW no entry found for my.machine.mac 0.0.0.xxx GigabitEthernet0/1
May 21 11:07:40.052: DHCP_SNOOPING_SW host tracking not found for update add dynamic (my.machine.ip, 0.0.0.0, my.machine.mac) vlan xxx
May 21 11:07:40.052: AUTH_PROXY: Acct Stop event:unique-id=615
1w3d: %AP-6-AUTH_PROXY_AUDIT_STOP: initiator (my.machine.ip) send 4 packets 840 bytes; duration time 1w3d| AUDITSESSID=0A00002400000228376E77FF
May 21 11:07:40.052: ip_admission_det:my.machine.mac(my.machine.ip): Activate session creation
May 21 11:07:40.052: AUTH-PROXY:NAS-Port details sent to AAA slot/adapter/port_ext = 0/0/0
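As an added example (not part of the original post), a small Python script that correlates the two debug streams quoted above: it flags any AUTH_PROXY Acct Stop that follows a DHCP_SNOOPING_SW "host tracking not found" event within a couple of seconds, which is the pattern to look for when confirming that a lease renewal is tearing down the web-auth session. The MAC, IP, VLAN and unique-id values in the sample are constructed placeholders modelled on the post's output; the uptime-stamped `1w3d:` syslog line is deliberately skipped because it carries no wall-clock time.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the debug lines quoted in the post.
# Addresses and ids are placeholders, not a real capture.
SAMPLE_DEBUG = """\
May 21 11:06:05.050: DHCP_SNOOPING: checking expired snoop binding entries
May 21 11:07:40.052: DHCP_SNOOPING: add binding on port GigabitEthernet0/1.
May 21 11:07:40.052: DHCP_SNOOPING: dhcp binding entry already exists, update binding lease time to (900) seconds
May 21 11:07:40.052: DHCP_SNOOPING_SW no entry found for 0011.2233.4455 0.0.0.10 GigabitEthernet0/1
May 21 11:07:40.052: DHCP_SNOOPING_SW host tracking not found for update add dynamic (10.0.0.10, 0.0.0.0, 0011.2233.4455) vlan 10
May 21 11:07:40.052: AUTH_PROXY: Acct Stop event:unique-id=615
1w3d: %AP-6-AUTH_PROXY_AUDIT_STOP: initiator (10.0.0.10) send 4 packets 840 bytes; duration time 1w3d| AUDITSESSID=0A00002400000228376E77FF
May 21 11:07:40.052: ip_admission_det:0011.2233.4455(10.0.0.10): Activate session creation
May 21 11:22:40.061: DHCP_SNOOPING: checking expired snoop binding entries
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (.*)$")
TRACK_RE = re.compile(r"DHCP_SNOOPING_SW host tracking not found .*?\(([\d.]+), [\d.]+, ([0-9a-f.]+)\)")
STOP_RE = re.compile(r"AUTH_PROXY: Acct Stop event:unique-id=(\d+)")

def parse_events(text, year=2000):
    """Return (datetime, kind, detail) tuples for the timestamped debug lines of interest."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # uptime-stamped lines such as '1w3d: ...' have no wall-clock time
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        body = m.group(2)
        t = TRACK_RE.search(body)
        if t:
            events.append((ts, "track_lost", {"ip": t.group(1), "mac": t.group(2)}))
        s = STOP_RE.search(body)
        if s:
            events.append((ts, "acct_stop", {"unique_id": s.group(1)}))
    return events

def correlate(events, window_s=2.0):
    """Pair each Acct Stop with a device-tracking loss that preceded it by at most window_s seconds."""
    losses = [e for e in events if e[1] == "track_lost"]
    hits = []
    for ts, kind, detail in events:
        if kind != "acct_stop":
            continue
        for lts, _, ldetail in losses:
            if 0 <= (ts - lts).total_seconds() <= window_s:
                hits.append({"unique_id": detail["unique_id"], "ip": ldetail["ip"],
                             "mac": ldetail["mac"], "at": ts.strftime("%H:%M:%S.%f")[:-3]})
    return hits

if __name__ == "__main__":
    for hit in correlate(parse_events(SAMPLE_DEBUG)):
        print(f"{hit['at']} session {hit['unique_id']} stopped right after tracking loss for {hit['ip']} ({hit['mac']})")
```

Run it against a `debug ip dhcp snooping` plus `debug ip admission` capture instead of the sample; if every Acct Stop lands on a tracking-loss event at roughly half the lease time, the renewal is what is clearing the session.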