WebAuthentication in 12.2(35) on 3750

Hi,

I'm trying to test this feature and I'm having a hard time.

I'm getting log messages like this with result codes 1, 0 and -1. What are those result codes?

Dec 12 11:49:25: ip_admission_det:Validate IP=10.10.2.12 with static rule rule1 on FastEthernet1/0/2. Result=1

Second, I can't get the web authentication to work, and I did everything by the book. I think there's something missing in the doc.

If anyone has a working example of the switch config, that would be great!

33 REPLIES
New Member

Re: WebAuthentication in 12.2(35) on 3750

Did you ever get this to work? I'm trying to do it and getting the same problem you had.

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

This config is working for me:

aaa new-model
aaa authentication login default group radius
aaa authentication login LINE-CON none
aaa authorization auth-proxy default group radius
!
ip admission name RULE1 proxy http
ip device tracking
!
interface GigabitEthernet1/0/5
 switchport access vlan 10
 switchport mode access
 ip access-group POLICY1 in
 spanning-tree portfast
 ip admission RULE1
!
ip access-list extended POLICY1
 permit udp any any eq bootps
 deny ip any any log
!
radius-server attribute 8 include-in-access-req
radius-server host 10.100.100.110 auth-port 1645 acct-port 1646 key ***
radius-server vsa send authentication

Hope that helps.

Shelly

New Member

Re: WebAuthentication in 12.2(35) on 3750

Hey Shelly, you're a GENIUS! I got the web redirection to work and I am getting the login page when I launch the browser. I am still getting a failed authentication though, with a message about the certificate (something about the serial number of the AAA client). I just need to get past this stage and I'll be good.

Have you ever used a similar method to authenticate clients connecting to a wireless access point?

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

Cool! Glad that worked. Haven't seen any messages about certificates before...is this something you get from "debug radius authentication"?

Haven't tried this with wireless yet, sorry.

New Member

Re: WebAuthentication in 12.2(35) on 3750

Hi

I've come across this forum entry and have the problem that web authentication doesn't work in my setup. Running IOS 12.2(37)SE1 on Cat3560.

I've stuck to the config guide for enabling web authentication and applied more or less the very same commands that scadora posted here. The thing is, I don't get to the web authentication prompt when using the web browser, yet at least I get an IP address. No error message appears on the client.

It is important to note that we're using a Microsoft IAS as RADIUS server. I suspect an authentication problem at the point where the switch initially sends an authentication msg upon the plug-in of the network cable (keyword 'attribute 8 include-in-access-req', which reports the IP address of the client to the RADIUS server even before web login). The server denies this request.

The debug output of the switch can be found in the attachment 'Troubleshooting Web Authentication RADIUS Attribute 8.TXT':

The error in the IAS event log can be found in the file 'Troubleshooting Web Authentication IAS.txt'.

Note that we haven't set up any user called "IGEM\Gast" knowingly for this setup. It also doesn't appear in the initial switch RADIUS packet.

Question: Does anybody have experience with MS IAS and web authentication in combination? Any hint why this is failing?

Thanks

Toni

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

The initial switch RADIUS packet you show in the first attachment is for the automatic mac check that is performed (in case this is a printer or non-browser device). This would not have any effect on the subsequent Web Authentication. It doesn't look like Web-Auth is being triggered at all. Can you post your config? There might be something wrong with your device tracking or ip admission config. Also, what url are you typing into the browser? At least so far, I don't see any evidence that IAS is causing the problem.

Shelly

New Member

Re: WebAuthentication in 12.2(35) on 3750

Shelly

I just don't get why there is an automatic MAC check happening, we didn't configure the port to do so. Yes, we're running 802.1x port authentication next to that but that's not the case for port 20, where we're running the Web Authentication tests.

Please check the attached file for the config excerpt.

The IP tracking log output you've seen corresponds to ports that aren't enabled for Web Authentication; one additional thing I don't understand.

It doesn't matter what URL I type into the browser, it may either be a name or a random IP; I expect the Web Authentication process to intercept any kind of web traffic.

Regards

Toni

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

Hi, Toni.

The automatic MAC check happens by default if you're doing standalone web-auth (which you are on port 20). You don't configure it (alas, you can't even turn it off), it just happens.

As for your config, try enabling "ip http server".

I agree that Web-Auth should get triggered by name or ip. However, you have to configure it to do so. Before the authentication succeeds and the RADIUS server sends down the rest of the access-list, the port is completely controlled by port acl. The acl on your port as it stands will drop all dns traffic, so the browser won't be able to resolve any fqdns. Hence, I suggested adding the line for dns.

Hope that helps,

Shelly

New Member

Re: WebAuthentication in 12.2(35) on 3750

Hi Shelly

Your input helped me to get closer to the solution. Meanwhile, I solved the problem and web authentication works now.

I had to take care of three things:

1. The customer had an access-class sitting on the http server that filtered source addresses very restrictively. In order to allow every possible source address to be able to web authenticate, we had to remove the ACL.

2. The customer used 'ip http secure-server', which prevents triggering web authentication through normal port 80 traffic. We kept this feature running for security reasons but with the hint in mind to trigger web authentication only through 443.

3. We finally figured out how to pass on the AV pairs 'priv-lvl=15' and 'proxyacl#1=permit ip any any' from Microsoft IAS to the switch.

Thanks for your help once again!

Toni

Re: WebAuthentication in 12.2(35) on 3750

No, even my Cisco Sales Engineer has given up. If you manage to make this work, tell me!

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

Can you post your config and the output of debug radius authentication when you attempt web-auth?

New Member

Re: WebAuthentication in 12.2(35) on 3750

This is the config and the debug radius/aaa auth/aaa acct as I attempt logins on both Fa1/0/11 and Fa1/0/12. Port Fa1/0/12 has no ACL attached to it. My username is "vishnu"

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

Have you configured the ACS to send the AV-Pairs down with the Access-Accept? I don't see them in the RADIUS debug. You need priv-lvl=15 and a proxyacl that will open up the port (since the original access-group restricted the traffic).

You configure the AV pairs in either User Setup or Group Setup on the ACS. I've attached a screenshot.

Hope that helps,

Shelly

New Member

Re: WebAuthentication in 12.2(35) on 3750

Ok, I did that but it is still not working. Question: is the client supposed to be prompted to accept a certificate? My browser homepage is set to Google. When I'm prompted to accept the cert, a message comes up saying that the cert presented is from the 3750 switch and not the original site (Google).

Not sure if my ACS is configured correctly either.

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

Sorry -- no clue where your cert problem is coming from! I can't see how it would have anything to do with Web-Auth since it doesn't use certs. Have you tried other sites besides Google?

For the ACS config, check your radius debug again and make sure you see the priv-lvl=15 and proxyacl coming back. Something like this:

00:13:24: RADIUS: Received from id 1645/12 10.100.100.110:1645, Access-Accept, len 116
00:13:24: RADIUS: authenticator 2C 57 80 7B CB 81 20 59 - 6B 86 C2 16 F2 FA F1 BA
00:13:24: RADIUS: Vendor, Cisco [26] 19
00:13:24: RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
00:13:24: RADIUS: Vendor, Cisco [26] 37
00:13:24: RADIUS: Cisco AVpair [1] 31 "proxyacl#10=permit ip any any"

You can also do a "show access-list" to verify that your "permit ip any any" has been added to the access-list on the interface (the source any will be changed to the ip address of your end host).

After that, I'm kind of out of ideas! You might put a sniffer like Wireshark on the end host and try to look at the packets coming from the 3750 to figure out the cert thing.

Good luck!

New Member

Re: WebAuthentication in 12.2(35) on 3750

What I see happening is as soon as the client gets a DHCP address, some authentication request is sent to the radius server using the client MAC address as the username. An access reject comes back. I need to try and stop the switch from sending these authentication requests and have the requests initiate only when the client launches the browser and enters the username and password. Can you share your switch config with me to see if I'm missing anything?

008521: Feb 2 08:59:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan11, changed state to up
008522: Feb 2 08:59:46: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to up
008523: 2d06h: AAA/BIND(000000A1): Bind i/f
008524: 2d06h: AAA/ACCT/HC(000000A1): Register AUTH_PROXY/0389BE4C 0bit/s, assuming 100Mbit/s, poll every 5m 0s
008525: 2d06h: AAA/ACCT/HC(000000A1): Update AUTH_PROXY/0389BE4C
008526: 2d06h: AAA/ACCT/HC(000000A1): AUTH_PROXY/0389BE4C [init-sess] (rx/tx) base 0/0 pre 0/0 call 0/0
008527: 2d06h: AAA/ACCT/HC(000000A1): AUTH_PROXY/0389BE4C [init-sess] (rx/tx) adjusted, pre 0/0 call 0/0
008528: 2d06h: AAA/ACCT/EVENT/(000000A1): CALL START
008529: 2d06h: Getting session id for NET(000000A1) : db=39147A8
008530: 2d06h: AAA/ACCT(00000000): add node, session 160
008531: 2d06h: AAA/ACCT/NET(000000A1): add, count 1
008532: 2d06h: AAA/AUTHEN/LOGIN (000000A1): Pick method list 'default'
008533: 2d06h: RADIUS/ENCODE(000000A1): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
008534: 2d06h: RADIUS(000000A1): Config NAS IP: 192.168.1.6
008535: 2d06h: Getting session id for EXEC(000000A1) : db=39147A8
008536: 2d06h: RADIUS/ENCODE(000000A1): acct_session_id: 160
008537: 2d06h: RADIUS(000000A1): sending
008538: 2d06h: RADIUS(000000A1): Send Access-Request to 196.3.132.3:1645 id 1645/156, len 84
008539: 2d06h: RADIUS: authenticator 6E 0E 55 89 79 F9 67 24 - DD B0 60 3A 6E 46 57 DA
008540: 2d06h: RADIUS: Framed-IP-Address [8] 6 192.168.9.2
008541: 2d06h: RADIUS: Calling-Station-Id [31] 16 "0014.229b.2d1f"
008542: 2d06h: RADIUS: Service-Type [6] 6 Call Check [10]
008543: 2d06h: RADIUS: NAS-Port-Type [61] 6 Eth [15]
008544: 2d06h: RADIUS: Message-Authenticato[80] 18
008545: 2d06h: RADIUS: 62 C9 B0 22 E4 D0 72 6A 4F C9 7A FF 61 2D A9 BB [b??"??rjO?z?a-??]
008546: 2d06h: RADIUS: NAS-Port-Type [61] 6 Async [0]
008547: 2d06h: RADIUS: NAS-IP-Address [4] 6 192.168.1.6
008548: 2d06h: RADIUS: Received from id 1645/156 196.3.132.3:1645, Access-Reject, len 50
008549: 2d06h: RADIUS: authenticator CF 57 33 6B 15 F2 7B C0 - 24 E3 7B C0 E0 30 49 78
008550: 2d06h: RADIUS: Reply-Message [18] 12
008551: 2d06h: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]
008552: 2d06h: RADIUS: Message-Authenticato[80] 18
008553: 2d06h: RADIUS: 8B DA 74 EA 42 8D 7E 42 EB 43 C6 A1 BB 9D 9F 47 [??t?B?~B?C?????G]
008554: 2d06h: RADIUS(000000A1): Received from id 1645/156
008555: 2d06h: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

This is normal and should not affect web-auth. I see the same thing. The switch does a mac-check in case this is a printer or something without a browser. Web-auth will proceed normally after this.

New Member

Re: WebAuthentication in 12.2(35) on 3750

Ok, but even after this, when I do the web login, the switch is not sending any requests to the RADIUS server. I even put a sniffer on the network and didn't capture any packets.

Would you mind sharing a sample config with me?

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

That's odd, because in that debug you posted earlier, it does appear that the switch is sending a request to the radius server and getting a response. It's right here:

001153: 1d03h: RADIUS(00000000): Send Access-Request to 192.168.1.60:1645 id 1645/17, len 112
001154: 1d03h: RADIUS: authenticator 0A 6E D0 CE E4 F0 58 00 - 08 7E 4B 0B A4 FE 9B 62
001155: 1d03h: RADIUS: NAS-IP-Address [4] 6 192.168.1.6
001156: 1d03h: RADIUS: Vendor, Cisco [26] 35
001157: 1d03h: RADIUS: cisco-nas-port [2] 29 "FastEthernet1/0/192.168.9.2"
001158: 1d03h: RADIUS: NAS-Port-Type [61] 6 Async [0]
001159: 1d03h: RADIUS: User-Name [1] 8 "vishnu"
001160: 1d03h: RADIUS: Calling-Station-Id [31] 13 "192.168.9.2"
001161: 1d03h: RADIUS: User-Password [2] 18 *
001162: 1d03h: RADIUS: Service-Type [6] 6 Outbound [5]
001163: 1d03h: RADIUS: Received from id 1645/17 192.168.1.60:1645, Access-Accept, len 54
001164: 1d03h: RADIUS: authenticator 6C 05 BD 01 59 73 DA 9A - 36 F2 5C 8D 54 77 B1 93
001165: 1d03h: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
001166: 1d03h: RADIUS: Class [25] 28
001167: 1d03h: RADIUS: 43 41 43 53 3A 30 2F 32 36 31 2F 63 30 61 38 30 [CACS:0/261/c0a80]
001168: 1d03h: RADIUS: 31 30 36 2F 76 69 73 68 6E 75 [106/vishnu]
001169: 1d03h: RADIUS: saved authorization data for user 3D6BC28 at 3A2DB08

The only problem with this was that the ACS did not send back the right attributes in the Accept. But the switch was sending exactly what it needed to. Perhaps something changed in your config to make it stop doing this? I posted a sample config in an earlier post. That's all I did for web-auth.

New Member

Re: WebAuthentication in 12.2(35) on 3750

Hi all:

Several months ago, I tried a web authentication lab with a Cisco 3560, and it worked!

But now I am doing the same lab with a Cisco 3750 and a freshly reinstalled Cisco ACS server. The problem I encountered is that my IE prompts a username/password authentication window, I key in the right username/password, and my IE tries to access the web server I am aiming for, but the result is disappointing. I checked the ACS log and the ACS actually authenticates my username/password, but somehow I don't see any new access-group configured from proxyacl# assigned to my Cisco 3750.

I do almost the same config as "scadora " did.

I wonder if it is the ACS that has something wrong!

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

Double check the attributes that the ACS is configured to send back to the switch. You must send back at least 2 Cisco av-pairs:

1) priv-lvl=15 (syntax must be exact!)

2) one or more proxyacl entries with the exact format "proxyacl#N=[permit|deny] ip any X" where N is any number and X is any host address or subnet. Double check the syntax here, too. If the source address is not "any" it will not work!

Hope that helps. If you can get a sniffer trace of the Access-Accept returned from the ACS, that's the best way to confirm which attributes are actually being sent to the switch.

Shelly
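The two replies above (the "debug radius" excerpt showing the expected Access-Accept, and the list of required AV pairs) both come down to the same check: does the Access-Accept carry priv-lvl=15 and at least one well-formed proxyacl#N entry whose source is "any"? The following script is an added example, not code from the thread or from Cisco. It parses the text that "debug radius" prints on the switch and reports what is missing or malformed. The line format of the AVpair and "Received from id" lines is taken from the excerpts in this thread; the proxyacl syntax it enforces is the one stated above (protocol ip, source literally "any", destination "any", "host A.B.C.D" or "A.B.C.D mask"), which is an assumption if your IOS release accepts more.

```python
"""Check a 'debug radius' capture for the AV pairs Web-Auth needs.

Added example, not from the thread or from Cisco. It looks for the first
Access-Accept in 'debug radius' output and verifies the two Cisco AV pairs
the replies above call mandatory: priv-lvl=15 and a proxyacl#N entry
with source 'any'.
"""
import re

# AVpair line as 'debug radius' prints it, e.g.
#   00:13:24: RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
AVPAIR_RE = re.compile(r'RADIUS:\s+Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')
ACCEPT_RE = re.compile(r'RADIUS:\s+Received from id \S+ \S+, Access-Accept')
REJECT_RE = re.compile(r'RADIUS:\s+Received from id \S+ \S+, Access-Reject')

# proxyacl#N=<permit|deny> ip any <dest>. The thread stresses that the
# source must literally be 'any'. Only protocol 'ip' is accepted here, as
# described above; widen this if your platform documents other protocols.
_IP = r'\d{1,3}(?:\.\d{1,3}){3}'
PROXYACL_RE = re.compile(
    r'^proxyacl#(\d+)=(permit|deny) ip any '
    r'(any|host ' + _IP + r'|' + _IP + r' ' + _IP + r')$'
)


def extract_accept_avpairs(debug_text):
    """Return the Cisco AVpair strings that follow the first Access-Accept.

    Stops at the next Accept/Reject so pairs from a different exchange
    (for example the automatic MAC check) are not mixed in.
    """
    pairs = []
    in_accept = False
    for line in debug_text.splitlines():
        if ACCEPT_RE.search(line):
            if in_accept:
                break
            in_accept = True
            continue
        if in_accept and REJECT_RE.search(line):
            break
        if in_accept:
            m = AVPAIR_RE.search(line)
            if m:
                pairs.append(m.group(1))
    return pairs


def check_webauth_avpairs(avpairs):
    """Return (ok, problems) for the AV pair strings of one Access-Accept."""
    problems = []
    if 'priv-lvl=15' not in avpairs:
        problems.append("missing priv-lvl=15 (syntax must be exact)")
    proxyacls = [p for p in avpairs if p.startswith('proxyacl')]
    if not proxyacls:
        problems.append("no proxyacl#N entry; the port ACL stays restrictive")
    for p in proxyacls:
        if not PROXYACL_RE.match(p):
            problems.append(f"malformed proxyacl (source must be 'any'): {p!r}")
    return (not problems, problems)


# Sample 1: the good Access-Accept quoted earlier in this thread.
GOOD_DEBUG = """\
00:13:24: RADIUS: Received from id 1645/12 10.100.100.110:1645, Access-Accept, len 116
00:13:24: RADIUS: authenticator 2C 57 80 7B CB 81 20 59 - 6B 86 C2 16 F2 FA F1 BA
00:13:24: RADIUS: Vendor, Cisco [26] 19
00:13:24: RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
00:13:24: RADIUS: Vendor, Cisco [26] 37
00:13:24: RADIUS: Cisco AVpair [1] 31 "proxyacl#10=permit ip any any"
"""

# Sample 2: constructed for this example. A MAC-check reject comes first,
# then an Accept that lacks priv-lvl and has a non-'any' source.
BAD_DEBUG = """\
2d06h: RADIUS: Received from id 1645/156 196.3.132.3:1645, Access-Reject, len 50
2d06h: RADIUS: Reply-Message [18] 12
1d03h: RADIUS: Received from id 1645/17 192.168.1.60:1645, Access-Accept, len 90
1d03h: RADIUS: Vendor, Cisco [26] 52
1d03h: RADIUS: Cisco AVpair [1] 46 "proxyacl#10=permit ip host 192.168.9.2 any"
1d03h: RADIUS: Class [25] 28
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_DEBUG), ("bad", BAD_DEBUG)):
        ok, problems = check_webauth_avpairs(extract_accept_avpairs(text))
        print(name, "OK" if ok else "FAIL", problems)
```

Paste the console output of "debug radius" captured during a browser login into a file and feed it to extract_accept_avpairs(); if the function returns an empty list, no Access-Accept was seen at all, which matches the "switch is not sending a Web-Auth request" situation discussed later in this thread rather than a server-side attribute problem.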

New Member

Re: WebAuthentication in 12.2(35) on 3750

Please refer to my configuration and debug.

Besides I already added the two essential parameters in my ACS.

What else do I need to care?

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

The RADIUS debug here only shows an Access-Reject for an automatic MAC check, not a Web Auth attempt. Were you able to enter a username and password on this attempt? It would be good to see the RADIUS debug for that.

I'm a little confused here because you have multiple "show run" outputs in this file, some of which have "ip admission name Rule1 proxy http" and some of which don't. Assuming that it is in there, then your config looks okay. At this point, I would do a "show ip admission cache" -- if you don't see the host's IP address there, then the switch has not seen an ARP or DHCP packet from the host and it can't do Web-Auth.

Shelly

New Member

Re: WebAuthentication in 12.2(35) on 3750

1. Yes, I could enter the username and password whenever my IE shows the username and password fields. If it didn't provide web-auth, how could it show the username and password fields?

2. Yes, I only enable web authentication on interface Gi 1/0/5.

3. All configurations that I provided are the same.

4. When I do "show ip admission cache", I can see the host's IP address.

New Member

Re: WebAuthentication in 12.2(35) on 3750

Now I have cleared all config and redone it again! Please check it!

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

I do not see anything obviously wrong with your config. I also don't see any RADIUS messages for the actual Web Authentication attempt (after entering username and password). The only RADIUS debug in this file is for the automatic MAC check. If you can capture the RADIUS debug for the Web-Auth attempt, it will help debug the problem further.

Shelly

New Member

Re: WebAuthentication in 12.2(35) on 3750

How do I disable the automatic MAC check, and how do I enable the RADIUS debug?

What I provided is what the console shows after I do a "debug radius" command and try to open my IE and enter the username and password.

Do I need to provide you my ACS config?

Maybe I will do it with live window capturing.

Cisco Employee

Re: WebAuthentication in 12.2(35) on 3750

You can't disable the automatic MAC check, but it shouldn't hurt anything.

I'm sorry, but I'm starting to run out of ideas here! The switch apparently is not sending RADIUS messages to the server for the Web Auth (it would show up in the RADIUS debug you have enabled, similar to the MAC check RADIUS message that is shown).

The last thing I can suggest is to remove these two lines from your WEBAuth ACL and try it again:

permit tcp any host 172.16.7.181 eq www
permit tcp any host 172.16.7.181 eq 443

Shelly
