I'm trying to test this feature and I'm having a hard time.
I'm getting logs like this with result codes 1, 0 and -1. What are those result codes?
Dec 12 11:49:25: ip_admission_det:Validate IP=10.10.2.12 with static rule rule1 on FastEthernet1/0/2. Result
Second, I can't get the web authentication to work and I did everything by the book. I think there's something missing in the DOC.
If anyone has a working example for the switch config, that would be great!
This config is working for me:
aaa authentication login default group radius
aaa authentication login LINE-CON none
aaa authorization auth-proxy default group radius
ip admission name RULE1 proxy http
ip device tracking
switchport access vlan 10
switchport mode access
ip access-group POLICY1 in
ip admission RULE1
ip access-list extended POLICY1
permit udp any any eq bootps
deny ip any any log
radius-server attribute 8 include-in-access-req
radius-server host 10.100.100.110 auth-port 1645 acct-port 1646 key ***
radius-server vsa send authentication
Hope that helps.
Hey Shelly, you're a GENIUS! I got the web redirection to work and I am getting the login page when I launch the browser. I am still getting a failed authentication though with a message about the certificate (something about the serial number of the AAA client) I just need to get past this stage and I'll be good.
Have you ever used a similar method to authenticate clients connecting to a wireless access point?
Cool! Glad that worked. Haven't seen any messages about certificates before...is this something you get from "debug radius authentication"?
Haven't tried this with wireless yet, sorry.
I've come across this forum entry and have the problem that web authentication doesn't work in my setup. Running IOS 12.2(37)SE1 on Cat3560.
I've stuck to the config guide for enabling web authentication and applied more or less the very same commands that scadora posted here. The thing is I don't get to the web authentication prompt when using the web browser, yet at least I get an IP address. No error msg appears on the client.
It is important to note that we're using a Microsoft IAS as RADIUS server. I suspect an authentication problem at the point where the switch initially sends an authentication msg upon the plug-in of the network cable (keyword 'attribute 8 include-in-access-req', which reports the IP address of the client to the RADIUS server even before web login). The server denies this request.
The debug output of the switch can be found in the attachment 'Troubleshooting Web Authentication RADIUS Attribute 8.TXT':
The error in the IAS event log can be found in the file 'Troubleshooting Web Authentication IAS.txt'.
Note that we haven't set up any user called "IGEM\Gast" knowingly for this setup. It also doesn't appear in the initial switch RADIUS packet.
Question: Does anybody have experience with MS IAS and web authentication in combination? Any hint why this is failing?
The initial switch RADIUS packet you show in the first attachment is for the automatic mac check that is performed (in case this is a printer or non-browser device). This would not have any effect on the subsequent Web Authentication. It doesn't look like Web-Auth is being triggered at all. Can you post your config? There might be something wrong with your device tracking or ip admission config. Also, what url are you typing into the browser? At least so far, I don't see any evidence that IAS is causing the problem.
I just don't get why there is an automatic MAC check happening, we didn't configure the port to do so. Yes, we're running 802.1x port authentication next to that but that's not the case for port 20, where we're running the Web Authentication tests.
Please check the attached file for the config excerpt.
The IP tracking log output you've seen corresponds to ports that aren't enabled for Web Authentication; one additional thing I don't understand.
It doesn't matter what URL I type into the browser, it may either be a name or a random IP; I expect the Web Authentication process to intercept any kind of web traffic.
The automatic MAC check happens by default if you're doing standalone web-auth (which you are on port 20). You don't configure it (alas, you can't even turn it off), it just happens.
As for your config, try enabling "ip http server".
I agree that Web-Auth should get triggered by name or ip. However, you have to configure it to do so. Before the authentication succeeds and the RADIUS server sends down the rest of the access-list, the port is completely controlled by port acl. The acl on your port as it stands will drop all dns traffic, so the browser won't be able to resolve any fqdns. Hence, I suggested adding the line for dns.
Hope that helps,
Your input helped me to get closer to the solution. Meanwhile, I solved the problem and web authentication works now.
I had to take care of three things:
1. The customer had an access-class sitting on the http server that filtered source addresses very restrictively. In order to allow every possible source address to be able to web authenticate, we had to remove the ACL.
2. The customer used 'ip http secure-server', which prevents triggering web authentication through normal port 80 traffic. We kept this feature running for security reasons but with the hint in mind to trigger web authentication only through 443.
3. We finally figured out how to pass on the AV pairs 'priv-lvl=15' and 'proxyacl#1=permit ip any any' from Microsoft IAS to the switch.
Thanks for your help once again!
Have you configured the ACS to send the AV-Pairs down with the Access-Accept? I don't see them in the Radius debug. You need priv-lvl=15 and a proxyacl that will open up the port (since the original access-group restricted the traffic).
You configure the AV pairs in either User Setup or Group Setup on the ACS. I've attached a screenshot.
Hope that helps,
Ok, I did that but it's still not working. Question: is the client supposed to be prompted to accept a certificate? My browser homepage is set to google. When I'm prompted to accept the cert, a message comes up saying that the cert presented is from the 3750 switch and not the original site (google).
Not sure if my ACS is configured correctly either.
Sorry -- no clue where your cert problem is coming from! I can't see how it would have anything to do with Web-Auth since it doesn't use certs. Have you tried other sites besides Google?
For the ACS config, check your radius debug again and make sure you see the priv-lvl=15 and proxyacl coming back. Something like this:
00:13:24: RADIUS: Received from id 1645/12 10.100.100.110:1645, Access-Accept, len 116
00:13:24: RADIUS: authenticator 2C 57 80 7B CB 81 20 59 - 6B 86 C2 16 F2 FA F1 BA
00:13:24: RADIUS: Vendor, Cisco  19
00:13:24: RADIUS: Cisco AVpair  13 "priv-lvl=15"
00:13:24: RADIUS: Vendor, Cisco  37
00:13:24: RADIUS: Cisco AVpair  31 "proxyacl#10=permit ip any any"
You can also do a "show access-list" to verify that your "permit ip any any" has been added to the access-list on the interface (the source any will be changed to the ip address of your end host).
After that, I'm kind of out of ideas! You might put a sniffer like wireshark on the end host and try to look at the packets coming from the 3750 to figure out the cert thing.
What I see happening is as soon as the client gets a DHCP address, some authentication request is sent to the radius server using the client MAC address as the username. An access reject comes back. I need to try and stop the switch from sending these authentication requests and have the requests initiate only when the client launches the browser and enters the username and password. Can you share your switch config with me to see if I'm missing anything?
008521: Feb 2 08:59:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan11, changed state to up
008522: Feb 2 08:59:46: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to up
008523: 2d06h: AAA/BIND(000000A1): Bind i/f
008524: 2d06h: AAA/ACCT/HC(000000A1): Register AUTH_PROXY/0389BE4C 0bit/s, assuming 100Mbit/s, poll every 5m 0s
008525: 2d06h: AAA/ACCT/HC(000000A1): Update AUTH_PROXY/0389BE4C
008526: 2d06h: AAA/ACCT/HC(000000A1): AUTH_PROXY/0389BE4C [init-sess] (rx/tx) base 0/0 pre 0/0 call 0/0
008527: 2d06h: AAA/ACCT/HC(000000A1): AUTH_PROXY/0389BE4C [init-sess] (rx/tx) adjusted, pre 0/0 call 0/0
008528: 2d06h: AAA/ACCT/EVENT/(000000A1): CALL START
008529: 2d06h: Getting session id for NET(000000A1) : db=39147A8
008530: 2d06h: AAA/ACCT(00000000): add node, session 160
008531: 2d06h: AAA/ACCT/NET(000000A1): add, count 1
008532: 2d06h: AAA/AUTHEN/LOGIN (000000A1): Pick method list 'default'
008533: 2d06h: RADIUS/ENCODE(000000A1): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
008534: 2d06h: RADIUS(000000A1): Config NAS IP: 192.168.1.6
008535: 2d06h: Getting session id for EXEC(000000A1) : db=39147A8
008536: 2d06h: RADIUS/ENCODE(000000A1): acct_session_id: 160
008537: 2d06h: RADIUS(000000A1): sending
008538: 2d06h: RADIUS(000000A1): Send Access-Request to 220.127.116.11:1645 id 1645/156, len 84
008539: 2d06h: RADIUS: authenticator 6E 0E 55 89 79 F9 67 24 - DD B0 60 3A 6E 46 57 DA
008540: 2d06h: RADIUS: Framed-IP-Address  6 192.168.9.2
008541: 2d06h: RADIUS: Calling-Station-Id  16 "0014.229b.2d1f"
008542: 2d06h: RADIUS: Service-Type  6 Call Check 
008543: 2d06h: RADIUS: NAS-Port-Type  6 Eth 
008544: 2d06h: RADIUS: Message-Authenticato 18
008545: 2d06h: RADIUS: 62 C9 B0 22 E4 D0 72 6A 4F C9 7A FF 61 2D A9 BB [b??"??rjO?z?a-??]
008546: 2d06h: RADIUS: NAS-Port-Type  6 Async 
008547: 2d06h: RADIUS: NAS-IP-Address  6 192.168.1.6
008548: 2d06h: RADIUS: Received from id 1645/156 18.104.22.168:1645, Access-Reject, len 50
008549: 2d06h: RADIUS: authenticator CF 57 33 6B 15 F2 7B C0 - 24 E3 7B C0 E0 30 49 78
008550: 2d06h: RADIUS: Reply-Message  12
008551: 2d06h: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]
008552: 2d06h: RADIUS: Message-Authenticato 18
008553: 2d06h: RADIUS: 8B DA 74 EA 42 8D 7E 42 EB 43 C6 A1 BB 9D 9F 47 [??t?B?~B?C?????G]
008554: 2d06h: RADIUS(000000A1): Received from id 1645/156
008555: 2d06h: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
This is normal and should not affect web-auth. I see the same thing. The switch does a mac-check in case this is a printer or something without a browser. Web-auth will proceed normally after this.
Ok, but even after this, when I do the web login, the switch is not sending any requests to the radius server. I even put a sniffer on the network and didn't capture any packets.
Would you mind sharing a sample config with me?
That's odd, because in that debug you posted earlier, it does appear that the switch is sending a request to the radius server and getting a response. It's right here:
001153: 1d03h: RADIUS(00000000): Send Access-Request to 192.168.1.60:1645 id 1645/17, len 112
001154: 1d03h: RADIUS: authenticator 0A 6E D0 CE E4 F0 58 00 - 08 7E 4B 0B A4 FE 9B 62
001155: 1d03h: RADIUS: NAS-IP-Address  6 192.168.1.6
001156: 1d03h: RADIUS: Vendor, Cisco  35
001157: 1d03h: RADIUS: cisco-nas-port  29 "FastEthernet1/0/192.168.9.2"
001158: 1d03h: RADIUS: NAS-Port-Type  6 Async 
001159: 1d03h: RADIUS: User-Name  8 "vishnu"
001160: 1d03h: RADIUS: Calling-Station-Id  13 "192.168.9.2"
001161: 1d03h: RADIUS: User-Password  18 *
001162: 1d03h: RADIUS: Service-Type  6 Outbound 
001163: 1d03h: RADIUS: Received from id 1645/17 192.168.1.60:1645, Access-Accept, len 54
001164: 1d03h: RADIUS: authenticator 6C 05 BD 01 59 73 DA 9A - 36 F2 5C 8D 54 77 B1 93
001165: 1d03h: RADIUS: Framed-IP-Address  6 255.255.255.255
001166: 1d03h: RADIUS: Class  28
001167: 1d03h: RADIUS: 43 41 43 53 3A 30 2F 32 36 31 2F 63 30 61 38 30 [CACS:0/261/c0a80]
001168: 1d03h: RADIUS: 31 30 36 2F 76 69 73 68 6E 75 [106/vishnu]
001169: 1d03h: RADIUS: saved authorization data for user 3D6BC28 at 3A2DB08
The only problem with this was that the ACS did not send back the right attributes in the Accept. But the switch was sending exactly what it needed to. Perhaps something changed in your config to make it stop doing this? I posted a sample config in an earlier post. That's all I did for web-auth.
Several months ago, I tried a web authentication lab with a Cisco 3560, and it worked!
But now I do the same lab with a Cisco 3750 and a freshly reinstalled Cisco ACS server, and the problem I encountered is that my IE prompts a username/password authentication window, I key in the right username/password, and my IE tries to access the Web server that I am trying to reach, but the result is disappointing. I checked the ACS log and the ACS actually authenticates my username/password, but somehow I don't see any new access-group configured in proxyacl# assigned to my Cisco 3750.
I do almost the same config as "scadora" did.
I wonder if it is the ACS that has something wrong!
Double check the attributes that the ACS is configured to send back to the switch. You must send back at least 2 Cisco av-pairs:
1) priv-lvl=15 (syntax must be exact!)
2) one or more proxyacl entries with the exact format "proxyacl#N=[permit|deny] ip any X" where N is any number and X is any host address or subnet. Double check the syntax here, too. If the source address is not "any" it will not work!
Hope that helps. If you can get a sniffer trace of the Access-Accept returned from the ACS, that's the best way to confirm which attributes are actually being sent to the switch.
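As an added example (not code from the thread or from Cisco), here is a small checker for the point made in this post and in the earlier "debug radius" post: it pulls the Cisco AVpairs out of an Access-Accept debug, verifies that priv-lvl=15 and correctly formed proxyacl#N entries (source must be "any") are present, and shows the ACE the switch would install once the "any" source is replaced by the host address. The debug samples are constructed, and the exact display form of the installed ACE is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample "debug radius" output shaped like an Access-Accept that
# carries both attributes the switch needs (not a capture from the thread).
GOOD_ACCEPT = """\
00:13:24: RADIUS: Received from id 1645/12 10.100.100.110:1645, Access-Accept, len 116
00:13:24: RADIUS: Vendor, Cisco  19
00:13:24: RADIUS: Cisco AVpair  13 "priv-lvl=15"
00:13:24: RADIUS: Vendor, Cisco  37
00:13:24: RADIUS: Cisco AVpair  31 "proxyacl#10=permit ip any any"
"""

# Constructed sample of a broken Accept: no priv-lvl, and the proxyacl
# uses a host source instead of the mandatory "any".
BAD_ACCEPT = """\
00:13:30: RADIUS: Received from id 1645/13 10.100.100.110:1645, Access-Accept, len 70
00:13:30: RADIUS: Vendor, Cisco  49
00:13:30: RADIUS: Cisco AVpair  43 "proxyacl#1=permit ip host 192.168.9.2 any"
"""

AVPAIR_RE = re.compile(r'RADIUS: Cisco AVpair\s+\d+\s+"([^"]*)"')
IP = r'\d{1,3}(?:\.\d{1,3}){3}'
# proxyacl#N=<permit|deny> ip any X, where X is any, host A.B.C.D or net+wildcard.
PROXYACL_RE = re.compile(
    rf'^proxyacl#(\d+)=(permit|deny) ip any (any|host {IP}|{IP} {IP})$')


def extract_avpairs(debug_text: str) -> List[str]:
    """Return every quoted Cisco AVpair value in the debug text, in order."""
    return AVPAIR_RE.findall(debug_text)


def check_webauth_accept(debug_text: str) -> Dict[str, list]:
    """Report what is missing or malformed for web-auth to open the port."""
    pairs = extract_avpairs(debug_text)
    proxyacls = [p for p in pairs if p.startswith("proxyacl")]
    problems = []
    if "priv-lvl=15" not in pairs:
        problems.append("missing priv-lvl=15 (syntax must be exact)")
    if not proxyacls:
        problems.append("no proxyacl#N entries returned")
    for p in proxyacls:
        if not PROXYACL_RE.match(p):
            problems.append(f"malformed proxyacl (source must be 'any'): {p!r}")
    return {"avpairs": pairs, "proxyacls": proxyacls, "problems": problems}


def installed_ace(proxyacl: str, host_ip: str) -> str:
    """ACE as it should appear in 'show access-list' once applied: the 'any'
    source is replaced by the authenticated host (display form is assumed)."""
    m = PROXYACL_RE.match(proxyacl)
    if not m:
        raise ValueError(f"malformed proxyacl: {proxyacl!r}")
    return f"{m.group(2)} ip host {host_ip} {m.group(3)}"
```

Paste the Access-Accept portion of your own "debug radius" output into check_webauth_accept() to see which of the two requirements is not being met.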
The RADIUS debug here only shows an Access-Reject for an automatic MAC check, not a Web Auth attempt. Were you able to enter a username and password on this attempt? It would be good to see the RADIUS debug for that.
I'm a little confused here because you have multiple "show run" outputs in this file, some of which have "ip admission name Rule1 proxy http" and some of which don't. Assuming that it is in there, then your config looks okay. At this point, I would do a "show ip admission cache" -- if you don't see the host's ip address there, then the switch has not seen an ARP or DHCP packet from the host and it can't do Web-Auth.
1. Yes, I could enter username and password whenever my IE shows username and password columns. Now that it didn't provide web-auth, how could it show username and password columns?
2. Yes, I only enable web authentication on interface Gi 1/0/5.
3. All configurations that I provided are the same.
4. As I do "show ip admission cache", I can see the host's IP address.
I do not see anything obviously wrong with your config. I also don't see any RADIUS messages for the actual Web Authentication attempt (after entering username and password). The only RADIUS debug in this file is for the automatic MAC check. If you can capture the RADIUS debug for the Web-Auth attempt, it will help debug the problem further.
How do I disable the automatic MAC check and how do I enable the debug of RADIUS?
What I provided is what the console shows after I do a "debug radius" command and try to open my IE and enter username and password.
Do I need to provide you my ACS config?
Maybe I will do it with live window capturing.
You can't disable the automatic MAC check, but it shouldn't hurt anything.
I'm sorry but I'm starting to run out of ideas here! The switch apparently is not sending RADIUS messages to the server for the Web Auth (it would show up in the RADIUS debug you have enabled, similar to the MAC check RADIUS message that is shown).
The last thing I can suggest is to remove these two lines from your WEBAuth ACL and try it again:
permit tcp any host 172.16.7.181 eq www
permit tcp any host 172.16.7.181 eq 443