WebAuthentication in 12.2(35) on 3750

dominic.caron
Level 5

Hi,

I'm trying to test this feature and I'm having a hard time.

I'm getting logs like this with result codes 1, 0 and -1. What are those result codes?

Dec 12 11:49:25: ip_admission_det:Validate IP=10.10.2.12 with static rule rule1 on FastEthernet1/0/2. Result =1

Second, I can't get the web authentication to work and I did everything by the book. I think there's something missing in the DOC.

If anyone has a working example for the switch config, that would be great!

33 Replies

Ok, I did that but it still is not working. Question, is the client supposed to be prompted to accept a certificate? My browser homepage is set to google. When I'm prompted to accept the cert a message comes up saying that the cert presented is from the 3750 switch and not the original site (google).

Not sure if my ACS is configured correctly either.

Sorry -- no clue where your cert problem is coming from! I can't see how it would have anything to do with Web-Auth since it doesn't use certs. Have you tried other sites besides Google?

For the ACS config, check your radius debug again and make sure you see the priv-lvl=15 and proxyacl coming back. Something like this:

00:13:24: RADIUS: Received from id 1645/12 10.100.100.110:1645, Access-Accept, len 116
00:13:24: RADIUS: authenticator 2C 57 80 7B CB 81 20 59 - 6B 86 C2 16 F2 FA F1 BA
00:13:24: RADIUS: Vendor, Cisco [26] 19
00:13:24: RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
00:13:24: RADIUS: Vendor, Cisco [26] 37
00:13:24: RADIUS: Cisco AVpair [1] 31 "proxyacl#10=permit ip any any"

You can also do a "show access-list" to verify that your "permit ip any any" has been added to the access-list on the interface (the source any will be changed to the ip address of your end host).

After that, I'm kind of out of ideas! You might put a sniffer like wireshark on the end host and try to look at the packets coming from the 3750 to figure out the cert thing.

Good luck!

What I see happening is as soon as the client gets a DHCP address, some authentication request is sent to the radius server using the client MAC address as the username. An access reject comes back. I need to try and stop the switch from sending these authentication requests and have the requests initiate only when the client launches the browser and enters the username and password. Can you share your switch config with me to see if I'm missing anything?

008521: Feb 2 08:59:45: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan11, changed state to up
008522: Feb 2 08:59:46: %LINK-3-UPDOWN: Interface FastEthernet1/0/11, changed state to up
008523: 2d06h: AAA/BIND(000000A1): Bind i/f
008524: 2d06h: AAA/ACCT/HC(000000A1): Register AUTH_PROXY/0389BE4C 0bit/s, assuming 100Mbit/s, poll every 5m 0s
008525: 2d06h: AAA/ACCT/HC(000000A1): Update AUTH_PROXY/0389BE4C
008526: 2d06h: AAA/ACCT/HC(000000A1): AUTH_PROXY/0389BE4C [init-sess] (rx/tx) base 0/0 pre 0/0 call 0/0
008527: 2d06h: AAA/ACCT/HC(000000A1): AUTH_PROXY/0389BE4C [init-sess] (rx/tx) adjusted, pre 0/0 call 0/0
008528: 2d06h: AAA/ACCT/EVENT/(000000A1): CALL START
008529: 2d06h: Getting session id for NET(000000A1) : db=39147A8
008530: 2d06h: AAA/ACCT(00000000): add node, session 160
008531: 2d06h: AAA/ACCT/NET(000000A1): add, count 1
008532: 2d06h: AAA/AUTHEN/LOGIN (000000A1): Pick method list 'default'
008533: 2d06h: RADIUS/ENCODE(000000A1): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
008534: 2d06h: RADIUS(000000A1): Config NAS IP: 192.168.1.6
008535: 2d06h: Getting session id for EXEC(000000A1) : db=39147A8
008536: 2d06h: RADIUS/ENCODE(000000A1): acct_session_id: 160
008537: 2d06h: RADIUS(000000A1): sending
008538: 2d06h: RADIUS(000000A1): Send Access-Request to 196.3.132.3:1645 id 1645/156, len 84
008539: 2d06h: RADIUS: authenticator 6E 0E 55 89 79 F9 67 24 - DD B0 60 3A 6E 46 57 DA
008540: 2d06h: RADIUS: Framed-IP-Address [8] 6 192.168.9.2
008541: 2d06h: RADIUS: Calling-Station-Id [31] 16 "0014.229b.2d1f"
008542: 2d06h: RADIUS: Service-Type [6] 6 Call Check [10]
008543: 2d06h: RADIUS: NAS-Port-Type [61] 6 Eth [15]
008544: 2d06h: RADIUS: Message-Authenticato[80] 18
008545: 2d06h: RADIUS: 62 C9 B0 22 E4 D0 72 6A 4F C9 7A FF 61 2D A9 BB [b??"??rjO?z?a-??]
008546: 2d06h: RADIUS: NAS-Port-Type [61] 6 Async [0]
008547: 2d06h: RADIUS: NAS-IP-Address [4] 6 192.168.1.6
008548: 2d06h: RADIUS: Received from id 1645/156 196.3.132.3:1645, Access-Reject, len 50
008549: 2d06h: RADIUS: authenticator CF 57 33 6B 15 F2 7B C0 - 24 E3 7B C0 E0 30 49 78
008550: 2d06h: RADIUS: Reply-Message [18] 12
008551: 2d06h: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]
008552: 2d06h: RADIUS: Message-Authenticato[80] 18
008553: 2d06h: RADIUS: 8B DA 74 EA 42 8D 7E 42 EB 43 C6 A1 BB 9D 9F 47 [??t?B?~B?C?????G]
008554: 2d06h: RADIUS(000000A1): Received from id 1645/156
008555: 2d06h: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes

This is normal and should not affect web-auth. I see the same thing. The switch does a mac-check in case this is a printer or something without a browser. Web-auth will proceed normally after this.

Ok, but even after this when I do the web login, the switch is not sending any requests to the radius server. I even put a sniffer on the network and didn't capture any packets.

Would you mind sharing a sample config with me?

That's odd, because in that debug you posted earlier, it does appear that the switch is sending a request to the radius server and getting a response. It's right here:

001153: 1d03h: RADIUS(00000000): Send Access-Request to 192.168.1.60:1645 id 1645/17, len 112
001154: 1d03h: RADIUS: authenticator 0A 6E D0 CE E4 F0 58 00 - 08 7E 4B 0B A4 FE 9B 62
001155: 1d03h: RADIUS: NAS-IP-Address [4] 6 192.168.1.6
001156: 1d03h: RADIUS: Vendor, Cisco [26] 35
001157: 1d03h: RADIUS: cisco-nas-port [2] 29 "FastEthernet1/0/192.168.9.2"
001158: 1d03h: RADIUS: NAS-Port-Type [61] 6 Async [0]
001159: 1d03h: RADIUS: User-Name [1] 8 "vishnu"
001160: 1d03h: RADIUS: Calling-Station-Id [31] 13 "192.168.9.2"
001161: 1d03h: RADIUS: User-Password [2] 18 *
001162: 1d03h: RADIUS: Service-Type [6] 6 Outbound [5]
001163: 1d03h: RADIUS: Received from id 1645/17 192.168.1.60:1645, Access-Accept, len 54
001164: 1d03h: RADIUS: authenticator 6C 05 BD 01 59 73 DA 9A - 36 F2 5C 8D 54 77 B1 93
001165: 1d03h: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
001166: 1d03h: RADIUS: Class [25] 28
001167: 1d03h: RADIUS: 43 41 43 53 3A 30 2F 32 36 31 2F 63 30 61 38 30 [CACS:0/261/c0a80]
001168: 1d03h: RADIUS: 31 30 36 2F 76 69 73 68 6E 75 [106/vishnu]
001169: 1d03h: RADIUS: saved authorization data for user 3D6BC28 at 3A2DB08

The only problem with this was that the ACS did not send back the right attributes in the Accept. But the switch was sending exactly what it needed to. Perhaps something changed in your config to make it stop doing this? I posted a sample config in an earlier post. That's all I did for web-auth.

Hi all:

Several months ago, I tried a web authentication lab with Cisco 3560, it worked!

But now I do the same lab with Cisco 3750 and reinstall a new Cisco ACS server. The problem I encountered is that my IE prompts a username/password authentication window, and I keyed in the right username/password, and my IE tried to access the Web server that I am trying to, but the result is disappointing. I checked the ACS log and the ACS actually authenticates my username/password, but somehow I don't see any new access-group configured in proxyacl# assigned to my Cisco3750.

I do almost the same config as "scadora" did.

I wonder if it is the ACS that has something wrong!

Double check the attributes that the ACS is configured to send back to the switch. You must send back at least 2 Cisco av-pairs:

1) priv-lvl=15 (syntax must be exact!)

2) one or more proxyacl entries with the exact format "proxyacl#N=[permit|deny] ip any X" where N is any number and X is any host address or subnet. Double check the syntax here, too. If the source address is not "any" it will not work!

Hope that helps. If you can get a sniffer trace of the Access-Accept returned from the ACS, that's the best way to confirm which attributes are actually being sent to the switch.

Shelly
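Shelly's two requirements above (the exact "priv-lvl=15" av-pair, and proxyacl#N entries whose source is "any"), together with the earlier note that the switch rewrites that source to the end host's address, can be checked mechanically. The following Python is an added example, not code from the thread: it validates a constructed list of av-pairs as they would appear in "debug radius" and renders the ACE the switch installs. The sample values and the "network wildcard" subnet form of X are assumptions.

```python
import re

# Constructed sample of the Cisco AV-pairs an ACS might return in its Access-Accept,
# as they would appear in the switch's "debug radius" output (values are made up).
SAMPLE_AVPAIRS = [
    "priv-lvl=15",
    "proxyacl#10=permit ip any any",
    "proxyacl#20=permit ip any host 172.16.7.181",
    "proxyacl#30=permit ip host 10.1.1.1 any",  # source is not "any": rejected
    "priv-lvl = 15",                             # spaces: not the exact syntax
]

# proxyacl#N=[permit|deny] ip any X, where X is "any", "host A.B.C.D" or a
# "network wildcard" pair (the subnet form is an assumption about the ACL syntax).
PROXYACL_RE = re.compile(
    r"^proxyacl#(\d+)=(permit|deny) ip any (any|host \S+|\S+ \S+)$"
)


def validate_avpairs(avpairs):
    """Return (ok, problems). ok is True only if the exact 'priv-lvl=15'
    is present and at least one proxyacl entry has the exact syntax."""
    problems = []
    if "priv-lvl=15" not in avpairs:
        problems.append("missing exact 'priv-lvl=15'")
    valid_acls = 0
    for pair in avpairs:
        if pair == "priv-lvl=15":
            continue
        if pair.startswith("priv-lvl"):
            problems.append(f"inexact priv-lvl syntax: {pair!r}")
        elif pair.startswith("proxyacl#"):
            if PROXYACL_RE.match(pair):
                valid_acls += 1
            else:
                problems.append(f"bad proxyacl syntax or non-'any' source: {pair!r}")
    if valid_acls == 0:
        problems.append("no usable proxyacl entry")
    return (not problems, problems)


def installed_ace(avpair, host_ip):
    """Render the ACE the switch adds to the interface ACL after authentication:
    the source 'any' is replaced by the end host's address, which is what
    "show access-list" then displays."""
    m = PROXYACL_RE.match(avpair)
    if not m:
        raise ValueError(f"not a valid proxyacl entry: {avpair!r}")
    _seq, action, dest = m.groups()
    return f"{action} ip host {host_ip} {dest}"
```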

Please refer to my configuration and debug.

Besides, I already added the two essential parameters in my ACS.

What else do I need to take care of?

The RADIUS debug here only shows an Access-Reject for an automatic MAC check, not a Web Auth attempt. Were you able to enter a username and password on this attempt? It would be good to see the RADIUS debug for that.

I'm a little confused here because you have multiple "show run" outputs in this file, some of which have "ip admission name Rule1 proxy http" and some of which don't. Assuming that it is in there, then your config looks okay. At this point, I would do a "show ip admission cache" -- if you don't see the host's ip address there, then the switch has not seen an ARP or DHCP packet from the host and it can't do Web-Auth.

Shelly

1. Yes, I could enter username and password whenever my IE shows username and password columns. Now that it didn't provide web-auth, how could it show username and password columns?

2. Yes, I only enable web authentication on interface Gi 1/0/5.

3. All configurations that I provided are the same.

4. As I do "show ip admission cache", I can see the host's IP address.

Now I cleared all config and redid all config again! Please check it!

I do not see anything obviously wrong with your config. I also don't see any RADIUS messages for the actual Web Authentication attempt (after entering username and password). The only RADIUS debug in this file is for the automatic MAC check. If you can capture the RADIUS debug for the Web-Auth attempt, it will help debug the problem further.

Shelly
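Shelly's point above turns on telling the switch's automatic MAC check apart from a real Web-Auth request in the "debug radius" output. As an added example that was not posted in the thread, this Python parses a constructed excerpt in that line format, labels each exchange by RADIUS id and records the server's verdict; the regexes assume the line layout shown in the thread and the ids, addresses and user name are made up.

```python
import re

# Constructed excerpt in the format of the thread's "debug radius" output: the first
# exchange is the automatic MAC check, the second a Web-Auth login (values made up).
SAMPLE_DEBUG = """\
2d06h: RADIUS(000000A1): Send Access-Request to 196.3.132.3:1645 id 1645/156, len 84
2d06h: RADIUS: Calling-Station-Id [31] 16 "0014.229b.2d1f"
2d06h: RADIUS: Service-Type [6] 6 Call Check [10]
2d06h: RADIUS: Received from id 1645/156 196.3.132.3:1645, Access-Reject, len 50
1d03h: RADIUS(00000000): Send Access-Request to 192.168.1.60:1645 id 1645/17, len 112
1d03h: RADIUS: User-Name [1] 8 "vishnu"
1d03h: RADIUS: Service-Type [6] 6 Outbound [5]
1d03h: RADIUS: Received from id 1645/17 192.168.1.60:1645, Access-Accept, len 54
1d03h: RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
"""

SEND_RE = re.compile(r"Send Access-Request to \S+ id (\S+),")
RECV_RE = re.compile(r"Received from id (\S+) \S+, (Access-\w+),")
ATTR_RE = re.compile(r"RADIUS: (User-Name|Service-Type|Cisco AVpair) \[\d+\] \d+ (.*)$")


def classify_radius_debug(text):
    """Group debug lines into exchanges keyed by RADIUS id; label each 'mac-check'
    (Service-Type Call Check) or 'web-auth' (a User-Name attribute) and keep the reply."""
    exchanges, current = {}, None
    for line in text.splitlines():
        m = SEND_RE.search(line) or RECV_RE.search(line)
        if m:  # a request or reply line: switch to that exchange by RADIUS id
            current = exchanges.setdefault(
                m.group(1), {"kind": "unknown", "result": "no reply", "avpairs": []})
            if m.re is RECV_RE:
                current["result"] = m.group(2)
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            name, value = m.groups()
            if name == "Service-Type" and "Call Check" in value:
                current["kind"] = "mac-check"
            elif name == "User-Name":
                current["kind"] = "web-auth"
            elif name == "Cisco AVpair":
                current["avpairs"].append(value.strip('"'))
    return exchanges


def web_auth_attempts(exchanges):
    """Ids of the exchanges that are real Web-Auth requests (empty means only MAC checks)."""
    return [rid for rid, ex in exchanges.items() if ex["kind"] == "web-auth"]
```

An empty result from web_auth_attempts() on a full debug capture is the symptom Shelly describes: the switch never sent the Web-Auth request at all.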

How do I disable the automatic MAC check and how do I enable the debug of RADIUS?

What I provided is what the console shows after I do a "debug radius" command and try to open my IE and enter username and password.

Do I need to provide you my ACS config?

Maybe I will do it with live window capturing.

You can't disable the automatic MAC check, but it shouldn't hurt anything.

I'm sorry but I'm starting to run out of ideas here! The switch apparently is not sending RADIUS messages to the server for the Web Auth (it would show up in the RADIUS debug you have enabled, similar to the MAC check RADIUS message that is shown).

The last thing I can suggest is to remove these two lines from your WEBAuth ACL and try it again:

permit tcp any host 172.16.7.181 eq www
permit tcp any host 172.16.7.181 eq 443

Shelly
