Web authentication Catalyst 2960
Hello
I am trying to configure Web authentication relief on a catalyst 2960 switch. The goal is to authenticate customers via web authentication that are consistent (the part of 802. 1 x works fine) not 802. 1 x and allow them access to the network. The problem is that the web authentication seems to fail.
The equipment about my question: switch catalyst 2960 (version: 122 - 37.SE) and a FreeRadius.
Here's what happens:
The authentication window will appear in my browser and the access request is sent to the RADIUS.
The term RADIUS replies with an Access-Accept. Debugging running on the switch show that all this information is coming properly authentication and switch outputs debug a 'status = PASS' and permission to debug outputs a 'status = PASS_ADD'. Despite this the browser on the client generates a message "authentication failure".
I have read the manual and the Cisco attribute value pairs are mentioned: ' priv-lvl = 15' and «proxyacl...»» ». They are required to make it work? Given that I'm not setting up any authentication switch connection via RADIUS.
Any suggestions?
Thanks in advance
Yes, they are mandatory.
If priv-lvl = 15 is not returned to the switch, the user will see? Authentication failed? and the access list will not apply. If the source in the statements of proxyacl field is not? everything? or there are other errors of syntax, the user will see? Successful authentication? but the access list will not apply and the user will be denied access to the network.
Not sure about the configuration of specific FreeRADIUS, but you need to set up the? [026\009\001] Cisco av pair VSA. It should look like:
Priv-lvl = 15
proxyacl #10 = ip permit a whole
Let me know if this lets you squared
Tags: Cisco Security
Similar Questions
-
Bundle of Web authentication on a WLAN controller integrated Catalyst 3750
We have set up a wifi zone based on a few 1131AG access points and a few Cisco 3750 integrated WLAN controllers. We are now trying to use web authentication for our comments area. No problem by defining a WLAN of COMMENTS and the associated VLAN. We have also managed to download a custom controller authentication web page.
However, when I try to display the custom page, both controllers of show me the internal default page (preview and during the phase of actual authentication).
Global web authentication settings are the following: Security--> Auth Web--> Web Login Page--> custom (downloaded).
On the controller software version is 4.2.112.0, and the page is an HTML page.
Reveal any help be appreciated.
Kind regards
Sonia
What you need to do is set internally (by default) and hit apply, then play again to custom and click on apply. You can still see the defaul if you use the preview, but if you associate the SSID and open your web browser, you should get the webauth page. I hope this helps.
-
Setup
Cisco Catalyst 2960-S running 15.0.2 - SE8
Under Centos freeRadius 6.4 RADIUS server
Client (supplicant) running Windows 7
When Windows client is connected to the port (port 12 in my setup) with authentication of 802. 1 x active switch, show of Wireshark that catalyst sends ask EAP and the client responds with EAP response. But it made not the request to the Radius server. The RADIUS test utility 'aaa RADIUS testuser password new-code test group' works.
Here is my config running. Any advice would be greatly appreciated.
#show running mySwitch-
mySwitch #show running-config
Building configuration...Current configuration: 2094 bytes
!
version 12.2
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname myswitch
!
boot-start-marker
boot-end-marker
!
activate the password secret 5 $1$ Z1z6$ kqvVYRQdVRZ0h8aDTV5DR0 enable password!
!
!
AAA new-model
!
!
AAA dot1x group group radius aaa accounting dot1x default start-stop radius authentication group!
!
!
AAA - the id of the joint session
1 supply ws-c2960s-24ts-l switch
!
!
!
!
!
control-dot1x system-auth
pvst spanning-tree mode
spanning tree extend id-system
!
!
!
!
internal allocation policy of VLAN no ascendant interface FastEthernet0 no stop ip address!
GigabitEthernet1/0/1 interface
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
switchport mode access
Auto control of the port of authentication
dot1x EAP authenticator
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
IP 10.1.2.12 255.255.255.0
!
IP http server
IP http secure server
activate the IP sla response alerts
recording of debug trap
10.1.2.1 host connection tcp port 514 RADIUS-server host 10.1.2.1 transport auth-port 1812 acct-port 1646 timeout 3 retransmit testing123 key 3.
Line con 0
line vty 0 4
password password
line vty 5 15
password password
!
endinterface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20Have you run wireshark on the server because the request to switch? If so you make sure that there is a response from the server? For Windows network POLICY Server (I've never tried Centos), you must ensure that the request is related to a policy which then authenticates, or denies access. Usually, it is a matter of such attributes and the seller.
Regarding the configuration, it seems a bit out of the AAA. Try to remove the:
line "aaa dot1x group service radius authentication" and this by using instead:
"aaa dot1x default radius authentication group". After the dot1x word you are supposed to provide a list of the authentication or the default Word if you do not want to use a list.
-
Aironet 1252 with catalyst 2960-8TC-L &; 1841 router compatibility
Hello
First of all they are togther a good combination?
I'll buy new ap 1252 and switch catalyst 2960-8TC-L my question can I connect the access point to 1 x 10/100/1000Base-T/SFP (mini-GBIC) (uplink) port?
because to work on ap with capacity 300 Mbps, it needs port 1000, I will use to power ap powerinjector.
It will be 15 sereve pc as a working group and 60 customers on wlan.
Concerning
Saher
Depending on the type of traffic and bandwidth customer requirements demand, you might need a couple more of ap which means you may have to settle for a switch of 24 ports. Cisco recommends 15-25 users by so, but still, you can have more if it's just e-mail and web browsing.
-
Dot1x multidomain on Catalyst 2960
Hello
I improved my 2960 with the latest basic version of LAN 12.2 (46) which includes the authentication of domain Multi (MDA) and I tried to configure what is described here:
http://www.Cisco.com/en/us/Tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml
I have the following exceptions in my configuration:
(1) SE - cat 2960 with the latest version of IOS 12.2 (46) that supports the MDA;
(2) using the Win2K IAS as a server radius. and
(3) third party (Avaya) with active begging dot1x IP phone. I have a PC with ability to dot1x connected to the second port of the IP phone.
That's what I set up on the phone IP port:
interface FastEthernet0/9
switchport access vlan 221
switchport mode access
switchport voice vlan 222
dot1x EAP authenticator
self control-port dot1x
multi-domain host-mode dot1x
protect the dot1x violation-mode
dot1x reauth-deadline 30
dot1x re-authentication
spanning tree portfast
I also configured the server Radius IAS Win2K to send RADIUS 'cisco-av-pair attribute' tell the authenticator (Cisco Catalyst 2960) that a supplicant (IP phone) is authorized on the voice VLAN as described in config-notes above link.
When the supplicant IP phone starts to authenticate, he succeeds, but that the port does not allow the field of VOICE, even though the 2960 receives the attribute "cisco-av-pair" of the Radius Server RADIUS. I confirmed the reception of this attribute of debugging on the switch.
RADIUS: Receipt of id 160.2.100.74:1645 1645/64, Access-Accept, len
110
17:02:38: RADIUS: authenticator 7 d AC 50 FE 14 B4 FC DC - 3A A4 E5 3F 1E 76 62
C3
17:02:38: RADIUS: EAP-Message [79] 6
17:02:38: RADIUS: 03 05 00 04
17:02:38: RADIUS: [25] in class 32
17:02:38: RADIUS: 44 05 05 A2 00 00 01 37 00 01 A0 02 64 4A C9 01 1 33 79 52
D8 58 00 00 00 00 00 00 1 b E7 [D7dJ3yRX]
17:02:38: RADIUS: seller, Cisco [26] 34
17:02:38: RAY: Cisco-AVpair [1] 28 'device-traffic-class = voice.
17:02:38: RADIUS: Message-Authenticato [80] 18
17:02:38: RADIUS: D9 42 78 88 26 5A 65 83 68 B0 E0 C7 AF 5TH 0F 51 [B
[x & Zeh ^ Q]
17:02:38: RADIUS (00000009): receipt of id 1645/64
17:02:38: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
Cat2960 #show dot1x int fa0/9 details
Dot1x FastEthernet0/9 information
-----------------------------------
EAP AUTHENTICATOR =
PortControl = AUTO
ControlDirection = both
HostMode = MULTI_DOMAIN
Violation mode = PROTECT
A re-authentication = on
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthPeriod = 30 (configured locally)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Dot1x authenticator customer list
-------------------------------
Domain = DATA
"Supplicant" = 0004.0d9b.46d8
AUTH State = AUTHENTICATED SM
AUTH BEND State IDLE = SM
Port status = AUTHORIZED
ReAuthPeriod = 30
ReAuthAction = is re-authenticated
TimeToNextReauth = 20
Authentication method = Dot1x
Authorized by = authentication server
Policy of VLAN = n/a
I don't think I need CDP to allow the field of voice, if the Radius server sends the attribute "cisco-av-pair".
Have I misunderstood the concept?
Thank you!
You can share the config switch?
Missing for example aaa authorization network default radius group?
-
6248 FI Cisco's UCS with Cisco catalyst 2960 connectivity
In our environment, UCS, connects the two fabric as a Cisco Nexus 9 k switch upstream with vPC and it works well. But we need to isolate some virtual servers on the blades of the UCS on an entirely separate DMZ switch which is Cisco catalyst 2960.
(1) so can we connect cables separate physical twinax of FI uplink ports to catalyst 2960 and connectivity to the servers in the DMZ keeping YEW to nexus connectivity as it is?
(2) in this case, as there are 2 switches to nexus core 1 and 2 so we will require 2 cisco catalyst 2960 for disjoint such a network? or otherwise we can connect A FI and FI B to one on his 2 numbers 2960 switch. Gig SFP ports + 10?
(3) also suggest things must be taken in charge, the best guides practice or an illustration in this context.
The assignment is static and cannot be changed.
location 1 - uplink 1
slot 2 - uplink 2...
If a property has no blade, the corresponding uplink is not used and that can not be changed!
This dedication of uplinks of IOM is of course a lot of resources: cables, ports on FI, allowed port,...
-
WLC (foreign-anchor), problem with external web authentication->; ISE
Hello guys
I am designing a platform for a network of comments, which must be isolated from the LAN, the following facilities:
- ISE 1.2 (SNS-3415-K9 Cisco)
- WLC 7.0.230.0 (Cisco 5508 controller)---> foreign wlc
- WLC 7.0.230.0 (Cisco 5508 controller)---> wlc anchor.
The PAES tunnel between wlc is successfully completed.
The wireless client gets the IP address of the anchor wlc (DHCP server).
Test 1:
I have set up the ANCHOR WLC with local web authentication (internal), the wireless client is authenticated by WLC and successfully navigate.
Test 2:
Configure the authentication web external anchor (ISE) WLC. Configure a user to the portal comments ISE.
The wireless client gets the IP address of the anchor wlc (DHCP server), attempting to engage not display comments portal.
Debugging a wireless client, try to connect to the guest network is attached.
That's right... they have a version of code required minimum supported for this.
Thank you
Scott
Help others using the system of rating and marking answers questions like "answered."
-
Assignment of VLAN dynamic of the Web authentication
In a firmware WLC 4402 v.5.2.157 is possible to assign users to one VLAN dynamic based on the RADIUS response received from ACS?
Yes and no. You can do for a WLAN 802.1 x internal, that the customer does not get an IP address, until they have completed the authentication process. To do this, you use 64/65/81, 64 802, 65 VLAN and to 81 use the name of the interface, not the number VLAN. you will also need to make sure you have AAA Overrided activated under the WLAN.
If, as is said for Web authentication, the answer is no. The client has an IP address before being validated by the AAA server.
HTH,
Steve
-
Web authentication passthrough with input from the e-mail
Is it possible to use a custom login.html page when web auth/passthrough is used with the input of the email? I have a requirement to have just the users to register with an e-mail address and I need to provide a custom page.
I receive custom login pages, but I can't figure out how to make a customized with only e-mail login.html page entry.
Any help is appreciated.
Thank you
Kurt
You should also check wireless downloads. In the area where you can find the code of the controller to download, you can also find a 'Wireless LAN Controller Web authentication Bundle' containing several samples of html, including e-mail data.
This link might work, maybe not:
-
Independent WAP Web authentication?
Is it possible to do the redirection of web authentication using 1131 s independent or that the function is available with WLAN controllers?
Hello
Authentication on the Web is only a solution for a unified environment (WLC). Autonomous aPs cannot perform this function.
-Patrick Croak
TAC wireless
-
How acess catalyst 2960-s
The main method of management is the Cisco Network Assistant however if you need to use the console port, then use the supplied RJ45 to DB9 cable to connect to a local serial port.
Software wise, that it is possible to extract the 2 files HyperTerminal from a CD in Windows XP to run on a Win7 PC. The best alternative is a PuTTY terminal emulator.
-
Ie9 beta does not have the web authentication
Hello
/ * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 cm 5.4pt cm 0 5.4pt ; mso-para-margin : 0 cm ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : SimSun ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : Arial ; mso-bidi-theme-font : minor-bidi ;}
I have a question:
We had a user who defines the Cisco web-authentuicated WiFi SSID as network Public in the firewall of Windows 7 and when he tried to connect to WiFi, it appears a troubleshooting page and said: "Connection to Web pages are currently redirected to a different Web page." It uses IE9 beta. Most likely the browser it's a MiTM attack.
Apart from declaring (SSID) network as a private network secure, y at - there another solution?
Our goal is to get the users (which come from major conferences) on the network without them having to change a lot of things on their laptops. They would be naturally defined as a Public network.
Thank you
Suman
The concept of web authentication IS a man in the Middle somehow attack... And IE9 is not a browser supported either.
I don't know what makes IE cause this error exactly well. You have a DNS host name and the certificate on your webauth?
Nicolas
-
not visible on the switch Catalyst 2960 vNIC...
Dear all,
I configured the UCS chassis with 5 blades and installed the esxi on all five blades...
I created a VNIC 10 per server and by now I have ip for esxi management by combining two NICs for and YEW is connected to the switch catalyst 2960. The uplinks are 1 Gig at the END and at the end of the switch... and I made these trunk at the end of the switch, all permitted the VLAN on the trunk link
I have configured all the VLANS on during vNIC based on a model and all of those selected. vlan1 is the vlan by default & selected the same.
Please help me to solve the problem... I got tired of all the means & could not able to find a solution.
Kind regards
Gopi G
Greetings.
Please confirm you learn your esxi mgmt addresses (VMK0 will inherit mac vnic UCSM) on FI: #connect nxos
#See table of mac addresses
Do the same on your 2960 switches. You see the mac addresses on the ports of 2960 connected for the UCSM uplinks?
Your uplinks UCSM go the 2960 into a port channel?
Thank you
Kirk
-
The web authentication.
I want to configure a switch for IEEE 802 authentication port. 1 x with web authentication as a means of rescue.
Can anyone provide an example of a valid configuration?
Only web authentication does not work!
Switch #sh run
Building configuration...
Current configuration: 3012 bytes
!
version 12.2
no service button
horodateurs service debug uptime
Log service timestamps uptime
no password encryption service
!
Switch host name
!
!
AAA new-model
Group AAA authentication login default RADIUS
connection of line-con AAA authentication, no
Group AAA dot1x default authentication RADIUS
Group AAA authorization auth-proxy default RADIUS
!
AAA - the id of the joint session
switch 1 supply ws-c3750 - 48P
mtu 1500 routing system
IP subnet zero
IP - cisco.com domain name
property intellectual admission name rule1 http proxy
!
!
!
!
control-dot1x system-auth
!
!
!
!
!
!
Profile relief aid
IP access-group Policy1 in
rule1 admission IP
!
pvst spanning-tree mode
spanning tree extend id-system
!
internal allocation policy of VLAN ascendant
!
!
!
!
interface FastEthernet1/0/1
switchport access vlan 142
switchport mode access
!
interface FastEthernet1/0/47
switchport access vlan 142
switchport mode access
dot1x EAP authenticator
self control-port dot1x
relief aid dot1x
!
interface Vlan1
no ip address
Shutdown
!
interface Vlan142
IP 10.1.254.1 255.255.255.0
!
IP classless
!
peche1 extended IP access list
allow udp any any eq bootps
deny ip any any newspaper
!
Server RADIUS attribute 8 include-in-access-req
secret key of acct-port 1645 auth-10.1.254.187 - RADIUS server host port 1646
Server RADIUS ports source-1645-1646
RADIUS vsa server send authentication
!
control plan
!
!
Line con 0
line vty 5 15
!
end
Try adding this:
analysis of IP device
In addition, if you want your users to web-auth to use DNS to resolve URLS, you probably want to add something like this to Policy1:
allow udp any any eq field
Don't forget that you need to wait until the 802. 1 X times out (90 seconds by default) for Web-Auth to kick.
Shelly
-
Hello
Can someone tell me a method of turning off the function of the Mode button on a catalyst 2960 to stop this reboot of the switch after being detained for 10 seconds? Even with a config full on the switch, the function "reset" always seems to bypass the config and clear/reload the switch.
Is it possible to disable this feature in the software?
Thank you very much
Charlie Read
Try the following command: no express installation
See the following link for more details on the order.
I hope this helps.
Steve
Maybe you are looking for
-
How to add an email address to a group in the address book?
When I look at the ad group, I don't see how to add an address to the group.
-
Video problem with Satellite X 200-25 G (PSPB9E)
Hello I have this laptop about a year, and I have a problem with (real) Windows Vista, Windows XP (with the video driver change). Video driver is newest without problems, except one. I work with SolidWorks, and the problem is that in this product. Yo
-
How can I prevent email Spoofing
People in my contact list become e-Mails allegedly from me asking them to click on a link. I believe that my email address was used by spammers, where, in order to hide their identity, they will be sent spam that appears to come from me. They can do
-
XP Home for my Acer Lap top 5s
I have an Acer Lap Top 5 years with Windows XP Home edition. The hard drive failed and I had to replace. I tried using the recovery disk provided by the mfg, but they do not work. I followed the instructions exactly, but nothing. I entered my s/n
-
Comment to return to normal mode on vista sp2
I'm blocking mode without echec.donc no possibility to restore or to use a driver or access a windows udap. What to do please. Thank you