Kingsley,

 

Volume 2 Lab 3 is for dot1x web fallback authentication.  IP admission is
not used in that task.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Technical Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130

 

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

 

From: Kingsley Charles [mailto:[email protected]] 
Sent: Friday, April 09, 2010 4:33 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ip admission on switch

 

Hi Tyson

 

The auth-proxy is given in vol 3 Lab 3 (section 5.3) but with dot1x
fallback.

 

 

With regards

Kings

On Fri, Apr 9, 2010 at 1:57 PM, Tyson Scott <[email protected]> wrote:

Kingsley,

 

Attribute 6 is the service-type.
http://www.iana.org/assignments/radius-types

 

You could try moving it to the L3 VLAN interface on the switch and see if it
is supported there but to be honest I have never tried it before.  I believe
the feature to be limited to L3 support and you are applying it to a L2
interface.  IP admission is also used for L2 IP NAC and you may find it to
be the case that the auth-proxy commands are remnant commands that don't
really work.  But please let us know your results.  I think we will all be
interested.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Kingsley
Charles
Sent: Friday, April 09, 2010 4:19 AM
To: [email protected]
Subject: [OSL | CCIE_Security] ip admission on switch

 

Hi all

 

I am trying for http auth-proxy on a switch. I don't get prompted for
username/password on the browser as we get on router auth-proxy. The switch
is sending mac address for authentication.

 

f1/0/6 is connected to an XP PC.

 

Any thoughts?

 

Also, please let me know what "radius-server attribute 6
on-for-login-auth" does.

 

 

 

Config

 

ip device tracking
ip admission name king proxy http list 123

 

interface FastEthernet1/0/6
 switchport access vlan 4
 switchport mode access
 ip admission king

 

Debugs

 

 

1w3d: RADIUS:  authenticator FB D8 DE 61 A8 E2 F9 11 - 4B 3F F0 7F E5 CC C5 08
1w3d: RADIUS:  Calling-Station-Id  [31]  16  "0008.a145.f40c"
1w3d: RADIUS:  Service-Type        [6]   6   Call Check                [10]
1w3d: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
1w3d: RADIUS:  Message-Authenticato[80]  18
1w3d: RADIUS:   30 54 6D 6E 1E A8 24 2C 01 7C 68 C5 D4 5D 41 19        [ 0Tmn$,|h]A]
1w3d: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
1w3d: RADIUS:  NAS-Port            [5]   6   0
1w3d: RADIUS:  NAS-Port-Id         [87]  19  "FastEthernet1/0/6"
1w3d: RADIUS:  NAS-IP-Address      [4]   6   10.20.30.43
1w3d: RADIUS: Received from id 1645/82 10.20.30.45:1645, Access-Reject, len 50
1w3d: RADIUS:  authenticator 50 91 59 89 0D 19 25 CA - 68 0D C3 56 C6 21 FF BB
1w3d: RADIUS:  Reply-Message       [18]  12
1w3d: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D          [ Rejected]
1w3d: RADIUS:  Message-Authenticato[80]  18
1w3d: RADIUS:   C7 2E 1B 58 EF A7 A7 56 1C 61 47 21 F8 81 AC 1D            [ .XVaG!]
1w3d: RADIUS(000002C6): Received from id 1645/82
1w3d: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
1w3d:  NRH reply fail for 10.20.30.44
1w3d:  Apply HTTP_INTERCEPT for host 10.20.30.44

 

With regards

Kings
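
Added example, not part of the thread: a small Python parser for the RADIUS debug attribute lines posted above. It shows that the request carries Service-Type 10 (Call Check) with the host MAC as Calling-Station-Id and that the server answered Access-Reject. The sample lines are a subset copied from the thread's debug output; the function names parse and summarize are assumptions of this example.

```python
import re

# Subset of the debug output posted in the thread (wrapped lines rejoined).
DEBUG = """\
1w3d: RADIUS:  Calling-Station-Id  [31]  16  "0008.a145.f40c"
1w3d: RADIUS:  Service-Type        [6]   6   Call Check                [10]
1w3d: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
1w3d: RADIUS:  NAS-Port-Id         [87]  19  "FastEthernet1/0/6"
1w3d: RADIUS:  NAS-IP-Address      [4]   6   10.20.30.43
1w3d: RADIUS: Received from id 1645/82 10.20.30.45:1645, Access-Reject, len 50
1w3d: RADIUS:  Reply-Message       [18]  12
"""

# Attribute line layout: RADIUS:  <name> [<type>] <len> [<value> [<enum>]]
ATTR = re.compile(r'RADIUS:\s+([\w-]+)\s*\[(\d+)\]\s+(\d+)\s*(.*?)\s*(?:\[(\d+)\])?\s*$')
REPLY = re.compile(r'RADIUS: Received from id \S+ (\S+?),\s*([\w-]+), len \d+')
MAC = re.compile(r'^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$', re.I)

def parse(text):
    """Return (request attributes, reply code, reply attributes) keyed by type."""
    request, reply, code = {}, {}, None
    for line in text.splitlines():
        m = REPLY.search(line)
        if m:                      # everything after this line belongs to the reply
            code = m.group(2)
            continue
        m = ATTR.search(line)
        if m:                      # hex-dump and authenticator lines do not match
            name, atype, _len, value, enum = m.groups()
            target = reply if code else request
            target[int(atype)] = (name, value.strip('"'), int(enum) if enum else None)
    return request, code, reply

def summarize(text):
    """Report what kind of authentication the switch requested and the outcome."""
    request, code, _ = parse(text)
    service = request.get(6)       # attribute 6 = Service-Type
    station = request.get(31)      # attribute 31 = Calling-Station-Id
    return {
        "service_type": service[1] if service else None,
        "call_check": bool(service and service[2] == 10),
        "identity_is_mac": bool(station and MAC.match(station[1])),
        "result": code,
    }

if __name__ == "__main__":
    print(summarize(DEBUG))
```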

 
