Hi Tyson

If you can apply eou admission (NAC L2 IP) on the L2 interface then
certainly you can also apply http admission on the L2 interfaces.

Please find the config below:

Switch(config)# aaa new-model

Switch(config)# aaa authentication login default group radius

Switch(config)# aaa authorization auth-proxy default group radius

Switch(config)# radius-server host 1.1.1.2 key key1

Switch(config)# radius-server attribute 8 include-in-access-req

Switch(config)# radius-server vsa send authentication

Switch(config)# ip device tracking

Switch(config)# end

Switch# configure terminal

Switch(config)# ip admission name rule1 proxy http

Switch(config)# interface gigabit0/1

Switch(config-if)# switchport mode access

Switch(config-if)# ip access-group policy1 in

Switch(config-if)# ip admission rule1

Switch(config-if)# end



http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/sw8021x.html



With regards

Kings
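
A small parser for the `debug radius` output Kings posted further down the thread, added here as an editor's example (it is not code from any of the posters or from Cisco). It pulls the attributes out of the debug lines, decodes Service-Type [6] using the IANA radius-types registry Tyson linked, and reports whether the switch sent a MAC-based Call-Check request (which is what the debug shows, and why no browser login prompt appears) or a Login request. The sample lines are copied from the thread and reflowed onto single lines; the function names and the diagnosis labels are my own.

```python
import re
from typing import NamedTuple, Optional

# RADIUS Service-Type (attribute 6) values from the IANA radius-types registry.
SERVICE_TYPE = {1: "Login", 2: "Framed", 3: "Callback-Login", 4: "Callback-Framed",
                5: "Outbound", 6: "Administrative", 7: "NAS-Prompt",
                8: "Authenticate-Only", 9: "Callback-NAS-Prompt", 10: "Call-Check",
                11: "Callback-Administrative"}


class Attr(NamedTuple):
    name: str
    type: int
    value: str
    code: Optional[int]   # enumerated value IOS prints as a trailing [N], if any


# One attribute line: "RADIUS:  Name  [type]  len  value" (IOS truncates long
# names, e.g. "Message-Authenticato[80]", so the space before "[" is optional).
ATTR_RE = re.compile(r"RADIUS:\s+(?P<name>[A-Za-z][\w-]*)\s*\[(?P<type>\d+)\]"
                     r"\s+(?P<len>\d+)\s*(?P<value>.*)$")
RESULT_RE = re.compile(r"RADIUS: Received from id \S+ (?P<server>\S+), "
                       r"(?P<code>Access-[A-Za-z]+)")
ENUM_RE = re.compile(r"^(?P<label>.*?)\s*\[(?P<code>\d+)\]$")
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)


def parse_debug(lines):
    """Return (attributes, result_code, server) from `debug radius` lines."""
    attrs, result, server = [], None, None
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            result, server = m.group("code"), m.group("server")
            continue
        m = ATTR_RE.search(line)
        if not m:
            continue   # hex dumps, authenticator lines, NRH/HTTP_INTERCEPT lines
        value, code = m.group("value").strip(), None
        e = ENUM_RE.match(value)
        if e:   # "Call Check   [10]" -> label "Call Check", code 10
            value, code = e.group("label"), int(e.group("code"))
        attrs.append(Attr(m.group("name"), int(m.group("type")), value.strip('"'), code))
    return attrs, result, server


def first(attrs, name):
    """First occurrence of an attribute (IOS may send NAS-Port-Type twice)."""
    return next((a for a in attrs if a.name == name), None)


def diagnose(lines):
    """Classify the request the switch sent and how the server answered."""
    attrs, result, server = parse_debug(lines)
    st = first(attrs, "Service-Type")
    csid = first(attrs, "Calling-Station-Id")
    port = first(attrs, "NAS-Port-Id")
    mode = "unknown"
    if st is not None:
        # Call-Check with a MAC in Calling-Station-Id is a MAC-based check,
        # not a credential login, so the user never sees a browser prompt.
        if st.code == 10 and csid is not None and MAC_RE.match(csid.value):
            mode = "mac-auth"
        elif st.code == 1:
            mode = "login"
    return {"mode": mode,
            "service_type": SERVICE_TYPE.get(st.code) if st else None,
            "identity": csid.value if csid else None,
            "port": port.value if port else None,
            "result": result, "server": server}


# Debug lines from the thread, reflowed onto single lines (constructed sample).
SAMPLE_DEBUG = """\
1w3d: RADIUS:  authenticator FB D8 DE 61 A8 E2 F9 11 - 4B 3F F0 7F E5 CC C5 08
1w3d: RADIUS:  Calling-Station-Id  [31]  16  "0008.a145.f40c"
1w3d: RADIUS:  Service-Type        [6]   6   Call Check                [10]
1w3d: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
1w3d: RADIUS:  Message-Authenticato[80]  18
1w3d: RADIUS:   30 54 6D 6E 1E A8 24 2C 01 7C 68 C5 D4 5D 41 19        [ 0Tmn$,|h]A]
1w3d: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
1w3d: RADIUS:  NAS-Port            [5]   6   0
1w3d: RADIUS:  NAS-Port-Id         [87]  19  "FastEthernet1/0/6"
1w3d: RADIUS:  NAS-IP-Address      [4]   6   10.20.30.43
1w3d: RADIUS: Received from id 1645/82 10.20.30.45:1645, Access-Reject, len 50
1w3d: RADIUS:  Reply-Message       [18]  12
1w3d: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D          [ Rejected]
1w3d:  NRH reply fail for 10.20.30.44
1w3d:  Apply HTTP_INTERCEPT for host 10.20.30.44
""".splitlines()

if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG))
```

Run it on the captured debug and the diagnosis comes back as `mac-auth` with Service-Type `Call-Check`, identity `0008.a145.f40c` on `FastEthernet1/0/6`, rejected by `10.20.30.45:1645`; a request that would prompt for credentials shows up as Service-Type `Login` [1] instead.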



On Fri, Apr 9, 2010 at 7:47 PM, Tyson Scott <[email protected]> wrote:

>  Sorry, let me say... I forgot about even doing that task.  It has been
> too long I guess ;).
>
>
>
> As stated in my first email the admission is not applied to the L2
> interface though.  It uses the fallback profile.
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> Technical Instructor - IPexpert, Inc.
>
> Mailto: [email protected]
>
> Telephone: +1.810.326.1444, ext. 208
>
> Live Assistance, Please visit: www.ipexpert.com/chat
>
> eFax: +1.810.454.0130
>
>
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
>
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Friday, April 09, 2010 4:33 AM
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] ip admission on switch
>
>
>
> Hi Tyson
>
>
>
> The auth-proxy is given in vol 3 Lab 3 (section 5.3) but with dot1x
> fallback.
>
>
> With regards
>
> Kings
>
> On Fri, Apr 9, 2010 at 1:57 PM, Tyson Scott <[email protected]> wrote:
>
> Kingsley,
>
>
>
> Attribute 6 is the service-type.
> http://www.iana.org/assignments/radius-types
>
>
>
> You could try moving it to the L3 VLAN interface on the switch and see if
> it is supported there but to be honest I have never tried it before.  I
> believe the feature to be limited to L3 support and you are applying it to a
> L2 interface.  IP admission is also used for L2 IP NAC and you may find it
> to be the case that the auth-proxy commands are remnant commands that don't
> really work.  But please let us know your results.  I think we will all be
> interested.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Friday, April 09, 2010 4:19 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] ip admission on switch
>
>
>
> Hi all
>
>
>
> I am trying for http auth-proxy on a switch. I don't get prompted for
> username/password on the browser as we get on router auth-proxy. The switch
> is sending mac address for authentication.
>
>
>
> f1/0/6 is connected to an XP PC.
>
>
>
> Any thoughts?
>
>
>
> Also, please let me know what "radius-server attribute 6
> on-for-login-auth" does?
>
>
> *Config*
>
>
>
> ip device tracking
> ip admission name king proxy http list 123
>
>
>
> interface FastEthernet1/0/6
>  switchport access vlan 4
>  switchport mode access
>  ip admission king
>
>
>
> *Debugs*
>
>
>
>
> 1w3d: RADIUS:  authenticator FB D8 DE 61 A8 E2 F9 11 - 4B 3F F0 7F E5 CC C5
> 08
> 1w3d: RADIUS:  Calling-Station-Id  [31]  16  "0008.a145.f40c"
> 1w3d: RADIUS:  Service-Type        [6]   6   Call Check                [10]
> 1w3d: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
> 1w3d: RADIUS:  Message-Authenticato[80]  18
> 1w3d: RADIUS:   30 54 6D 6E 1E A8 24 2C 01 7C 68 C5 D4 5D 41 19        [
> 0Tmn$,|
> h]A]
> 1w3d: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
> 1w3d: RADIUS:  NAS-Port            [5]   6   0
> 1w3d: RADIUS:  NAS-Port-Id         [87]  19  "FastEthernet1/0/6"
> 1w3d: RADIUS:  NAS-IP-Address      [4]   6   10.20.30.43
> 1w3d: RADIUS: Received from id 1645/82 10.20.30.45:1645, Access-Reject,
> len 50
> 1w3d: RADIUS:  authenticator 50 91 59 89 0D 19 25 CA - 68 0D C3 56 C6 21 FF
> BB
> 1w3d: RADIUS:  Reply-Message       [18]  12
> 1w3d: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D          [ Rejected]
> 1w3d: RADIUS:  Message-Authenticato[80]  18
> 1w3d: RADIUS:   C7 2E 1B 58 EF A7 A7 56 1C 61 47 21 F8 81 AC 1D
> [ .XV
> aG!]
> 1w3d: RADIUS(000002C6): Received from id 1645/82
> 1w3d: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
> 1w3d:  NRH reply fail for 10.20.30.44
> 1w3d:  Apply HTTP_INTERCEPT for host 10.20.30.44
>
>
>
> With regards
>
> Kings
>
>
>