Kingsley,

As stated in my previous emails as well, I have never configured it, so I
am not sure. NAC L2 and Auth Proxy function at two different layers. NAC
L2 is layer 2. Auth Proxy functions at layer 3. I read through the document
quickly, and what enables it to function at layer 3 is the device tracking
feature, which maps the L3 address back to the L2 port. So the question would
be: are you using static or dynamic addressing? If you are using dynamic
addressing, then you must also enable DHCP snooping. I can look at this Monday
and test it out, but I have not configured it before, so I am unsure of the
answer to give you for this without doing it myself. I have only tested every
other variant on the webpage.

Please respond with whether or not you are using DHCP in conjunction with
this.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Kingsley Charles [mailto:[email protected]] 
Sent: Friday, April 09, 2010 11:03 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ip admission on switch

Hi Tyson

If you can apply eou admission (NAC L2 IP) on the L2 interface, then
certainly you can also apply http admission on the L2 interfaces.

Please find the config below:

Switch(config)# aaa new-model
Switch(config)# aaa authentication login default group radius
Switch(config)# aaa authorization auth-proxy default group radius
Switch(config)# radius-server host 1.1.1.2 key key1
Switch(config)# radius-server attribute 8 include-in-access-req
Switch(config)# radius-server vsa send authentication
Switch(config)# ip device tracking
Switch(config)# end
Switch# configure terminal
Switch(config)# ip admission name rule1 proxy http
Switch(config)# interface gigabit0/1
Switch(config-if)# switchport mode access
Switch(config-if)# ip access-group policy1 in
Switch(config-if)# ip admission rule1
Switch(config-if)# end

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/sw8021x.html

With regards
Kings


On Fri, Apr 9, 2010 at 7:47 PM, Tyson Scott <[email protected]> wrote:

Sorry, let me say... I forgot about even doing that task. It has been too
long, I guess ;).

As stated in my first email, the admission is not applied to the L2 interface
though. It uses the fallback profile.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

From: Kingsley Charles [mailto:[email protected]]
Sent: Friday, April 09, 2010 4:33 AM
To: Tyson Scott
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] ip admission on switch

Hi Tyson

The auth-proxy is given in vol 3 Lab 3 (section 5.3) but with dot1x
fallback.

With regards
Kings

On Fri, Apr 9, 2010 at 1:57 PM, Tyson Scott <[email protected]> wrote:

Kingsley,

Attribute 6 is the service-type:
http://www.iana.org/assignments/radius-types

You could try moving it to the L3 VLAN interface on the switch and see if it
is supported there, but to be honest I have never tried it before. I believe
the feature to be limited to L3 support, and you are applying it to an L2
interface. IP admission is also used for L2 IP NAC, and you may find it to
be the case that the auth-proxy commands are remnant commands that don't
really work. But please let us know your results. I think we will all be
interested.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Friday, April 09, 2010 4:19 AM
To: [email protected]
Subject: [OSL | CCIE_Security] ip admission on switch

Hi all

I am trying for http auth-proxy on a switch. I don't get prompted for
username/password on the browser as we do on router auth-proxy. The switch
is sending the MAC address for authentication.

f1/0/6 is connected to an XP PC.

Any thoughts?

Also, please let me know what "radius-server attribute 6
on-for-login-auth" does.

Config

ip device tracking
ip admission name king proxy http list 123

 

interface FastEthernet1/0/6
 switchport access vlan 4
 switchport mode access
 ip admission king

Debugs

1w3d: RADIUS:  authenticator FB D8 DE 61 A8 E2 F9 11 - 4B 3F F0 7F E5 CC C5 08
1w3d: RADIUS:  Calling-Station-Id  [31]  16  "0008.a145.f40c"
1w3d: RADIUS:  Service-Type        [6]   6   Call Check                [10]
1w3d: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
1w3d: RADIUS:  Message-Authenticato[80]  18
1w3d: RADIUS:   30 54 6D 6E 1E A8 24 2C 01 7C 68 C5 D4 5D 41 19        [ 0Tmn$,|h]A]
1w3d: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
1w3d: RADIUS:  NAS-Port            [5]   6   0
1w3d: RADIUS:  NAS-Port-Id         [87]  19  "FastEthernet1/0/6"
1w3d: RADIUS:  NAS-IP-Address      [4]   6   10.20.30.43
1w3d: RADIUS: Received from id 1645/82 10.20.30.45:1645, Access-Reject, len 50
1w3d: RADIUS:  authenticator 50 91 59 89 0D 19 25 CA - 68 0D C3 56 C6 21 FF BB
1w3d: RADIUS:  Reply-Message       [18]  12
1w3d: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D          [ Rejected]
1w3d: RADIUS:  Message-Authenticato[80]  18
1w3d: RADIUS:   C7 2E 1B 58 EF A7 A7 56 1C 61 47 21 F8 81 AC 1D            [ .XVaG!]
1w3d: RADIUS(000002C6): Received from id 1645/82
1w3d: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
1w3d:  NRH reply fail for 10.20.30.44
1w3d:  Apply HTTP_INTERCEPT for host 10.20.30.44

With regards
Kings
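
Added example, not part of the thread: a small Python parser for the `debug radius` lines posted above. It pulls the attributes out of the IOS attribute dump (including repeated attributes and the hex continuation lines), reads the reply code, and then reports what kind of request the switch actually sent. The rule it applies is the one visible in the debug: a Service-Type of Call Check (code 10 in RFC 2865) together with a MAC in Calling-Station-Id means the switch asked the RADIUS server about the station's MAC rather than relaying a username and password, which is what the "switch is sending mac address" observation describes. The regexes, the SERVICE_TYPE table and the classification labels are the example's own assumptions; the sample input is the posted debug, constructed here as a string with the wrapped lines re-joined.

```python
"""Decode Cisco IOS `debug radius` attribute lines and tell a MAC lookup
(Service-Type Call-Check) apart from a user login request.

Added example; the regexes assume the IOS debug layout shown in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Service-Type codes from RFC 2865 section 5.6 (subset; assumed table).
SERVICE_TYPE = {1: "Login", 2: "Framed", 5: "Outbound",
                8: "Authenticate-Only", 10: "Call-Check"}
CALL_CHECK = 10

# "<uptime>: RADIUS:  Name [type] len value"; a long name runs straight into
# the bracket, e.g. "Message-Authenticato[80]", so no space is required there.
ATTR_RE = re.compile(
    r"^\S+:\s+RADIUS:\s+(?P<name>[A-Za-z][A-Za-z-]*)\s*\[(?P<type>\d+)\]"
    r"\s+(?P<len>\d+)(?:\s+(?P<value>\S.*))?$")
# Continuation line carrying the raw bytes of the attribute above it.
HEX_RE = re.compile(r"^\S+:\s+RADIUS:\s+(?P<hex>(?:[0-9A-Fa-f]{2} )+)\s*\[")
# Reply header: "Received from id 1645/82 10.20.30.45:1645, Access-Reject, len 50"
REPLY_RE = re.compile(
    r"Received from id \S+ (?P<server>[\d.]+:\d+), (?P<code>Access-\w+), len \d+")
# Enumerated values print as "Call Check                [10]"; keep the code.
ENUM_RE = re.compile(r"^(?P<label>.+?)\s+\[(?P<code>\d+)\]$")
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

# Constructed sample: the attribute lines from the debug posted above,
# re-joined onto single lines.
SAMPLE_DEBUG = """\
1w3d: RADIUS:  Calling-Station-Id  [31]  16  "0008.a145.f40c"
1w3d: RADIUS:  Service-Type        [6]   6   Call Check                [10]
1w3d: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
1w3d: RADIUS:  Message-Authenticato[80]  18
1w3d: RADIUS:   30 54 6D 6E 1E A8 24 2C 01 7C 68 C5 D4 5D 41 19        [ 0Tmn$,|h]A]
1w3d: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
1w3d: RADIUS:  NAS-Port            [5]   6   0
1w3d: RADIUS:  NAS-Port-Id         [87]  19  "FastEthernet1/0/6"
1w3d: RADIUS:  NAS-IP-Address      [4]   6   10.20.30.43
1w3d: RADIUS: Received from id 1645/82 10.20.30.45:1645, Access-Reject, len 50
1w3d: RADIUS:  Reply-Message       [18]  12
1w3d: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D          [ Rejected]
1w3d:  NRH reply fail for 10.20.30.44
1w3d:  Apply HTTP_INTERCEPT for host 10.20.30.44
"""


@dataclass
class RadiusDebug:
    attrs: Dict[str, List[object]] = field(default_factory=dict)  # repeats kept
    raw: Dict[str, bytes] = field(default_factory=dict)           # from hex lines
    reply_code: Optional[str] = None
    reply_server: Optional[str] = None

    def service_type(self) -> Optional[int]:
        codes = self.attrs.get("Service-Type", [])
        return codes[0] if codes else None

    def reply_message(self) -> Optional[str]:
        data = self.raw.get("Reply-Message")
        return data.decode("ascii", "replace").strip() if data else None


def parse_debug(text: str) -> RadiusDebug:
    """Walk the debug output once; the hex line after an attribute is attached
    to that attribute, so the last attribute name is remembered."""
    parsed = RadiusDebug()
    last_name = None
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            parsed.reply_code, parsed.reply_server = m.group("code"), m.group("server")
            last_name = None
            continue
        m = HEX_RE.match(line)
        if m and last_name:
            parsed.raw[last_name] = bytes.fromhex(m.group("hex").replace(" ", ""))
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue  # authenticator, NRH and HTTP_INTERCEPT lines are not attributes
        last_name, value = m.group("name"), m.group("value")
        if value is None:
            continue  # value arrives on the following hex line
        e = ENUM_RE.match(value.strip())
        if e:
            value = int(e.group("code"))
        elif value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        parsed.attrs.setdefault(last_name, []).append(value)
    return parsed


def classify(parsed: RadiusDebug) -> str:
    """'mac-lookup' when the NAS asked about a MAC (Call-Check + MAC in
    Calling-Station-Id); otherwise 'other:<Service-Type label>'."""
    st = parsed.service_type()
    station = parsed.attrs.get("Calling-Station-Id", [""])[0]
    if st == CALL_CHECK and MAC_RE.match(str(station)):
        return "mac-lookup"
    return "other:%s" % SERVICE_TYPE.get(st, str(st))


if __name__ == "__main__":
    p = parse_debug(SAMPLE_DEBUG)
    print("request:", classify(p), "from port", p.attrs.get("NAS-Port-Id"))
    print("reply:", p.reply_code, "from", p.reply_server, "-", p.reply_message())
```

Run against the posted debug it reports a `mac-lookup` on FastEthernet1/0/6 answered by `Access-Reject` with the text "Rejected". A username/password exchange relayed by an auth-proxy would carry a different Service-Type and a User-Name instead of a MAC, so this is the first thing to check in the debug before touching the switch configuration.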
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
