Hi Tyson

I have not used DHCP and snooping.


With regards
Kings

On Fri, Apr 9, 2010 at 8:50 PM, Tyson Scott <[email protected]> wrote:

>  Kingsley,
>
>
>
> As stated in my previous emails as well, I have never configured it, so I
> am not sure.  NAC L2 and Auth Proxy function at two different layers.  NAC
> L2 is layer 2.  Auth Proxy functions at layer 3.  I read through the document
> quickly, and what enables it to function at layer 3 is the device tracking
> feature, which maps the L3 address back to the L2 port.  So the question would be: are
> you using static or dynamic addressing?  If you are using dynamic addressing,
> then you must also enable DHCP snooping.  I can look at this Monday and test
> it out, but I have not configured it before, so I am unsure of the answer to
> give you for this without doing it myself.  I have only tested every other
> variant on the webpage.
>
>
>
> Please respond with whether or not you are using DHCP in conjunction with
> this?
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> Technical Instructor - IPexpert, Inc.
>
> Mailto: [email protected]
>
> Telephone: +1.810.326.1444, ext. 208
>
> Live Assistance, Please visit: www.ipexpert.com/chat
>
> eFax: +1.810.454.0130
>
>
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
>
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Friday, April 09, 2010 11:03 AM
>
> *To:* Tyson Scott
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] ip admission on switch
>
>
>
> Hi Tyson
>
>
>
> If you can apply eou admission (NAC L2 IP) on the L2 interface then
> certainly you can also apply http admission on the L2 interfaces.
>
>
>
> Please find the config below:
>
> Switch(config)# aaa new-model
> Switch(config)# aaa authentication login default group radius
> Switch(config)# aaa authorization auth-proxy default group radius
> Switch(config)# radius-server host 1.1.1.2 key key1
> Switch(config)# radius-server attribute 8 include-in-access-req
> Switch(config)# radius-server vsa send authentication
> Switch(config)# ip device tracking
> Switch(config)# end
>
> Switch# configure terminal
> Switch(config)# ip admission name rule1 proxy http
> Switch(config)# interface gigabit0/1
> Switch(config-if)# switchport mode access
> Switch(config-if)# ip access-group policy1 in
> Switch(config-if)# ip admission rule1
> Switch(config-if)# end
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/sw8021x.html
>
> With regards
>
> Kings
>
>
>
>
>
> On Fri, Apr 9, 2010 at 7:47 PM, Tyson Scott <[email protected]> wrote:
>
> Sorry, let me say... I forgot about even doing that task.  It has been too
> long I guess ;).
>
>
>
> As stated in my first email the admission is not applied to the L2
> interface though.  It uses the fallback profile.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
>
>
>
> *From:* Kingsley Charles [mailto:[email protected]]
>
> *Sent:* Friday, April 09, 2010 4:33 AM
> *To:* Tyson Scott
>
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] ip admission on switch
>
>
>
> Hi Tyson
>
>
>
> The auth-proxy is given in vol 3 Lab 3 (section 5.3) but with dot1x
> fallback.
>
>
> With regards
>
> Kings
>
> On Fri, Apr 9, 2010 at 1:57 PM, Tyson Scott <[email protected]> wrote:
>
> Kingsley,
>
>
>
> Attribute 6 is the service-type.  "http://www.iana.org/assignments/radius-types"
>
>
>
> You could try moving it to the L3 VLAN interface on the switch and see if
> it is supported there but to be honest I have never tried it before.  I
> believe the feature to be limited to L3 support and you are applying it to a
> L2 interface.  IP admission is also used for L2 IP NAC and you may find it
> to be the case that the auth-proxy commands are remnant commands that don't
> really work.  But please let us know your results.  I think we will all be
> interested.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Friday, April 09, 2010 4:19 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] ip admission on switch
>
>
>
> Hi all
>
>
>
> I am trying for http auth-proxy on a switch. I don't get prompted for
> username/password on the browser as we do with router auth-proxy. The switch
> is sending the MAC address for authentication.
>
>
>
> f1/0/6 is connected to a XP PC.
>
>
>
> Any thoughts?
>
>
>
> Also, please let me know what "radius-server attribute 6
> on-for-login-auth" does.
>
>
> Config:
>
>
>
> ip device tracking
> ip admission name king proxy http list 123
>
>
>
> interface FastEthernet1/0/6
>  switchport access vlan 4
>  switchport mode access
>  ip admission king
>
>
>
> Debugs:
>
>
>
>
>
> 1w3d: RADIUS:  authenticator FB D8 DE 61 A8 E2 F9 11 - 4B 3F F0 7F E5 CC C5 08
> 1w3d: RADIUS:  Calling-Station-Id  [31]  16  "0008.a145.f40c"
> 1w3d: RADIUS:  Service-Type        [6]   6   Call Check                [10]
> 1w3d: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
> 1w3d: RADIUS:  Message-Authenticato[80]  18
> 1w3d: RADIUS:   30 54 6D 6E 1E A8 24 2C 01 7C 68 C5 D4 5D 41 19        [ 0Tmn$,|h]A]
> 1w3d: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
> 1w3d: RADIUS:  NAS-Port            [5]   6   0
> 1w3d: RADIUS:  NAS-Port-Id         [87]  19  "FastEthernet1/0/6"
> 1w3d: RADIUS:  NAS-IP-Address      [4]   6   10.20.30.43
> 1w3d: RADIUS: Received from id 1645/82 10.20.30.45:1645, Access-Reject, len 50
> 1w3d: RADIUS:  authenticator 50 91 59 89 0D 19 25 CA - 68 0D C3 56 C6 21 FF BB
> 1w3d: RADIUS:  Reply-Message       [18]  12
> 1w3d: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D          [ Rejected]
> 1w3d: RADIUS:  Message-Authenticato[80]  18
> 1w3d: RADIUS:   C7 2E 1B 58 EF A7 A7 56 1C 61 47 21 F8 81 AC 1D        [ .XV aG!]
> 1w3d: RADIUS(000002C6): Received from id 1645/82
> 1w3d: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
> 1w3d:  NRH reply fail for 10.20.30.44
> 1w3d:  Apply HTTP_INTERCEPT for host 10.20.30.44
>
>
>
> With regards
>
> Kings
>
>
>
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
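The `debug radius` output Kings pasted in the original post is easier to reason about once it is parsed rather than read by eye. The Python below is an added example written for this page; it is not code from the thread, from IPexpert or from Cisco. It parses IOS `debug radius` attribute lines, attaches the hex continuation lines to the attribute they belong to, splits the exchange at the `Access-Reject`, decodes the Reply-Message bytes, and reports whether the request the switch sent carried Service-Type value 10 ("Call Check" in the IANA registry Tyson linked) with a MAC address in Calling-Station-Id, i.e. a MAC-based request rather than a username/password login. The sample text is the thread's own debug, re-joined where the mail wrapped it; the field layout (`RADIUS:  Name [type] length value`) is assumed from that sample and may differ on other IOS releases.

```python
"""Parse Cisco IOS `debug radius` output and summarise what the switch sent.

Added example for this page; not code from the mail thread or from Cisco.
"""
import re

# Constructed sample: the debug lines from the original post, joined where
# the mail client wrapped them.
SAMPLE_DEBUG = """\
1w3d: RADIUS:  authenticator FB D8 DE 61 A8 E2 F9 11 - 4B 3F F0 7F E5 CC C5 08
1w3d: RADIUS:  Calling-Station-Id  [31]  16  "0008.a145.f40c"
1w3d: RADIUS:  Service-Type        [6]   6   Call Check                [10]
1w3d: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
1w3d: RADIUS:  Message-Authenticato[80]  18
1w3d: RADIUS:   30 54 6D 6E 1E A8 24 2C 01 7C 68 C5 D4 5D 41 19        [ 0Tmn$,|h]A]
1w3d: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
1w3d: RADIUS:  NAS-Port            [5]   6   0
1w3d: RADIUS:  NAS-Port-Id         [87]  19  "FastEthernet1/0/6"
1w3d: RADIUS:  NAS-IP-Address      [4]   6   10.20.30.43
1w3d: RADIUS: Received from id 1645/82 10.20.30.45:1645, Access-Reject, len 50
1w3d: RADIUS:  authenticator 50 91 59 89 0D 19 25 CA - 68 0D C3 56 C6 21 FF BB
1w3d: RADIUS:  Reply-Message       [18]  12
1w3d: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D          [ Rejected]
1w3d: RADIUS:  Message-Authenticato[80]  18
1w3d: RADIUS:   C7 2E 1B 58 EF A7 A7 56 1C 61 47 21 F8 81 AC 1D        [ .XV aG!]
1w3d: RADIUS(000002C6): Received from id 1645/82
1w3d: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
1w3d:  NRH reply fail for 10.20.30.44
1w3d:  Apply HTTP_INTERCEPT for host 10.20.30.44
"""

# Field layout assumed from the sample above: "RADIUS:  Name [type] length value".
ATTR_RE = re.compile(
    r"^\S+:\s+RADIUS:\s+(?P<name>[A-Za-z][\w-]*)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)"
    r"(?:\s+(?P<value>.*))?$")
# Continuation line of raw attribute bytes (IOS prints uppercase hex pairs).
HEX_RE = re.compile(r"^\S+:\s+RADIUS:\s+(?P<hex>[0-9A-F]{2}(?:\s+[0-9A-F]{2})*)(?:\s|$)")
# The line that marks the server's answer and so separates request from reply.
RESULT_RE = re.compile(
    r"RADIUS: Received from id \S+ (?P<server>\S+), (?P<code>Access-\w+), len (?P<len>\d+)")
# Enumerated values are printed as "Text   [number]".
ENUM_RE = re.compile(r"^(?P<text>.*?)\s*\[(?P<num>\d+)\]$")
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)

SERVICE_TYPE_CALL_CHECK = 10  # IANA RADIUS Service-Type value 10: "Call Check"


def parse_radius_debug(text):
    """Split the debug into request/response attribute lists plus the result code.

    Attributes seen before the 'Received from ... Access-*' line were sent by
    the switch; attributes after it came back from the server.  Hex lines are
    appended as raw bytes to the attribute that precedes them."""
    out = {"request": [], "response": [], "result": None, "server": None}
    current, last = out["request"], None
    for line in text.splitlines():
        line = line.rstrip()
        m = RESULT_RE.search(line)
        if m:
            out["result"], out["server"] = m.group("code"), m.group("server")
            current, last = out["response"], None
            continue
        m = ATTR_RE.match(line)
        if m:
            attr = {"name": m.group("name"), "type": int(m.group("type")),
                    "length": int(m.group("len")), "value": None, "enum": None, "raw": b""}
            value = m.group("value")
            if value is not None:
                e = ENUM_RE.match(value.strip())
                if e:
                    attr["value"], attr["enum"] = e.group("text"), int(e.group("num"))
                else:
                    attr["value"] = value.strip().strip('"')
            current.append(attr)
            last = attr
            continue
        m = HEX_RE.match(line)
        if m and last is not None:
            last["raw"] += bytes.fromhex(m.group("hex").replace(" ", ""))
    return out


def first(attrs, name):
    """Return the first attribute with the given name, or None."""
    return next((a for a in attrs if a["name"] == name), None)


def summarize(parsed):
    """Answer the question from the thread: MAC-based request or a user login?"""
    req, resp = parsed["request"], parsed["response"]
    svc, csid = first(req, "Service-Type"), first(req, "Calling-Station-Id")
    user, reply = first(req, "User-Name"), first(resp, "Reply-Message")
    return {
        "service_type": svc["enum"] if svc else None,
        "service_type_name": svc["value"] if svc else None,
        "calling_station_id": csid["value"] if csid else None,
        "user_name": user["value"] if user else None,
        "result": parsed["result"],
        "reply_message": reply["raw"].decode("ascii", "replace").strip() if reply else None,
        # Call Check plus a MAC in Calling-Station-Id and no User-Name: the
        # switch authenticated the MAC, not a browser-supplied username.
        "mac_based_request": bool(svc and svc["enum"] == SERVICE_TYPE_CALL_CHECK
                                  and csid and MAC_RE.match(csid["value"] or "")
                                  and user is None),
    }


if __name__ == "__main__":
    for key, val in summarize(parse_radius_debug(SAMPLE_DEBUG)).items():
        print(f"{key:20} {val}")
```

Feed it the output of `debug radius` captured from the switch (after joining any lines your terminal wrapped) and compare the summary against what you expected the port to do: a login-style auth-proxy request would carry a User-Name and a Service-Type other than Call Check.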
