Hi Tyson

I verified "ip admission" with http on L2 port in the IPexpert lab. It works just like the admission on routers. The only thing needed is ip device tracking. Enabled admission on f0/15 of cat3 and started http across. It was redirected to the http proxy authentication window.

With regards
Kings

On Fri, Apr 9, 2010 at 10:03 PM, Kingsley Charles <[email protected]> wrote:
> Hi Tyson
>
> I have not used DHCP and snooping.
>
> With regards
> Kings
>
> On Fri, Apr 9, 2010 at 8:50 PM, Tyson Scott <[email protected]> wrote:
>> Kingsley,
>>
>> As stated in my previous emails as well, I have never configured it, so I am not sure. NAC L2 and Auth Proxy function at two different layers. NAC L2 is layer 2. Auth Proxy functions at layer 3. I read thru the document quickly and what enables it to function at layer 3 is the device tracking feature which maps the L3 back to the L2 port. So the question would be: are you using static or dynamic addressing? If you are using dynamic addressing then you must also enable DHCP snooping. I can look at this Monday and test it out but I have not configured it before so I am unsure of the answer to give you for this without doing it myself. I have only tested every other variant on the webpage.
>>
>> Please respond with whether or not you are using DHCP in conjunction with this.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> From: Kingsley Charles [mailto:[email protected]]
>> Sent: Friday, April 09, 2010 11:03 AM
>> To: Tyson Scott
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] ip admission on switch
>>
>> Hi Tyson
>>
>> If you can apply eou admission (NAC L2 IP) on the L2 interface then certainly you can also apply http admission on the L2 interfaces.
>>
>> Please find the config below:
>>
>> Switch(config)# aaa new-model
>> Switch(config)# aaa authentication login default group radius
>> Switch(config)# aaa authorization auth-proxy default group radius
>> Switch(config)# radius-server host 1.1.1.2 key key1
>> Switch(config)# radius-server attribute 8 include-in-access-req
>> Switch(config)# radius-server vsa send authentication
>> Switch(config)# ip device tracking
>> Switch(config)# end
>> Switch# configure terminal
>> Switch(config)# ip admission name rule1 proxy http
>> Switch(config)# interface gigabit0/1
>> Switch(config-if)# switchport mode access
>> Switch(config-if)# ip access-group policy1 in
>> Switch(config-if)# ip admission rule1
>> Switch(config-if)# end
>>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/sw8021x.html
>>
>> With regards
>> Kings
>>
>> On Fri, Apr 9, 2010 at 7:47 PM, Tyson Scott <[email protected]> wrote:
>> Sorry, let me say... I forgot about even doing that task. It has been too long I guess ;).
>>
>> As stated in my first email the admission is not applied to the L2 interface though. It uses the fallback profile.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>>
>> From: Kingsley Charles [mailto:[email protected]]
>> Sent: Friday, April 09, 2010 4:33 AM
>> To: Tyson Scott
>> Cc: [email protected]
>> Subject: Re: [OSL | CCIE_Security] ip admission on switch
>>
>> Hi Tyson
>>
>> The auth-proxy is given in vol 3 Lab 3 (section 5.3) but with dot1x fallback.
>>
>> With regards
>> Kings
>>
>> On Fri, Apr 9, 2010 at 1:57 PM, Tyson Scott <[email protected]> wrote:
>> Kingsley,
>>
>> Attribute 6 is the service-type. "http://www.iana.org/assignments/radius-types"
>>
>> You could try moving it to the L3 VLAN interface on the switch and see if it is supported there but to be honest I have never tried it before. I believe the feature to be limited to L3 support and you are applying it to an L2 interface. IP admission is also used for L2 IP NAC and you may find it to be the case that the auth-proxy commands are remnant commands that don't really work. But please let us know your results. I think we will all be interested.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
>> Sent: Friday, April 09, 2010 4:19 AM
>> To: [email protected]
>> Subject: [OSL | CCIE_Security] ip admission on switch
>>
>> Hi all
>>
>> I am trying for http auth-proxy on a switch. I don't get prompted for username/password on the browser as we get on router auth-proxy. The switch is sending mac address for authentication.
>>
>> f1/0/6 is connected to an XP PC.
>>
>> Any thoughts?
>>
>> Also, please let me know what "radius-server attribute 6 on-for-login-auth" does?
>>
>> Config
>>
>> ip device tracking
>> ip admission name king proxy http list 123
>>
>> interface FastEthernet1/0/6
>>  switchport access vlan 4
>>  switchport mode access
>>  ip admission king
>>
>> Debugs
>>
>> 1w3d: RADIUS: authenticator FB D8 DE 61 A8 E2 F9 11 - 4B 3F F0 7F E5 CC C5 08
>> 1w3d: RADIUS: Calling-Station-Id [31] 16 "0008.a145.f40c"
>> 1w3d: RADIUS: Service-Type [6] 6 Call Check [10]
>> 1w3d: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
>> 1w3d: RADIUS: Message-Authenticato[80] 18
>> 1w3d: RADIUS: 30 54 6D 6E 1E A8 24 2C 01 7C 68 C5 D4 5D 41 19 [ 0Tmn$,| h]A]
>> 1w3d: RADIUS: NAS-Port-Type [61] 6 Async [0]
>> 1w3d: RADIUS: NAS-Port [5] 6 0
>> 1w3d: RADIUS: NAS-Port-Id [87] 19 "FastEthernet1/0/6"
>> 1w3d: RADIUS: NAS-IP-Address [4] 6 10.20.30.43
>> 1w3d: RADIUS: Received from id 1645/82 10.20.30.45:1645, Access-Reject, len 50
>> 1w3d: RADIUS: authenticator 50 91 59 89 0D 19 25 CA - 68 0D C3 56 C6 21 FF BB
>> 1w3d: RADIUS: Reply-Message [18] 12
>> 1w3d: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [ Rejected]
>> 1w3d: RADIUS: Message-Authenticato[80] 18
>> 1w3d: RADIUS: C7 2E 1B 58 EF A7 A7 56 1C 61 47 21 F8 81 AC 1D [ .XV aG!]
>> 1w3d: RADIUS(000002C6): Received from id 1645/82
>> 1w3d: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
>> 1w3d: NRH reply fail for 10.20.30.44
>> 1w3d: Apply HTTP_INTERCEPT for host 10.20.30.44
>>
>> With regards
>> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
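The debug excerpt in the thread is compact and easy to misread, and the thread turns on two details in it: attribute 6 (Service-Type, per the IANA registry Tyson points to) and the Access-Reject that precedes the HTTP_INTERCEPT line. The Python below is an added example, not code from the thread or from Cisco. It parses Cisco IOS `debug radius` output of the shape shown above, decodes the Service-Type value, recovers the Reply-Message text from its hex dump, and summarises the sequence: a Call Check request carrying the client MAC in Calling-Station-Id, the server's rejection, and the intercept that follows. SAMPLE_DEBUG re-enters the posted debug output by hand as a constructed sample; the regexes, function names and the dictionary layout are mine.

```python
"""Summarise a Cisco IOS `debug radius` excerpt: what the switch sent,
how the server answered, and what the switch did next.

Added example for the mailing-list thread; not Cisco code and not code
posted on the list.  SAMPLE_DEBUG is the posted debug output re-entered as
a constructed sample (hex dumps joined back onto single lines)."""

import re

# Attribute 6 (Service-Type) values from the IANA radius-types registry.
# Value 10, Call Check, is what a Cisco switch sends when it authenticates
# a MAC address rather than a user login.
SERVICE_TYPES = {
    1: "Login", 2: "Framed", 3: "Callback Login", 4: "Callback Framed",
    5: "Outbound", 6: "Administrative", 7: "NAS Prompt",
    8: "Authenticate Only", 9: "Callback NAS Prompt", 10: "Call Check",
    11: "Callback Administrative",
}

# "RADIUS: Name [id] len value"; IOS truncates long names, so the name may
# run straight into the bracket (Message-Authenticato[80]).
ATTR_RE = re.compile(r"RADIUS:\s+(?P<name>[A-Za-z-]+)\s*\[(?P<id>\d+)\]\s+(?P<len>\d+)\s*(?P<value>.*)$")
# "RADIUS: Received from id 1645/82 10.20.30.45:1645, Access-Reject, len 50"
RESULT_RE = re.compile(r"Received from id \S+ (?P<server>[\d.]+):\d+, (?P<code>Access-\w+)")
# Raw byte line that follows a string/binary attribute: "RADIUS: 52 65 ... [ Rejected]"
HEX_RE = re.compile(r"RADIUS:\s+((?:[0-9A-F]{2}\s+)+)\[")
NRH_RE = re.compile(r"NRH reply fail for ([\d.]+)")
INTERCEPT_RE = re.compile(r"Apply HTTP_INTERCEPT for host ([\d.]+)")

SAMPLE_DEBUG = """\
1w3d: RADIUS: authenticator FB D8 DE 61 A8 E2 F9 11 - 4B 3F F0 7F E5 CC C5 08
1w3d: RADIUS: Calling-Station-Id [31] 16 "0008.a145.f40c"
1w3d: RADIUS: Service-Type [6] 6 Call Check [10]
1w3d: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
1w3d: RADIUS: Message-Authenticato[80] 18
1w3d: RADIUS: 30 54 6D 6E 1E A8 24 2C 01 7C 68 C5 D4 5D 41 19 [ 0Tmn$,|h]A]
1w3d: RADIUS: NAS-Port-Type [61] 6 Async [0]
1w3d: RADIUS: NAS-Port [5] 6 0
1w3d: RADIUS: NAS-Port-Id [87] 19 "FastEthernet1/0/6"
1w3d: RADIUS: NAS-IP-Address [4] 6 10.20.30.43
1w3d: RADIUS: Received from id 1645/82 10.20.30.45:1645, Access-Reject, len 50
1w3d: RADIUS: authenticator 50 91 59 89 0D 19 25 CA - 68 0D C3 56 C6 21 FF BB
1w3d: RADIUS: Reply-Message [18] 12
1w3d: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [ Rejected]
1w3d: RADIUS(000002C6): Received from id 1645/82
1w3d: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
1w3d: NRH reply fail for 10.20.30.44
1w3d: Apply HTTP_INTERCEPT for host 10.20.30.44
"""


def parse_radius_debug(text):
    """Walk the debug lines and collect attributes, result and follow-up actions."""
    summary = {"attributes": {}, "result": None, "server": None,
               "reply_message": None, "nrh_fail_host": None, "intercept_host": None}
    pending = None  # attribute whose bytes are printed on the next line
    for line in text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            summary["result"], summary["server"] = m.group("code"), m.group("server")
            pending = None
            continue
        m = HEX_RE.search(line)
        if m:
            if pending:
                raw = bytes.fromhex(m.group(1).replace(" ", ""))
                summary["attributes"].setdefault(pending, []).append(raw)
                if pending == "Reply-Message":
                    # keep only printable ASCII; the dump ends in 0A 0D
                    summary["reply_message"] = "".join(chr(b) for b in raw if 32 <= b < 127).strip()
            pending = None
            continue
        m = ATTR_RE.search(line)
        if m:
            value = m.group("value").strip().strip('"')
            if value:
                summary["attributes"].setdefault(m.group("name"), []).append(value)
                pending = None
            else:
                pending = m.group("name")
            continue
        m = NRH_RE.search(line)
        if m:
            summary["nrh_fail_host"] = m.group(1)
        m = INTERCEPT_RE.search(line)
        if m:
            summary["intercept_host"] = m.group(1)
    return summary


def service_type(summary):
    """Return (code, name) for attribute 6, or None if the request had none."""
    for value in summary["attributes"].get("Service-Type", []):
        m = re.search(r"\[(\d+)\]", value)
        if m:
            code = int(m.group(1))
            return code, SERVICE_TYPES.get(code, "unknown")
    return None


def diagnose(summary):
    """Describe the exchange in the terms the thread uses."""
    findings = []
    st = service_type(summary)
    if st and st[0] == 10:
        mac = summary["attributes"].get("Calling-Station-Id", ["?"])[0]
        findings.append(f"switch sent a Call Check (MAC-based) request for {mac}, not a Login request for a user")
    if summary["result"] == "Access-Reject":
        findings.append(f"server {summary['server']} answered Access-Reject: {summary['reply_message']!r}")
    if summary["intercept_host"]:
        findings.append(f"switch then applied HTTP intercept to {summary['intercept_host']}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_radius_debug(SAMPLE_DEBUG)):
        print("-", finding)
```

Running it on the sample reports the three events in order, which is the quickest way to confirm from a capture whether a port is doing MAC-based authentication or the HTTP auth-proxy the operator intended.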
