According to my limited knowledge, Web-Auth can be a fallback from dot1x or
MAB. The default sequence of fallback for the switch, provided all the
methods are configured, is dot1x authentication followed by MAB if dot1x
times out, and if MAB fails then that is followed by WebAuth. It is also
important to note that Web-Auth and Guest VLAN are mutually exclusive.

So, depending on your configuration you could wait for 90sec+ for dot1x to
expire and then have Webauth ready to go. I experienced problems with
Webauth as it does not seem to be triggered by HTTP when I have a static IP
address configured. On the other hand, to have a DHCP-assigned IP address I
need to change timers for dot1x so that it times out quickly and the host
can get an IP address.

Regards,
Piotr


2011/6/25 Tyson Scott <[email protected]>

> To add from when I added it to the lab.  It doesn't work very well until
> 12.2.50.  With the ability to prioritize the authentication method using the
> command "authentication order [dot1x|mab|webauth]".
>
> When I put it in the lab I noticed you had to wait a significant amount of
> time for the dot1x timeout before webauth would be used.  It is better to
> change the order based on the network connection device location to utilize
> this function.  i.e. printers or other non-supplicant devices on the network
> utilizing MAB as first priority.  Which can go back to the trustsec (i.e.
> ISE) that was talked about in the other email.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* Tyson Scott [mailto:[email protected]]
> *Sent:* Saturday, June 25, 2011 2:39 AM
> *To:* 'Piotr Matusiak'; 'Tyson Scott'
>
> *Cc:* 'Bruno'; 'CCIE Security Maillist'
> *Subject:* RE: [OSL | CCIE_Security] dot1x fallback / webauth
>
> Piotr,
>
> That's right.  I guess I was thinking about the ability to prioritize which
> method to use first now that you bring that up.  I even forgot that I put
> this in our workbook.  It is in Volume 2 Lab 13.  Thanks for correcting me.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> *From:* Piotr Matusiak [mailto:[email protected]]
> *Sent:* Saturday, June 25, 2011 2:32 AM
> *To:* Tyson Scott
> *Cc:* Bruno; CCIE Security Maillist
> *Subject:* Re: [OSL | CCIE_Security] dot1x fallback / webauth
>
> Tyson,
>
> It was introduced in 12.2(35)SE as per this document:
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_35_se/command/reference/cli1.html#wp8920738
>
> Regards,
> Piotr
>
> 2011/6/25 Tyson Scott <[email protected]>
>
> Piotr,
>
> You can correct me if I am wrong but I think dot1x fallback is introduced
> on the 3560 with 12.2(50)SE.  The test is 12.2(44)SE.  So I think this is
> safe to ignore.
>
> But in the real world this is a very handy feature.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Piotr Matusiak
> *Sent:* Wednesday, June 22, 2011 4:50 PM
> *To:* Bruno
> *Cc:* CCIE Security Maillist
> *Subject:* Re: [OSL | CCIE_Security] dot1x fallback / webauth
>
> Yes.
>
> 2011/6/22 Bruno <[email protected]>
>
> Is this feature available for either 3550 and 3560?
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
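
The fallback chain and timer issue discussed in this thread, as an added configuration example that is not from any of the posters or from the IPexpert workbook. It assumes a release that has the "authentication order" command mentioned above and that AAA/RADIUS is already configured; the names WEBAUTH_RULE, WEBAUTH_PROFILE and PRE_WEBAUTH, the interface and the timer values are assumptions chosen for illustration.

```cisco
! Added example. Names, interface and timer values are illustrative
! assumptions; AAA/RADIUS server configuration is assumed to exist already.
dot1x system-auth-control
ip device tracking
ip http server
!
! Traffic allowed before web authentication succeeds: DHCP and DNS only,
! so the host can get an address and issue the HTTP request that is
! intercepted for the login page.
ip access-list extended PRE_WEBAUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
ip admission name WEBAUTH_RULE proxy http
!
fallback profile WEBAUTH_PROFILE
 ip access-group PRE_WEBAUTH in
 ip admission WEBAUTH_RULE
!
! Port for printers and other non-supplicant devices.
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 ! Try MAB first, then dot1x, then web authentication.
 authentication order mab dot1x webauth
 ! A later dot1x success still takes precedence over a MAB result.
 authentication priority dot1x mab webauth
 authentication fallback WEBAUTH_PROFILE
 mab
 dot1x pae authenticator
 ! Defaults: tx-period 30, max-reauth-req 2 -> (2 + 1) x 30 = 90 s before
 ! dot1x times out. Values below: (1 + 1) x 5 = 10 s.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 spanning-tree portfast
```

Timers set too low can push a slow-starting supplicant onto MAB or web authentication before it answers, so test the values against the slowest client expected on the port.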