Hi guys,
I'm having difficulties configuring dot1x with webauth fallback.
Dot1x for clients with a supplicant works fine, but when I connect a
non-supplicant client the webauth fallback fails to work.
Once the dot1x timers expire the switchport falls back to the webauth
authentication method; I can see that from the sh dot1x interface output
and the debugs. After that, if I open a browser and try to navigate, I'm asked
for authentication.
I enter the credentials, then instead of the "authentication successful" or
"failed" message I get a popup with the error HTTP 500 "The website cannot
display the page".
Below you can see the config and the debug outputs from the switch. In the
ACS reports I cannot see any authentication success or failure for these
webauth attempts.
Can somebody give me a hint please?
Thanks!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa session-id common
!
ip http authentication aaa
ip device tracking
ip admission name ADMISSION proxy http
dot1x system-auth-control
!
fallback profile FALLBACK
 ip access-group 100 in
 ip admission ADMISSION
!
interface FastEthernet0/15
 description TEST PC
 switchport access vlan 5
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x fallback FALLBACK
 spanning-tree portfast
!
access-list 100 permit icmp any any
Dot1x Authenticator Client List
-------------------------------
Domain = DATA
Supplicant = 00e0.4c03.5787
Auth SM State = AUTHENTICATED
Auth BEND SM State = IDLE
Port Status = AUTHORIZED
Authentication Method = WebAuth
Authorized By = Authentication Server
Vlan Policy = N/A
Debug output from:
AAA Authentication debugging is on
AAA Authorization debugging is on
Radius protocol debugging is on
Dot1x events debugging is on
*Mar 1 00:26:04.785: AAA: parse name=FastEthernet0/15 idb type=-1 tty=-1
*Mar 1 00:26:04.785: AAA: name=FastEthernet0/15 flags=0x15 type=16 shelf=0 slot=0 adapter=0 port=15 channel=0
*Mar 1 00:26:04.785: AAA: parse name=<no string> idb type=-1 tty=-1
*Mar 1 00:26:04.785: AAA/MEMORY: create_user (0x3B09448) user='NULL' ruser='NULL' ds0=0 port='FastEthernet0/15' rem_addr='8.9.5.10' authen_type=ASCII service=LOGIN priv=0 initial_task_id='0', vrf= (id=0)
*Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): port='FastEthernet0/15' list='default' action=LOGIN service=LOGIN
*Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): console login - default to "no auth required"
*Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): Method=NONE
*Mar 1 00:26:04.785: AAA/AUTHEN (2551531521): status = PASS
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): Port='FastEthernet0/15' list='default' service=AUTH-PROXY
*Mar 1 00:26:04.785: AAA/AUTHOR/HTTP: FastEthernet0/15 (2683369798) user=''
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): send AV service=auth-proxy
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): send AV cmd*
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): found list "default"
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): Method=radius (radius)
*Mar 1 00:26:04.785: RADIUS: authenticating to get author data
*Mar 1 00:26:04.785: RADIUS: failed to get authorization data: authen status = 4
*Mar 1 00:26:04.785: AAA/AUTHOR (2683369798): Post authorization status = ERROR
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): Method=NOT_SET
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): no methods left to try
*Mar 1 00:26:04.785: AAA/AUTHOR (2683369798): Post authorization status = ERROR
CAT3#test aaa group radius server 10.0.0.100 dot1x cisco new-code
User successfully authenticated
*Mar 1 01:02:08.165: RADIUS: authenticator BB F3 45 A4 1C 79 E0 77 - 0C 9D 62 C4 0B 1A 81 A0
*Mar 1 01:02:08.165: RADIUS: User-Password [2] 18 *
*Mar 1 01:02:08.165: RADIUS: User-Name [1] 7 "dot1x"
*Mar 1 01:02:08.165: RADIUS: NAS-IP-Address [4] 6 10.0.0.254
*Mar 1 01:02:08.190: RADIUS: Received from id 1645/3 10.0.0.100:1645, Access-Accept, len 146
*Mar 1 01:02:08.190: RADIUS: authenticator 50 A2 6F 25 59 7B 45 73 - 53 D3 75 F5 C7 1A 62 6E
*Mar 1 01:02:08.190: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 1 01:02:08.190: RADIUS: Vendor, Cisco [26] 30
*Mar 1 01:02:08.190: RADIUS: Cisco AVpair [1] 24 "auth-proxy:priv-lvl=15"
*Mar 1 01:02:08.190: RADIUS: Vendor, Cisco [26] 47
*Mar 1 01:02:08.190: RADIUS: Cisco AVpair [1] 41 "auth-proxy:proxyacl#1=permit ip any any"
*Mar 1 01:02:08.190: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
*Mar 1 01:02:08.190: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
*Mar 1 01:02:08.190: RADIUS: Tunnel-Private-Group[81] 5 01:"10"
*Mar 1 01:02:08.190: RADIUS: Class [25] 26
*Mar 1 01:02:08.190: RADIUS: 43 41 43 53 3A 30 2F 34 64 66 2F 61 30 30 30 30 [CACS:0/4df/a0000]
*Mar 1 01:02:08.190: RADIUS: 66 65 2F 64 6F 74 31 78 [ fe/dot1x]
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
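The following is an added example, not the poster's configuration, showing the switch side of dot1x-with-webauth-fallback as it is normally built, with the piece the posted config lacks marked. The debug above is the telling part: the browser login is run through the login method list with Method=NONE ("console login - default to 'no auth required'"), which passes without ever talking to RADIUS, and the subsequent auth-proxy authorization then fails with "authen status = 4" because there is no authenticated user to fetch authorization data for. That matches a config with `aaa authentication dot1x` and `aaa authorization auth-proxy` but no `aaa authentication login` list. The `radius-server host` line, the `local` fallback keyword and the pre-authentication ACL entries beyond ICMP are assumptions added here; 10.0.0.100 and UDP port 1645 come from the debug, the shared secret is a placeholder.

```cisco
! Added example (not the original poster's config). Core AAA for webauth fallback:
aaa new-model
! Web authentication authenticates the browser login through the *login* method
! list. The posted config never defines one, so IOS falls back to "no auth required".
! "local" is an added safety net so console/vty logins survive a RADIUS outage
! (this same list governs them); drop it if your policy forbids local fallback.
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa session-id common
!
! Assumption: the RADIUS server definition was not part of the post. Server and
! auth port are taken from the debug; the key is a placeholder.
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key <shared-secret>
!
! The switch has to serve the intercepted HTTP request itself.
ip http server
ip http authentication aaa
ip device tracking
ip admission name ADMISSION proxy http
dot1x system-auth-control
!
! Pre-authentication ACL applied by the fallback profile. The posted ACL permits
! only ICMP; the conventional pre-auth ACL also lets the host obtain an address
! and resolve the name it is browsing to, otherwise there is nothing to intercept.
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq bootpc
access-list 100 permit udp any any eq domain
access-list 100 permit icmp any any
!
fallback profile FALLBACK
 ip access-group 100 in
 ip admission ADMISSION
!
interface FastEthernet0/15
 description TEST PC
 switchport access vlan 5
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 dot1x fallback FALLBACK
 spanning-tree portfast
```

With the login list in place, the same debugs should show AAA/AUTHEN/START with Method=radius and an Access-Request carrying the user typed into the web form (service LOGIN), followed by the auth-proxy authorization succeeding; `show ip admission cache` then lists the host as authenticated, and the attempt appears in the ACS reports. Note also that the `test aaa` run above exercised the dot1x service, not the login/auth-proxy path the browser uses, so a passing `test aaa` does not prove the webauth leg works. Finally, the Access-Accept in the debug returns `auth-proxy:priv-lvl=15` and `auth-proxy:proxyacl#1=permit ip any any`: that post-authentication ACL opens everything for the fallback host, so a webauth user ends up with the same reach as a dot1x user; tighten the proxyacl on the ACS side if fallback clients are meant to be less trusted.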