Most of the time, it hasn't worked for me. There is some issue.

With regards
Kings

On Thu, Jul 5, 2012 at 12:26 AM, Imre Oszkar <[email protected]> wrote:
> Hi guys,
>
> I'm having difficulty configuring dot1x with webauth fallback.
> Dot1x for clients with supplicant works fine, but when I connect a non
> supplicant client webauth fallback fails to work.
>
> Once the dot1x timers expire the switchport falls back to webauth
> authentication method, I can see that from the sh dot1x interface output
> and debugs. After that if I open a browser and try to navigate I'm asked
> for authentication.
> I enter the credentials then instead of the authentication successful or
> failed message I got a popup with error HTTP 500 "The website cannot
> display the page"
>
> Below you can see the config and the debug outputs from the switch. On the
> ACS reports I cannot see any authentication success or failure for these
> webauth attempts.
>
> Can somebody give me a hint please?
>
> Thanks!
>
> aaa new-model
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> aaa authorization auth-proxy default group radius
> aaa session-id common
>
> ip http authentication aaa
>
> ip device tracking
> ip admission name ADMISSION proxy http
>
> dot1x system-auth-control
>
> fallback profile FALLBACK
>  ip access-group 100 in
>  ip admission ADMISSION
>
> interface FastEthernet0/15
>  description TEST PC
>  switchport access vlan 5
>  switchport mode access
>  dot1x pae authenticator
>  dot1x port-control auto
>  dot1x violation-mode protect
>  dot1x fallback FALLBACK
>  spanning-tree portfast
>
> access-list 100 permit icmp any any
>
> Dot1x Authenticator Client List
> -------------------------------
> Domain = DATA
> Supplicant = 00e0.4c03.5787
> Auth SM State = AUTHENTICATED
> Auth BEND SM State = IDLE
>
> Port Status = AUTHORIZED
> Authentication Method = WebAuth
> Authorized By = Authentication Server
> Vlan Policy = N/A
>
> Debug output from:
> AAA Authentication debugging is on
> AAA Authorization debugging is on
> Radius protocol debugging is on
> Dot1x events debugging is on
>
> *Mar 1 00:26:04.785: AAA: parse name=FastEthernet0/15 idb type=-1 tty=-1
> *Mar 1 00:26:04.785: AAA: name=FastEthernet0/15 flags=0x15 type=16
> shelf=0 slot=0 adapter=0 port=15 channel=0
> *Mar 1 00:26:04.785: AAA: parse name=<no string> idb type=-1 tty=-1
> *Mar 1 00:26:04.785: AAA/MEMORY: create_user (0x3B09448) user='NULL'
> ruser='NULL' ds0=0 port='FastEthernet0/15' rem_addr='8.9.5.10'
> authen_type=ASCII service=LOGIN priv=0 initial_task_id='0', vrf= (id=0)
> *Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521):
> port='FastEthernet0/15' list='default' action=LOGIN service=LOGIN
> *Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): console login -
> default to "no auth required"
> *Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): Method=NONE
> *Mar 1 00:26:04.785: AAA/AUTHEN (2551531521): status = PASS
> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798):
> Port='FastEthernet0/15' list='default' service=AUTH-PROXY
> *Mar 1 00:26:04.785: AAA/AUTHOR/HTTP: FastEthernet0/15 (2683369798)
> user=''
> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): send
> AV service=auth-proxy
> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): send
> AV cmd*
> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): found
> list "default"
> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798):
> Method=radius (radius)
> *Mar 1 00:26:04.785: RADIUS: authenticating to get author data
> *Mar 1 00:26:04.785: RADIUS: failed to get authorization data: authen
> status = 4
> *Mar 1 00:26:04.785: AAA/AUTHOR (2683369798): Post authorization status =
> ERROR
> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798):
> Method=NOT_SET
> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): no
> methods left to try
> *Mar 1 00:26:04.785: AAA/AUTHOR (2683369798): Post authorization status =
> ERROR
>
> CAT3#test aaa group radius server 10.0.0.100 dot1x cisco new-code
> User successfully authenticated
>
> *Mar 1 01:02:08.165: RADIUS: authenticator BB F3 45 A4 1C 79 E0 77 - 0C
> 9D 62 C4 0B 1A 81 A0
> *Mar 1 01:02:08.165: RADIUS: User-Password [2] 18 *
> *Mar 1 01:02:08.165: RADIUS: User-Name [1] 7 "dot1x"
> *Mar 1 01:02:08.165: RADIUS: NAS-IP-Address [4] 6 10.0.0.254
> *Mar 1 01:02:08.190: RADIUS: Received from id 1645/3 10.0.0.100:1645,
> Access-Accept, len 146
> *Mar 1 01:02:08.190: RADIUS: authenticator 50 A2 6F 25 59 7B 45 73 - 53
> D3 75 F5 C7 1A 62 6E
> *Mar 1 01:02:08.190: RADIUS: Framed-IP-Address [8] 6
> 255.255.255.255
> *Mar 1 01:02:08.190: RADIUS: Vendor, Cisco [26] 30
> *Mar 1 01:02:08.190: RADIUS: Cisco AVpair [1] 24
> "auth-proxy:priv-lvl=15"
> *Mar 1 01:02:08.190: RADIUS: Vendor, Cisco [26] 47
> *Mar 1 01:02:08.190: RADIUS: Cisco AVpair [1] 41
> "auth-proxy:proxyacl#1=permit ip any any"
> *Mar 1 01:02:08.190: RADIUS: Tunnel-Type [64] 6
> 01:VLAN [13]
> *Mar 1 01:02:08.190: RADIUS: Tunnel-Medium-Type [65] 6
> 01:ALL_802 [6]
> *Mar 1 01:02:08.190: RADIUS: Tunnel-Private-Group[81] 5 01:"10"
> *Mar 1 01:02:08.190: RADIUS: Class [25] 26
> *Mar 1 01:02:08.190: RADIUS: 43 41 43 53 3A 30 2F 34 64 66 2F 61 30 30
> 30 30 [CACS:0/4df/a0000]
> *Mar 1 01:02:08.190: RADIUS: 66 65 2F 64 6F 74 31 78 [
> fe/dot1x]
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
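The AAA debug lines quoted above can be grouped by session id to show which method each stage resolved to and how it ended. This is an added example, not part of the original thread; the function names are hypothetical and the sample is a subset of the poster's debug output with wrapped lines rejoined.

```python
import re

# Subset of the debug lines from the post above (wrapped lines rejoined).
LOG = """\
*Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): port='FastEthernet0/15' list='default' action=LOGIN service=LOGIN
*Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): console login - default to "no auth required"
*Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): Method=NONE
*Mar 1 00:26:04.785: AAA/AUTHEN (2551531521): status = PASS
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): Port='FastEthernet0/15' list='default' service=AUTH-PROXY
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): Method=radius (radius)
*Mar 1 00:26:04.785: RADIUS: failed to get authorization data: authen status = 4
*Mar 1 00:26:04.785: AAA/AUTHOR (2683369798): Post authorization status = ERROR
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): Method=NOT_SET
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): no methods left to try
"""

LINE = re.compile(r"AAA/(AUTHEN|AUTHOR)\S*\s+\((\d+)\):\s*(.*)")
FIELD = re.compile(r"\b(list|service|Method)='?([^'\s]+)")
STATUS = re.compile(r"status = (\w+)")

def summarize(log):
    """Group AAA debug lines by session id; collect list, service, methods, status."""
    sessions, last = {}, None
    for raw in log.splitlines():
        m = LINE.search(raw)
        if m:
            phase, last, rest = m.groups()
            s = sessions.setdefault(last, {"phase": phase, "status": None})
            for key, val in FIELD.findall(rest):
                s.setdefault(key, []).append(val)
            if (st := STATUS.search(rest)):
                s["status"] = st.group(1)
        elif "RADIUS: failed" in raw and last:
            # RADIUS lines carry no session id; attach to the most recent AAA session
            sessions[last]["radius_error"] = raw.split("RADIUS: ", 1)[1]
    return sessions

def findings(sessions):
    """Flag stages where no server was consulted or authorization errored."""
    out = []
    for sid, s in sessions.items():
        if s["phase"] == "AUTHEN" and s.get("Method") == ["NONE"]:
            out.append((sid, "authentication resolved to Method=NONE"))
        if s["phase"] == "AUTHOR" and s["status"] == "ERROR":
            out.append((sid, "authorization ERROR: " + s.get("radius_error", "no detail")))
    return out

if __name__ == "__main__":
    print(findings(summarize(LOG)))
```

On the quoted output this reports that the LOGIN authentication on list 'default' passed with Method=NONE, and that the AUTH-PROXY authorization through radius ended in ERROR after the RADIUS "authen status = 4" line.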
