Thanks Kings!

On Thu, Jul 5, 2012 at 11:13 PM, Kingsley Charles <[email protected]> wrote:
> Most of the time, it hasn't worked for me. There is some issue.
>
> With regards
> Kings
>
> On Thu, Jul 5, 2012 at 12:26 AM, Imre Oszkar <[email protected]> wrote:
>
>> Hi guys,
>>
>> I'm having difficulties configuring dot1x with webauth fallback.
>> Dot1x for clients with a supplicant works fine, but when I connect a
>> non-supplicant client, webauth fallback fails to work.
>>
>> Once the dot1x timers expire the switchport falls back to the webauth
>> authentication method; I can see that from the sh dot1x interface output
>> and debugs. After that, if I open a browser and try to navigate, I'm asked
>> for authentication.
>> I enter the credentials, then instead of the authentication successful or
>> failed message I get a popup with error HTTP 500 "The website cannot
>> display the page".
>>
>> Below you can see the config and the debug outputs from the switch. On
>> the ACS reports I cannot see any authentication success or failure for
>> these webauth attempts.
>>
>> Can somebody give me a hint please?
>>
>> Thanks!
>>
>> aaa new-model
>> aaa authentication dot1x default group radius
>> aaa authorization network default group radius
>> aaa authorization auth-proxy default group radius
>> aaa session-id common
>>
>> ip http authentication aaa
>>
>> ip device tracking
>> ip admission name ADMISSION proxy http
>>
>> dot1x system-auth-control
>>
>> fallback profile FALLBACK
>>  ip access-group 100 in
>>  ip admission ADMISSION
>>
>> interface FastEthernet0/15
>>  description TEST PC
>>  switchport access vlan 5
>>  switchport mode access
>>  dot1x pae authenticator
>>  dot1x port-control auto
>>  dot1x violation-mode protect
>>  dot1x fallback FALLBACK
>>  spanning-tree portfast
>>
>> access-list 100 permit icmp any any
>>
>> Dot1x Authenticator Client List
>> -------------------------------
>> Domain = DATA
>> Supplicant = 00e0.4c03.5787
>> Auth SM State = AUTHENTICATED
>> Auth BEND SM State = IDLE
>>
>> Port Status = AUTHORIZED
>> Authentication Method = WebAuth
>> Authorized By = Authentication Server
>> Vlan Policy = N/A
>>
>> Debug output from:
>> AAA Authentication debugging is on
>> AAA Authorization debugging is on
>> Radius protocol debugging is on
>> Dot1x events debugging is on
>>
>> *Mar 1 00:26:04.785: AAA: parse name=FastEthernet0/15 idb type=-1 tty=-1
>> *Mar 1 00:26:04.785: AAA: name=FastEthernet0/15 flags=0x15 type=16 shelf=0 slot=0 adapter=0 port=15 channel=0
>> *Mar 1 00:26:04.785: AAA: parse name=<no string> idb type=-1 tty=-1
>> *Mar 1 00:26:04.785: AAA/MEMORY: create_user (0x3B09448) user='NULL' ruser='NULL' ds0=0 port='FastEthernet0/15' rem_addr='8.9.5.10' authen_type=ASCII service=LOGIN priv=0 initial_task_id='0', vrf= (id=0)
>> *Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): port='FastEthernet0/15' list='default' action=LOGIN service=LOGIN
>> *Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): console login - default to "no auth required"
>> *Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): Method=NONE
>> *Mar 1 00:26:04.785: AAA/AUTHEN (2551531521): status = PASS
>> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): Port='FastEthernet0/15' list='default' service=AUTH-PROXY
>> *Mar 1 00:26:04.785: AAA/AUTHOR/HTTP: FastEthernet0/15 (2683369798) user=''
>> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): send AV service=auth-proxy
>> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): send AV cmd*
>> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): found list "default"
>> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): Method=radius (radius)
>> *Mar 1 00:26:04.785: RADIUS: authenticating to get author data
>> *Mar 1 00:26:04.785: RADIUS: failed to get authorization data: authen status = 4
>> *Mar 1 00:26:04.785: AAA/AUTHOR (2683369798): Post authorization status = ERROR
>> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): Method=NOT_SET
>> *Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): no methods left to try
>> *Mar 1 00:26:04.785: AAA/AUTHOR (2683369798): Post authorization status = ERROR
>>
>> CAT3#test aaa group radius server 10.0.0.100 dot1x cisco new-code
>> User successfully authenticated
>>
>> *Mar 1 01:02:08.165: RADIUS: authenticator BB F3 45 A4 1C 79 E0 77 - 0C 9D 62 C4 0B 1A 81 A0
>> *Mar 1 01:02:08.165: RADIUS: User-Password [2] 18 *
>> *Mar 1 01:02:08.165: RADIUS: User-Name [1] 7 "dot1x"
>> *Mar 1 01:02:08.165: RADIUS: NAS-IP-Address [4] 6 10.0.0.254
>> *Mar 1 01:02:08.190: RADIUS: Received from id 1645/3 10.0.0.100:1645, Access-Accept, len 146
>> *Mar 1 01:02:08.190: RADIUS: authenticator 50 A2 6F 25 59 7B 45 73 - 53 D3 75 F5 C7 1A 62 6E
>> *Mar 1 01:02:08.190: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>> *Mar 1 01:02:08.190: RADIUS: Vendor, Cisco [26] 30
>> *Mar 1 01:02:08.190: RADIUS: Cisco AVpair [1] 24 "auth-proxy:priv-lvl=15"
>> *Mar 1 01:02:08.190: RADIUS: Vendor, Cisco [26] 47
>> *Mar 1 01:02:08.190: RADIUS: Cisco AVpair [1] 41 "auth-proxy:proxyacl#1=permit ip any any"
>> *Mar 1 01:02:08.190: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
>> *Mar 1 01:02:08.190: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
>> *Mar 1 01:02:08.190: RADIUS: Tunnel-Private-Group[81] 5 01:"10"
>> *Mar 1 01:02:08.190: RADIUS: Class [25] 26
>> *Mar 1 01:02:08.190: RADIUS: 43 41 43 53 3A 30 2F 34 64 66 2F 61 30 30 30 30 [CACS:0/4df/a0000]
>> *Mar 1 01:02:08.190: RADIUS: 66 65 2F 64 6F 74 31 78 [ fe/dot1x]
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
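An added example, not part of the original thread: a small Python triage script that groups the AAA debug lines from the post by request id and reports each request's service, username, methods tried and final status. The sample lines are copied from the debug output quoted above with mail-wrapped lines rejoined; the function names and regexes are this example's own and only cover the line shapes seen in this post.

```python
import re

# Lines copied from the debug output posted above (mail-wrapped lines rejoined).
DEBUG = """\
*Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): port='FastEthernet0/15' list='default' action=LOGIN service=LOGIN
*Mar 1 00:26:04.785: AAA/AUTHEN/START (2551531521): Method=NONE
*Mar 1 00:26:04.785: AAA/AUTHEN (2551531521): status = PASS
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): Port='FastEthernet0/15' list='default' service=AUTH-PROXY
*Mar 1 00:26:04.785: AAA/AUTHOR/HTTP: FastEthernet0/15 (2683369798) user=''
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): Method=radius (radius)
*Mar 1 00:26:04.785: RADIUS: failed to get authorization data: authen status = 4
*Mar 1 00:26:04.785: AAA/AUTHOR (2683369798): Post authorization status = ERROR
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): Method=NOT_SET
*Mar 1 00:26:04.785: FastEthernet0/15 AAA/AUTHOR/HTTP (2683369798): no methods left to try
"""

# Matches the AAA facility and the request id in parentheses that follows it.
REQ = re.compile(r"AAA/(AUTHEN|AUTHOR)[^(]*\((\d+)\)")

def summarize(text):
    """Group AAA debug lines by request id and collect what each request did."""
    reqs, last = {}, None
    for line in text.splitlines():
        m = REQ.search(line)
        if m:
            last = reqs.setdefault(m.group(2), {
                "phase": m.group(1), "service": None, "user": None,
                "methods": [], "status": None, "radius": []})
            rest = line[m.end():]
            if (s := re.search(r"service=(\S+)", rest)):
                last["service"] = s.group(1)
            if (u := re.search(r"user='([^']*)'", rest)):
                last["user"] = u.group(1)
            if (me := re.search(r"Method=(\S+)", rest)):
                last["methods"].append(me.group(1))
            if (st := re.search(r"status = (\w+)", rest)):
                last["status"] = st.group(1)
        elif last is not None and "RADIUS:" in line:
            # RADIUS lines carry no request id; attach them to the latest request.
            last["radius"].append(line.split("RADIUS:", 1)[1].strip())
    return reqs

def failed(reqs):
    """Return the ids of requests whose final status is not PASS."""
    return [rid for rid, r in reqs.items() if r["status"] != "PASS"]

if __name__ == "__main__":
    for rid, r in summarize(DEBUG).items():
        print(rid, r["phase"], r["service"], repr(r["user"]), r["methods"], r["status"], r["radius"])
```

On the posted output this shows the LOGIN authentication request passing with Method=NONE, while the AUTH-PROXY authorization request, logged with an empty username, ends in ERROR after the radius method.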
