Hi Patrick,

Do you have an SVI for VLAN 40? Also, did the client obtain an IP address?

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com

On Tue, Sep 3, 2013 at 10:21 AM, Patrick Ogenstad <patrick.ogens...@netsafe.se> wrote:

> Hello,
>
> I’m setting up local web auth as a fallback method.
>
> I’m following the guide from:
> http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/WebAuth/WebAuth_Dep_Guide.html#wp392908
>
> aaa new-model
> aaa authentication login default group radius
> aaa authentication login LOCALDB local
> aaa authentication dot1x default group radius
> aaa authorization exec default local
> aaa authorization network default group radius
> aaa authorization network auth-list group radius
> aaa authorization auth-proxy default group radius
> aaa accounting auth-proxy default start-stop group radius
> aaa accounting dot1x default start-stop group radius
>
> ip device tracking
> ip admission name IPAD proxy http
>
> ip http server
> ip http secure-server
>
> ip access-list extended DOT1X
>  permit udp any any eq bootps
>  permit udp any any eq tftp
>  permit udp any any eq domain
>
> ip access-list extended PREAUTH
>  permit udp any any eq bootps
>  permit udp any any eq domain
>  permit icmp any any
>
> fallback profile LWA
>  ip access-group PREAUTH in
>  ip admission IPAD
>
> interface GigabitEthernet0/2
>  switchport access vlan 40
>  switchport mode access
>  switchport voice vlan 66
>  ip access-group DOT1X in
>  authentication event fail action next-method
>  authentication host-mode multi-domain
>  authentication open
>  authentication order mab dot1x webauth
>  authentication priority mab dot1x webauth
>  authentication port-control auto
>  authentication fallback LWA
>  mab
>  dot1x pae authenticator
>  dot1x timeout tx-period 5
>  spanning-tree portfast
> end
>
> I can see on the ISE that the client fails MAB and from the debug on the
> switch (debug dot1x all) I can see that it understands that it is to use
> webauth instead:
>
> 5w0d: %EPM-6-POLICY_APP_SUCCESS: IP 172.29.52.15| MAC 68b5.99f4.67d0| AuditSessionID AC1D3203000004A7B84EE5DE| AUTHTYPE AUTHPROXY| POLICY_TYPE Named ACL| POLICY_NAME PREAUTH| RESULT SUCCESS
> 5w0d: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (68b5.99f4.67d0) on Interface Gi0/2 AuditSessionID AC1D3203000004A7B84EE5DE
>
> However, from the client I’m never prompted to enter a password. So I can
> never do the actual web authentication. Does anyone know what I’m doing
> wrong?
>
> Best regards
> Patrick
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com