802.1x & Web Authentication

Dear All, Can any one help me to understand concept of web authentication. Can it be used for Guest users authentication whose pcs are not 802.1x capable. Can they be groupd ina vlan based on user name & password via web-authentication. My requirement is to use 802.1x in network for coporate users & for guest users. If corporate users are authenticated then they will be placed in corporate vlan. which is working quite well. if guest users are from same company they should be placed in same vlan somehow & if guests are from different company then they should be placed in different vlans based on credentials remember guest laptops are not 802.1x enable/capable.
any one has idea how to achieve this without NAC hardware.

You can use the web-based authentication feature to authenticate end users on host systems that do not run the IEEE 802.1X supplicant. You can configure the web-based authentication feature on Layer 2 and Layer 3 interfaces.
When a user initiates an HTTP session, the web-based authentication feature intercepts ingress HTTP packets from the host and sends an HTML login page to the user. The user keys in their credentials, which the web-based authentication feature sends to the AAA server for authentication. If the authentication succeeds, web-based authentication sends a Login-Successful HTML page to the host and applies the access policies returned by the AAA server.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/webauth.html#wp1067205

Similar Messages

  • No Web Authentication - but excluded client with reason code 4

    Hello,
    we are using a WLC 4400 with Software Version 5.0.148.0 and WCS Version 5.0.56.2.
    Access Points are AIR-LAP1131AG-E-K9.
    We have problems with one client (Windows XP SP3). The computer loses the wireless connection all the time, but we don't know why. Duration of the connections are different.
    So there are a lot of minor alarms saying “Client which was associated with AP, interface '0' is excluded. The reason code is '4(Web Authentication failed 3 times.)'.”
    But the wireless lan which is used by the client is not configured with Web Authentication!! It is only using MACFilter. That's very strange! (There is another wireless lan configured with Web Authentication.)
    The minor alarms are created by different Access Points, amongst others by the Access Point where the client is connected to! (All Access Points radiate all wireless lans.)
    Regarding to this client the SyslogServer often says:
    Sep 17 16:01:57.187 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M1 retransmissions exceeded for client LOCAL USE 0 ERROR CONDITION
    Sep 17 16:02:07.885 1x_ptsm.c:511 DOT1X-3-PSK_CONFIG_ERR: Client may be using an incorrect PSK LOCAL USE 0 ERROR CONDITION
    Last week I tried the trouble shooting of the WCS with the following effect:
    Time :09/18/2009 19:01:39 Message :Controller association request message received.
    Time :09/18/2009 19:01:39 Message :Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).
    Time :09/18/2009 19:01:39 Message :Received reassociation request from client.
    Time :09/18/2009 19:01:39 Message :The wlan to which client is connecting requires 802 1x authentication.
    Time :09/18/2009 19:01:39 Message :Client moved to associated state successfully.
    Time :09/18/2009 19:01:39 Message :802.1x authentication message received, static dynamic wep supported.
    Time :09/18/2009 19:01:39 Message :802.1x authentication was completed successfully.
    Time :09/18/2009 19:01:39 Message :Client has got IP address, no L3 authentication required.
    I think the problem is hidden at the client but I don't know what it could be. The PSK can not be incorrect because the client is able to connect to the wireless lan but later loses the connection.
    Does somebody has an idea or knows the error messages?!
    Greetings lydia

    Hi,
    I'm exactly with the same problem! Can you please tell me if you were able to solve this?
    Thank you!
    Best regards,

  • Cisco Wireless AP 2602 - Web Authentication/Pass NOT working?

    Product/Model                                       Number:
    AIR-CAP2602E-A-K9
    Top                                       Assembly Serial Number:
    System                                       Software Filename:
    ap3g2-k9w7-xx.152-4.JB3a
    System                                       Software Version:
    15.2(4)JB3a
    Bootloader                                       Version:
    BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
    When "Web Authentication/Pass" option checked, it is totally unaccessible to internal or external network, any clue/advice?
    Thanks in advance.

    Thanks, seems I missed the RADIUS part; after I done that it's still no luck, here are some tech support info, are you able to help?
    ------------------ show version ------------------
    Cisco IOS Software, C2600 Software (AP3G2-K9W7-M), Version 15.2(4)JB3a, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Mon 23-Dec-13 08:11 by prod_rel_team
    ROM: Bootstrap program is C2600 boot loader
    BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
    WuGa-CiscoAP uptime is 3 days, 19 minutes
    System returned to ROM by power-on
    System restarted at 23:18:39 +0800 Mon Feb 10 2014
    System image file is "flash:/ap3g2-k9w7-mx.152-4.JB3a/ap3g2-k9w7-xx.152-4.JB3a"
    Last reload reason:
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AIR-SAP2602E-A-K9 (PowerPC) processor (revision A0) with 204790K/57344K bytes of memory.
    Processor board ID FGL1650Z5X3
    PowerPC CPU at 800Mhz, revision number 0x2151
    Last reset from power-on
    1 Gigabit Ethernet interface
    2 802.11 Radios
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: E0:2F:6D:A3:4D:0B
    Part Number                          : 73-14511-02
    PCA Assembly Number                  : 800-37898-01
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC164889AN
    Top Assembly Part Number             : 800-38357-01
    Top Assembly Serial Number           : FGL1650Z5X3
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-CAP2602E-A-K9  
    Configuration register is 0xF
    ------------------ show running-config ------------------
    Building configuration...
    Current configuration : 5276 bytes
    ! Last configuration change at 23:36:14 +0800 Thu Feb 13 2014
    ! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
    ! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname WuGa-CiscoAP
    logging rate-limit console 9
    enable secret 5
    aaa new-model
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login webauth group radius
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication login web_list group radius
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone +0800 8 0
    no ip cef
    ip admission name webpass consent
    ip admission name webauth proxy http
    ip admission name webauth method-list authentication web_list
    ip admission name web_auth proxy http
    ip admission name web_auth method-list authentication web_list
    ip admission name web-auth proxy http
    ip admission name web-auth method-list authentication web_list
    ip name-server 8.8.8.8
    dot11 syslog
    dot11 vlan-name GuestVLAN vlan 2
    dot11 vlan-name InternalVLAN vlan 1
    dot11 ssid Guest
       vlan 2
       web-auth
       authentication open
       mbssid guest-mode
    dot11 ssid WuGa-6
       vlan 1
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 0211115C0A555C721F1D5A4A5644
    dot11 ssid WuGa-60
       vlan 1
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 03084C070900721F1D5A4A56444158
    dot11 guest
      username wuga lifetime 360 password 7 030D5704100A36594908
    username Cisco privilege 15 password 7
    bridge irb
    interface Dot11Radio0
    no ip address
    encryption mode ciphers aes-ccm
    encryption vlan 1 mode ciphers aes-ccm
    ssid Guest
    ssid WuGa-6
    antenna gain 2
    stbc
    mbssid
    speed  basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
    channel 2452
    station-role root
    dot11 dot11r pre-authentication over-air
    dot11 dot11r reassociation-time value 500
    ip admission web-auth
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    ip admission webauth
    interface Dot11Radio1
    no ip address
    encryption mode ciphers aes-ccm
    encryption vlan 1 mode ciphers aes-ccm
    ssid WuGa-60
    antenna gain 4
    peakdetect
    no dfs band block
    stbc
    speed  basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
    power local 5
    channel width 40-above
    channel dfs
    station-role root
    dot11 dot11r pre-authentication over-air
    dot11 dot11r reassociation-time value 500
    interface Dot11Radio1.1
    encapsulation dot1Q 1 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
    no ip address
    duplex auto
    speed 1000
    interface GigabitEthernet0.1
    encapsulation dot1Q 1 native
    bridge-group 1
    bridge-group 1 spanning-disabled
    no bridge-group 1 source-learning
    interface GigabitEthernet0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 spanning-disabled
    no bridge-group 2 source-learning
    interface BVI1
    ip address 192.168.133.213 255.255.255.0
    ip default-gateway 192.168.133.200
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip route 0.0.0.0 0.0.0.0 192.168.133.200
    ip radius source-interface BVI1
    ip access-list extended ALL
    permit ip any host 0.0.0.0
    permit ip any any
    permit ip 0.0.0.0 255.255.255.0 any
    ip access-list extended All
    permit tcp any any established
    permit tcp any any eq www
    permit ip any any
    radius-server local
      nas 192.168.133.213 key 7 070C285F4D06
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    radius server 192.168.10.2
    address ipv4 192.168.10.2 auth-port 1812 acct-port 1646
    radius server local
    address ipv4 192.168.133.213 auth-port 1812 acct-port 1813
    key 7
    bridge 1 route ip
    line con 0
    terminal-type teletype
    line vty 0 4
    terminal-type teletype
    transport input all
    sntp server 128.138.141.172
    sntp broadcast client
    end

  • Central web authentication

    I have downloaded the new Cisco ISE, I've managed to configure 802.1x and MAB succesfully but I want to configure wired centralized web authentication, but I cannot find any documentation how to configure ISE and Cisco Catalyst (IOS) switches to use this feature (I only find (limited) documentation about local web auth on the switch).
    I want to achieve the following authentication order on a switchport:
    802.1x
    MAB
    central web authentication
    So if a guest user comes with his laptop, 802.1x is not configured on his laptop and he's not in the Mac Bypass DB, he should "failover" to web auth and get the ISE guest portal webpage with his web browser. There he enters a guest username and password (which is of course already in the ISE DB) and he should get web access.
    I've configured the switchport with the following commands
    switchport access vlan 99
    switchport mode access
    switchport voice vlan 50
    authentication event no-response action authorize vlan 32
    authentication host-mode multi-domain
    authentication order dot1x mab webauth
    authentication port-control auto
    authentication violation protect
    authentication fallback webprofile
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 2
    dot1x timeout tx-period 2
    spanning-tree portfast
    spanning-tree bpduguard enable
    the web-profile with access-list to permit DHCP traffic between the attached device and any DHCP server in the vlan 99, and communications with ISE (also in vlan 99) at the moment "fallback webprofile" is triggered (I don't know if this should be configured with central webauth?)
    SW01T#sh fallback profile webprofile
    Profile Name: webprofile
    Description : webauth profile
    IP Admission Rule : NONE
    IP Access-Group IN: 133
    FYI, the access list:
    Extended IP access list 133
    10 permit ip any host 10.175.0.29
    30 permit udp any any eq bootps
    40 permit udp any eq bootpc any
    In the ISE, I configured DOT1x and MAB. In the MAB profile, I configured "continue" if user is unknown, and then an authorization profile for the web authentication:
    (attributes of the profile):
    Access Type = ACCESS_ACCEPT
    cisco-av-pair = url-redirect-acl=webauth
    cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&portal=https://10.175.0.29:8443/guestportal/gateway?sessionId=SessionIdValue&portal=http&action=cwa&action=cwa
    But it doesn't work. If I attach a device, it tries 802.1x, it tries MAB, then it fails over to "web authentication" but immediately fails with "no-response" message:
    001420: Jul 1 12:09:19: %AUTHMGR-5-START: Starting 'webauth' for client (0011.2
    5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
    5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
    from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0
    AAF003E000000582E866B69
    001422: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'webauth' for cl
    ient (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B
    69
    001423: Jul 1 12:09:19: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication
    methods for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003 001420:
    Is there some configuration guide or steps available in order to make this work please?
    kind regards

    Hi Tarik,
    thank you for the fast reply.
    I've configuried the extra settings you told me (although I thought the ip admission configuration was only for local web authentication (where the switch acts as a http server).
    But it still doesn't work. The pc is getting the ip address from the dhcp server but if I open a browser session, I do not get redirected to the ISE portal in order to log me in with a Guest account.
    If I look at the authentication session of the port, it looks like the ISE has correctly sent the redirect acl and redirect url to the switchport:
    Switch# show auth sessions int fa 1/0/3
               Interface:  FastEthernet1/0/3
             MAC Address:  0011.25d7.6c6c
              IP Address:  10.175.0.229
               User-Name:  001125d76c6c
                  Status:  Authz Success
                  Domain:  DATA
         Security Policy:  Should Secure
         Security Status:  Unsecure
          Oper host mode:  multi-domain
        Oper control dir:  both
           Authorized By:  Authentication Server
              Vlan Group:  N/A
        URL Redirect ACL:  webauth
            URL Redirect:  https://ISE.onemrva.priv:8443/guestportal/gateway?session
    Id=0AAF003E0000175A43004FE3&action=cwa
         Session timeout:  N/A
            Idle timeout:  N/A
       Common Session ID:  0AAF003E0000175A43004FE3
         Acct Session ID:  0x000018CF
                  Handle:  0xEF00075B
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
           webauth  Not run
    As you can see, the "web authentication" is the result of a "succesful MAB". This is because I had to configure ISE to continue on MAB if the user was not found (I found that somewhere in documentation). Then I have configured a default authorization profile where the "web authentication" is triggered. This is where I've configured the redirect-url and so on and this is of course sent to the switch as a succesfull MAB:
    authorization profile "webauthentication" with the "centralized web authentication" settings configured (see attributes output):
    Access Type = ACCESS_ACCEPT
    cisco-av-pair = url-redirect-acl=webauth
    cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    Actually, I really have no idea if I have correctly configured ISE to handle central web authentication...
    If I check the "show ip admission cache", nothing is seen in there.

  • ISE Web Authentication with Profile

       Hi,
       I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
       The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication
       But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use
       the Web Authentication cause the endpoint is already in the internal endpoint store.
       What's the better way to solve this problem ?
       Thanks in Advanced
       Andre Gustavo Lomonaco

        Hi Neno, let me clarify my question
        I'm already using my internal endpoints to permit authenticate via MAB my IP Phones, Access Points and Printers.  I'm using Profile to be able to populate this ISE internet database.
        Now imagine that I wanna use the Web Authentication to permit authenticate guest workstations without 802.1x.If the profile put the guest workstation mac in the endpoints database, those workstation always will be authenticate using the MAC authentication and not the Web Authentication. Remember that for the Web authentication works we need to configure the continue options if the mac are not found in the endpoints database. But when the profile is on, the news (guest workstations) macs are inserted in endpoints database before I have chance to use the Web Authentication.

  • ISE and central web authentication

    Hello all,
    I have followed the steps in this document in detail:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
    however, my central authentication does not work. I get to the guest portal, i get authenticated through the guest portal,
    but then the "second" MAB authenticatino doesn't happen.
    In the last screencapture of the document, you get a green "Dynamic Authorization" line (third line from below). On my system
    this is a red line with the error message "11213 No response received from Network Access Device".
    (i have a successfull guest authentication in my ise logs, but it seems ise is unable to bounce or initiate the second MAB....)
    Any ideas ?
    regards,
    Geert

    By the way, i feel the document example is a bit too general. For example, if you implement the document, ISE will do web authentication and redirection even when you are using a 802.1X client and are authenticated (and you have no other rules in your Autorization sequence table)
    I managed to prevent this by adding an additional condition to the first rule "MAC not known" that has the CentralWebAuth policy. Only do webautentication if MAC not known AND Wired_MAB is being used.

  • Web Authentication with MS IAS Server

    I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
    I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
    Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
    I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?

    I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
    I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
    The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
    Event Type: Warning
    Event Source: IAS
    Event Category: None
    Event ID: 2
    Date: 9/3/2008
    Time: 11:00:55 PM
    User: N/A
    Computer: DC1
    Description:
    User SCOTRNCPQ003.scdl.local was denied access.
    Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
    NAS-IP-Address = 10.10.10.10
    NAS-Identifier = scohc0ciswlc
    Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
    Calling-Station-Identifier = 00-90-4B-4C-92-B7
    Client-Friendly-Name = WLAN Controller
    Client-IP-Address = 10.10.10.10
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 29
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server =
    Policy-Name =
    Authentication-Type = EAP
    EAP-Type =
    Reason-Code = 8
    Reason = The specified user account does not exist.
    The policy is the default connection policy created when installing IAS.
    In ADUC, I've tried setting both the machine and users Dial-In properties to Allow Access or Control through policy, with the same result.
    I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
    In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
    It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished.

  • Web authentication with Radius server problem

    Hello,
    I'm having problem to web authenticate users via radius server for one WLC. Here is the outpu from WLC:
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
    *aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
    *aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
    *aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
    *aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
    *aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
    *aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
    *aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff  df 06 53 30 c0 be e1 8e  .C..H|....S0....
    *aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65  66 72 73 76 65 02 12 7b  ......aaaaaa..{
    *aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc  3b 08 65 d7 04 0e ba 06  ........;.e.....
    *aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a  2e 09 14 05 06 00 00 00  ................
    *aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74  2d 6c 77 63 31 30 3d 06  ...xxxxx-lwc10=.
    *aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00  37 63 01 06 00 00 00 01  ........7c......
    *aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36  38 2e 31 2e 36 31 1e 0c  ..192.168.1.61..
    *aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e  32 30 50 12 95 11 7c d9  10.xx.9.20P...|.
    *aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8  38 ab 68 4a              u..n.b8.8.hJ
    *radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75  52 04 af e0 07 b7 fb 96  .C.....uR.......
    *radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
    *radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
    *radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
    *radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
    *radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
    *radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
    *radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
    *radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
    *radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
    *radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
    *emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
    That was pretty clear for me that Radius is refusing to give user access.
    Fully-Qualified-User-Name = NMEA\aaaaaa
    NAS-IP-Address = 10.xx.9.20
    NAS-Identifier = xxxxx-lwc10
    Called-Station-Identifier = 10.xx.9.20
    Calling-Station-Identifier = 192.168.1.61
    Client-Friendly-Name = YYY10.xx
    Client-IP-Address = 10.xx.9.20
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 13
    Proxy-Policy-Name = Use Windows authentication forall users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Users
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
    That output is from WLC 5508 version 7.0.235
    What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
    this is output from working client connection from old WLC
    NAS-IP-Address = 10.xx.9.13
    NAS-Identifier = xxxxx-lwc03
    Client-Friendly-Name = YYY10.46
    Client-IP-Address = 10.xx.9.13
    Calling-Station-Identifier = 192.168.19.246
    NAS-Port-Type = <not present>
    NAS-Port = <not present>
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Guest Access
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
    Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
    Is it maybe problem of version 7.0.235?
    Any toughts would be much appriciated.

    Scott,
    You are probably right. The condition that is checked for the first policy name (we have 2) is to match
    NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
    as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
    As I said before.
    WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
    WLC 4402 ver. 4.2.207 is not.
    The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not changed anything on adapter.

  • Question about dot1x & Web Authentication

    I'm not sure if what I want to do is possible so hopefully someone can set me straight.
    Right now when a user doesn't have a 802.1x capable machine, they are assigned to the guest VLAN. Then using the dot1x fallback command we could force them to use authenticate using the web if we so choose. At least this is how I understand web-auth to work. Please correct me if I'm wrong.
    But what about when someone is using an 802.1x capable machine but fails auth? Like say a user logging in locally on a domain machine or a vendor using his companies laptop. Currently those ports go into an unauthorized state and are not active. If I use the dot1x auth-fail-vlan command, it authorizes the ports for that vlan just fine.
    What I'd like to do in those cases is to put them in a restricted vlan and then force them to use web authentication to gain access to the network.
    Is that possible? I can't seem to find a way to use web authentication after a failed dot1x auth. Or is that it, a failure is a failure and there is no way to try and reauthenticate a different way?

    Hi,
    dot1x authentication and mac-authentication bypass are layer 2 authentication mechanism and webauth is a layer 3 authentication mechanism.
    u can set multiple authentication profiles and set the priority as well.
    like u can have dot1x authentication first and second webauth and third as mac-authentication bypass.
    remember the other authentication mechanism will only come into place if the first authentication is not possible that is the client is not having a suplicant for dot1x.
    if a user doesn;t have dot1x supplicant and u have configured guest vlan then the user will be put into the guest vlan otherwise the user will be in the access vlan in which the port is configured.
    if u have configured auth-fail vlan and the user gives wrong credentials the user will be put into the auth-fail vlan.
    if a user is a dot1x client and dot1x is configured then the user must pass the dot1x authentication .
    the fallback mechanism is only when the dot1x authentication cannot be executed because the client is not having dot21x supplicant. then the next mode of authentication will be triggered that is either webauth or MAB.
    if a user fails the dot1x authentication dues to wrong credentials then he cannot be prompted for a another authentication mechanism. this is to avoid security breaches.
    hope this helps.
    regards
    Sushil

  • Web Authentication Catalyst 2960

    Hi,
    I am trying to configure fallback Web Authentication on a catalyst 2960 switch. The goal is to authenticate clients via web authentication who are not 802.1x compliant (the 802.1x part is working fine) and allow them restricted access to the network. The problem is that the web authentication seems to fail.
    The equipment regarding my question : catalyst 2960 switch (version : 122-37.SE) and a FreeRadius.
    Here's what happens :
    The authentication window pops up in my browser and the Access-Request is sent to the RADIUS.
    The RADIUS in term responds with a Access-Accept. The debugs running on the switch show that all this information arrives correctly at the switch and the Authentication debug outputs a 'status = PASS' and the Authorization debug outputs a 'status = PASS_ADD'. In spite of this the browser on the client outputs a 'Authentication failed' message.
    I've read the manual and the Cisco-attribute Value pairs were mentioned : 'priv-lvl=15' and 'proxyacl ...'. Are these mandatory for it to work? Since I'm not configuring any switch login authentication via RADIUS.
    Any suggestions ?
    Thanx in advance

    Yes, they are mandatory.
    If priv-lvl=15 is not returned to the switch, the user will see ?Authentication Failed? and the access-list will not be applied. If the source field in the proxyacl statements is not ?any? or there are other syntax errors, the user will see ?Authentication Successful? but the access-list will not be applied and the user will be denied access to the network.
    Not sure about the specific FreeRADIUS config, but you need to setup the ?[026\009\001] cisco-av-pair VSA. It would look something like:
    priv-lvl=15
    proxyacl#10=permit ip any any
    Let me know if this gets you squared away,

  • Web Authentication Dynamic VLAN Assignment

    In a WLC 4402 firmware v.5.2.157 is there any way to assign users to a VLAN dynamically based on the RADIUS response received from the ACS?

    Yes and no. you can do this for an internal 802.1x WLAN, as the client does not get an IP address until they have completed the authentication process. For this you use 64/65/81, 64 802 , 65 VLAN and for 81 use the interface name not the VLAN number. you will also need to make sure you have AAA Overrided enabled under the WLAN.
    If as this says for Web Authentication, the answer is no. The client has an IP address prior to being validated by the AAA server.
    HTH,
    Steve

  • About web authentication.

    I want to configure a switch port for IEEE 802.1x authentication with web authentication as a fallback method.
    Can someone provide a valid configuration example?
    Only web authentication doesn't work!
    Switch#sh run
    Building configuration...
    Current configuration : 3012 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname Switch
    aaa new-model
    aaa authentication login default group radius
    aaa authentication login line-con none
    aaa authentication dot1x default group radius
    aaa authorization auth-proxy default group radius
    aaa session-id common
    switch 1 provision ws-c3750-48p
    system mtu routing 1500
    ip subnet-zero
    ip domain-name cisco.com
    ip admission name rule1 proxy http
    dot1x system-auth-control
    fallback profile fallback
    ip access-group policy1 in
    ip admission rule1
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet1/0/1
    switchport access vlan 142
    switchport mode access
    interface FastEthernet1/0/47
    switchport access vlan 142
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x fallback fallback
    interface Vlan1
    no ip address
    shutdown
    interface Vlan142
    ip address 10.1.254.1 255.255.255.0
    ip classless
    ip access-list extended policy1
    permit udp any any eq bootps
    deny ip any any log
    radius-server attribute 8 include-in-access-req
    radius-server host 10.1.254.187 auth-port 1645 acct-port 1646 key secret
    radius-server source-ports 1645-1646
    radius-server vsa send authentication
    control-plane
    line con 0
    line vty 5 15
    end

    Try adding this:
    ip device tracking
    Also, if you want your web-auth users to be able to use DNS to resolve URLs, you probably want to add something like this to policy1:
    permit udp any any eq domain
    Remember you'll have to wait until 802.1X times out (90 sec by default) for Web-Auth to kick in.
    Shelly

  • Web authentication & Roaming.

    Dear Experts,
    Greetings!
    I have 1x 2500 controller & 15  CAP1602I APs.
    2 SSID is broadcasting, 1 for employee, 1 for guest.
    employee is using 802.1x bases on EAP, guest is using web authentication bases on local users.
    I have 2 questions:
    1.   if a user moves from meeting room to pantry, the client's AP association moves from AP1 to AP2 ( same VLAN and IP subnet).
    Is that a kind of roaming?
    2. currently, my all 15 APs are in the same group: 'default-group'. the users who use guest ssid complain the wifi often disconnects.
    Should I configure roaming for web authentication?

    1.   if a user moves from meeting room to pantry, the client's AP association moves from AP1 to AP2 ( same VLAN and IP subnet).
    Is that a kind of roaming?
      Ans. Yes it is only known as roaming as the same ssid is broadcasted on all the AP and the client is getting associated and disassociated between these AP which is broadcasting this ssid.
    2. currently, my all 15 APs are in the same group: 'default-group'.  the users who use guest ssid complain the wifi often disconnects.
    Should I configure roaming for web authentication?
    Ans:- No special roaming configuration is available for web authentication. as the client is moving properly between all the AP's doing web authenticaton with the same guest ssid.
    Is there some time limit configured for web auth.. after which these clients are getting disconnected..?

  • WLC Client excluded - web authentication failed 3 times

    Is there any more I can do with the following? The customer only has 4400 controllers and WCS' both on the highest firmware currently available...
    An example of the alert generated in the event of an excessive authentication failure is as follows:
    Client '08:60:6e:35:7c:29 (172.16.235.133)' which was associated with interface '802.11b/g/n' of AP '25CS-AP21-24SE' is excluded. The reason code is '5(Web Authentication failed 3 times.)'.
    E-mail will be suppressed up to 30 minutes for these alarms.
    I need clarification of the following so that a process can be put in place to show if it is possible to deal with potential threats/attempts to hack into the network as the customers security are not accepting notification only. Therefore please advise:
    - What does ‘excluded’ mean in this scenario? Is the client permanently excluded or only temporarily?
    - If the client is not permanently excluded - if there are multiple occurrences of this alert for the same client can the client be disabled via the WCS console?
    - If necessary could e-mail suppression be turned off - for this alert only?
    Hope you can help but I think they need Prime and ISE to satisfy their security concerns myself!
    BR
    Rockford

    There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
    http://support.microsoft.com/kb/883619

  • Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

    Hello,
    I have configured a Guest SSID with web authentication (captive portal).
    wlan XXXXXXX 2 Guest
     aaa-override
     client vlan YYYYYYYYY
     no exclusionlist
     ip access-group ACL-Usuarios-WIFI
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     mobility anchor 10.181.8.219
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth parameter-map global
     session-timeout 65535
     no shutdown
    The configuration of webauth parameter map  is :
    service-template webauth-global-inactive
     inactivity-timer 3600 
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    parameter-map type webauth global
     type webauth
     virtual-ip ipv4 1.1.1.1
     redirect on-success http://www.google.es
    I need to  login on web authentication on HTTP instead of HTTPS.
    If I  login on HTTP, I will not receive certificate alerts that prevent the users connections.
    I saw how to configure it with 7.x relesae but I have IOS XE Version 03.03.05SE and I don´t know how to configure it.
    Web Authentication on HTTP Instead of HTTPS
    You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
    For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
    For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
    On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
    Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
    Thanks in advance.
    Regards.

    The documentation doesn't provide very clear direction, does it?
    To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

Maybe you are looking for

  • Questions on OCS and workflow

    I am wondering whether I can configure the following: - Can I have multiple views? Example, view documents by Author, Project, Category? Can I customize document views? - Can I control access rights on a single document? - Can I monitor or extract a

  • Installing OS 10.4.3 on "new" hard drive - need to change mount location

    I have an older G4 that I am setting up for my little sister. The original hard drive in in went bad, so I put in a "new" one that I pulled from a working PC. I also bought OS 10.4.3 to install. When I try to install it on the new disk I get the mess

  • MDM 5.5 Material, Vendor, Employee & Customer Repositories

    Hi, MDM 5.5 comes with object repositories for Material, Vendor, Employee & Customer. Can anyone help me in finding a way to synchronize these with R/3 ? I am able to see Corresponding IDoc names as data sources in Import Manager for these repositori

  • Songs not appearing under artists

    Hi, I'm going to try and explain this the best way I can, On my Ipod (30GB), some songs do not appear under the artist. Example: I have two songs by Christina Aguilera, A is from the album "Stripped" and the other one (B) I haven't listed any album n

  • Tuning WLS 11g hardware configuration.

    Hi all, we have to create a test WLS 10.3.1 environment and, at the beginning, we will deploy only 1 application for at least 25 users in a LAN, but the number of application and users should grow in the future. Is there a way to set my hardware (fir