Lab Minutes Forum

Technical Discussion => Security => Topic started by: spark_rod on June 12, 2014, 08:14:58 PM

Title: dot1x fallback to local web authentication
Post by: spark_rod on June 12, 2014, 08:14:58 PM
Hi, has anyone done the dot1x fallback? Please help with how to do it.
Thanks
Title: Re: dot1x fallback to local web authentication
Post by: MC on June 15, 2014, 01:02:49 AM
Hmm... I have never tried local web auth due to its limitations compared to CWA. Can you elaborate on what you are trying to do? Is this wired or wireless?
Title: Re: dot1x fallback to local web authentication
Post by: spark_rod on June 17, 2014, 06:42:03 PM
Hi, thanks for the reply. It is for the wired network. This is because some of the users have limited technical knowledge and may not configure their device for dot1x properly, especially the VIPs. The customer wants web authentication as an interim solution. This is to avoid complaints from users all at once, and because of limited resources to fix each individual's dot1x issue. The users will be relocating soon to the new building.
Title: Re: dot1x fallback to local web authentication
Post by: MC on June 17, 2014, 08:39:12 PM
Got it. You will need to enable dot1x and MAB on the switchport. On ISE, you can have a catch-all rule to send the user to Central Webauth. If dot1x is not detected, the user will be sent to a login page where they can type in their username/password. Just make sure you include the AD in the guest authentication sequence. On ISE, you will need one authorization policy for dot1x AD users, one for AD users logging in via the guest portal, and one for the CWA catch-all.
Title: Re: dot1x fallback to local web authentication
Post by: spark_rod on June 30, 2014, 08:09:14 AM
Hi MC,

I tried what you've suggested but it is only partially working. I can't figure out what the issue is now, as the users are not being prompted with the redirect page. From the switch I can see that it shows the redirect page on the switchport when issuing the command show authen session interface. I believe the wired setup is the same as the wireless guest? For wireless there is no problem; the users are redirected to the guest portal page. Only for the wired network am I not able to see the redirect page from the user's PC. I can see in the authentication logs that it hits the redirect policy. Please advise what could be the problem.
Thanks
Title: Re: dot1x fallback to local web authentication
Post by: MC on June 30, 2014, 11:10:57 PM
You might want to verify the redirect ACL (on the switch) and the downloadable ACL (on ISE) and make sure they are correct. The redirect ACL should deny DHCP, DNS, and anything to ISE while allowing all http/https. The downloadable ACL should be pretty much the reverse of that. Note that this is different from wireless, since wireless uses only one ACL and anything that is not allowed in that ACL will automatically be redirected.
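As an added illustration of the ACL split MC describes (this is not configuration from the thread, and the ISE address 10.0.0.10, the ACL names and the interface name are constructed placeholders), here is a Cisco IOS redirect ACL beside the matching ISE downloadable ACL, with the port settings the thread assumes:

```cisco
! Redirect ACL, configured on the switch and named in the ISE CWA
! authorization profile. In a redirect ACL "deny" means "do not redirect"
! and "permit" means "intercept and send to the ISE portal".
ip access-list extended ACL-WEBAUTH-REDIRECT
 remark never redirect DHCP, DNS, or traffic to ISE itself (10.0.0.10 is a placeholder)
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   ip  any host 10.0.0.10
 remark redirect all remaining web traffic to the portal
 permit tcp any any eq www
 permit tcp any any eq 443

! Downloadable ACL, defined on ISE (Policy > Policy Elements > Results >
! Downloadable ACLs) and pushed to the port by the same authorization
! profile. Here "permit" forwards and "deny" drops: DHCP, DNS and ISE are
! allowed through, everything else is blocked.
! Assumption: HTTP/HTTPS is also permitted so a platform that filters
! before it redirects does not drop the flow the switch needs to answer.
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip  any host 10.0.0.10
permit tcp any any eq www
permit tcp any any eq 443
deny   ip  any any

! Access port: dot1x first, MAB as the fallback that lands in the CWA rule.
interface GigabitEthernet1/0/1
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 mab
 dot1x pae authenticator

! Check what ISE actually pushed to the session: the output should list
! the redirect ACL under "URL Redirect ACL" and the dACL under "ACS ACL".
! show authentication sessions interface GigabitEthernet1/0/1 details
! show ip access-lists interface GigabitEthernet1/0/1
```

Note that the access switch must also have IP reachability to the client subnet for the redirect to work, which is the Layer 2 access switch problem resolved later in this thread.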
Title: Re: dot1x fallback to local web authentication
Post by: spark_rod on July 18, 2014, 06:35:15 PM
Hi, the issue is resolved. It happens that in our network the client is connected to the Layer 2 switch and the SVI is on the distribution switch. We leaked the routing between the management and user VLANs. It's either create the SVI on the access switch or leak the routing between the two VLANs. Cisco TAC says this is the only solution for CWA to work in our setup.