Author Topic: dot1x fallback to local web authentication  (Read 30692 times)

Offline spark_rod

  • Cisco Newbie
  • *
  • Posts: 9
  • Reputation: 1
  • Certification: CCNP
dot1x fallback to local web authentication
« on: June 12, 2014, 08:14:58 PM »
Hi, has anyone done the dot1x fallback? Please help with how to do it.
Thanks

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: dot1x fallback to local web authentication
« Reply #1 on: June 15, 2014, 01:02:49 AM »
Hmm.. I have never tried local web auth due to its limitation compared to CWA. Can you elaborate on what you are trying to do? Is this wired or wireless?

Offline spark_rod

  • Cisco Newbie
  • *
  • Posts: 9
  • Reputation: 1
  • Certification: CCNP
Re: dot1x fallback to local web authentication
« Reply #2 on: June 17, 2014, 06:42:03 PM »
Hi, thanks for the reply.. it is for the wired network. This is because some of the users have limited technical knowledge and may not configure their devices for dot1x properly, especially the VIPs. The customer wants web authentication as an interim solution, to avoid complaints from all the users at once and because there are limited resources to fix each individual's dot1x issue. The users will be relocating soon to the new building.

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: dot1x fallback to local web authentication
« Reply #3 on: June 17, 2014, 08:39:12 PM »
Got it. You will need to enable dot1x and MAB on the switchport. On ISE, you can have a catch-all rule for sending the user to Central Web Auth. If dot1x is not detected, the user will be sent to a login page where they can type in their username/password. Just make sure you include the AD in the guest authentication sequence. On ISE, you will need one authorization policy for dot1x AD users, one for AD users logging in via the guest portal, and one for the CWA catch-all.

Offline spark_rod

  • Cisco Newbie
  • *
  • Posts: 9
  • Reputation: 1
  • Certification: CCNP
Re: dot1x fallback to local web authentication
« Reply #4 on: June 30, 2014, 08:09:14 AM »
Hi MC,

I tried what you've suggested but it is only partially working.. I can't figure out what the issue is now, as the users are not being prompted with the redirect page. From the switch I can see that it shows the redirect page for the switchport when I issue the command show authen session interface. I believe the wired setup is the same as the wireless guest? For wireless there is no problem; the users are redirected to the guest portal page. Only for the wired network am I not able to see the redirect page from the user's PC. I can see in the authentication logs that it hits the redirect policy. Please advise what the problem could be.
Thanks

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: dot1x fallback to local web authentication
« Reply #5 on: June 30, 2014, 11:10:57 PM »
You might want to verify the redirect ACL (on the switch) and the downloadable ACL (on ISE) and make sure they are correct. The redirect ACL should deny DHCP, DNS, and anything to ISE while allowing all http/https. The downloadable ACL should be pretty much the reverse of that. Note that this is different from wireless, since wireless uses only one ACL and anything that is not allowed in that ACL will automatically be redirected.
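
The switchport, redirect ACL and downloadable ACL described in this reply, written out as an added example that is not from the original thread. The ISE node address 192.0.2.10, the shared key, the ACL names, VLAN 100 and GigabitEthernet1/0/1 are placeholders, and the syntax is the classic IOS `authentication` command set rather than IBNS 2.0.

```cisco
! --- Global AAA / 802.1X (assumes a RADIUS server is already configured) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
ip device tracking
ip http server
ip http secure-server
! CoA from ISE moves the session from the redirect state to full access
aaa server radius dynamic-author
 client 192.0.2.10 server-key PLACEHOLDER-KEY
! --- Redirect ACL (configured on the switch): permit = intercept and redirect,
!     deny = let it through untouched. ISE's CWA authorization profile
!     references it by name (placeholder name).
ip access-list extended ACL-WEBAUTH-REDIRECT
 remark DHCP and DNS must never be redirected, or the client gets no lease or name resolution
 deny   udp any any eq bootps
 deny   udp any any eq bootpc
 deny   udp any any eq domain
 remark traffic to the ISE node itself (placeholder PSN address)
 deny   ip any host 192.0.2.10
 remark everything else on 80/443 is sent to the portal
 permit tcp any any eq www
 permit tcp any any eq 443
! --- Access port: dot1x first, MAB as fallback, so a PC without a working
!     supplicant still gets a session that the CWA catch-all rule can redirect
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
! --- dACL attached to the same ISE profile (entered on ISE, shown as IOS ACE
!     lines): the mirror image of the redirect ACL, so only DHCP, DNS and ISE
!     pass until CoA replaces it after the portal login.
! permit udp any eq bootpc any eq bootps
! permit udp any any eq domain
! permit ip any host 192.0.2.10
! deny ip any any
```

On the switch, `show authentication sessions interface GigabitEthernet1/0/1` should list the redirect ACL and URL for the session; as the rest of the thread shows, the redirect also needs the switch to have a Layer 3 path to the client VLAN.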

Offline spark_rod

  • Cisco Newbie
  • *
  • Posts: 9
  • Reputation: 1
  • Certification: CCNP
Re: dot1x fallback to local web authentication
« Reply #6 on: July 18, 2014, 06:35:15 PM »
Hi, the issue is resolved. It happens that in our network the client is connected to the Layer 2 switch and the SVI is on the distribution switch. We leaked the routing between the management and user VLANs. It's either create the SVI on the access switch or leak the routing between the two VLANs. Cisco TAC says this is the only solution for CWA to work in our setup.
