09-06-2012 01:40 AM - edited 03-10-2019 07:30 PM
Hi Everyone.
I need a feature which could control network access and permit traffic only from users that provide proper credentials. In the branch office there are a few users - all network services are located in the central office.
Users access them via an IPsec site-to-site VPN. The assumption is that a user provides credentials. If he authenticates successfully, the TCP traffic is allowed; otherwise it is blocked.
I cannot use 802.1x here - the access switches in that location do not support this feature. I tried the web authentication configuration on the router (c880data-universalk9-mz.152-3.T.bin), but it works only partially.
Only the HTTP traffic is being blocked - when a user opens a web browser he is prompted for login and password - but at the same time the other TCP traffic is allowed. I do not know where the problem is.
I am not sure if this configuration can be done on IOS. On ASA such a configuration is easy, with nothing sophisticated needed.
Do you have any ideas?
aaa new-model
aaa authentication login default group radius
aaa authentication login ssh local
aaa authorization auth-proxy default group radius
ip admission max-login-attempts 5
ip admission name webauth1 proxy http list 113
ip radius source-interface Vlan1
radius-server host 10.0.0.11 auth-port 1812 acct-port 1813 key Rad1
!
interface Vlan1
 ip address 192.168.18.1 255.255.255.0
 ip access-group 112 in
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 authentication order webauth
 hold-queue 32 in
 hold-queue 100 out
 ip admission webauth1
!
! ACL 112 is the inbound interface ACL; ACL 113 selects the flows that trigger web authentication
access-list 112 permit ip 192.168.18.0 0.0.0.255 any
access-list 113 permit tcp 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255
Regards
09-06-2012 03:13 AM
Problem solved.
I removed ACL 112 and created a new one with "deny ip any any".
The proper ACL is pushed from the RADIUS server.
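As an added illustration (not the poster's own configuration), this is the shape of the fix described in the thread: the inbound interface ACL denies everything by default, and the per-user permit entries are returned by RADIUS as auth-proxy attributes, which IOS installs ahead of the interface ACL only after a successful login. The RADIUS reply attributes and their values are assumptions, not taken from the thread.

```cisco
! Added example; the RADIUS attribute values below are assumed, not from the thread.
! Router side: the ACL applied inbound on Vlan1 now denies all traffic by default,
! so an unauthenticated host gets nothing through except the HTTP intercept itself.
no access-list 112
access-list 112 deny ip any any
!
interface Vlan1
 ip access-group 112 in
 ip admission webauth1
!
! ACL 113 (unchanged) still selects which flows trigger the web login prompt.
access-list 113 permit tcp 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! RADIUS side (assumed): per-user auth-proxy profile returned in the Access-Accept.
! On success, IOS adds these as dynamic entries in front of ACL 112, scoped to the
! authenticated host's source address; they are removed when the entry times out.
!   Service-Type  = Outbound
!   cisco-avpair  = "auth-proxy:priv-lvl=15"
!   cisco-avpair  = "auth-proxy:proxyacl#1=permit tcp any 10.0.0.0 0.255.255.255"
!
! Verification: the authenticated host appears in the admission cache, and the
! dynamic permit entries show up ahead of the static deny in ACL 112.
!   show ip admission cache
!   show ip access-lists 112
```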