Hi Everyone.

I need a feature which could control the network access and permit traffic only from users that provide proper credentials. In branch office there are few users - all network services are located in central office.

Users access them via IPsec VPN S2S. In assumption a user provide credentials. If he authenticates successfully the tcp traffic is allowed, otherwise is blocked.

I cannot use 802.1x here - access switches in that location do not support this feature. I tried the web authentication configuration on the router (c880data-universalk9-mz.152-3.T.bin) but it works partially.

Only the http traffic is being blocked - when user open web browser he is prompted for login in password - at the same time the tcp traffic is allowed. I do not know where is the problem.

I am not sure if this configuration could be done on IOS. On ASA such configuraion is easy with no sophisticaded configuration.

Do you have any ideas?

aaa new-model
aaa authentication login default group radius
aaa authentication login ssh local
aaa authorization auth-proxy default group radius
ip admission max-login-attempts 5
ip admission name webauth1 proxy http list 113
ip radius source-interface Vlan1
radius-server host 10.0.0.11 auth-port 1812 acct-port 1813 key Rad1

interface Vlan1
 ip address 192.168.18.1 255.255.255.0
 ip access-group 112 in
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 authentication order webauth
 hold-queue 32 in
 hold-queue 100 out
 ip admission webauth1
access-list 112 permit ip 192.168.18.0 0.0.0.255 any
access-list 113 permit tcp 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255

Regards