topic Re: ISE Wired guest portal redirect even after authentication in Network Access Control

ISE Wired guest portal redirect even after authentication

pemasirid — Mon, 11 Mar 2019 03:14:28 GMT

I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however the when trying with Wired, the redireciton page is keep getting even after user authenticated.

I'm not seen the redirection authorization policy in my logs however I can see only the user authentication logs (successful). Attached is my configuration and logging output.

Here is what I see on the interface

ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19

Interface: GigabitEthernet4/0/19

MAC Address: a0b3.ccca.2ab1

IP Address: 10.1.3.16

User-Name: A0-B3-CC-CA-2A-B1

Status: Authz Success

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Authorized By: Authentication Server

Vlan Policy: N/A

URL Redirect ACL: ACL-WEBAUTH-REDIRECT

URL Redirect: https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa

Session timeout: N/A

Idle timeout: N/A

Common Session ID: AC14011F000001571E52779F

Acct Session ID: 0x00000309

Handle: 0xE6000158

Runnable methods list:

Method State

dot1x Failed over

mab Authc Success

Here is the ACL

Extended IP access list ACL-WEBAUTH-REDIRECT

10 deny udp any any eq domain (1344 matches)

20 deny ip any host 172.20.5.12 (8122 matches)

30 deny ip any host 172.20.5.14

40 permit tcp any any eq www (3124 matches)

50 permit tcp any any eq 443 (202927 matches)

60 permit tcp any any eq 8080 (114 matches)

70 permit ip any any (8056 matches)

ISE Wired guest portal redirect even after authentication

r.mohannad — Thu, 28 Mar 2013 07:40:23 GMT

Can you please tell us what is your switch model, also the configratoin on the interface ...

Thanks

ISE Wired guest portal redirect even after authentication

pemasirid — Thu, 28 Mar 2013 12:47:43 GMT

Sorry, I missed to write the swtich/software details.. here it is:

WS-C2960S-48FPD-L IOS version: 15.0(2)SE1

ISE Wired guest portal redirect even after authentication

r.mohannad — Fri, 29 Mar 2013 12:45:27 GMT

Try to

remove the last policy "Guest Wired Redirect"

change "Wired MAB" policy to be :

"NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions

without Wired_MAB condition

Remove the first two policices and add new one at the top "GUEST" policy:

GUEST if Network Access:UseCase EQUALS Guest Flow then PermitAccess

let me know if this works

Re: ISE Wired guest portal redirect even after authentication

pemasirid — Sun, 31 Mar 2013 07:39:14 GMT

Hi Mohannad,

I tried with the above changes, but now it seems it does not hit those policies as I see I'm getting default Deny Access authorization policy. Then I enabled previosuly created Wired_MAB and got the login portal and after giving the username/passwords it again redirecting the same login portal.

Attached is my Authorization policy and logging screen shots. We need to the reason for "Dynamic Authentication Failed" error we see after username/password accepted.

Screen shots are attached as stated.

Regards,

Re: ISE Wired guest portal redirect even after authentication

r.mohannad — Sun, 31 Mar 2013 09:31:56 GMT

The changes should work. Can you past the interface configration of the switch, please make sure the MAB is enabled.

Also, make sure in the authentication in the ISE continue if the user was not found as shown in the bellow figure

http://www.cisco.com/image/gif/paws/113362/web-auth-ise-03.gif

Re: ISE Wired guest portal redirect even after authentication

pemasirid — Sun, 31 Mar 2013 09:37:50 GMT

Hi Mohannad,

Thanks for your response.

Actually the as per the configuration it should work, I'm still trying to find out what is what has gone wrong with this configuration. Infact I have tested with 3560 switch with the same config and it worked. only difference here is we used 2960S switch.

We need to find out why the next Auth policy is not hitting once user is authenticated.

Here is the port configuration and the authen status of the port.

ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19

Building configuration...

Current configuration : 427 bytes

interface GigabitEthernet4/0/19

switchport access vlan 103

switchport mode access

switchport voice vlan 135

authentication event fail action next-method

authentication host-mode multi-auth

authentication order dot1x mab

authentication priority dot1x mab webauth

authentication port-control auto

authentication violation restrict

mab

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

end

ABQT-3FLR-ACC-01#

Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)

ABQT-3FLR-ACC-01#

ABQT-3FLR-ACC-01#sh atuh

ABQT-3FLR-ACC-01#sh atu

ABQT-3FLR-ACC-01#sh authe

ABQT-3FLR-ACC-01#sh authentication se

ABQT-3FLR-ACC-01#sh authentication sessions in

ABQT-3FLR-ACC-01#sh authentication sessions interface gi

ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19

Interface: GigabitEthernet4/0/19

MAC Address: 0015.c5b4.fd4a

IP Address: 10.1.3.23

User-Name: 00-15-C5-B4-FD-4A

Status: Authz Success

Domain: DATA

Oper host mode: multi-auth

Oper control dir: both

Authorized By: Authentication Server

Vlan Policy: N/A

URL Redirect ACL: ACL-WEBAUTH-REDIRECT

URL Redirect: https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa

Session timeout: N/A

Idle timeout: N/A

Common Session ID: AC14011F0000018A32B4D906

Acct Session ID: 0x00000394

Handle: 0x3E00018B

Runnable methods list:

Method State

dot1x Failed over

mab Authc Success

Re: ISE Wired guest portal redirect even after authentication

pemasirid — Sun, 31 Mar 2013 09:52:42 GMT

Hi Mohannad,

I found the issue and fixed it and its working perfectly now.

The issue was on radius dynamic-author key, so I re-configured the key and started working

aaa server radius dynamic-author

client X.X.X.X server-key xxxxx

thanks a lot for all your responses.

Re: ISE Wired guest portal redirect even after authentication

r.mohannad — Mon, 01 Apr 2013 06:28:27 GMT

Good News pemasirid