topic ISE doesn't remove URL redirect in Network Access Control

ISE doesn't remove URL redirect

sdeeks — Mon, 11 Mar 2019 02:27:08 GMT

We have an ISE problem, in that the URL redirect sent to the access switch for guest auth is not removed even after successful authentication.

Debug shows RADIUS activity as normal, 802.1X failover to MAB, then rediect to webauth;

003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889

003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889

003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889

003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY

https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa

| RESULT SUCCESS

NWS-TSL-HATB3F3-DistSW1#

003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245

000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)

003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT

NWS-TSL-HATB3F3-DistSW1#

https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa

| RESULT SUCCESS

003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889

003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889

003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889

003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY

003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa

| RESULT SUCCESS

NWS-TSL-HATB3F3-DistSW1#

Then after successful authentication, VLAN is moved and xACSACLx-IP-PERMIT_ALL_TRAFFIC is sent, but rediect is sent again from ISE. We've been over configs several times, but can't get to the bottom of this. Can anyone shed any light ?

003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245
000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa| RESULT SUCCESS
003142: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS

ISE doesn't remove URL redirect

Tarik Admani — Wed, 22 Aug 2012 16:29:53 GMT

Hi,

Do you have change of authorization configured globally on the ISE node? Check under Administration > Settings > Profiling > COA settings.

Also can you post the screenshot of the Operations > Authentications when this occurs? If CoA is enabled you should see an entry where dynamic authorization succeeds, letting the switch know that the condition of the endpoint has changed and to reauthorize the client.

If you have CoA enabled please check your policies, they work from a top down approach and need to have a condition that you would like for them to use, when they meet your requirements above any conditions that are used to address an uncertain conditions.

For example.

Rule 1 = Guests send permit access

Rule 2 = Any send Guest Portal

thanks,

Tarik Admani
*Please rate helpful posts*

ISE doesn't remove URL redirect

sdeeks — Thu, 23 Aug 2012 14:14:09 GMT

Fixed it !

Great info from Tarik above, which lead me to the issue. My authz policy for redirect didn't include the Network Access:Usecase=Host Lookup, so this policy still (incorrectly) remained =true after valid guest authentication. As this policy remained =true, ISE was correctly applying URL rediect. Once I sorted the policy, by adding ...AND Network Access:Usecase=Host Lookup, all wored as expected.

After valid guest auth we now see DACL 'PERMIT_GUEST' and move to VL1040 as expected, without the URL rediect.

003543: Aug 22 19:03:15.169: %EPM-6-POLICY_REQ: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT APPLY

003544: Aug 22 19:03:15.186: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-REQUEST

003545: Aug 22 19:03:15.354: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-SUCCESS

003546: Aug 22 19:03:15.354: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-WAIT

NWS-TSL-HATB3F3-DistSW1#

003547: Aug 22 19:03:15.849: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767

000069: Aug 22 19:03:15.241: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767 (NWS-TSL-HATB3F3-DistSW1-2)

NWS-TSL-HATB3F3-DistSW1#

003548: Aug 22 19:03:17.560: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT

003543: Aug 22 19:03:15.169: %EPM-6-POLICY_REQ: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT APPLY

003544: Aug 22 19:03:15.186: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-REQUEST

003545: Aug 22 19:03:15.354: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-SUCCESS

003546: Aug 22 19:03:15.354: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-WAIT

NWS-TSL-HATB3F3-DistSW1#

003547: Aug 22 19:03:15.849: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767

000069: Aug 22 19:03:15.241: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767 (NWS-TSL-HATB3F3-DistSW1-2)

NWS-TSL-HATB3F3-DistSW1#

003548: Aug 22 19:03:17.560: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT