topic Not Working-central web-authentication with a switch and Identit in Network Access Control

Not Working-central web-authentication with a switch and Identity Service Engine

Nuno Moreira — Mon, 11 Mar 2019 01:57:19 GMT

on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...

I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.

The interface configuration looks like this:

interface FastEthernet0/24

switchport access vlan 6

switchport mode access

switchport voice vlan 20

ip access-group webauth in

authentication event fail action next-method

authentication event server dead action authorize

authentication event server alive action reinitialize

authentication order mab

authentication priority mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication violation restrict

mab

spanning-tree portfast

end

The ACL's

Extended IP access list webauth

10 permit ip any any

Extended IP access list redirect

10 deny ip any host 172.22.2.38

20 permit tcp any any eq www

30 permit tcp any any eq 443

The ISE side configuration I follow it step by step...

When I conect the XP client, e see the following Autenthication session...

swlx0x0x#show authentication sessions interface fastEthernet 0/24

Interface: FastEthernet0/24

MAC Address: 0015.c549.5c99

IP Address: 172.22.3.184

User-Name: 00-15-C5-49-5C-99

Status: Authz Success

Domain: DATA

Oper host mode: single-host

Oper control dir: both

Authorized By: Authentication Server

Vlan Group: N/A

URL Redirect ACL: redirect

URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa

Session timeout: N/A

Idle timeout: N/A

Common Session ID: AC16011F000000490AC1A9E2

Acct Session ID: 0x00000077

Handle: 0xB7000049

Runnable methods list:

Method State

mab Authc Success

But there is no redirection, and I get the the following message on switch console:

756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host

756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...

I have to mention I'm using an http proxy on port 8080...

Any Ideas on what is going wrong?

Regards

Nuno

Not Working-central web-authentication with a switch and Identit

Federico Ziliotto — Wed, 28 Mar 2012 16:04:24 GMT

Hi Nuno,

There are some chances you may be hitting something similar to the following bug CSCtk75751:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk75751

Symptom:

epm-redirect:IP=N.N.N.N: No redirection policy for this host

above message is displayed if traffic matches redirect acl if only a single host is present on the interface

Conditions:

url-redirect configured as a policy and only a single host present on the interface.

Workaround:

Just to exclude this assumption, would you be able to test with 12.2(55)SE3 for example?

Regards,

Fede

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Not Working-central web-authentication with a switch and Identit

Nicolas Darchis — Thu, 29 Mar 2012 05:56:39 GMT

Federico's point is valid, but I'm also thinking that if you are using an http proxy on port 8080, it means that your client PC will only talk to this proxy on port 8080 and it's the proxy who will send the real HTTP/HTTPS requests. So you should be redirecting port 8080 as well on your switch ACL.

I've never did this setup with a proxy but I think it would be required in your case.

Not Working-central web-authentication with a switch and Identit

Pedro Santos — Thu, 29 Mar 2012 11:45:31 GMT

OK, so I upgraded the IOS to version

SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M

I tweak with ACL's to the following:

Extended IP access list redirect

10 permit ip any any (13 matches)

and created a DACL that is downloaded along with the authentication

Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)

10 permit ip any any

I can see the epm session

swlx0x0x#show epm session ip 172.22.3.74
Admission feature: DOT1X

ACS ACL: xACSACLx-IP-redirect-4f743d58

URL Redirect ACL: redirect

URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa

And authentication

swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99

     IP Address: 172.22.3.74
     User-Name: 00-15-C5-49-5C-99
     Status: Authz Success
     Domain: DATA
     Oper host mode: multi-auth
     Oper control dir: both
     Authorized By: Authentication Server
     Vlan Group: N/A
     ACS ACL: xACSACLx-IP-redirect-4f743d58
     URL Redirect ACL: redirect
     URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa

Session timeout: N/A

Idle timeout: N/A
Common Session ID: AC16011F000000160042BD98

Acct Session ID: 0x0000001B

Handle: 0x90000016

Runnable methods list:

Method State

mab Authc Success

on the logging, I get the following messages...

017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...

017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271

017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success

017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]

017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24

017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...

017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet

What I'm I missing?

Not Working-central web-authentication with a switch and Identit

Nicolas Darchis — Thu, 29 Mar 2012 11:56:01 GMT

With a permit ip any any, your switch will try to redirect on all kinds of packets, so this log extract can be for a dns packet or whatsoever, so it could be legitimate.

Now if there's only this type of log then yes it's concerning. I haven't seen this yet.

To rule out (and I like to rule out things, it makes thinking simpler 🙂 ) the proxy, coudl you remove your proxy configuration ?

Your PC would then send traffic on port 80 and the setup would be simpler. If you then get the redirection, we know the issue is related with port 8080 or the proxy system.

Not Working-central web-authentication with a switch and Identit

Nuno Moreira — Thu, 29 Mar 2012 15:18:25 GMT

Yes, I already tried that...

I also tried with a new ACL

10 permit tcp any any eq www

20 permit tcp any any eq 443 (6 matches)

30 permit tcp any any eq 8080

40 permit udp any eq bootpc any eq bootps (14 matches)

50 permit udp any any eq domain (850 matches)

60 permit icmp any any (8 matches)

But nothing seems to redirect the webAuthentication...

Not Working-central web-authentication with a switch and Identit

Tarik Admani — Thu, 29 Mar 2012 20:03:37 GMT

Nuno - give this a shot here is a note in the webauth guide:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html

Note:

WebAuth can intercept nonstandard ports using an IP port-to-application map (PAM) entry that maps a new port to HTTP (or HTTPS). In addition, the Cisco IOS Software HTTP server needs to be reconfigured to listen on the nonstandard port. However, the Cisco IOS Software HTTP server can run only on a single port. Therefore, support for port 80 and a nonstandard port are mutually exclusive. If PAM is used to remap the port used for HTTP, then URLs that reference the default port (80) will not trigger redirection. In addition, if traffic to the default router is bridged through a stateful firewall, that firewall will have to turn off stateful inspection for the remapped port.

I found the command on my 3750 which is (ip port-map http....) however I dont know as of yet if that will work on the 2960, give this a try to see if it listens on 8080.

thanks,

Tarik Admani

Not Working-central web-authentication with a switch and Identit

Nuno Moreira — Thu, 05 Apr 2012 10:24:34 GMT

proxy on port 8080 is only intended for Internet use, and even if the proxy could interfere with the web authentication, when I remove proxy settings it still isn't working...

for the ip port-map http... I did map http on port 8080, and changed the ACL

swlx0x0x#show ip port-map

Default mapping: https port 443 system defined

Default mapping: http port 8080 user defined

Default mapping: http port 80 system defined

to be honest, the DACL is having hits

permit tcp any any eq 443 (6 matches)

permit tcp any any eq www (9 matches)

and the switch ACL is also having hits

Extended IP access list ACL-WEBAUTH-REDIRECT

10 permit tcp any gt 1 any gt 1 (276 matches)

And I can see on the logger that packests are identified for redirection

997210: Apr 5 10:17:19: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...

997211: Apr 5 10:17:19: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.159 Hash=356

997212: Apr 5 10:17:19: epm-redirect:IP=172.22.3.159: CacheEntryGet Success

997213: Apr 5 10:17:19: epm-redirect:IP=172.22.3.159: Ingress packet on [idb= FastEthernet0/24] matched with [acl=ACL-WEBAUTH-REDIRECT]

997214: Apr 5 10:17:19: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24

997215: Apr 5 10:17:19: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...

997216: Apr 5 10:17:19: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.159 Hash=356

997217: Apr 5 10:17:19: epm-redirect:IP=172.22.3.159: CacheEntryGet Success

997218: Apr 5 10:17:19: epm-redirect:IP=172.22.3.159: ingress traffic on [idb=FastEthernet0/24] matches url acl [ACL-WEBAUTH-REDIRECT]. ip_enqueue the packet

I'm running out of ideas...

Not Working-central web-authentication with a switch and Identit

Nicolas Darchis — Thu, 05 Apr 2012 10:28:13 GMT

do you have "ip http server" and 'ip http secure-server" configured on the switch ?

just a wild guess

Not Working-central web-authentication with a switch and Identit

Nuno Moreira — Thu, 05 Apr 2012 10:30:24 GMT

yep

ip http server

ip http secure-server

Not Working-central web-authentication with a switch and Identit

Guillaume BARBEROT — Mon, 25 Mar 2013 12:40:31 GMT

Hello

do you have an ip on your 2960 switch in the user vlan ?

I think (i am pretty sure) the switch need an IP to send http redirect to client (spoofing the IP of public web site with its MAC-adress)

Can you update us on your problem and resolution ?

be careful that a 2960 possibly can't have multiple enabled IPs in different vlans working at the same time ....

regards,

Guillaume

Re:Not Working-central web-authentication with a switch and Iden

jan.nielsen — Tue, 26 Mar 2013 01:07:24 GMT

Does your switch have routing from its mgmt IP to The guest network ?

Sent from Cisco Technical Support Android App

Not Working-central web-authentication with a switch and Identit

Martin Konov — Thu, 09 May 2013 12:54:21 GMT

Hi Nuno,

I have the same case as yours would you mind to share how you solved your issue ?

Thank you in advance !

Regards,

Martin

Not Working-central web-authentication with a switch and Identit

jdclingan — Tue, 19 Nov 2013 19:57:50 GMT

I had the same issue and it turned out to be my captive portal acl. See below:

This ACL MUST be configured on the switch beforehand (some documentation eludes to using a downloadable ACL for this)

This ACL MUST contain DENY statements for traffic going to External Portal.

This prevents traffic getting redirected to portal from getting stuck in a redirect loop

This ACL MUST contain PERMIT statements for traffic that you want the switch to intercept and redirect to the external portal

Here is an working example for redirecting traffic to captive port (1.1.1.1 in this and following examples):

ip access-list extended captive_portal
 deny   tcp any host 1.1.1.1
 permit tcp any any

turn on "ip device tracking"

fakharict — Fri, 11 Sep 2015 12:54:28 GMT

turn on "ip device tracking" on switch and it start redirecting the traffic.

I am having the same issue

2edc3rfc — Thu, 20 Apr 2017 00:10:32 GMT

I am having the same issue mentioned in this post and I've tried everything mentioned here, but still not able to get the switch to redirect to the portal.

Anyone got this working?