catalyst 3750 authentication session not showing URL Redirect ACL for MAB with ISE

teatrodelsogno — Mon, 11 Mar 2019 07:34:47 GMT

Hi Guys,

I've strange problem on catalyst 3750 I don't know if connected to the IOS or some missing on the configuration.

I'd like to authenticate some users with MAB-wired, from ISE radius log everithings seems look good, but on the "show authentication sessions" are missing some parameters that usually should appear:

SW-3750#sh authentication sessions interface fa1/0/11
            Interface: FastEthernet1/0/11
          MAC Address: 0021.ccd9.37be
           IP Address: 10.40.40.199
            User-Name: 00-21-CC-D9-37-BE
               Status: Authz Success
               Domain: DATA
       Oper host mode: single-host
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: N/A
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A0A0AFC000000010017381D
      Acct Session ID: 0x00000002
               Handle: 0xFD000001

Runnable methods list:
       Method   State
       mab      Authc Success

As you can see, part from URL redirect and URL redirect ACL are not showing!?

I was thinking some radius and vsa part missing, but on the switch I've:

aaa authentication dot1x default group radius
aaa server radius dynamic-author
client 10.20.20.200 server-key estremo
auth-type all
radius-server host 10.20.20.200 auth-port 1645 acct-port 1646
radius-server key xxxxxx
radius-server vsa send accounting
radius-server vsa send authentication

interface FastEthernet1/0/11
description GUEST
switchport access vlan 40
switchport mode access
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x max-req 10
dot1x max-reauth-req 10
spanning-tree portfast

SW-3750#sh aaa servers

RADIUS: id 1, priority 1, host 10.20.20.200, auth-port 1645, acct-port 1646
     State: current UP, duration 3192s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 1, timeouts 0

dot1x system-auth-control
dot1x critical eapol

ip device tracking

ip http server
ip http secure-server

ip access-list extended ACL_WEBAUTH_REDIRECT
deny ip any host 10.20.20.200
deny udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443

On the ISE monitoring, auth seems send the correct AV parameters:

Result

User-Name	00-21-CC-D9-37-BE
State	ReauthSession:0A0A0AFC000000010017381D
Class	CACS:0A0A0AFC000000010017381D:ise1/280058218/272
cisco-av-pair	url-redirect-acl=ACL_WEBAUTH_REDIRECT
cisco-av-pair	url-redirect=https://ise1.estremo.local:8443/portal/gateway?sessionId=0A0A0AFC000000010017381D&portal=a692c530-2230-11e6-99ab-005056bf55e0&action=cwa&token=e5afe6a346055cbaca8dab304e3541af
cisco-av-pair	ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-pre-webauth-ACL-58da9681
cisco-av-pair	profile-name=Unknown
LicenseTypes	Base license consumed

And Policy auth auth are configured in attachement

Do you have some ideas?

regards

Anybody? :-)

teatrodelsogno — Wed, 29 Mar 2017 21:01:13 GMT

Anybody? 🙂

Re: catalyst 3750 authentication session not showing URL Redirect ACL for MAB with ISE

trimmy — Wed, 13 Jun 2018 11:32:57 GMT

did you ever get this fixed? I have same issue on 2960S - the correct authorization policy is matched, but dACL and redirect URLs are not getting to user interface.

Re: catalyst 3750 authentication session not showing URL Redirect ACL for MAB with ISE

Rob Ingram — Wed, 13 Jun 2018 12:21:00 GMT

@trimmy post your configuration please. This is an old thread but from the output provided it looks like the "aaa authorization...." commands are missing.

topic Re: catalyst 3750 authentication session not showing URL Redirect ACL for MAB with ISE in Network Access Control

catalyst 3750 authentication session not showing URL Redirect ACL for MAB with ISE

Result

Anybody? :-)

Re: catalyst 3750 authentication session not showing URL Redirect ACL for MAB with ISE

Re: catalyst 3750 authentication session not showing URL Redirect ACL for MAB with ISE