topic Re: Guest Access / CWA / Central Web Authentication - ISE 2.6 Patch 3 - Wired in Network Access Control

Guest Access / CWA / Central Web Authentication - ISE 2.6 Patch 3 - Wired

fabian.kaltenschnee — Fri, 10 Jan 2020 14:54:48 GMT

Hey folks,

i'm trying to get this working. i jsut want a captive portal popping up when a wired client runs in the default rule.

i tried with 2960s and 2960x. and with different versions. it only works (i type e.g. www.google.com and i get redirected to ise.. works perfect) with an old Version and only on the 2960s:

c2960s-universalk9-mz.150-2.SE12.bin

2960x doenst work at all

So costumer wise i have to use the newest or recommendet ios and cant downgrade to 15.0x... at least for the 2960s.. as mentioned earlier... 2960x doenst work at all.. also tried with different IOS releases.

i used this guide here:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

Thats my config:

aaa group server radius ISE_RADIUS
server name ISE01
ip radius source-interface Vlan172
!
aaa authentication dot1x default group ISE_RADIUS
aaa authorization network default group ISE_RADIUS
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE_RADIUS
aaa accounting network default start-stop group ISE_RADIUS
!!
aaa server radius dynamic-author
client 172.17.0.60 server-key xxxx

dot1x system-auth-control
dot1x critical eapol

interface GigabitEthernet1/0/1
switchport access vlan 172
switchport mode access
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 1
spanning-tree portfast

ip http server

ip device tracking
ip http secure-server
!

ip access-list extended cwa
permit tcp any any eq www
permit tcp any any eq 443
deny ip any host 172.17.0.60
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server ISE01
address ipv4 172.17.0.60 auth-port 1812 acct-port 1813
key xxxx

Output 2960x ... looks correct, but doesnt work. Yes i can copy the link and use it on thee client pc.. works...

Cat2960x#sho authentication sess int g1/0/4 d
Interface: GigabitEthernet1/0/4
MAC Address: 3c52.824a.646f
IPv6 Address: Unknown
IPv4 Address: 172.17.0.211
User-Name: 3C-52-82-4A-64-6F
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 172800s
Session Uptime: 12s
Common Session ID: AC1200290000000D0003ECAE
Acct Session ID: 0x00000003
Handle: 0xBD000002
Current Policy: POLICY_Gi1/0/4

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
URL Redirect: https://ise26.conti-ise.lan:8443/portal/gateway?sessionId=AC1200290000000D0003ECAE&portal=84b42d60-32ed-11ea-8487-460b91b8ec2e&action=cwa&token=3aecb01eb4c7adad773476c53309080a
URL Redirect ACL: cwa
ACS ACL: xACSACLx-IP-cwa_dacl-5e1732ca

Method status list:
Method State

dot1x Stopped
mab Authc Success

ISE Config:

So, what do i do wrong? i really have no idea.

Thanks in advance!

Re: Guest Access / CWA / Central Web Authentication - ISE 2.6 Patch 3 - Wired

Damien Miller — Fri, 10 Jan 2020 16:37:00 GMT

If you take a look at this guide (its jut the first one I pulled up), you will see the CWA ACL has the ISE nodes denied first. So I would start there. I previously used 15.2(2)E7 on the 2960x platform to do CWA without issue.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

This sample configuration gives full network access even if the user is not authenticated; therefore, you might want to restrict access to unauthenticated users.

In this configuration, HTTP and HTTPS browsing does not work without authentication (per the other ACL) since ISE is configured to use a redirect ACL (named redirect). Here is the definition on the switch:

ip access-list extended redirect
deny ip any host <ISE ip address>
permit TCP any any eq www
permit TCP any any eq 443

Re: Guest Access / CWA / Central Web Authentication - ISE 2.6 Patch 3 - Wired

fabian.kaltenschnee — Mon, 13 Jan 2020 09:33:18 GMT

Hey Damien, thanks for your reply.

I tried out what you said but no chance... it doesnt work.

As is said, i can copy the redirect url out of the logs of the switch and can access the login page of the ise.

But the f****** redirect doesnt work. i tried different browser.. the redirect never ever works...

So is it correct that the switch does the redirection itself?

Greetings

Fabian

Re: Guest Access / CWA / Central Web Authentication - ISE 2.6 Patch 3 - Wired

fabian.kaltenschnee — Tue, 14 Jan 2020 08:35:27 GMT

Ok with some research i figured out by myself...

problem is/was the firewall ...

(see pauls post here: https://community.cisco.com/t5/identity-services-engine-ise/no-redirect-on-wired-guest-portal-ise-v2-4/m-p/3701948/highlight/true#M17593)

firewall is still the problem but with a workaround, that the switch has an SVI in the guest subnet... then it works perfectly...

Re: Guest Access / CWA / Central Web Authentication - ISE 2.6 Patch 3 - Wired

Jason Kunst — Tue, 14 Jan 2020 18:05:14 GMT

@fabian.kaltenschnee wrote:

Ok with some research i figured out by myself...

problem is/was the firewall ...

(see pauls post here: https://community.cisco.com/t5/identity-services-engine-ise/no-redirect-on-wired-guest-portal-ise-v2-4/m-p/3701948/highlight/true#M17593)

firewall is still the problem but with a workaround, that the switch has an SVI in the guest subnet... then it works perfectly...

Check out this guide as well

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475