topic Re: Guest CWA - portal not redirecting in Network Access Control

Guest CWA - portal not redirecting

creserva1 — Wed, 06 Jun 2018 20:26:05 GMT

I have been testing WebAuth on a switch but I have been stuck and unable to get the url redirection comes up. The policy for authentication and authorization it hits on ISE but the redirections is not working.

interface GigabitEthernet0/5

switchport access vlan 14

switchport mode access

ip access-group ACL-DEFAULT in

authentication periodic

authentication timer reauthenticate server

access-session port-control auto

access-session control-direction in

mab

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

spanning-tree bpduguard enable

service-policy type control subscriber DOT1X-DEFAULT

3560X#show access-session int gi 0/5 de

3560X#show access-session int gi 0/5 details

Interface: GigabitEthernet0/5

MAC Address: XX-XX-XX-XX

IPv6 Address: Unknown

IPv4 Address: 10.x.x.x

User-Name: XX-XX-XX-XX

Status: Unauthorized

Domain: DATA

Oper host mode: multi-auth

Oper control dir: in

Session timeout: N/A

Common Session ID: 0A0A0110000005C686B230A0

Acct Session ID: Unknown

Handle: 0x0D00050C

Current Policy: DOT1X-DEFAULT

Method status list:

Method State

dot1x Stopped

mab Authc Success

ACL Switch

ip access-list extended ACL-DEFAULT

permit udp any eq bootpc any eq bootps

permit udp any any eq domain

permit icmp any any

permit udp any any eq tftp

permit tcp any host 10.96.50.181 eq www

permit tcp any host 10.96.50.181 eq 443

permit tcp any host 10.96.50.181 eq 8443

permit tcp any host 10.96.50.182 eq www

permit tcp any host 10.96.50.182 eq 443

permit tcp any host 10.96.50.182 eq 8443

deny ip any any log

ip access-list extended ACL-WEBAUTH-REDIRECT

deny udp any any eq domain

deny tcp any any eq 8905

deny tcp any any eq 8443

permit tcp any any eq www

permit tcp any any eq 443

deny ip any any

DACL

permit udp any any eq bootps

permit udp any any eq domain

permit tcp any any eq domain

remark ping for troubleshooting

permit icmp any any echo

permit icmp any any echo-reply

remark allow web traffic to kick off redirect

permit tcp any any eq www

permit tcp any any eq 443

remark mandatory for ISE PSN for Guest Portal Access

permit tcp any host 10.96.50.181 eq 8443

permit tcp any host 10.96.50.181 eq 8905

permit tcp any host 10.96.50.181 eq 8909

permit tcp any host 10.96.50.181 range 8905 8906

permit udp any host 10.96.50.181 eq 8909

permit tcp any host 10.96.50.182 eq 8443

permit tcp any host 10.96.50.182 eq 8905

permit tcp any host 10.96.50.182 eq 8909

permit tcp any host 10.96.50.182 range 8905 8906

permit udp any host 10.96.50.182 eq 8909

deny ip any any

Re: Guest CWA - portal not redirecting

Timothy Abbott — Thu, 07 Jun 2018 13:26:37 GMT

Are you referencing ACL-WEBAUTH-REDIRECT in your authorization result?

Regards,

-Tim

Re: Guest CWA - portal not redirecting

Jason Kunst — Thu, 07 Jun 2018 15:05:43 GMT

Did you check this document as well?

https://communities.cisco.com/docs/DOC-77590

Re: Guest CWA - portal not redirecting

creserva1 — Thu, 07 Jun 2018 20:19:11 GMT

Yes I am. I have that on under profile authorizations then CWA then ACL were I added the name ACL-WEBAUTH-REDIRECT. It is applying authentication and authorization it is just the CWA does not comes up.

I also tried remove the dot1x system auth kind a disabling the dot1x globally and then re-adding it back.

Re: Guest CWA - portal not redirecting

creserva1 — Thu, 07 Jun 2018 20:20:24 GMT

Yes I did follow that guide and also this https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-7…

Re: Guest CWA - portal not redirecting

Jason Kunst — Thu, 07 Jun 2018 20:22:21 GMT

Would recommend contacting the tac to see what you’re doing wrong then

Re: Guest CWA - portal not redirecting

Dustin Anderson — Thu, 07 Jun 2018 21:30:28 GMT

Not sure, but one thing we have that I don't see is permitting DNS? I also only have a redirect on wireless, so may be different.

Re: Guest CWA - portal not redirecting

hslai — Thu, 07 Jun 2018 22:29:09 GMT

Since the session is mac authc success but unauthorized, I would suggest to double check the text typed in as the redirect ACL. It can be a problem when copied from a word doc or PDF file such that "-" is not regular ASCII character. If that does not help, then please look it up in the Cisco IOS release used on the switch and find what debug commands equivalent to "debug aaa attr" and "debug aaa authorization".

Re: Guest CWA - portal not redirecting

creserva1 — Fri, 08 Jun 2018 14:09:19 GMT

Here is my

Switch ACL

ACL-DEFAULT

10 permit udp any eq bootpc any eq bootps

20 permit udp any any eq domain

30 permit icmp any any

40 permit udp any any eq tftp

50 permit tcp any host 10.x.x.x eq www

60 permit tcp any host 10.x.x.x eq 443

70 permit tcp any host 10.x.x.x eq 8443

80 permit tcp any host 10.x.x.x eq www

90 permit tcp any host 10.x.x.x eq 443

100 permit tcp any host 10.x.x.x eq 8443

Switch ACL

ACL-WEBAUTH-REDIRECT

9 deny udp any any eq domain (2 matches)

20 permit tcp any any eq www (10 matches)

30 permit tcp any any eq 443 (28 matches)

ISE - DACL-pre-WebAuth

permit udp any any eq bootps

permit udp any any eq domain

permit tcp any any eq domain

remark ping for troubleshooting

permit icmp any any echo

permit icmp any any echo-reply

remark allow web traffic to kick off redirect

permit tcp any any eq www

permit tcp any any eq 443

remark mandatory for ISE PSN for Guest Portal Access

permit tcp any host 10.x.x.x eq 8443

permit tcp any host 10.x.x.x eq 8905

permit tcp any host 10.x.x.x eq 8909

permit tcp any host 10.x.x.x range 8905 8906

permit udp any host 10.x.x.x eq 8909

permit tcp any host 10.x.x.x eq 8443

permit tcp any host 10.x.x.x eq 8905

permit tcp any host 10.x.x.x eq 8909

permit tcp any host 10.x.x.x range 8905 8906

permit udp any host 10.x.x.x eq 8909

Profile-GuestWebAuth

Access Type = ACCESS_ACCEPT

DACL = DACL-pre-WebAuth

cisco-av-pair = url-redirect-acl=ACL_WEBAUTH_REDIRECT

cisco-av-pair = url-redirect=https://10.x.x.x:port/portal/gateway?sessionId=(I removed the sessions id)=cwa

I turn on debug for radius

Log Buffer (4096 bytes):

8 14:00:54.026: RADIUS: Vendor, Cisco [26] 47

Jun 8 14:00:54.026: RADIUS: Cisco AVpair [1] 41 "ip:inacl#2=permit udp any any eq domain"

Jun 8 14:00:54.026: RADIUS: Vendor, Cisco [26] 47

Jun 8 14:00:54.026: RADIUS: Cisco AVpair [1] 41 "ip:inacl#3=permit tcp any any eq domain"

Jun 8 14:00:54.026: RADIUS: Vendor, Cisco [26] 50

Jun 8 14:00:54.026: RADIUS: Cisco AVpair [1] 44 "ip:inacl#4=remark ping for troubleshooting"

Jun 8 14:00:54.026: RADIUS: Vendor, Cisco [26] 43

Jun 8 14:00:54.026: RADIUS: Cisco AVpair [1] 37 "ip:inacl#5=permit icmp any any echo"

Jun 8 14:00:54.026: RADIUS: Vendor, Cisco [26] 49

Jun 8 14:00:54.026: RADIUS: Cisco AVpair [1] 43 "ip:inacl#6=permit icmp any any echo-reply"

Jun 8 14:00:54.026: RADIUS: Vendor, Cisco [26] 64

Jun 8 14:00:54.026: RADIUS: Cisco AVpair [1] 58 "ip:inacl#7=remark allow web traffic to kick off redirect"

Jun 8 14:00:54.026: RADIUS: Vendor, Cisco [26] 44

Jun 8 14:00:54.026: RADIUS: Cisco AVpair [1] 38 "ip:inacl#8=permit tcp any any eq www"

Jun 8 14:00:54.026: RADIUS: Vendor, Cisco [26] 44

Jun 8 14:00:54.026: RADIUS: Cisco AVpair [1] 38 "ip:inacl#9=permit tcp any any eq 443"

Jun 8 14:00:54.026: RADIUS: Vendor, Cisco [26] 72

Jun 8 14:00:54.026: RADIUS: Cisco AVpair [1] 66 "ip:inacl#10=remark mandatory for ISE PSN for Guest Portal Access"