https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5206128#M592342 <P>On the wired client, can you open a command prompt and see if the DNS resolution of the ISE portal FQDN resolves in the IP address of the ISE PSN?</P> Wed, 09 Oct 2024 21:15:47 GMT Arne Bier 2024-10-09T21:15:47Z https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5203640#M592191 <P>Hi friends<BR />I have to configure wired guest access with ise, I don't know if anyone has any idea of ​​the errors I have in the live log, nothing appears, these are my configurations in the switch:</P> <P>aaa authentication dot1x default group radius<BR />aaa authorization network default group radius<BR />aaa accounting dot1x default start-stop group radius<BR />!<BR />aaa server radius dynamic-author<BR />client 172.22.4.194 server-key 123456<BR />radius-server vsa send accounting<BR />radius-server vsa send authentication<BR />!<BR />radius server RADIUS<BR />address ipv4 172.22.4.194 auth-port 1812 acct-port 1813<BR />key 123456</P> <P>ip device tracking probe delay 10<BR />ip device tracking<BR />dot1x system-auth-control</P> <P>interface FastEthernet0/4<BR />switchport access vlan 209<BR />switchport mode access<BR />switchport voice vlan 202<BR />authentication open<BR />authentication order mab webauth<BR />authentication priority mab webauth<BR />authentication port-control auto<BR />mab<BR />dot1x pae authenticator<BR />dot1x timeout tx-period 10<BR />spanning-tree portfast<BR />!<BR />ip access-list extended ACL-WEBAUTH-REDIRECT<BR />deny ip any host 172.22.4.194<BR />permit tcp any any eq www<BR />permit udp any any eq domain</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_0-1728066094847.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/230591iF08FFF8B5829EC6F/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_0-1728066094847.png" alt="LeoTI_0-1728066094847.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_1-1728066258994.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/230594iC0571B8487CC2B83/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_1-1728066258994.png" alt="LeoTI_1-1728066258994.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_2-1728066311069.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/230595iFDEF3C781092974E/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_2-1728066311069.png" alt="LeoTI_2-1728066311069.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_3-1728066349924.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/230596i1E007CD43E671F31/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_3-1728066349924.png" alt="LeoTI_3-1728066349924.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_4-1728066382760.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/230597i8DEE107005862A45/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_4-1728066382760.png" alt="LeoTI_4-1728066382760.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_5-1728066509421.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/230598i73B6FC12B3C15B9F/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_5-1728066509421.png" alt="LeoTI_5-1728066509421.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_6-1728066529568.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/230599iD9A747C4F3C33D00/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_6-1728066529568.png" alt="LeoTI_6-1728066529568.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 04 Oct 2024 18:31:17 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5203640#M592191 Leo TI 2024-10-04T18:31:17Z https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5203649#M592192 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/839551">@Leo TI</a>&nbsp;</P> <P>Check this. You are assigning the group "radius" to the aaa config but I dont see this group on the config. Rather I see the RADIUS in the radius server.</P> <P>&nbsp;The name radius on group is not a default name, I believe this is suppose to represent your radius group..</P> <P>aaa authentication dot1x default group radius<BR />aaa authorization network default group radius<BR />aaa accounting dot1x default start-stop group radius<BR />!<BR />aaa server radius dynamic-author<BR />client 172.22.4.194 server-key 123456<BR />radius-server vsa send accounting<BR />radius-server vsa send authentication<BR />!<BR />radius server RADIUS<BR />address ipv4 172.22.4.194 auth-port 1812 acct-port 1813<BR />key 123456</P> Fri, 04 Oct 2024 19:05:32 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5203649#M592192 Flavio Miranda 2024-10-04T19:05:32Z https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5203685#M592199 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/839551">@Leo TI</a>&nbsp;- the config looks like something out of a very old textbook - I would suggest to look at a more<A href="https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_self"> contemporary way of configuring this</A> - and I would also suggest using a named aaa group, instead of the "group radius" - I have never used this style of config, because it seems like it's a lazy/default way to let IOS select any/all radius server definitions - instead, I always create a radius group, and then inside that group, refer to my named radius server definitions.&nbsp;</P> <P>If no RADIUS traffic is hitting ISE then also check things like source interface used for RADIUS - if your switch has multiple SVI's, then IOS will auto select the lowest numbered one for sending RADIUS - this might not match what you intended and ISE will ignore/drop those packets. Run a tcpdump on ISE to see if you get anything.</P> <P>Useful commands</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">test aaa show aaa servers</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 04 Oct 2024 21:49:58 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5203685#M592199 Arne Bier 2024-10-04T21:49:58Z https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5205864#M592331 <P>Do you have any configuration guide that you can tell me?</P> <P>It only accepts me with other policies, with the wired guest policy the tests do not work for me</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_0-1728487013475.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/230939iBAA85237DAB9AA88/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_0-1728487013475.png" alt="LeoTI_0-1728487013475.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 09 Oct 2024 15:20:13 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5205864#M592331 Leo TI 2024-10-09T15:20:13Z https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5206007#M592335 <P>It seems to me that it works in the ISE because it goes to the authorization to redirect, I also see that in the switch there are matches with the specific ACL, but in the host it does not redirect to the ISE web page to enter the credentials and if I force it in the browser it appears to me that no radius sessions have been found, in addition to the fact that the host has full access, the ACL is not working</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_0-1728496840907.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/230973i69067F86866E7FE9/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_0-1728496840907.png" alt="LeoTI_0-1728496840907.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_1-1728496936154.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/230974iBB4B2CA8FA290B07/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_1-1728496936154.png" alt="LeoTI_1-1728496936154.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_2-1728497001171.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/230975iB5942DF239E84D7F/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_2-1728497001171.png" alt="LeoTI_2-1728497001171.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_3-1728497090019.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/230977iE68E93DD40FDB61B/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_3-1728497090019.png" alt="LeoTI_3-1728497090019.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 09 Oct 2024 18:09:12 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5206007#M592335 Leo TI 2024-10-09T18:09:12Z https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5206128#M592342 <P>On the wired client, can you open a command prompt and see if the DNS resolution of the ISE portal FQDN resolves in the IP address of the ISE PSN?</P> Wed, 09 Oct 2024 21:15:47 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5206128#M592342 Arne Bier 2024-10-09T21:15:47Z https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5220594#M593022 <P>Hi friends<BR />I just recently got it working. I'll leave you the configurations I applied to both the switch and the ISE.</P> <P>aaa authentication dot1x default group radius</P> <P>aaa authorization network default group radius</P> <P>aaa accounting dot1x default start-stop group radius</P> <P>&nbsp;</P> <P>radius server Grupo-ISE</P> <P>&nbsp;address ipv4 172.22.4.194 auth-port 1812 acct-port 1813</P> <P>&nbsp;key 123456</P> <P>aaa server radius dynamic-author</P> <P>&nbsp;client 172.22.4.194 server-key 123456</P> <P>&nbsp;</P> <P>ip device tracking probe delay 10</P> <P>ip device tracking</P> <P>&nbsp;</P> <P>dot1x system-auth-control</P> <P>interface FastEthernet0/5</P> <P>&nbsp;switchport access vlan 209</P> <P>&nbsp;switchport mode access</P> <P>&nbsp;authentication event fail action next-method</P> <P>&nbsp;authentication open</P> <P>&nbsp;authentication order dot1x mab webauth</P> <P>&nbsp;authentication priority dot1x mab webauth</P> <P>&nbsp;authentication port-control auto</P> <P>&nbsp;mab</P> <P>&nbsp;dot1x pae authenticator</P> <P>&nbsp;dot1x timeout tx-period 10</P> <P>&nbsp;</P> <P>ip http server</P> <P>ip http secure-server</P> <P>&nbsp;</P> <P>ip access-list extended ACL-WEBAUTH-REDIRECT</P> <P>&nbsp;deny&nbsp;&nbsp; udp any any eq domain</P> <P>&nbsp;permit tcp any any eq www</P> <P>&nbsp;permit tcp any any eq 443</P> <P>&nbsp;permit icmp any any</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_0-1730836856784.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/233248iFE34944EF2A5C499/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_0-1730836856784.png" alt="LeoTI_0-1730836856784.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_1-1730836871998.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/233249i0F2B3789B085EEBC/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_1-1730836871998.png" alt="LeoTI_1-1730836871998.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_2-1730836925167.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/233250i746E633E1864749E/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_2-1730836925167.png" alt="LeoTI_2-1730836925167.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LeoTI_3-1730836940644.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/233251iF595CE4AAA6971AB/image-size/medium?v=v2&amp;px=400" role="button" title="LeoTI_3-1730836940644.png" alt="LeoTI_3-1730836940644.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 05 Nov 2024 20:13:00 GMT https://community.cisco.com/t5/network-access-control/ise-guest-access-wired/m-p/5220594#M593022 Leo TI 2024-11-05T20:13:00Z