https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425223#M86592 <P>Hi,</P><P>Ok, I will go through the configuration to verify that the configuration is the same for wism2/5760 controllers. How have you configured your redirect acl? I am confused about using deny or permit in the acl entries... I read a lot of documentation and I came across with different redirect acl examples.</P><P>Could you share your redirect acls configured on foreign/anchor controllers? It would be very helpful.</P><P>Thank you very much.</P><P>Joana.</P> Fri, 25 Apr 2014 08:18:09 GMT Joana Manzano 2014-04-25T08:18:09Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425218#M86587 <P><SPAN style="font-family: arial, helvetica, sans-serif;">Hi</SPAN></P><P><SPAN style="font-family:arial,helvetica,sans-serif;">I am using these devices to setup Central Web Authentication for Guest Wireless:</SPAN></P><P>&nbsp;</P><OL><LI><SPAN style="font-family:arial,helvetica,sans-serif;">WiSM2 - 7.6.110.0: Foreing Controller.</SPAN></LI><LI><SPAN style="font-family:arial,helvetica,sans-serif;">WLC 5760 - 03.03.01SE: Anchor Controller.</SPAN></LI><LI><SPAN style="font-family:arial,helvetica,sans-serif;">Cisco ISE 1.1.X</SPAN></LI></OL><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">Mobility is UP between controllers. Clients can connect to GUEST SSID, get an IP address but they are never redirected to Cisco ISE Guest Portal for Authentication. Instead of going to ISE Web Portal, they can talk straight to the Internet bypassing any authentication.</SPAN></P><P><SPAN style="font-family:arial,helvetica,sans-serif;">I think the Pre-Auth ACL specified in the ISE Authorization Profile is not properly applied to the Clients so they are not restricted to talk to the Internet.</SPAN><BR />&nbsp;</P><P><SPAN style="font-family:arial,helvetica,sans-serif;">This is my configuration:</SPAN></P><P><SPAN style="font-family:arial,helvetica,sans-serif;"><U><STRONG>WiSM2:</STRONG></U></SPAN></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">1. Radius:</SPAN></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/1_13.jpg" class="migrated-markup-image" /><BR />&nbsp;</P><P><SPAN style="font-family:arial,helvetica,sans-serif;">2. WLAN GUEST - WLAN ID 2:<BR />&nbsp;<BR />&nbsp;</SPAN><IMG src="https://community.cisco.com/legacyfs/online/media/2_3.jpg" class="migrated-markup-image" /></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/3_0.jpg" class="migrated-markup-image" /></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/4_0.jpg" class="migrated-markup-image" /><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">&nbsp;<BR />3. ACLs:</SPAN></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">3.1 Unknown - Pre-Auth ACL that permits traffic to ISE.</SPAN></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/9.jpg" class="migrated-markup-image" /><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">&nbsp;<BR />3.2 Compliant - User sucessfully authenticated:&nbsp;</SPAN></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/10.jpg" class="migrated-markup-image" /></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">3.3 Non-compliant - User is not allowed.&nbsp;</SPAN></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/11.jpg" class="migrated-markup-image" /></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">4. Controller:</SPAN></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">&nbsp;</SPAN><IMG src="https://community.cisco.com/legacyfs/online/media/12.jpg" class="migrated-markup-image" /></P><P>&nbsp;</P><P><U style="font-family: arial, helvetica, sans-serif;"><STRONG>WLC ANCHOR 5760:</STRONG></U></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">aaa new-model<BR />aaa group server radius ISE<BR />&nbsp;server name ise</SPAN></P><P><SPAN style="font-family:arial,helvetica,sans-serif;">aaa authentication dot1x ise_webauth group ISE<BR />aaa authorization network cwa_macfilter group ISE<BR />aaa authorization credential-download ise_webauth group ISE</SPAN></P><P><SPAN style="font-family:arial,helvetica,sans-serif;">aaa server radius dynamic-author<BR />&nbsp;client '10.X.X.X (ISE IP Address)' server-key 7 1363D3AC00070D3E773B27E70A<BR />&nbsp;auth-type any</SPAN></P><P><SPAN style="font-family:arial,helvetica,sans-serif;">ip access-list extended compliant<BR />&nbsp;permit ip any any<BR />ip access-list extended non-compliant<BR />&nbsp;deny &nbsp; ip any any<BR />ip access-list extended unknown<BR />&nbsp;deny &nbsp; udp any eq bootps any<BR />&nbsp;deny &nbsp; udp any any eq bootpc<BR />&nbsp;deny &nbsp; udp any eq bootpc any<BR />&nbsp;deny &nbsp; udp any any eq domain<BR />&nbsp;deny &nbsp; tcp any any eq domain<BR />&nbsp;deny &nbsp; ip any host '10.X.X.X'(ISE IP address)<BR />&nbsp;deny &nbsp; ip any host '10.X.X.X'(DHCP Server IP Address)<BR />&nbsp;permit tcp any any eq www<BR />&nbsp;permit tcp any any eq 443<BR />!</SPAN></P><P><SPAN style="font-family:arial,helvetica,sans-serif;">radius-server attribute 6 on-for-login-auth<BR />radius-server attribute 31 send nas-port-detail mac-only</SPAN></P><P><SPAN style="font-family:arial,helvetica,sans-serif;">radius server ise<BR />&nbsp;address ipv4 '10.X.X.X(ISE IP address)' auth-port 1812 acct-port 1813<BR />&nbsp;key 7 033771233103226B5B5A0A113C4112<BR />!</SPAN></P><P><SPAN style="font-family:arial,helvetica,sans-serif;">wireless mobility controller<BR />wireless mobility group member ip '10.X.X.X WiSM2 Ip Address' public-ip '10.X.X.X WiSM2 Ip Address' group GUEST<BR />wireless mobility group name GUEST<BR />wireless mobility dscp 46</SPAN></P><P><SPAN style="font-family:arial,helvetica,sans-serif;">wlan GUEST 2 GUEST<BR />&nbsp;aaa-override<BR />&nbsp;client vlan 230<BR />&nbsp;ip dhcp opt82 format add-ssid<BR />&nbsp;ip dhcp server 10.X.X.X&nbsp;<BR />&nbsp;mac-filtering cwa_macfilter<BR />&nbsp;mobility anchor<BR />&nbsp;nac<BR />&nbsp;peer-blocking drop<BR />&nbsp;no security wpa<BR />&nbsp;no security wpa akm dot1x<BR />&nbsp;no security wpa wpa2<BR />&nbsp;no security wpa wpa2 ciphers aes<BR />&nbsp;security dot1x authentication-list ise_webauth<BR />&nbsp;session-timeout 1800<BR />&nbsp;no shutdown</SPAN></P><P>&nbsp;</P><P><SPAN style="font-family:arial,helvetica,sans-serif;"><U><STRONG>CISCO ISE:</STRONG></U></SPAN></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">1. Authorization Profiles:</SPAN></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">&nbsp;</SPAN><IMG src="https://community.cisco.com/legacyfs/online/media/13.jpg" class="migrated-markup-image" /></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">I also configured: Airspace ACL Name = unknown. I am not sure if this is needed?? I have tried with/without this option.</SPAN></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">2. Authentication:<BR />&nbsp;</SPAN></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/14.jpg" class="migrated-markup-image" /></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">3. Authorization:<BR />&nbsp;</SPAN></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/15.jpg" class="migrated-markup-image" /></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/16.jpg" class="migrated-markup-image" /><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">&nbsp;<BR />4. Operations Authentication:<BR />&nbsp;</SPAN></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/17.jpg" class="migrated-markup-image" /><BR />&nbsp;</P><P><SPAN style="font-family:arial,helvetica,sans-serif;">I never get the point where the profile is Compliant. It is always UnknownProfile/Pending.</SPAN></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;"><U><STRONG>Client:</STRONG></U></SPAN></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">WiSM2:<BR />&nbsp;</SPAN></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/18_0.jpg" class="migrated-markup-image" /></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/19_0.jpg" class="migrated-markup-image" /><BR />&nbsp;</P><P><SPAN style="font-family:arial,helvetica,sans-serif;">ANCHOR 5760:<BR />&nbsp;</SPAN><BR /><IMG src="https://community.cisco.com/legacyfs/online/media/20.jpg" class="migrated-markup-image" /><SPAN style="font-family:arial,helvetica,sans-serif;">Even the Policy Manager State is "CENTRAL_WEB_AUTH", ACL "unknown" (pre-auth ACL) is applied and Redirect URL is pointing to ISE Guest Portal, clients bypass authentication and can talk straight to the Internet. They are not redirected to Cisco ISE for authentication at any time.</SPAN></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">I would appreciate some help to understand why the redirection part of the process is not working and why any client traffic is allowed.</SPAN><BR />&nbsp;</P><P><SPAN style="font-family:arial,helvetica,sans-serif;">Thank you very much.</SPAN></P><P><BR /><SPAN style="font-family:arial,helvetica,sans-serif;">Joana.</SPAN></P> Mon, 11 Mar 2019 04:38:33 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425218#M86587 Joana Manzano 2019-03-11T04:38:33Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425219#M86588 <P>any suggestions? I run out of ideas...</P><P>Although clients are able to talk to the Internet bypassing ISE Central Web Authentication, if I do it manually, copy the redirect URL and login, it works fine. I pass through the authentication/authorization policies configured on ISE successfully.</P><P>The issue is I am not automatically redirected to ISE (WLC doesn't seem to intercept web traffic) and my clients bypass the restrictions applied by the redirect ACLs. Any traffic is allowed.</P><P>Thanks,</P><P>&nbsp;</P><P>Joana.</P> Wed, 23 Apr 2014 14:40:16 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425219#M86588 Joana Manzano 2014-04-23T14:40:16Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425220#M86589 <P>your cwa_redirect ACL need to be configured correctly.. Refer <A href="http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html">this</A> document.</P><P>You must deny the traffic that you want to redirect to guest portal for authentication.</P><P>&nbsp;</P><P>HTH</P><P>"Please rate helpful posts"<BR />&nbsp;</P> Thu, 24 Apr 2014 12:04:19 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425220#M86589 Poonam Garg 2014-04-24T12:04:19Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425221#M86590 <P>Hi,</P><P>Thanks for you response.</P><P>I already followed the configuration steps of the document that you have suggested. This is the cwa_redirect ACL configured on my wism2 (foreign controller).</P><P><IMG src="https://community.cisco.com/legacyfs/online/media/acl_wism2_0.jpg" class="migrated-markup-image" /></P><P>and this is the ACL configured on the Anchor Controller 5760:</P><P>ip access-list extended pre-auth-acl<BR />&nbsp;deny udp any eq bootps any<BR />&nbsp;deny udp any any eq bootpc<BR />&nbsp;deny udp any eq bootpc any<BR />&nbsp;deny udp any any eq domain<BR />&nbsp;deny tcp any any eq domain<BR />&nbsp;deny ip any host '<EM>ISE_IP_Address'</EM><BR />&nbsp;permit tcp any any eq 80<BR />&nbsp;permit tcp any any eq 443</P><P>According to the attached document, on the 5760 'deny' means do not redirect and 'permit' means redirect to ISE (the opposite to wism cwa_redirect ACL). However, I have changed deny by permit and I still have the same behaviour:</P><P>ip access-list extended pre-auth-acl<BR />&nbsp;permit udp any eq bootps any<BR />&nbsp;permit udp any any eq bootpc<BR />&nbsp;permit udp any eq bootpc any<BR />&nbsp;permit udp any any eq domain<BR />&nbsp;permit tcp any any eq domain<BR />&nbsp;permit ip any host '<EM>ISE_IP_Address'</EM><BR />&nbsp;deny tcp any any eq 80<BR />&nbsp;deny tcp any any eq 443</P><P>Is this what you meant?</P><P>Thanks again.</P><P>Joana.</P> Thu, 24 Apr 2014 13:22:33 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425221#M86590 Joana Manzano 2014-04-24T13:22:33Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425222#M86591 <P>I just set this up on a wism2 with anchor. The key was your redirect acl need to be identical on your anchor and foreign controllers. Also match your wlan ssid settings identically except the interface for your foreign which should be your mngt. Good luck and let me know how you make out.&nbsp;</P> Fri, 25 Apr 2014 01:49:37 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425222#M86591 Ryan Coombs 2014-04-25T01:49:37Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425223#M86592 <P>Hi,</P><P>Ok, I will go through the configuration to verify that the configuration is the same for wism2/5760 controllers. How have you configured your redirect acl? I am confused about using deny or permit in the acl entries... I read a lot of documentation and I came across with different redirect acl examples.</P><P>Could you share your redirect acls configured on foreign/anchor controllers? It would be very helpful.</P><P>Thank you very much.</P><P>Joana.</P> Fri, 25 Apr 2014 08:18:09 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425223#M86592 Joana Manzano 2014-04-25T08:18:09Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425224#M86593 <P>So this is my redirect ACL.....Like I said its identical on each internal WLC and Anchor.</P><P>&nbsp;</P><P>On Cisco ISE 1.2 our PSN NIC 0 is a (eg. 10.10.10.100) so for Security &gt; Radius we point to 10.10.10.100</P><P>On the same PSN NIC 4 is dedicated for Guest Portal on port 8445 and has an ip of 192.168.2.12 hanging off the DMZ</P><P>Since the client will talk directly to the ISE Guest Portal the first rule allows TCP to the Portal (192.168.2.12) on port 8445 along with return traffic.&nbsp; Not sure if HTTPS will work since we changed the port number and its neither 443 or 8443. Thats why we choose port number.</P><P>Next DHCP and DNS and then deny everything else.</P><P>As soon as we connect to our open SSID and try a url we are instantly redirected.&nbsp; Verify on your WLC that your override ACL name appears.&nbsp; Our problem was it showed in the internal but not anchor until we matched them.</P><P>&nbsp;</P><P><IMG alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA8QAAAF9CAIAAABNlDY0AAAgAElEQVR4nO3dv47cNrTH8XmN5DXSzRP4GVy4ZO/egLNvoG5xi8X1C6RJoSK3cmobWznNYAs33iKA25S6xcxIJHVIURQlHUnfD4LAq6X+nZVmfkNRmlMDAAAAIMtp7Q1I8OPvN+9+/+Xd4+OPtbcEAAAAsHhh+p/3737/1frv/dd1NstBmAYAAIBKVpj++ocXoP961BFhCdMAAABQqQ3Ttz7pN3/+a//65c8/2gj78udj22P9y7s//nJnfP+169W2+7Pludp8/PXvN+9+/+XD3y/Nv48fnE5xoTFhGgAAAJrcw/TXP36NBdZb0r1F7Vvja9i9Zejrj9fo/MuHv1/ic/34+42dm2/tO85yCNMAAABQyQvTbX+zy4+zbW+0928hMctzBfLxX49S5zRhGgAAACqJPdPdgI3blPtw6l+F2xPDYToyl5CP7z3cj//4yyFMAwAAQKXwmGk7XsfibHrPtKX/K69rnDANAAAA9cJP83D6qm+jn2/dxs11itONLYTpyFz9fOxOuY2ZJkwDAABAsYHnTNujqO3ncvTHhEhhOjyXlI/tlm8+EKYBAACg3Ra+AREAAABQiTANAAAAZCJMAwAAAJkI0wAAAEAmwjQAAACQiTANAAAAZCJMAwAAAJkI0wAAAEAmwjQAAACQ6Ram/+d//+I//uM//tvQf+u+dAIAcEXPNAAAAJCJMA0AAABkIkwDAAAAmQjTAAAAQCbCNAAAAJCJMA0AAABkIkwDAAAAmTSH6dqcTL32RgAAAAAhXpiuzel0WifCjonOl+p8ri7yQk6n7lfE8Sb4N71U55Pt2sCvmFBBoUmoys46rL/YdZO8dXsbZP+B2/bX9YxabGhn/cb+OgEAABK4Ybo2J1OvlEBLhWljTBuKCNOBv2ltvOR4r2ivYrXpNbRbXKrz+XyOhOl2ZntG8e/i/VG9TbRnGbXYyM5G5wIAAEjghOlbrPDShdWrd4sgKVOcfsLbtP6U/srFKe6M1srEXtMuX7VLcHom7exlTLfc2vQ2TtqvbZH+pn5A7je3uMlTyqHhNOq0tpqlhGlvO0NhenCxkZ2NzAUAAJDECtNdRPFCjPXvWy7rT+kFHXtav9V1iiMcpvszRnumrU2UcpITte+/vlRn59/9MQ/BVaom/k1juyJUzOsH7v87LUx7B1V/PIawWYGgPGaxw383wjQAAMjXhWk5M8X6i60pYojxuo77U4aXaw+m9QYXxML0PRC7Yczvm3ZDev/f4n5tivw3HRmm5UQu5tyuI//azL4gYC82sWc6EqaTF0uYBgAAc2rDtH+L1inU65gyxfmdF3n6UxKXa804GKZvua+yYnE/NyeE6W2nrMDfdNwwD2uq9cveosUltn+nS3UODYDuNxY3RuyZTlkswzwAAMCM7mE6dJ+ZE1dqY2phiptVL9X52srLPv0p7pYEw7Qwo3cXnLwQ6ykW/uS0MC3t15aE7x28VGc//dYmODCmCdzF6PxS3AJvPMYcNyAOLjays0ObDwAAMOQWpoVAId28l3IDovCgs/41f6Gv0BtUYQ3SkGYM9G87+2EPhO6Wbkxqz7S4X9sR+5s2kUfj9Sc2zieTlBV163BvXrwtIzRmOtTT3bZvj8j0xUZ2dmjzAQAAhmj+0hYAAABANcI0AAAAkIkwDQAAAGQiTAMAAACZCNMAAABAJsI0AAAAkIkwDQAAAGQiTAMAAACZCNMAAABAJsI0AAAAkIkwDQAAAGQiTAMAAACZCNMAAABAJsI0AAAAkIkwDQAAAGQiTAMAAACZCNMAAABAJsI0AAAAkIkwDQAAAGQiTAMAAACZCNMAAABAJsI0AAAAkKkN05fqfLKcq8ts6/RWdTJ1kWXOuclb1ZWa6gAAAJRnh2k7b9VmpvzVW3CZGEyYFlyq8/2TSm2I0wAAAMWFwnTj5C+rL/k+qTYnY4wz0cpu3vzRafYv/c7q2nRLbP/dX7W1fdcmwgZfqvO5qkzbyFrbTmOm8yfl0wYAAEB5kTDdplc70bbNatNG3i5Ee/m7N34jkugu1bkLte1yQmG6t2pnyeIGX6rzSVhY0zS1KTHQRB/CNAAAwMwSwrTVhWt1/oqB1cnaQnaLJDp7eXKOd3qm/VXbS5Y32F33ret6nyn6hjANAAAws/gwj16g7f/Wn/c6XZ4nNsyjbJgWVi6mybob9rE/hGkAAICZpdyAaA2raJpLdY70TDf3fBobzeH9sjbn6uIM8+j+bYXvbisCYdqJ3f0N9qOlvPW7wg2IAAAA80p7NJ7zy3Ci7RpHu3pDj8br3UboTDMm1jPtdTILGywO89jz/YdNw6PxAAAA5lX+S1v229ELAAAAOEqHaeehHAAAAMCe8XXiAAAAQCbCNAAAAJCJMA0AAABkIkwDAAAAmQjTAAAAQCbCNAAAAJCJMA0AAABkIkwDAAAAmQjTAAAAQCbCNAAAAJCJMA0AAABkIkwDAAAAmQjTAAAAQCbCNAAAAJCJMA0AAABkIkwDAAAAmQjTAAAAQCbCNAAAAJCJMA0AAABkIkwDAAAAmQjTAAAAQCbCNAAAAJCJMA0AAABkIkxjK/55/+73X63/3vz5b/Zyfnn3+PhD/HGtRQEAgE0iTGMrrlH1j7+apmmalz8ff333+y+P/+Qup0jkJT0DAHB0hGlshROmm+bfxw9+r3C/0/qaudv/3n/99/FD9+Mvj/+4gfi2isf7XPfluHPdGscX1TQ//n7jzxJZBQAA2CTCNLbCC9PNX49tGP3n/bvff/nw90vTtBn3/dem+fqH1HsdGZtxS+TdMq3V3fz4+003fWBRbrPu3wOrAAAA20GYxlaEw/TXP351h1P3p4dHNscTsNDN/GtKmHZz/HVT33+NrgIAAGwQYRpbER7mcU2ut55plxuCrf7gMWH6uvxANzNhGgCAIyNMYysiNyDexk68/3pr+tdj9+/Gav/mz3/FwdZJYfq6LmeYx6hFDWZxAACwPYRpbEX80XjO7YDXYO3dfdj2E7fTQzcg9pPutWv513e///Lh8U0v02fcgEiYBgBgHwjTAAAAQCbCNAAAAJCJMA0AAABkIkwDAAAAmQjTaJrmdrfcDN/G5z3vYnF73a8j4n5NAPot9m1ct5vyeVXUIB6m/ecneI8bm0F7cAweiJGnBS9s+SpFud9g0j7bWHyuReuvR7vm97+C+/iLrPKWC5173S+NhgubsoTS9Vk3TCs7zZX+jfzlhx+/M245ge3UX4Sx4kULHoTek4sSXx4nb1LB6q3yhu69I1xf1aeH4IXCtPX1BfENCD1CStvBv23hMO08T7dppGf3lmcFpqF16TgOVqnSsMi5ZH8Lt9u+e6n1Pu9O+fhbNnTudb+0GSxs4hL2EqY1nuY6/0b95YsPhs9YTjBM6y7CWOGihQ9Cb8df/ny0vp1qSnGGNqmkVf4Q3lvAtsJ05D0o9kbZa6bn4N+2cJiOfKuc+1G1Oz/lr1weoX2ab+90ddb4y+Pf9kOFxz7i9/H+Ib7A1f+0795LeMzw/cT4016gt9fOF5REdyF2LllfX+LshRUObhv25sPvvzz+8/Ln4/3hyt2m/irsmtg7Yp/wfsfweHvdL21ChZWOUuE4/7d3eoZOh0Y+yGPnzhov/RpP8/DBL2+St+o/3vf/RoWFv7I0vIO9c006lrZUhLHGf8/rNWQLB+fQy+P0TRp5bHtd2gre0P95/+7+1QEf/n5xwnS8N9dZqfttA/ENEwsils4i7b4TlvxZUnqmhTNLeqdDqoGeaSlbXI+/6x/v9vd4/9X73Jz3yaydK+WKT6RN7AvnfnW+U3ryZ8d4lUZ8AZ57ZH/4+yWy1/3iByvZ/7E/17+PH7yz8d7+fqHg/ddAjrH/6O4XaDsLt07daR9g9rpf2oQKGzpKE79oPfE7IEc1XoTG0zz0NwptRuKqC/JfY63O0cAOyudaYs+0ziKMFS5a6CCUi9YMvTyW2KSUY1s4jPW8od+38Nbtkhqmvb9IrxT2hvU+ewgF6ZcuVP/Ev6kT2e8HzNAwj+CBhCTxMdPCt8p5Q1e7D1jOXyLnyLavHznXpJJeYa0f3fbWuKKZ3piDVRqzDb1LNuJeh4rvE0Jn8BOncIteO3ubR4P9BN1Zam1bvyvoTZnEudf90iZU2IGjtHecyy/TXbPwQT68zKVpO80Df6PgJvUvCq8XpqNvIr1zbSBM6y7CWJHk2qQchN6igi+PZTZp+NgeigreWhZ+Q2/T7fUd4Y/3yT3TYrSV2iQc9vFBg9GDOfBnTemZ7hVNPvuQKvVpHl3SDVxscodSZYRp/2WiW4uic2+AX6V53mUDY29skXNJ2OZo16A9xSqveAnCDaPty8Sv7353B1Rk2+t+aRMq7JHDdEfHaR74GynKkd4WJoxYaMRzLbFn2qKoCGOFi+bqDsK0YR7zbFLCsd3fMEVv6FZX8T1KzhSmu5c74S+lI0w34tmHVMEw/fLno324e0ew/Se83QbhnNLjT2P/7oron7xpxBF4KVeFyobpeJXSTsvAK1H4WphQfF966PznffB1LRo6A/fEtGXpf+a+vfoPfxKI2Ot+aZMcppPeWiLNgge5qmEeKk/z0N8o8S8iTinL2cJ+b0t8B8VzLb6KwPR1izBWsGjhgzDpBsQ5Ninl2Jb+ynre0K0wfS/j0Ck8Nkz780oFiR+EsTVOC9MDH9UI06PEwrTTSdx7AepfP+rNMuI07t9rLL743pbsDpYfe79C2TAdrFLgjqvALOJhLex1qPidwCPk5D+Hf4tev1D2lNvmtbc+3Ptl//irv1/Ow4acGTNz5173S6P0MD18nO/gBkSNp3nk4I/fe2etunfjVFnOfvXem4UdDJxrke3UX4SxgkWLviM7t6MNvzwW2qSEZBY6jJW8oTth2utDCRQ8NUwHTl6xIEOf6MIHs/TK0PT+9MFC2TUPnX1INNOXtpQ6jTGvvx73FAE7e90vAACgDWH6wOb6dsC17XW/AACAPnydOAAAAJCJMA0AAABkIkwDAAAAmQjTAAAAQKYuTP/fghZeXSkb3ewtotSLodQeCpKBomVQWDSFm1TKjndNm12WekSYBgAAADAKYRoAAADIRJgGAAAAMhGmAQAAgEyEaQAAACATYRqKfK8f3tava2/FIVBqAACKIEyXcqnO5+piTajN6cbU/Wknt3F8UU1zqc7+wrpJ1grkeQYbRDZmSc8fzdPn4WbqSp23rrS5ZpJYagAAMIAwXcA9a1mR6FKd29xVm/tvatM26SYOLeo60W9szW+va0QDa2pgY5b2/PTb03O8idJS56xreK4ZJZQaAACkIEyX4vY71sYKXUL3p5Ol4otylyVNzGrgrETcwqV9fjIfkwKetlLnrStxrlkklxoAAAwgTJfiRiWnCzMwliCYyvqLOgkDAgYHacQbqAvTzx8f6u9JLfWVOmNdqXPNIb3UAABgAGG6FD8qhYJZ0wxe1u8lvO6nds5Ldb7nLzmkDTVQFqbH3A+nrdRZ60qdqzxuPQQAoCDCdCnRi/juQISE/s1Qwrsvyx1uIAw+GGygK0y/fnp4+JQa8JSVOm9dqXMVN6rUAABgAGG6lFDCc/JSbYTnQfQmeouS7rDzl9redndf1GADVTcgvtZvR9wPp6zUmeuS55rduFIDADDVyXyJ/7f2Bk5FmC7AGWZgP/ghOPTWec6aHarERQ0++82+P879IdpAzaPx0u+H01jqvHUF5pobtx4CAJY0mKR3kKcPEqYHH8KAFfHM48VQagDAogjTff9VD9+quQZcup11c6Tf1ccGAxtgdcX3O+/9PnWpf363H12vldnt7s0r9uVHw0Ol3IPyUK/jSo46JZtRmportDtGmHZc6m8n8+VkZg3TwsMUZlsDgLjeJZ3a9L/m5j60fOaTV4PanEzNda4skS8/ulTn89l/PqQ/8bhlV3LUKdmMwjTdO7RfhOm+uXumpS/jsPozrBfjc1WZex9HbU7GmK5Nbbz212UNfr82AJv31hl5t4l8k85+SA948V98ml5W5D26aZrIlx9df+gfat7EnR5Tw5QcdUo2ozBdT7XarXhcJkwXZx/K7Slpn7ttg0t19m8Qs55R0X9exX0hnCzACG6AiZ0+4sm7L90u2glBfEDO4FfQH5J0Pb0tqvhC74Xp/Q8j6lNy1CnZjOII04uIdD/TMz0H6fkKvdGbUigO9V+0/yZMAxlGhemdD2j1Pi64V738yXYc3GU1xpO+/MgqXvdPcaK3JOURrRwlR52SzSiPML2I0HAOhnnMsinyoRx8NSVMA3PLHeaxQ71nGXYf98VvsxcHLxyY9OVHvZqeztVFnOgua/cHW0vJUadkM2ZAmF6EODyaMdPLhunek5Gn9kzrP70BLfy3w0t17n9he/8GxB3yP0fEx6Hd5thrJ32OwJcftcTk5XRSOw/IP8bLuJKjTslmzIIbEJfADYiO+9M8vpzMl9PDjxmOucD7sfOpuL0nMStMt8NGjvFSDEwjJZzgo/H2/EYkFEK4IcstwnEyXyLpy4/sX0Yn2ofdno80m5KjTslmzIVH482PMI0k1nuE9E167lWx2NXL9RcVeDVR83Kzdn0ULcqeYyPvWsey848XUEnJUadkM6DE0cN04v7voArT3K5zX//pPY2v1zSee1ZZlNzSoudC2NZLXXJRTdMEHtALBZxRDcAilBx1SjYDmuw+Q9IzXVYXhrKy1DqLElt2lN6isclSl/2rbec2HwAAdoswXZI9TqyWnooqTlx9UWJLZ6q+ML3RUhdclPgsXgAAsDDCdDmhIRBiRI3fn7HKoiIttYXprZd6+qKcxxwQpgEAWA1huozoIDExgAZT6SqLirVUFqa3Xuoii0p4Fi8AAFgCYboA6XkK4lNR5Uel2rOvsSj5eRDWRD03IG691CX/anZN6JkGAGAthOnJep2EpvamtvFTflRql59WWZTc0k11Sh6Nt/VSl1xUhzANAMCKCNMAAABAJsI0AAAAkIkwDQAAAGQiTAMAAACZujD9sqCFV1fKRjd7iyj1Yii1h4JkoGgZFBZN4SaVsuNd02aXpR4RpgEAAACMQpgGAAAAMhGmAQAAgEyEaQAAACATYRoAAADIRJiGIt/rh7f169pbcQiUGgCAIgjTpVyq87m6WBNqc7oxdX/ayW0cX1TTXKqzv7BukrUCcf1j1pU210yeP5qnz8PN1JV6TIPlqypKLDUAABhAmC7gnpSsnHSpzm2sqs39N7Vpm3QThxZ1neg3tua312U3yFnX8Fwzen767ek53kRpqQcaWFOXr6ooodQAACAFYboUt4+zNlamEro/nbQXX5S7LGmi2CBvXYlzzeLzk/mYFPC0lXqogbOSSMGXk1xqAAAwgDBdihuSnB7KwFiCYADuL6rjpLK0kQMj1pU61xyePz7U35Na6it1vIG6MJ1eagAAMIAwXYofkkLBrGkGr/X3El73UzvnpTrfE2I8no1aV+pc5Y25H05bqYcaKAvT3HoIAEBBhOlSouMl3IEICV3JoYR3X5Y7miA0zmP0ulLnKu7108PDp9SAp6zUgw10helRpQYAAAMI06WEQpKT6GojPO6hN9FblHSHnb/U9ra7k910/LrkuWb3Wr8dcT+cslIP/y003YA4rtQAAEx1Ml/i/629gVMRpgtwhhnYz3UIDr11HqNmJzxxUYPPfrNvf7MS3vh1BeaaW/r9cBpLndJAzaPxuPUQALCkwSS9gzx9kDA9+LwLrIhnHi+GUgMAFkWYdtRP7T5/q2YZc+l2J86RflcfsApsgNXT3u+893v9pUshu//oGvuanuERRm59d/+SdN3d3R8T81FSQCWbUZqay4Y7Rpi2/TQPP25H2vPLqf13SfLDFGZbA4C43iWd2vS/5uY+tHzmk1eRyNf0XKrz+ew/jNGfeKwrZbU5mfpYu1yWkgIq2YzCNN3Qsl+E6RArWJcU+DIOqxPIegc7V5W5dwzV5mSM6drUxmt/Xdbglz4DsHlvnZF3m8g36exP8Gt6rj/0q+ZN3Hl5XNJTcfxX7Kb3qYRg01JSQCWbUZiuRy3tVjwuHzdMX+pvp6efxTfFPZTbU9I+d9sGl+rs3yBmPTih/xCF+0I4WYAR3NQXO33Ek3e/pEvDbQnE1ywvTB9lREx3XNixSnzUTaS//8CUFFDJZhRHmF5EpPv5wD3Tc43xaOTnK/RGb0qhONTp0/6bMA1kGBWmjzMKWPqaHqtU3T/Fid6SlKeNabzPWO6lQn+yXcu9H0KplBRQyWaUR5heRGg4x3GHeVzqb7Ml6UY+lINvQYRpYG65wzz2Tfqant7DGE/n6iJOdJe177r1CtD1kQghLDBM5siUFFDJZsyAML0IcXj0ccdM109f5hnd0RIPZf9xvVN7pvWf3oAW/tvhpTr3v7C9fwPizgW+pqclhgink9p5APl+X5H82sQH793mOMCVjWRKCqhkM2bBDYhL4AZEy+uPs7vbpvxXPwTej51Pxe09iVlhuh02st/3L6AcKRYGH413pDci6Wt67F9GJ9oV3HPRhDoId7G5R86+P12MpKSASjZjLjwab36EaSSx3lilb9Jzr4rFLvluf1H2HHO8lG69PmJLB6/sOLCDfSYrT0kBlWwGlDh6mE7c/x1UYZrbde7rP72n8fWaxiPm5hfVNE3gUbtFbL0+cksL1xxxYM74GYynpIBKNgOa7D5D0jNdVpeWsmLZ5hfVTp//3pOt1qffssPdMAAAbA1huiR7nFgtPUpWnLinRYlP1Z3DRusjtnSmEqYBANgUwnQ5oevyYm6K35+x0UU5DyyYM0xvtD4pLQnTAABsCmG6jOggMTEVBaPSdheV8FTdArZbn+GWhGkAALaGMF2A9OgK8VGy8vNl7dk3viinJnM9zWPL9RGfcmJN5AZEAAA2hjA9Wa8/1tTe1DYTyc+X7bLU5hfVmSVMb70+cks3YfNoPAAANoUwDQAAAGQiTAMAAACZCNMAAABAJsI0AAAAkKkL0y8LWnh1pWx0s7eIUi+GUnsoSAaKlkFh0RRuUik73jVtdlnqEWEaAAAAwCiEaQAAACATYRoAAADIRJgGAAAAMhGmAQAAgEyEaSjyvX54W7+uvRWHQKkBACiCMF3KpTqfq4s1oTanG1P3p53cxvFFNc2lOvsL6yZZK5DnGWwQ2ZglPX80T5+Hm6krdfa6AhMXkFhqAAAwgDBdwD1rWanoUp3b3FWb+29q0zbpJg4t6jrRb2zNb69rRANramBjlvb89NvTc7yJ0lJnr2utTzIJpQYAACkI06W4XYy1sUKX2PtoJbD4otxlSROzGjgrWat/1PH5yXxMCnjaSp23rsjE2SWXGgAADCBMl+KmIqcLMzCWIJjK+os6CcMIBgdpxBuoC9PPHx/q70kt9ZU6Y12xiXNLLzUAABhAmC7FT0WhYNY0g8Mqegmv+6md81Kd76lNzmNDDZSF6TH3w2krdda6YhPnxa2HAAAURJguJZKK/IEICf2boYR3X5Y73EAYfDDYQFeYfv308PApNeApK3Xeuob3ZSajSg0AAAYQpksJpSInZdVGeB5Eb6K3KOkOO3+p7W1390UNNlB1A+Jr/XbE/XDKSp25rvi+zGZcqQEAmOpkvsT/W3sDpyJMF+AMM7Af/BAceus8Z81OXeKiBp/9Zt8f5/4QbaDm0Xjp98NpLHXuugIbMC9uPQQALGkwSe8gTx8kTA8+hAEr4pnHi6HUAIBFEaYd9VO3z2aWzi23i2+O9Lv62GBgG7zPn+2Z4/XD+4Nk5j1/13e9SLHPfZtB5GipjX9FSLyOQ7EbNUedks0oTc0V2h0jTNv+q55+3I601x9n8zJ31J1lHC9hGkgSCdN+JLLGrcx8/q6uNidTc50rWeRoqc3JGOP8eB8eNfjo94NRctQp2YzCNN07tF+E6YDnl9PDjxmOucCXcVgdFc7bdmXuHRe31+W2TW289tdlDX6/NoCrxDDduM8QDH2Zzk5ID3jxX3ya3uPGD/weHTlaanMydVepe03p7+hRctQp2YzCdD3VarficfmQYfr55WS+zJOkG/dQbk9J+9x1rzW7N4hZz6joP6+CV2pglPQwLZ5d0a+v2ahu/+yEID4gZ/Ar6A8icrR02excXezjrdcVcmxKjjolm1EcYXoRke7nY/dMzzjMoze8znqQgtWn3L96KH7hs33pkDANpMsL0/Lw2H3wPiv0xic4k9t/ae+Zm9dwmL7nLflZ+VxGVHLUKdmM8gjTiwgN5zj8MI/mv+rhW1X+ex+kQ1m+WEyYBmblnXj2oKv+hfvQr/ak9wTE7uO++G321+l7HOwyQuRocbqiz1UVKtSxK6jkqFOyGTMgTC9CHB591DHTrz/OTz+7f89/A+Kd/2TkqT3T+k9vYH3Od9VYP6TegLg3fidbfBzabY5d9tCPMXADovtI/F45/WbHo+SoU7IZs+AGxCVwA6Ltv+qh3ec5uqWb4Jux86lY7ANLDtPtpcMDvz4DaewhVsI3/fRGc+w5TMujEPwbstwK8NF94NF4XXGsW10isxyOkqNOyWbMhUfjzY8wjSRW6JC+Sc+9KhZ/n1h7UYFXEzUvN2vXZ0uLwrr2/NkCWik56pRsBpQ4ephO3P8dVGGa2thDxaSrmFbT+Kf1VRYlt7TouRC29VIvuSisyhkmAyxCyVGnZDOgye4zJD3TZXVhaHIAWm5RYsuO0ls0NlnqlRYFAADmQpguyR4nJg44FSeuviixpTNVX5jeaKlXWRQAAJgPYbqc0BAIMaLG789YZVGRltrC9NZLveSiAADAnAjTZUQHiYkBNJhKV1lUrKWyML31Ui+5KAAAMDfCdAHOo7Dbac7DxO5P6BMmOrOvsSixpT1Rzw2IWy/17IsCAAALI0xP1vtyKFN7U53vvuhNtPLTKouSW7qpTsmj8bZe6vkXBQAAFkaYBgAAADIRpgEAAIBMhGkAAAAgE2EaAAAAyNSF6ZcFLby6Uja62VtEqRdDqcrrECcAABPgSURBVD0UJANFy6CwaAo3qZQd75o2uyz1iDANAAAAYBTCNAAAAJCJMA0AAABkIkwDAAAAmQjTAAAAQCbCNBT5Xj+8rV/X3opDoNQAABRBmC7lUp3P1cWaUJvTjan7005u4/iimuZSnf2FdZOsFYjrH7muwMQFPH80T5+Hm6kr9ZgGqxS2L7HUAABgAGG6gHtSsnLSpTq3sao299/Upm3STRxa1HWi39ia316X3SB7XWtlvuen356e402UlnqggTU1sDFLSyg1AABIQZguxe3jrI2VqcSOXivtxRflLkuaKDbIW1dk4uw+P5mPSQFPW6mHGjgrWavX35FcagAAMIAwXYobkpweysBYgmAA7i+q46SytJEDI9YVmzi3548P9feklvpKHW+gLkynlxoAAAwgTJfih6RQMGuawWv9vYTX/dTOeanO94QYj2ej1hWbOK8x98NpK/VQA2VhmlsPAQAoiDBdSiQk+QMRErqSQwnvvix3NEFonMfodQ3vy0xePz08fEoNeMpKPdhAV5geVWoAADCAMF1KKCQ5ia42wuMeehO9RUl32PlLbW+7O9lNx68rvi+zea3fjrgfTlmph/8Wmm5AHFdqAACmOpkv8f/W3sCpCNMFOMMM7Oc6BIfeOo9RsxOeuKjBZ7/Zt79ZCS9nXYENmFf6/XAaS53SQM2j8bj1EACwpMEkvYM8fZAwPfi8C6yIZx4vhlIDABZFmBb9NOaLmaVzy+1OnCP9rj5gFdgG7/Nne+Z4ff7+IJl5z981RXa8Nv7FDfHyx/5qkuh64eagO1+CkgIq2YzS1Fw23DHCdN9/1cO388N8YVp4mMJsawAQEgnTfo60htvMfP6uKbLjtTkZY5wf76OKBp9ifgC1OZn6qDtfgpICKtmMwjTd0LJfhGlf/fTFPN/+P4PAl3FYvTvO23Zl7r09tzeztk1tvPbXZQ1+6TOAq8Qw3bjPEAx9mc4ORHa8NidTd2/K9z3no3vTNPJTcfxX7Kb3PHiCTUtJAZVsRmG6HrW0W/G4fLgwfam/nev/mmaZMN2ekva5615rdm8Qsx6c0H+IAm9vwCjpYVo8u6JflbNJkR3vYsa5util632qP56ubHasEh91YzXY3+GTTUkBlWxGcYTpRUS6n4/XM/38cnr6ef3nnGG6NybRek6C1afcv+Qqfp+zfb2VMA2kywvT8pjiXRgO0/foID+L/JhXxLwPWL2RMM7k9l/auzMXpKSASjajPML0IkLDOY44zONSf/N2+9pLXZR0KMsXiwnTwKy8E88edNUf7RD61Z5Edtzpij5XVWiAy95GvgzrPaKy6yMRQth9+vHqFKSkgEo2YwaE6UWIw6MPPWb6aqEx0/e1eY/rndozrf/0BtbnfBWN9UPqDYi7M3ADovvI8d4INb/ZMfg9k/HBe7c59nhZI5eSAirZjFlwA+ISuAFRtmyY9j4Vi31gyWG6vd56sDc1YDx7iJXw9TO90Ry7D9OhHXdSsnXXRmSWQ5DHu/h3sbmHDf0dFiUFVLIZc+HRePMjTCOJFTqkb9Jzr4rF31x3v6iJdO5U1qICxeGVHQe27w9kC1BSQCWbASWOHqYT938HVZimNvZQMenSr9U0/ml994uaSOdOpS9KbmnhmiMOzBlbhPGUFFDJZkCT3WdIeqbL6tLS5Ky5+0VNpHOnBhYltuxwNwwAAFtDmC7JHicmDjgVJx5zURPp3KnBRYktnamEaQAANoUwXU7ouryYm+L3Z+x+URPp3Kn0RUVaEqYBANgUwnQZ0UFiYioKRqXdL2oinTuVvqhYS8I0AABbQ5guwHkUdjvNeZjY/Ql9wkRn9l0uqiA9O5W1KLGlPZEbEAEA2BjC9GS9L4cytTfV+e6L3kQrS+10UZS6+1YToaWbsHk0HgAAm0KYBgAAADIRpgEAAIBMhGkAAAAgE2EaAAAAyNSF6ZcFLby6Uja62VtEqRdDqT0UJANFy6CwaAo3qZQd75o2uyz1iDANAAAAYBTCNAAAAJCJMA0AAABkIkwDAAAAmQjTAAAAQCbCNBT5Xj+8rV/X3opDoNQAABRBmC7hUp1PV+fqslKDPXj+aJ4+x5tQ6jISSg0AABIQpqe7VOeTqZumaZraSAFsgQa78Pz029NztAWlLmS41AAAIAlherJLde4il/PDcg124fOT+TiYpSl1CcOlBgAAaQjTk5Hwynj++FB/jzeh1GUklBoAAKQhTE9Gwish6X44Sl0Ctx4CAFAQYXoyEl4Br58eHj4NBjxKXUBaqQEAQBrC9HTyLWu1Od2nztVgP17rt0n3w1HqyVJLDQBAGSfzJf7f2hs4FWG6BOlhalY+m6vBboy4H45ST8OthwCAJQ0m6R3k6YOE6dp0WQna8MzjxVDqHWhfzXhZA7ABhGlH/WTv9req/LDLrkvwdDrN8jaxy0GwQHleUGvPHPckdTrv5z9/1xTZca9W7o/efLdfpdVKnndChl76BXDxonkz7uQgrI2KnVGyGaXt+lKkEoRpR/30xcx7gdh5pZ9lwCphGkgSCdNeJGrP0/nP3zVFdjycC+1WzlISahWcd1thesmiedP20nNfm5Op198ZJZtR2N5vktGBMO1YOEx3r4RWZ4Pztl2Ze+dDbU7GmK5Nbbz212VZC9rX6wFQWmKYbqy3oMD5uxORHQ/lwsib82CtIvNKwzyEF0n/VbFZ4QVw2aJFPioMvYlUXaRyN2L43Wd2tx119rf/x7VTobsL+9qMwvb/+CYV4nH5iGG63ed5UrV9KLenpH3uuteanVPafhhD/8EM94VwsgBJ0sO0eHZ5b6k7ENnx9sO7O7wg9mozVKvYvP0wLb5ISo+oWbln2t7WGYpmLdRdRuKbSPtDvLDejDPrdtrOpeLzh6wGxc8/JZtRHGF6EZHu5yP2THdef5zNyzwjmrtX1u7MHX7FFV8HG+E1kZMFSJIXpnvn737Ec6HUyTqQC6O1GhWm5RdJKQjqCtOli+auxalEQmwXrrCkzTgr7wOENEimm2x/kCq7iUo2ozzC9CJCwzkOOszD8l/1MNMNiNIoOOGTLWEamFXoKrx44T70qz2J7PjkEQuCMcM85BdJnWF61qL5pJEJ4aXdulFrc5Ky4oTNmMC/E9PqZBJS7H168SFWSjZjBoTpRYjDow87Zvqnefp5++eMPdP9Q7n2HgE8tWda/+kNrO9SnU92X9TJ73W6qkM3IO5Ozr10l+rcH3GQmGrD84rDPPovkoEwvegL4LJF88NbvD6BXnPjjQlOmnEu/ieL+OjH+xYXvy6kZDNmYZ0SG+hI3ypuQLT9Vz3M+ly8Jvgi5XwqFvvAksN0e+GORA0MsC9y22+ZQg/V/Vc7fi+K7HgwFwrzjerFl+eVOneFF0k56Cz7Arhw0cKrG34TuW+FV5vEGechdO0Kne3u9szweUnJZsyl+xPv+OVrZYRppBk8GxdocBCUGgAClHyiVbIZUOLoYTpx/3dQhWkGrxMt0OAgKDUABDiDsw6/GdBk9xmSnunJBu9gWKDBQVBqAACgDGF6MhLeYig1AABQhjA9GQlvMZQaAAAoQ5iejIS3GEoNAACUIUxPJ9+yJn7RatkGx0OpAQCALoTpEqSHqfmP+5+hwRFRagAAoAlhGgAAAMhEmAYAAAAyEaYBAACATIRpAAAAIFMXpl8WtPDqStnoZm8RpV4MpfZQkAwULYPCoincpFJ2vGva7LLUI8I0AAAAgFEI0wAAAEAmwjQAAACQiTANAAAAZCJMAwAAAJkI01Dke/3wtn5deysOgVIDAFAEYbqES3U+XZ2ry0oN9uD5o3n6HG9CqctIKDUAAEhAmJ7uUp1Ppm6apmlqIwWwBRrswvPTb0/P0RaUupDhUgMAgCSE6cku1bmLXM4PyzXYhc9P5uNglqbUJQyXGgAApCFMT0bCK+P540P9Pd6EUpeRUGoAAJCGMD0ZCa+EpPvhKHUJ3HoIAEBBhOnJSHgFvH56ePg0GPAodQFppQYAAGkI09PJt6zV5nSfOleD/Xit3ybdD0epJ0stNQAAZZzMl/h/a2/gVITpEqSHqVn5bK4GuzHifjhKPQ23HgIAljSYpHeQpw8SpmvTZSVowzOPF0OpcUztWwDvBcDSCNO+S/3ttttPP2fYmK5L8HQ6zfKKt8tBsEB5XuZozxz3JHU67+c/f9cU2XGvVu6P3ny3XyXUyptxk/VcvGjBeSdk6PXfNWqj4ghQshml7fpSpBKEacel/nZ6+DHnwea8aM0yYHX9l0VgEyJh2otE7Xk6//m7psiOh3Oh3cpZymCtvGkb7U9duGiRebccpmtzMvX6R4CSzShs7zfJ6ECYtv005mXmk8h90WrPWqunwXnbrsy946E2J2NM16Y2XvvrsqwF7ev1ACgtMUw31ltQ4PzdiciOh3Jh5M15qFaRADf0elh16cDdiOEX0uKWLVpsXmmYh1AQ/62kUfCucdtiZ3/722mnwluLsslQyWYUtv/HN6kQj8sHC9OvP87WB4hz/d8MG2Mfyu0paZ+77rVm55S2H8bQfzDDfSGcLECS9DAtnl3eW+oORHa8/fDuDi2IvdoM16rXI+Cu01lI//Ww/UEcKxyasbhlixabt18HsSDSc33Wfdfo1m7nUvH5Q1aD4uefks0ojjC9iEj38/F6pl9/nLsxHj+N+VaVf1StM9itO3OHX3HFN49GeN3kZAGS5IXp3vm7H/FcKHWyDuTC1FrdXwLlCCquSbhYkDZjacsWbVSYlgsiJexV3zW8DxDSIJlusv2ZoOwmK9mM8gjTiwgN5zjkMA8nTDf10xdT/gFb0qEsXywmTAOzCl2FFy/ch361J5EdnzxiIYF0kT28tFuPYG1OUuyZsBkjLVy0McM85IJoC9P+3ZRWJ5OQYu/Tiw+xUrIZMyBML0IcHn3YMdP/VQ9tgJ6vZ7p/KNfeI4Cn9kzrP72B9V2q88nuizr5vU5XdegGxN3JuZfuUp37wzSSApqfQ+yXssHXw/sMxhvemjRjUcsWLTavOMyjX5BAmF5xuLSzN/HRj7c5yl8XUrIZs7D+uhvoSN8qbkD0/DT3fZ6hW7oJvlY6n4rFPrDkMN1e3CNRAwPsC+H2W6bQQ3X/1Y7fiyI7HsyFwnypvfjh1Q2/Ht63wnudS5yxpIWLFplX6hEXCiKnw7XeNYSuXeEKhVuWGaK/ks2YS3cY7Pjla2WEaaQZPBsXaHAQlBoAApR8olWyGVDi6GE6cf93UIVpBq8TLdDgICg1AAQ4g7MOvxnQZPcZkp7pyQbvYFigwUFQagAAoAxhejIS3mIoNQAAUIYwPRkJbzGUGgAAKEOYnoyEtxhKDQAAlCFMTyffsiZ+0WrZBsdDqQEAgC6E6RKkh6n5XwkwQ4MjotQAAEATwjQAAACQiTANAAAAZCJMAwAAAJkI0wAAAECmLky/LGjh1ZWy0c3eIkq9GErtoSAZKFoGhUVTuEml7HjXtNllqUeEaQAAAACjEKYBAACATIRpAAAAIBNhGgAAAMhEmAYAAAAyEaahyPf64W39uvZWHAKlBgCgCMJ0CZfqfLo6V5eVGuzB80fz9DnehFKXkVBqAACQgDA93aU6n0zdNE3T1EYKYAs02IXnp9+enqMtKHUhw6UGAABJCNOTXapzF7mcH5ZrsAufn8zHwSxNqUsYLjUAAEhDmJ6MhFfG88eH+nu8CaUuI6HUAAAgDWF6MhJeCUn3w1HqErj1EACAggjTk5HwCnj99PDwaTDgUeoC0koNAADSEKank29Zq83pPnWuBvvxWr9Nuh+OUk+WWmoAAMo4mS/x/9bewKkI0yVID1Oz8tlcDXZjxP1wlHoabj0EACxpMEnvIE8TprE6nnm8GEoNAFgUYdry+uPs7rYp37/VdQnutV8Q2KzanE5WB/4xUYQMFG0iJQVUshml7fpSpBKE6ZCfxrzMcEZ593vVhqMbUKI2J1PXZn/vpWNQhAwUbSIlBVSyGYXt/SYZHQjTskv97Vz/V3xTpIcnWEe31W1t3TZmjHEmWmeGNz+AfLc3Uee99HAnIEXIQNEmUlJAJZtR2P4f36RCPC4fNkzP1C3diIfy/cy1z+C2mfgMBi9/7+tTNLCK7tS03xwPdgJShAwUbSIlBVSyGcURphcR6X4+bs90/fRlnm7pJham6/uH37twwnayNmcGMJ19Zlr/PtYJSBEyULSJlBRQyWaUR5heRGg4x4GHebz+OM/VLd0Ehnn0YnP/t/681+m7G9wFrMO7M7gdaHWoE5AiZKBoEykpoJLNmAFhehHi8OhDj5mes1u6id6A6D8IONIz3dw7sjktgAL8/qX22u2RTkCKkIGiTaSkgEo2YxbcgLgEbkB0Pb+cHn7MeahFH43n/LIdmyWfyRsYqgVshNC/JNyLtPMTkCJkoGgTKSmgks2YC4/Gmx9hequWvlozeDYu0OAgKPUWcLm0oQhZKNpESgqoZDOgxNHDdOL+q6vCpTovGoMGrxMt0OAgKPUWLH0CqkQRMlC0iZQUUMlmQJMtZcgs++yZXtTgHQwLNDgISg0AAJQhTE9GwlsMpQYAAMoQpicj4S2GUgMAAGUI05OR8BZDqQEAgDKE6enkW9bEL1ot2+B4KDUAANCFMF2C9DA1/2tmZmhwRJQaAABoQpgGAAAAMhGmAQAAgEyEaQAAACATYRoAAADI1IXplwUtvLpSNrrZW0SpF0OpPRQkA0XLoLBoCjeplB3vmja7LPWIMA0AAABgFMI0AAAAkIkwDQAAAGQiTAMAAACZCNMAAABAJsI0AAAAkIkwDQAAAGQiTAMAAACZCNMAAABApv8HPn2oGs3a6sQAAAAASUVORK5CYII=" /></P> Fri, 25 Apr 2014 16:15:17 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425224#M86593 Ryan Coombs 2014-04-25T16:15:17Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425225#M86594 <P lang="en-US" style="margin:0in;font-family:Calibri;font-size:11.0pt"><SPAN style="font-size:16px;"><SPAN style="font-family: arial,helvetica,sans-serif;">If you compare the switch redirect ACL and the WLC redirect ACL, you will see the differences. We use the statement deny udp any any eq 53 to stop DNS traffic from being redirected on the switch and on the WLC we use a permit action for DNS traffic. This is because the redirect ACL on the WLC is just a regular wireless ACL. Hence, the ACL rules must&nbsp; have permit statements for allowed traffic flows like <STRONG>DNS</STRONG> and <STRONG>traffic to and from ISE</STRONG> . <STRONG>Any other traffic is caught by the implicit deny statement and is re-directed to the redirect URL set in the ISE. </STRONG>This ACL is invoked when ISE sends the VSA through the authorization profile.Refer Cisco Trustsec How-to Guide-Central Web Authentication</SPAN></SPAN></P><P lang="en-US" style="margin:0in;font-family:Calibri;font-size:11.0pt">&nbsp;</P><P lang="en-US" style="margin:0in;font-family:Calibri;font-size:11.0pt"><SPAN style="font-size:16px;"><SPAN style="font-family: arial,helvetica,sans-serif;">Secondly, Since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present on the foreign WLC (In your case its WiSM2).</SPAN></SPAN></P><P lang="en-US" style="margin:0in;font-family:Calibri;font-size:11.0pt">&nbsp;</P><P lang="en-US" style="margin:0in;font-family:Calibri;font-size:11.0pt"><SPAN style="font-size:16px;"><SPAN style="font-family: arial,helvetica,sans-serif;">Can you post your topology</SPAN></SPAN></P><P lang="en-US" style="margin:0in;font-family:Calibri;font-size:11.0pt">&nbsp;</P><P lang="en-US" style="margin:0in;font-family:Calibri;font-size:11.0pt"><SPAN style="font-size:16px;"><SPAN style="font-family: arial,helvetica,sans-serif;">HTH</SPAN></SPAN></P><P lang="en-US" style="margin:0in;font-family:Calibri;font-size:11.0pt">&nbsp;</P><P lang="en-US" style="margin:0in;font-family:Calibri;font-size:11.0pt">"<SPAN style="font-size:16px;">Please rate helpful posts"</SPAN></P><P lang="en-US" style="margin:0in;font-family:Calibri;font-size:11.0pt">&nbsp;</P><P lang="en-US" style="margin:0in;font-family:Calibri;font-size:11.0pt">&nbsp;</P> Fri, 25 Apr 2014 16:59:39 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425225#M86594 Poonam Garg 2014-04-25T16:59:39Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425226#M86595 <P>Hi Joana,</P><P>Were you able to solve this situation? I have the exact same scenario as you (ISE and 5760) and have configured it almost the same way except that i have the authz for CWA a bit different on ISE . I havent had the chance to test it though but i got really confused about 5760 configs...your inputs would help me a lot.</P><P>&nbsp;</P><P>Thanks!</P><P>emilio</P> Wed, 30 Apr 2014 03:33:09 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425226#M86595 emgalanme 2014-04-30T03:33:09Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425227#M86596 <P>Hi Emilio,</P><P>I have been off on holiday so I didn't have time to continue testing. I will let you know once I get any improvement.</P><P>Thanks!</P><P>Joana.</P> Wed, 30 Apr 2014 08:19:17 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425227#M86596 Joana Manzano 2014-04-30T08:19:17Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425228#M86597 <P>Thank you very much. Really appreciate it! I am going to review my configuration based on your redirect acls. It is good to have an example that is working as a reference. I will let you know how it is going.</P><P>Thanks!</P><P>Joana.</P> Wed, 30 Apr 2014 08:22:51 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425228#M86597 Joana Manzano 2014-04-30T08:22:51Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425229#M86598 <P>Hi,</P><P>Sorry, I missed your post.</P><P>This is my topology:</P><P><IMG src="https://community.cisco.com/legacyfs/online/media/topology_4.png" class="migrated-markup-image" /></P><P>&nbsp;</P><P>Clients join an Open Guest Wireless.</P><P>WiSM2 is the foreign WLC and this is its configuration:</P><P><IMG src="https://community.cisco.com/legacyfs/online/media/wlan_wisim2_0.png" class="migrated-markup-image" /></P><P>&nbsp;</P><P><IMG src="https://community.cisco.com/legacyfs/online/media/acl_wism2.png" class="migrated-markup-image" /></P><P>&nbsp;</P><P>This is the configuration for the 5760-Anchor WLC located in the DMZ:</P><P><IMG src="https://community.cisco.com/legacyfs/online/media/wlan_5760.png" class="migrated-markup-image" /></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/acl_5760.png" class="migrated-markup-image" /></P><P>I have also tried, with no success, deny instead of permit in the entries of the previous acl:</P><P>ip access-list extended pre-auth-acl<BR />&nbsp;1 deny tcp any host 10.9.1.2<BR />&nbsp;2 deny tcp host 10.9.1.2 any<BR />&nbsp;3 deny udp any any eq domain<BR />&nbsp;4 deny udp any eq domain any<BR />&nbsp;5 permit tcp any any eq 80<BR />&nbsp;6 permit tcp any any eq 443</P><P>I have the same scenario working fine with a 3850 as a foreign WLC. However, I cannot get it working when the Foreign WLC is a WiSM2... The redirection part never happens, it seems that WiSM2 is not doing any redirection to ISE when HTTP/HTTPS traffic is intercepted. I always get the same behaviour, it seems that it doesn't matter what I configure in the redirect acl... ISE policies are applied to clients, but they never reach the ISE Authentication Web Portal, instead they are allowed to talk to the Internet without any authentication.</P><P>WiSM2:</P><P><IMG src="https://community.cisco.com/legacyfs/online/media/18_1.jpg" class="migrated-markup-image" /></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/19_1.jpg" class="migrated-markup-image" /></P><P>&nbsp;</P><P>5760 - Anchor:</P><P><IMG src="https://community.cisco.com/legacyfs/online/media/20_0.jpg" class="migrated-markup-image" /></P><P><IMG src="https://community.cisco.com/legacyfs/online/media/21_0.jpg" class="migrated-markup-image" /></P><P>&nbsp;</P><P>ISE:</P><P><IMG src="https://community.cisco.com/legacyfs/online/media/17_0.jpg" class="migrated-markup-image" /></P><P>&nbsp;</P><P>Any ideas?</P><P>Thank you very much for your help.</P><P>&nbsp;</P><P>Joana.</P> Wed, 30 Apr 2014 14:02:39 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425229#M86598 Joana Manzano 2014-04-30T14:02:39Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425230#M86599 <P>Hi,</P><P>I am afraid it is still not working for me.... I have tried exactly the same entries in the redirect ACL (change ISE IP address) and I configured it in both foreign/anchor WLC but no difference. I also verified both SSIDs have the same options configured.</P><P>I have post some more information about my topology and configuration as an answer to&nbsp;<SPAN class="fullname" style="color: rgb(153, 153, 153); background-color: rgb(247, 247, 247);"><SPAN rel="sioc:has_creator"><A about="/users/favoritevanilla" class="username" datatype="" href="https://supportforums.cisco.com/users/favoritevanilla" property="foaf:name" title="View user profile." typeof="sioc:UserAccount" lang="">Poonam Garg</A></SPAN></SPAN><SPAN style="color: rgb(153, 153, 153); background-color: rgb(247, 247, 247);">&nbsp;(</SPAN>up in this discussion thread). I would appreciate if you can have a look and check if there is something that you think might be wrong.</P><P>Thanks again.</P><P>Joana.</P> Wed, 30 Apr 2014 14:09:51 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425230#M86599 Joana Manzano 2014-04-30T14:09:51Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425231#M86600 <P>Joana,</P><P>Lets say your ISE server is at 10.10.10.10, The client is connecting to the guest network he gets and IP of 192.168.1.100.&nbsp; Does the DNS Server address your providing the guest have an entry and access to ISE at 10.10.10.10.&nbsp; Also allow ICMP on your ACL and once you connect as a guest, try to ping the fqdn of ISE.&nbsp; Verify its resolved.&nbsp; Also when you type a URL do you see your web browser showing its redirected but it never reaches ISE?&nbsp; Or does it go straight to the website?&nbsp; I'm thinking it may be a DNS issue now.&nbsp; Also instead of trying to search for eg. google.com type in an IP 1.1.1.1 - If your local DNS is working it wont trigger the ACL.</P><P>&nbsp;</P><P>Let me know the results please.&nbsp; I'm curious and would like to help while its still fresh in my head!</P> Wed, 30 Apr 2014 14:20:25 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425231#M86600 Ryan Coombs 2014-04-30T14:20:25Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425232#M86602 <P>Hi,</P><P>Clients get an IP address and a IP address of one of our internal DNS servers. Once I am connected to Guest SSID, I can talk straight to the website. The browser doesn't show any kind of redirection to ISE at any point. However, if I manually write the redirection-url got from ISE (say: <A href="https://ise.domain.com:8443/guestportal/gateway?sessionId=0a0933f10d0022775360f02&amp;action=cwa)&nbsp;on" target="_blank">https://ise.domain.com:8443/guestportal/gateway?sessionId=0a0933f10d0022775360f02&amp;action=cwa)&nbsp;on</A> my web browser I get the ISE Authentication Web Portal and I can login. My authentication/authorization status is updated on ISE (Guest User logged successfully). The thing is it doesn't happen automatically and access to the Internet is never restricted... It is like any other Open SSID with no security.</P><P>I don't know what you exactly mean with "<SPAN style="font-size: 14px; background-color: rgb(247, 247, 247);">Does the DNS Server address your providing the guest have an entry and access to ISE at 10.10.10.10"?&nbsp;</SPAN></P><P>Thanks again!</P><P>Joana.</P> Wed, 30 Apr 2014 14:38:14 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425232#M86602 Joana Manzano 2014-04-30T14:38:14Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425233#M86603 <P>Hello Joana,</P><P>Check your configuration on ISE. Under your UnknownProfile you are allowing web authentication centralised, ACL <STRONG>unknown</STRONG>.This acl need not to refer here and even need not to create. Under ACL you have to refer your <STRONG>redirect acl (pre-auth-acl) </STRONG>you have defined on WLC which is permitting access to/from ISE and DNS server. ISE is giving direction to WLC to apply that redirect ACL. As you can see on WiSM2 security information that ISE is returning AAA override ACL name unknown that is not configured.</P><P>You have to configure exact same name on ISE that is configured on WiSM2 and WLC.</P> Thu, 01 May 2014 04:33:44 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425233#M86603 Poonam Garg 2014-05-01T04:33:44Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425234#M86606 <P>Hi,</P><P>Sorry I put the old screenshot in the previous post, my mistake.I changed the name of the ACLs on both controllers and ISE from unknown to pre-auth-acl to be more meaningful. So, I have the acl "pre-auth-acl" configured in both controllers and also in the ACL field of the authorization profile on ISE.&nbsp;</P><P>These are the screenshots that show that "pre-auth-acl" is "applied" to clients:</P><P>wism2:</P><P><IMG src="https://community.cisco.com/legacyfs/online/media/wism2_client.png" class="migrated-markup-image" /></P><P>&nbsp;</P><P>5760-anchor:</P><P><IMG src="https://community.cisco.com/legacyfs/online/media/5760_client.png" class="migrated-markup-image" /></P><P>I also include a result of a debug in both controllers:</P><P>wism2:</P><P><SMALL>(WiSM-slot8-1) &gt;debug client 8c62.5a7f.41c1</SMALL></P><P><SMALL>*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Association received from mobile on BSSID 00:23:eb:de:3b:a1<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Global 200 Clients are allowed to AP radio<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Max Client Trap Threshold: 0 &nbsp;cur: 1<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Rf profile 600 Clients are allowed to AP wlan<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 5 on mobile<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 In processSsidIE:4795 setting Central switched to TRUE<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 In processSsidIE:4798 apVapId = 3 and Split Acl Id = 65535<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Applying site-specific Local Bridging override for station 8c:70:5a:7f:43:c0 - vapId 2, site 'SITE', interface 'management'<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Applying Local Bridging Interface Policy for station 8c:70:5a:7f:43:c0 - vlan 0, interface id 0, interface 'management'<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Applying site-specific override for station 8c:70:5a:7f:43:c0 - vapId 2, site 'SITE', interface 'management'<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 processSsidIE &nbsp;statusCode is 0 and status is 0<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 processSsidIE &nbsp;ssid_done_flag is 0 finish_flag is 0<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0<BR />*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 suppRates &nbsp;statusCode is 0 and gotSuppRatesElement is 1<BR />*apfMsConnTask_5: May 01 09:42:28.820: 8c:70:5a:7f:43:c0 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0<BR />*apfMsConnTask_5: May 01 09:42:28.820: 8c:70:5a:7f:43:c0 extSuppRates &nbsp;statusCode is 0 and gotExtSuppRatesElement is 1<BR />*apfMsConnTask_5: May 01 09:42:28.820: 8c:70:5a:7f:43:c0 apfMsAssoStateDec<BR />*apfMsConnTask_5: May 01 09:42:28.820: 8c:70:5a:7f:43:c0 apfProcessAssocReq (apf_80211.c:8159) Changing state for mobile 8c:70:5a:7f:43:c0 on AP 00:23:eb:de:3b:a0 from Associated to AAA Pending<BR />*apfMsConnTask_5: May 01 09:42:28.820: 8c:70:5a:7f:43:c0 Scheduling deletion of Mobile Station: &nbsp;(callerId: 20) in 10 seconds<BR />*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Received SGT for this Client.<BR />*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0<BR />*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Resetting web IPv4 acl from 5 to 255<BR />*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Resetting web IPv4 Flex acl from 65535 to 65535<BR />*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 5 on mobile<BR />*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type<BR />*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Applying site-specific override for station 8c:70:5a:7f:43:c0 - vapId 2, site 'SITE', interface 'management'<BR />*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Inserting AAA Override struct for mobile MAC: 8c:70:5a:7f:43:c0, source 2<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 apfMs1xStateDec<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 START (0) Initializing policy<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)<BR />*pemReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 Removed NPU entry.<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 Central switch is TRUE<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 Not Using WMM Compliance code qosCap 00<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:23:eb:de:3b:a0 vapId 2 apVapId 3 flex-acl-name:<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) pemApfAddMobileStation2 3439, Adding TMP rule<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule type = Airespace AP - Learn IP address on AP 00:23:eb:de:3b:a0, slot 0, interface = 13, QOS = 3 IPv4 ACL ID = 255, IP<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 &nbsp;Local Bridging Vlan = 0, Local Bridging intf id = 0<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) pemApfAddMobileStation2 3618, Adding TMP rule<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule type = Airespace AP - Learn IP address on AP 00:23:eb:de:3b:a0, slot 0, interface = 13, QOS = 3 IPv4 ACL ID = 255,<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 &nbsp;Local Bridging Vlan = 0, Local Bridging intf id = 0<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 apfMsAssoStateInc<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 8c:70:5a:7f:43:c0 on AP 00:23:eb:de:3b:a0 from AAA Pending to Associated<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 apfPemAddUser2:session timeout forstation 8c:70:5a:7f:43:c0 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is &nbsp;0<BR />*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 Scheduling deletion of Mobile Station: &nbsp;(callerId: 49) in 1800 seconds<BR />*apfReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800<BR />*apfReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 Sending Assoc Response to station on BSSID 00:23:eb:de:3b:a2 (status 0) ApVapId 3 Slot 0<BR />*apfReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 apfProcessRadiusAssocResp (apf_80211.c:3212) Changing state for mobile 8c:70:5a:7f:43:c0 on AP 00:23:eb:de:3b:a0 from Associated to Associated<BR />*pemReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 Set bi-dir guest tunnel for 8c:70:5a:7f:43:c0 as in Export Foreign role<BR />*pemReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4<BR />*pemReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 Set bi-dir guest tunnel for 8c:70:5a:7f:43:c0 as in Export Foreign role<BR />*pemReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4<BR />*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)<BR />*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff<BR />*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP processing DHCP DISCOVER (1)<BR />*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP &nbsp; op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0<BR />*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP &nbsp; xid: 0x62905efb (1653628667), secs: 0, flags: 0<BR />*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP &nbsp; chaddr: 8c:70:5a:7f:43:c0<BR />*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP &nbsp; ciaddr: 0.0.0.0, &nbsp;yiaddr: 0.0.0.0<BR />*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP &nbsp; siaddr: 0.0.0.0, &nbsp;giaddr: 0.0.0.0<BR />*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)<BR />*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff<BR />*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP processing DHCP DISCOVER (1)<BR />*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP &nbsp; op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0<BR />*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP &nbsp; xid: 0x62905efb (1653628667), secs: 1024, flags: 0<BR />*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP &nbsp; chaddr: 8c:70:5a:7f:43:c0<BR />*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP &nbsp; ciaddr: 0.0.0.0, &nbsp;yiaddr: 0.0.0.0<BR />*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP &nbsp; siaddr: 0.0.0.0, &nbsp;giaddr: 0.0.0.0<BR />*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP received op BOOTREPLY (2) (len 344,vlan 0, port 13, encap 0xec07)<BR />*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP processing DHCP OFFER (2)<BR />*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP &nbsp; op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0<BR />*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP &nbsp; xid: 0x62905efb (1653628667), secs: 0, flags: 0<BR />*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP &nbsp; chaddr: 8c:70:5a:7f:43:c0<BR />*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP &nbsp; ciaddr: 0.0.0.0, &nbsp;yiaddr: 10.8.3.10<BR />*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP &nbsp; siaddr: 10.8.3.1, &nbsp;giaddr: 0.0.0.0<BR />*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP &nbsp; server id: 10.8.3.1 &nbsp;rcvd server id: 10.8.3.1<BR />*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP successfully bridged packet to STA<BR />*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP received op BOOTREPLY (2) (len 344,vlan 0, port 13, encap 0xec07)<BR />*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP processing DHCP OFFER (2)<BR />*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP &nbsp; op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0<BR />*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP &nbsp; xid: 0x62905efb (1653628667), secs: 0, flags: 0<BR />*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP &nbsp; chaddr: 8c:70:5a:7f:43:c0<BR />*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP &nbsp; ciaddr: 0.0.0.0, &nbsp;yiaddr: 10.8.3.10<BR />*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP &nbsp; siaddr: 10.8.3.1, &nbsp;giaddr: 0.0.0.0<BR />*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP &nbsp; server id: 10.8.3.1 &nbsp;rcvd server id: 10.8.3.1<BR />*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP successfully bridged packet to STA<BR />*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP received op BOOTREQUEST (1) (len 341,vlan 0, port 13, encap 0xec03)<BR />*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff<BR />*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP processing DHCP REQUEST (3)<BR />*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP &nbsp; op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0<BR />*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP &nbsp; xid: 0x62905efb (1653628667), secs: 1024, flags: 0<BR />*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP &nbsp; chaddr: 8c:70:5a:7f:43:c0<BR />*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP &nbsp; ciaddr: 0.0.0.0, &nbsp;yiaddr: 0.0.0.0<BR />*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP &nbsp; siaddr: 0.0.0.0, &nbsp;giaddr: 0.0.0.0<BR />*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP &nbsp; requested ip: 10.8.3.10<BR />*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP &nbsp; server id: 10.8.3.1 &nbsp;rcvd server id: 10.8.3.1<BR />*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP received op BOOTREPLY (2) (len 344,vlan 0, port 13, encap 0xec07)<BR />*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP processing DHCP ACK (5)<BR />*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP &nbsp; op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0<BR />*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP &nbsp; xid: 0x62905efb (1653628667), secs: 0, flags: 0<BR />*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP &nbsp; chaddr: 8c:70:5a:7f:43:c0<BR />*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP &nbsp; ciaddr: 0.0.0.0, &nbsp;yiaddr: 10.8.3.10<BR />*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP &nbsp; siaddr: 10.8.3.1, &nbsp;giaddr: 0.0.0.0<BR />*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP &nbsp; server id: 10.8.3.1 &nbsp;rcvd server id: 10.8.3.1<BR />*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 apfMsRunStateInc<BR />*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 10.8.3.10 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)</SMALL></P><P><SMALL>*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 10.8.3.10 RUN (20) Reached PLUMBFASTPATH: from line 0<BR />*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 10.8.3.10 RUN (20) Replacing Fast Path rule<BR />&nbsp; type = Airespace AP Client<BR />&nbsp; on AP 00:23:eb:de:3b:a0, slot 0, interface = 13, QOS = 3<BR />&nbsp; IPv4 ACL ID = 255, IPv6 ACL ID =<BR />*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 10.8.3.10 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 &nbsp;Local Bridging Vlan = 0, Local Bridging intf id = 0<BR />*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 10.8.3.10 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)<BR />*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 Assigning Address 10.8.3.10 to mobile<BR />*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 DHCP success event for client. Clearing dhcp failure count for interface management.<BR />*DHCP Socket Task: May 01 09:42:39.001: 8c:70:5a:7f:43:c0 DHCP success event for client. Clearing dhcp failure count for interface management.<BR />*DHCP Socket Task: May 01 09:42:39.001: 8c:70:5a:7f:43:c0 DHCP successfully bridged packet to STA<BR />*pemReceiveTask: May 01 09:42:39.001: 8c:70:5a:7f:43:c0 Set bi-dir guest tunnel for 8c:70:5a:7f:43:c0 as in Export Foreign role<BR />*pemReceiveTask: May 01 09:42:39.001: 8c:70:5a:7f:43:c0 10.8.3.10 Added NPU entry of type 1, dtlFlags 0x4<BR />*pemReceiveTask: May 01 09:42:39.001: 8c:70:5a:7f:43:c0 Skip Foreign / Export Foreign Client IP 10.8.3.10 plumbing in FP SCB</SMALL></P><P>5760-anchor:</P><P><SMALL>anchorwlc5760-primary#<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_IP_BIND: w/ IPv4 0.0.0.0 ip_learn_type 0 add_delete 0,options_length 0<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_IP_BIND: w/ IPv4 10.8.3.10 ip_learn_type DHCP add_delete 1,options_length 0<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WcdbClientUpdate: IP Binding from WCDB ip_learn_type 0, add_or_delete 0<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 IPv4 Addr: 0:0:0:0<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Incrementing the Reassociation Count 1 for client (of interface GUEST)<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 MS got the IP, resetting the Reassociation Count 0 for client<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Clearing Address 10.8.3.9 on mobile<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: &nbsp;8c62.5a7f.41c1 &nbsp;10.8.3.9 WEBAUTH_REQD (8) pemAdvanceState2 3504, Adding TMP rule<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: &nbsp;8c62.5a7f.41c1 &nbsp;10.8.3.9 WEBAUTH_REQD (8) Replacing Fast Path rule^M &nbsp; on AP &nbsp;0000.0000.0000 , slot 0 802.1P = 0^M<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: &nbsp;8c62.5a7f.41c1 &nbsp;10.8.3.9 WEBAUTH_REQD (8) Successfully plumbed mobile rule<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Change state to DHCP_REQD (7) last state WEBAUTH_REQD (8)<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_CHANGE: Client 1 m_vlan 11 Radio iif id 0x0 bssid iif id 0x0, bssid 0000.0000.0000<BR />*May &nbsp;1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_AUTH: Adding opt82 len 0<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_LLM: NoRun Prev Mob 2, Curr Mob 2 llmReq 3, return False<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 auth state 2 mob state 2 setWme 0 wme 0 roam_sent 0<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_CHANGE: auth=LEARN_IP(2) vlan 11 radio 0 client_id 0x4d99c0000041c9 mobility=ExpAnchor(2) src_int 0x7bbcc000002fac dst_int 0x0 ackflag 2 reassoc_client 0 llm_notif 0 ip &nbsp;10.8.3.9 ip_learn_type 0<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WcdbClientUpdate: IP Binding from WCDB ip_learn_type 1, add_or_delete 1<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 IPv4 Addr: 10:9:65:39<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 MS got the IP, resetting the Reassociation Count 0 for client<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Change state to WEBAUTH_REQD (8) last state DHCP_REQD (7)<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_CHANGE: Client 1 m_vlan 11 Radio iif id 0x0 bssid iif id 0x0, bssid 0000.0000.0000<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_AUTH: Adding opt82 len 0<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_LLM: NoRun Prev Mob 2, Curr Mob 2 llmReq 3, return False<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 auth state 3 mob state 2 setWme 0 wme 0 roam_sent 0<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_CHANGE: auth=L3_AUTH(3) vlan 11 radio 0 client_id 0x4d99c0000041c9 mobility=ExpAnchor(2) src_int 0x7bbcc000002fac dst_int 0x0 ackflag 2 reassoc_client 0 llm_notif 0 ip &nbsp;10.8.3.10 ip_learn_type DHCP<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Posture or Central Web Auth client, start session on IOS after client moves to RUN state<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: &nbsp;8c62.5a7f.41c1 &nbsp;10.8.3.10 WEBAUTH_REQD (8) pemAdvanceState2 4388, Adding TMP rule<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: &nbsp;8c62.5a7f.41c1 &nbsp;10.8.3.10 WEBAUTH_REQD (8) Replacing Fast Path rule^M &nbsp; on AP &nbsp;0000.0000.0000 , slot 0 802.1P = 0^M<BR />*May &nbsp;1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: &nbsp;8c62.5a7f.41c1 &nbsp;10.8.3.10 WEBAUTH_REQD (8) Successfully plumbed mobile rule<BR />*May &nbsp;1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Plumbing web-auth redirect rule due to user logout<BR />*May &nbsp;1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 &nbsp; Sending IPv4 update to Controller 10.8.252.83<BR />*May &nbsp;1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Guest User() &nbsp;assigned IP Address (10.8.3.10)<BR />*May &nbsp;1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Assigning Address 10.8.3.10 to mobile<BR />*May &nbsp;1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: PEM recv processing msg Add SCB(3)<BR />*May &nbsp;1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 10.8.3.9, auth_state 8 mmRole ExpAnchor !!!<BR />*May &nbsp;1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 10.8.3.9, auth_state 8 mmRole ExpAnchor, updating wcdb not needed<BR />*May &nbsp;1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Tclas Plumb needed: 0<BR />*May &nbsp;1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: PEM recv processing msg Add SCB(3)<BR />*May &nbsp;1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 10.8.3.10, auth_state 8 mmRole ExpAnchor !!!<BR />*May &nbsp;1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 10.8.3.10, auth_state 8 mmRole ExpAnchor, updating wcdb not needed<BR />*May &nbsp;1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Tclas Plumb needed: 0<BR />*May &nbsp;1 08:55:05.409: %IOSXE-7-PLATFORM: 1 process wcm: WCDB_IIF: Ack Message ID: 0x682740000041e1 code 1003</SMALL></P><P>I find quite weird that there is no reference about changing from ACL "none" to "pre-auth-acl" or any other indication that ISE is pushing the Authorization profile (current name GUEST-CWA). I am quite sure I have seen that before as a result of debug command. However, according to the client information the profile is applied and the URL redirect is also specified...</P><P>Thanks&nbsp;<A about="/users/favoritevanilla" class="username" datatype="" href="https://supportforums.cisco.com/users/favoritevanilla" property="foaf:name" title="View user profile." typeof="sioc:UserAccount" lang="">Poonam Garg</A>&nbsp;and sorry for the confusion.</P><P>Joana.</P> Thu, 01 May 2014 09:29:32 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425234#M86606 Joana Manzano 2014-05-01T09:29:32Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425235#M86607 <P>Please check if your guest anchor WLC is able to connect to ISE on port 8443 as once the redirect acl is applied on wlc, its the guest anchor WLC which will redirect the url request to ISE guest portal.</P> Thu, 01 May 2014 14:07:14 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425235#M86607 Poonam Garg 2014-05-01T14:07:14Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425236#M86609 <P>Yes, the anchor can talk to ISE:</P><P><SMALL>anchorwlc5760-primary#telnet 10.9.1.2 8443<BR />Trying 10.9.1.2, 8443 ... Open</SMALL></P><P>It is quite frustrating... <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;</P><P>I have configured my pre-auth-acl with a deny entry in both foreign/anchor WLCs:</P><P>ip access-list extended pre-auth-acl<BR />&nbsp;1&nbsp;deny ip any any</P><P>My laptop was not able to get an IP address when joined the GUEST SSID. This is what I would expect, so that's fine. Then, I allowed DHCP so clients would be able to get an IP:</P><P>ip access-list extended pre-auth-acl<BR />&nbsp;1 permit udp any eq bootpc any eq bootps<BR />&nbsp;2 permit udp any eq bootps any eq bootpc<BR />&nbsp;3 deny ip any any</P><P>I was able to get an IP but I also was able to do DNS requests (nslookup from cmd), access ISE and access the Internet. How is that possible if my ACLs configured on the foreign/anchor controllers only allow DHCP? I think the pre-auth-acl is not applied once you get an IP. I know it sounds weird... but it is what happens. I have DHCP Snooping configured on the anchor controller, could it affect to AAA override in some way?: (GUEST VLAN is 11)</P><P>ip dhcp snooping vlan 1,11-13<BR />ip dhcp snooping wireless bootp-broadcast enable<BR />ip dhcp snooping</P><P>interface TenGigabitEthernet1/0/2<BR />&nbsp;switchport trunk allowed vlan 1,11-13<BR />&nbsp;switchport mode trunk<BR />&nbsp;ip dhcp relay information trusted<BR />&nbsp;ip dhcp snooping trust<BR />end</P><P>&nbsp;</P><P>Thanks for your help!</P><P>Joana.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 01 May 2014 14:25:59 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425236#M86609 Joana Manzano 2014-05-01T14:25:59Z https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425237#M86612 <P>I have removed dhcp snooping configuration for testing purposes but clients are not able to get an IP, they are stuck in DHCP_REQD status.</P><P>Joana.</P> Thu, 01 May 2014 15:32:41 GMT https://community.cisco.com/t5/network-access-control/wism2-ise-central-web-authentication-redirection-acl-does-not/m-p/2425237#M86612 Joana Manzano 2014-05-01T15:32:41Z