https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4169373#M1074940 <P>Hello Aref,</P><P>This is the ip device tracking configured on the switch,</P><P>ip device tracking probe auto-source override</P><P>&nbsp;</P><P>And this s the auth sess on the switch</P><P>&nbsp;</P><P>sh auth ses int gig1/0/10 det<BR />Interface: GigabitEthernet1/0/10<BR />MAC Address: 705a.0f2a.47de<BR />IPv6 Address: Unknown<BR />IPv4 Address: 10.100.105.39<BR />User-Name: 70-5A-0F-2A-47-DE<BR />Status: Authorized<BR />Domain: DATA<BR />Oper host mode: multi-auth<BR />Oper control dir: both<BR />Session timeout: N/A<BR />Restart timeout: N/A<BR />Session Uptime: 38s<BR />Common Session ID: 0AC8D064000000130016B6D8<BR />Acct Session ID: 0x0000000A<BR />Handle: 0x93000009<BR />Current Policy: POLICY_Gi1/0/10</P><P>Local Policies:<BR />Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)</P><P>Server Policies:<BR />URL Redirect: <A href="https://-ISE-PAN.tcra.go.tz:8443/portal/gateway?sess" target="_blank" rel="noopener">https://-ISE-PAN.go.tz:8443/portal/gateway?sess</A> ionId=0AC8D064000000130016B6D8&amp;portal=50fbc805-6bde-4e28-8a3e-17750f938538&amp;actio n=cwa&amp;token=9001b7aa3cef3be1632ca7c15df03a7b</P><P>URL Redirect ACL: ACL-WEB-REDIRECT<BR />ACS ACL: xACSACLx-IP-Web_Authentication_Policy-5f8975ae</P><P>Method status list:<BR />Method State</P><P>dot1x Stopped<BR />mab Authc Success</P> Mon, 19 Oct 2020 10:13:53 GMT Tutu 2020-10-19T10:13:53Z https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168129#M1074862 <P>Hello,</P><P>&nbsp;</P><P>I am not able to use the user name and password created by a sponsor in Cisco ISE.</P><P>Also before i log in i can still access the internet but i cant access ISE.</P><P>&nbsp;</P><P>&nbsp;</P><P>Please help.</P> Fri, 16 Oct 2020 09:28:21 GMT https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168129#M1074862 Tutu 2020-10-16T09:28:21Z https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168137#M1074863 <P>If your 802.1x configured correctly on the switch, if the device not belong to any Group, and you redirecting them to guest access, it should work as expected.</P> <P>&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId-58047160" target="_blank">https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId-58047160</A></P> <P>&nbsp;</P> <P>we are not clear "Also before i log in i can still access the internet but i cant access ISE." Can you share more information, how the switch configured ?</P> <P>&nbsp;</P> Fri, 16 Oct 2020 09:48:58 GMT https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168137#M1074863 balaji.bandi 2020-10-16T09:48:58Z https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168146#M1074864 <P>I have a normal user that i created through ise and it works because under user groups i have selected guest. But if i use a user that i created through Sponsor portal i can not log in.</P><P>&nbsp;</P><P>So what i meant was that before entering username and password to access the internet. i can already access google and everything else apart from ISE</P><P>This is my switch ACL config</P><P>&nbsp;</P><P>Extended IP access list ACL-ALLOW<BR />10 permit ip any any<BR />Extended IP access list ACL-WEB-REDIRECT ------ This is what redirects me to log in when i try to access cisco ise.<BR />10 permit tcp any any eq www<BR />20 permit tcp any any eq 443<BR />30 deny ip any any<BR />Extended IP access list Auth-Default-ACL-OPEN<BR />10 permit ip any any<BR />Extended IP access list CISCO-CWA-URL-REDIRECT-ACL<BR />100 deny udp any any eq domain<BR />101 deny tcp any any eq domain<BR />102 deny udp any eq bootps any<BR />103 deny udp any any eq bootpc<BR />104 deny udp any eq bootpc any<BR />105 permit tcp any any eq www<BR />Extended IP access list preauth_ipv4_acl (per-user)<BR />10 permit udp any any eq domain<BR />20 permit tcp any any eq domain<BR />30 permit udp any eq bootps any<BR />40 permit udp any any eq bootpc<BR />50 permit udp any eq bootpc any<BR />60 deny ip any any</P><P>&nbsp;</P> Fri, 16 Oct 2020 10:00:30 GMT https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168146#M1074864 Tutu 2020-10-16T10:00:30Z https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168180#M1074873 <P>Without seeing your policies it would be tricky to find out the root cause. Regarding accesses prior to authentication, if you don't have a dACL applied to the authz rule that redirects the users, that would allow full access during that time. You might need to create a limited-accesses dACL and apply it to the redirect authz profile.</P> Fri, 16 Oct 2020 11:09:42 GMT https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168180#M1074873 Aref Alsouqi 2020-10-16T11:09:42Z https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168780#M1074917 <P>Hello Aref,</P><P>These are my policies for Guest access and DACL for web authentication and Guest</P><P>DACL for web authentication profile</P><P>permit ip any host 10.100.200.82</P><P>permit udp any any eq bootps</P><P>permit udp any eq bootpc any</P><P>permit icmp any any</P><P>Guest DACL</P><P>permit ip any any</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="guestaccess1policy.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86201i9E3EC615C8067438/image-size/large?v=v2&amp;px=999" role="button" title="guestaccess1policy.png" alt="guestaccess1policy.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="guestportal.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86199i514442156211BB57/image-size/large?v=v2&amp;px=999" role="button" title="guestportal.png" alt="guestportal.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="guestprofile.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86202iADB25A7F7ACC5F1B/image-size/large?v=v2&amp;px=999" role="button" title="guestprofile.png" alt="guestprofile.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webauthpolicyguest2.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86200i2938B2863AEE1076/image-size/large?v=v2&amp;px=999" role="button" title="webauthpolicyguest2.png" alt="webauthpolicyguest2.png" /></span></P> Sat, 17 Oct 2020 18:22:56 GMT https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168780#M1074917 Tutu 2020-10-17T18:22:56Z https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168948#M1074923 <P>I don't see the dACL applied to the Web Portal Profile authz profile, did you apply it in there? if not, you need to apply it along with the redirections ACL as shown on the screenshot.</P> Sun, 18 Oct 2020 17:04:42 GMT https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168948#M1074923 Aref Alsouqi 2020-10-18T17:04:42Z https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168963#M1074926 <P>Yes i have applied dacl to the web auth profile.</P><P>permit ip any host 10.100.200.82</P><P>permit udp any any eq bootps</P><P>permit udp any eq bootpc any</P><P>permit icmp any any</P><P>&nbsp;</P> Sun, 18 Oct 2020 18:00:06 GMT https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168963#M1074926 Tutu 2020-10-18T18:00:06Z https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168971#M1074927 <P>Did you check if the dACL is actually being applied to the session?, you can check that with the command <STRONG>sh auth sess int x/x/x det</STRONG>. Also, did you make sure IP device tracking is enabled on the switch? if not, dACL won't work since the switch would not be able to replace the any keyword with the actual IP address of the client.</P> Sun, 18 Oct 2020 18:33:12 GMT https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4168971#M1074927 Aref Alsouqi 2020-10-18T18:33:12Z https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4169373#M1074940 <P>Hello Aref,</P><P>This is the ip device tracking configured on the switch,</P><P>ip device tracking probe auto-source override</P><P>&nbsp;</P><P>And this s the auth sess on the switch</P><P>&nbsp;</P><P>sh auth ses int gig1/0/10 det<BR />Interface: GigabitEthernet1/0/10<BR />MAC Address: 705a.0f2a.47de<BR />IPv6 Address: Unknown<BR />IPv4 Address: 10.100.105.39<BR />User-Name: 70-5A-0F-2A-47-DE<BR />Status: Authorized<BR />Domain: DATA<BR />Oper host mode: multi-auth<BR />Oper control dir: both<BR />Session timeout: N/A<BR />Restart timeout: N/A<BR />Session Uptime: 38s<BR />Common Session ID: 0AC8D064000000130016B6D8<BR />Acct Session ID: 0x0000000A<BR />Handle: 0x93000009<BR />Current Policy: POLICY_Gi1/0/10</P><P>Local Policies:<BR />Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)</P><P>Server Policies:<BR />URL Redirect: <A href="https://-ISE-PAN.tcra.go.tz:8443/portal/gateway?sess" target="_blank" rel="noopener">https://-ISE-PAN.go.tz:8443/portal/gateway?sess</A> ionId=0AC8D064000000130016B6D8&amp;portal=50fbc805-6bde-4e28-8a3e-17750f938538&amp;actio n=cwa&amp;token=9001b7aa3cef3be1632ca7c15df03a7b</P><P>URL Redirect ACL: ACL-WEB-REDIRECT<BR />ACS ACL: xACSACLx-IP-Web_Authentication_Policy-5f8975ae</P><P>Method status list:<BR />Method State</P><P>dot1x Stopped<BR />mab Authc Success</P> Mon, 19 Oct 2020 10:13:53 GMT https://community.cisco.com/t5/network-security/wired-guest-access-cisco-ise/m-p/4169373#M1074940 Tutu 2020-10-19T10:13:53Z