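This post was last edited by billywai on 2017-11-17 14:55.
I ran into some problems with Web-Auth, which fall roughly into three parts.
1. When authenticating on a LAN port, the client is not automatically redirected to the Guest Portal. Below are the port and related ACL details: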
ISETEST#sh authentication sessions interface g1/0/5
Interface: GigabitEthernet1/0/5
MAC Address: f0dc.f1ab.4142
IP Address: 192.168.3.56
User-Name: F0-DC-F1-AB-41-42
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: cwa_redirect
URL Redirect:
https://ciscoise.testise.com.cn:8443/portal/gateway?ses sionId=C0A802F4000000787BAA3138&portal=4afcf440-e371-11e6-92ce-005056873bd0&acti on=cwa&type=drw&token=1eec267384802ba3979b50f58652796f
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A802F4000000787BAA3138
Acct Session ID: 0x0000014B
Handle: 0x7B000079
Runnable methods list:
Method State
dot1x Failed over
ACL:
Extended IP access list cwa_redirect
10 deny ip any host 192.168.2.206 (2349 matches)
20 permit tcp any any eq www (1220 matches)
30 permit tcp any any eq 443 (2198 matches)
2. Wi-Fi hotspot authentication problem
Authentication succeeds, but the live log shows the following problem:
Authentication Details
Source Timestamp | 2017-11-17 14:24:30.763 |
Received Timestamp | 2017-11-17 14:24:30.764 |
Policy Server | ciscoise |
Event | 5417 Dynamic Authorization failed |
Failure Reason | 11103 RADIUS-Client encountered error during processing flow |
Resolution | Do the following: 1) Verify shared secret matches on the ISE Server and corresponding AAA Client, External AAA Server or External RADIUS Token Server. 2) Check the AAA Client or External Server for hardware problems. 3) Check the network devices that connect the AAA peer to ISE for hardware problems. 4) Check whether the network device or AAA Client has any known RADIUS compatibility issues. |
Root cause | RADIUS-Client encountered an error during processing flow |
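P.S.: The core switch does not yet have aaa-server radius dynamic-author enabled.
3. Web-auth second authentication problem
After successfully authenticating with the access code the first time, the second login connects directly without needing to enter the access code.
Below is the authentication policy: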
live log: