Cisco Employee

CWA looped (using ISE2.1 and Catalyst 3850)

I am setting up a Wired Central Web Authentication demo using ISE 2.1 and a Catalyst 3850. I can successfully see the redirection to the Web Authentication portal. After we authenticate to the Web Authentication portal, it loops and redirects me back to the authentication portal again. Below are the captures of what I did. Please help me see if I did anything incorrectly.

Switch interface configuration:

ip access-list extended ACL_WEBAUTH_REDIRECT
 permit udp any any eq bootpc
 permit udp any eq bootpc any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq domain
 permit tcp any eq domain any
ip access-list extended redirect-acl
 permit udp any any eq bootpc
 permit udp any eq bootpc any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq domain
 permit tcp any eq domain any
 permit icmp any any
 permit tcp any any eq 8443
 permit tcp any eq 8443 any
 permit udp any any eq domain
 permit udp any eq domain any
!
interface GigabitEthernet1/0/13
 switchport access vlan 101
 switchport mode access
 ip access-group redirect-acl in
 authentication event server dead action authorize vlan 101
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab webauth
 authentication priority webauth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
end

Contributor

Re: CWA looped (using ISE2.1 and Catalyst 3850)

Your ACL does not seem to be right. Whatever you permit on the switch in the redirect ACL is redirected; whatever you deny is not redirected. Typically you would want ports 80 and 443 to be redirected (so permit), not DHCP, DNS, the ISE IP, etc. (so deny).

So modify your ACL and try again. Let me know.

-Rate helpful posts-
Cisco Employee

Re: CWA looped (using ISE2.1 and Catalyst 3850)

We should use separate ACLs -- one for URL redirect and the other for port ACL. Please see Cisco Switches for more info.

Below are examples for each:

-- ACL for URL redirect --

ip access-list extended ACL-URL-REDIRECT
 deny   tcp any host 10.1.100.222 eq www
 permit tcp any any eq www

where 10.1.100.222 is a remediation web site, so it is "denied" to allow those requests to go through. Since there is an implicit deny, all non-HTTP connections will not trigger web redirect.

-- ACL to apply for default port access --

ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Drop all the rest
 deny   ip any any log
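As an added illustration (not code from this thread, from Cisco, or from ISE), the following Python evaluator applies the first-match, implicit-deny semantics of a Catalyst extended ACL to the original poster's redirect-acl and to the ACL-URL-REDIRECT shown in this reply. For a redirect ACL a "permit" match means the switch intercepts the flow and sends it to the portal. The flow addresses (192.0.2.x, 198.51.100.x) are constructed documentation-range values; 10.1.100.222 is the remediation host from this reply. Running it shows why the original ACL loops: DHCP, DNS and ICMP are all redirected, so the client never completes address assignment or name resolution cleanly, whereas the corrected ACL redirects only HTTP that is not bound for the remediation host.

```python
"""Evaluate IOS-style extended ACLs (first match wins, implicit deny) against
sample flows, interpreting 'permit' as 'redirect to the CWA portal'.
Supports the subset of ACE syntax used on this page: permit/deny, a protocol,
'any' or 'host X' addresses, and an optional 'eq <port>' after either address."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known port names accepted by IOS ACL syntax (subset used on this page).
PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67, "tftp": 69}


@dataclass(frozen=True)
class Flow:
    proto: str                 # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: Optional[int]    # None for ICMP
    dst_ip: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp", "icmp" or "ip" (matches all)
    src_ip: Optional[str]      # None means "any"
    src_port: Optional[int]    # None means no 'eq' qualifier
    dst_ip: Optional[str]
    dst_port: Optional[int]


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any' or 'host X' at tokens[i]; return (ip_or_None, next_index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def _parse_port(tokens: List[str], i: int):
    """Parse an optional 'eq <port>' at tokens[i]; return (port_or_None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, None) or int(name), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse the body of an 'ip access-list extended' block into ACEs, in order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("remark", "ip", "!"):
            continue  # skip the header line, remarks and separators
        action, proto = tokens[0], tokens[1]
        src_ip, i = _parse_addr(tokens, 2)
        src_port, i = _parse_port(tokens, i)
        dst_ip, i = _parse_addr(tokens, i)
        dst_port, i = _parse_port(tokens, i)   # trailing 'log' etc. is ignored
        aces.append(Ace(action, proto, src_ip, src_port, dst_ip, dst_port))
    return aces


def _matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.src_ip is not None and ace.src_ip != flow.src_ip:
        return False
    if ace.dst_ip is not None and ace.dst_ip != flow.dst_ip:
        return False
    if ace.src_port is not None and ace.src_port != flow.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != flow.dst_port:
        return False
    return True


def redirected(aces: List[Ace], flow: Flow) -> bool:
    """True if the first matching ACE is a permit (flow is sent to the portal)."""
    for ace in aces:
        if _matches(ace, flow):
            return ace.action == "permit"
    return False  # implicit deny: the flow passes without redirection


def evaluate(acl_text: str, flows: Dict[str, Flow]) -> Dict[str, bool]:
    """Map each named flow to whether the given ACL would redirect it."""
    aces = parse_acl(acl_text)
    return {name: redirected(aces, flow) for name, flow in flows.items()}


# The original poster's redirect ACL, copied from the question above.
ORIGINAL_REDIRECT_ACL = """ip access-list extended redirect-acl
 permit udp any any eq bootpc
 permit udp any eq bootpc any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq domain
 permit tcp any eq domain any
 permit icmp any any
 permit tcp any any eq 8443
 permit tcp any eq 8443 any
 permit udp any any eq domain
 permit udp any eq domain any"""

# The corrected redirect ACL from this reply (10.1.100.222 = remediation host).
CORRECTED_REDIRECT_ACL = """ip access-list extended ACL-URL-REDIRECT
 deny   tcp any host 10.1.100.222 eq www
 permit tcp any any eq www"""

# Constructed sample flows from a client at 192.0.2.10 (documentation range).
SAMPLE_FLOWS = {
    "dhcp-discover":    Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns-query":        Flow("udp", "192.0.2.10", 50000, "192.0.2.53", 53),
    "icmp-echo":        Flow("icmp", "192.0.2.10", None, "192.0.2.1", None),
    "http-internet":    Flow("tcp", "192.0.2.10", 51000, "198.51.100.80", 80),
    "http-remediation": Flow("tcp", "192.0.2.10", 51001, "10.1.100.222", 80),
    "https-internet":   Flow("tcp", "192.0.2.10", 51002, "198.51.100.80", 443),
}

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_REDIRECT_ACL),
                       ("corrected", CORRECTED_REDIRECT_ACL)):
        print(f"{label} ACL:")
        for name, hit in evaluate(acl, SAMPLE_FLOWS).items():
            print(f"  {name:18} {'REDIRECTED' if hit else 'passes'}")
```

The evaluator only models the redirect decision; the separate port ACL (ACL-DEFAULT above) and the CoA that the final reply mentions are what actually clear the redirect state after portal login, so a correct redirect ACL is necessary but not sufficient on its own.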

Cisco Employee

Re: CWA looped (using ISE2.1 and Catalyst 3850)

To share my troubleshooting result: I found that I had missed the CoA configuration on both ISE and the switch. Once the CoA configurations were done, the loop problem vanished.