06-27-2018 04:40 AM
Hi Experts,
While configuring for wired guest redirection using the sponsor guest portal, I have seen something weird that is happening here.
When I have the user redirect from a test switch to the Test ISE server, the redirection URL is working and can be seen on switch as well as the Test endpoint browser.
Then I make the same configuration on our Production server, but there is no redirection URL!
I have the same guest redirect ACL in test and production ISE instances.
Also, the AuthZ profiles, policy and conditions are the same as well.
Not sure what is going on.
Could anyone shed some light on this issue, and what are the things that could be missing?
Any pointers are really helpful.
06-28-2018 09:25 AM
Authorized By: Critical Auth
Critical Auth kicks in when the switch can't communicate with the RADIUS server. It's probably a firewall issue. As far as the redirect being on another switch, it's possible that happens if you have a switch upstream that is doing multi-auth on the downlink port. Then that switch could possibly be sending an authc request to ISE for the same endpoint via MAB. I don't recommend this design if you have it configured that way.
George
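As an added example (not part of this thread or of any Cisco tooling), a small Python check that parses the "show authentication sessions interface ... details" output quoted later in the thread and flags a session that was authorized by Critical Auth rather than by ISE. The sample text is constructed from that posted output, and the RADIUS port list is the one named in the earlier reply.

```python
from typing import Dict, List, Tuple

# Constructed sample, trimmed from the switch output posted in the thread.
SAMPLE_SESSION = """\
Interface: FastEthernet1/0/3
MAC Address: 54e1.ad5d.194a
IP Address: 10.226.242.13
User-Name: 54e1ad5d194a
Status: Authz Success
Oper host mode: multi-host
Authorized By: Critical Auth
Vlan Policy: 231
Runnable methods list:
Method State
mab Authc Failed
dot1x Not run
Critical Authorization is in effect for domain(s) DATA and VOICE
"""

# RADIUS auth/acct ports mentioned in the thread (UDP).
RADIUS_PORTS = (1812, 1813, 1645, 1646)


def parse_session(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split the output into 'Field: value' attributes and the method/state table."""
    attrs: Dict[str, str] = {}
    methods: Dict[str, str] = {}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            # Rows look like "mab Authc Failed"; skip the header and trailing notes.
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in ("mab", "dot1x", "webauth"):
                methods[parts[0]] = parts[1]
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs, methods


def diagnose(text: str) -> List[str]:
    """Return findings when the switch, not ISE, authorized the session."""
    attrs, methods = parse_session(text)
    findings: List[str] = []
    if attrs.get("Authorized By") == "Critical Auth":
        findings.append("critical-auth: switch could not reach RADIUS, so ISE never "
                        "returned the redirect ACL/URL for this session")
        findings.append("check the firewall path from switch to ISE PSN on UDP "
                        + ", ".join(str(p) for p in RADIUS_PORTS))
        if methods.get("mab", "").startswith("Authc Failed"):
            findings.append("mab: Authc Failed alongside Critical Auth is consistent "
                            "with no RADIUS reply rather than an ISE policy reject")
    return findings
```

Compare the findings with RADIUS Live Logs on ISE: a session authorized by Critical Auth will not show a matching authorization from the PSN for that switch.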
06-27-2018 05:06 AM
Firewall between the deployment switch and ISE?
Blocked ports 1812, 1813, 1645, 1646?
06-27-2018 11:26 PM
Yes, these ports are open and I can see that the request is hitting the right policy and condition on ISE server.
06-27-2018 05:14 AM
Would suggest trying a new portal on your production.
Use TAC to debug.
06-27-2018 05:16 AM
Also try a different browser.
06-27-2018 05:47 AM
06-27-2018 11:25 PM
I have rechecked the configuration and all the things are in the right place.
There is a redirect ACL on the switch, and as of now I have included only one PSN in the ACL.
I can see that it's hitting the right policy and condition, but even then I am not able to see any redirection URL on the switch.
The user is then presented with the guest login page, he enters the credentials, but then authentication fails and there is no access.
This is happening even when the user is present...
06-27-2018 11:28 PM
Tried with a completely new portal, yet I don't see the redirect URL on the switch, whereas on ISE I can see that it's hitting the right policy and condition.
Also, the user is able to see the guest login page on his endpoint, but his authentication fails, even when the user is present in the guest users...
06-28-2018 03:09 AM
While troubleshooting further, I found that the redirection URL was being sent, but it was being sent by another switch.
The user was able to authenticate and gain access as it normally would.
So the question is, if this switch is in open mode, in that case...
if ports 1812 and 1813 are not open between ISE and the switch, will another switch that has the ports open to ISE process the request?
Is this something strange, or has it been faced earlier as well?
06-28-2018 03:19 AM
Not clear what is meant by "sent by another switch". The redirection is originated by ISE, not the switch. Once the redirect authorization is applied to the access device, the user is redirected by the wireless controller or wired switch to which it is connected. The only way I see that happening is if you are hanging additional hubs/switches off an authenticating switch port.
You will see in RADIUS Live Logs the switch IP (Device IP and NAS-IP-Address) of the authenticating network access device. Authorization will be sent to that switch only. The URL redirect should be seen on connected switchport using the "sh auth session interface <x> detail" command (or similar command depending on model/version).
06-28-2018 03:19 AM
I think the answer is NO. The endpoint is connected to one switch, no matter if there are any other switches; the request will be sent exactly from this switch, and the answer must be on the same switch, on the same port that the endpoint is on. Give us some configuration from the switch; my opinion is NO.
06-28-2018 04:18 AM
I could see where 2 different switches are running an SVI for the same VLAN perhaps, and traffic is perhaps being proxied by another switch?
06-28-2018 04:26 AM
OK, let's say the same SVI interface, but this interface must have a different IP address: switch 1 has one IP address on the SVI and switch 2 has another.
In my deployment most switches are on the same SVI, for example interface Vlan570, but all of them have different IP addresses. And I never face this. And according to networking, I don't think it is possible.
06-28-2018 04:37 AM
show authentication sessions interface fastEthernet 1/0/3 details please.
And a screenshot from RADIUS live logs.
06-28-2018 04:58 AM
Here is the output for Auth sessions:
NAC-3750v1#sh auth sess int fa1/0/3
Interface: FastEthernet1/0/3
MAC Address: 54e1.ad5d.194a
IP Address: 10.226.242.13
User-Name: 54e1ad5d194a
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-host
Oper control dir: both
Authorized By: Critical Auth
Vlan Policy: 231
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AE2E8190000008B0F0373F3
Acct Session ID: 0x000000A6
Handle: 0x1400008B
Runnable methods list:
Method State
mab Authc Failed
dot1x Not run
Critical Authorization is in effect for domain(s) DATA and VOICE
Live logs:
What exactly is needed from live logs?