While configuring wired guest redirection using the sponsor guest portal, I have seen something weird happening here.
When I have the user redirected from a test switch to the test ISE server, the redirection URL works and can be seen on the switch as well as in the test endpoint's browser.
Then I made the same configuration on our production server, but there is no redirection URL!
I have the same guest redirect ACL in the test and production ISE instances.
Also, the AuthZ profiles, policy and conditions are the same as well.
Not sure what is going on.
Could anyone shed some light on this issue, and on what could be missing?
Any pointers are really helpful.
Authorized By: Critical Auth
Critical Auth kicks in when the switch can't communicate with the RADIUS server. It's probably a firewall issue. As far as the redirect being on another switch, it's possible that happens if you have a switch upstream that is doing multi-auth on the downlink port; then that switch could possibly be sending an authc request to ISE for the same endpoint via MAB. I don't recommend this design if you have it configured that way.
I have rechecked the configuration and all the things are in the right place.
There is a redirect ACL on the switch, and as of now I have included only one PSN in the ACL.
I can see that it is hitting the right policy and condition, but even then I am not able to see any redirection URL on the switch.
The user is then presented with the guest login page; he enters the credentials, but then authentication fails and there is no access.
This is happening even when the user is present...
Tried with a completely new portal, yet I don't see the redirect URL on the switch, whereas on ISE I can see that it is hitting the right policy and condition.
Also, the user is able to see the guest login page on his endpoint, but his authentication fails, even though the user is present in the guest users...
While troubleshooting further, I found that the redirection URL was being sent, but it was being sent by another switch.
The user was able to authenticate and gain access as he normally would.
So the question is that, if this switch is in open mode, in that case...
if ports 1812 and 1813 are not open between ISE and the switch, will another switch that has those ports open to ISE process the request?
Is this something strange, or has it been faced earlier as well?
Not clear what is meant by "sent by another switch". The redirection is originated by ISE, not the switch. Once the redirect authorization is applied to the access device, the user is redirected by the wireless controller or wired switch to which it is connected. The only way I see that happening is if you are hanging additional hubs/switches off an authenticating switch port.
You will see in RADIUS Live Logs the switch IP (Device IP and NAS-IP-Address) of the authenticating network access device. Authorization will be sent to that switch only. The URL redirect should be seen on connected switchport using the "sh auth session interface <x> detail" command (or similar command depending on model/version).
I think the answer is NO. The endpoint is connected to one switch, no matter whether there are other switches; the request will be sent exactly from this switch, and the answer must come back to the same switch, on the same port the endpoint is on. Give us some configuration from the switch. My opinion is NO.
I could see where two different switches are running an SVI for the same VLAN, perhaps, and traffic is being proxied by another switch?
OK, let's say the same SVI interface, but this interface must have a different IP address: one switch has one IP address and the other switch has a second IP address on the SVI.
In my deployment most of the switches are on the same SVI, for example interface Vlan570, but all of them have different IP addresses. And I have never faced this. And according to networking, I don't think it is possible.
Here is the output for Auth sessions:
NAC-3750v1#sh auth sess int fa1/0/3
MAC Address: 54e1.ad5d.194a
IP Address: 10.226.242.13
Status: Authz Success
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-host
Oper control dir: both
Authorized By: Critical Auth
Vlan Policy: 231
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AE2E8190000008B0F0373F3
Acct Session ID: 0x000000A6
Runnable methods list:
mab Authc Failed
dot1x Not run
Critical Authorization is in effect for domain(s) DATA and VOICE
What exactly is needed from the live logs?
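As an added example (not code from this thread or from Cisco), here is a Python script that triages the `sh auth sess int <x>` output the way the replies above suggest: it flags `Authorized By: Critical Auth` (the switch authorized the port locally because no RADIUS server answered, so ISE's redirect never reached it), distinguishes that from an ISE-authorized session that simply carries no `URL Redirect` attribute, and, for a session that does carry one, checks that the `sessionId` in the redirect URL matches the switch's own `Common Session ID`. The first sample is the output posted above; the second sample, with its hostname, ACL name, MAC address and session IDs, is constructed for illustration.

```python
"""Added example, not code from the thread or from Cisco: triage the output of
'show authentication sessions interface <x> detail' from a Cisco IOS switch.
A session 'Authorized By: Critical Auth' was authorized locally because no
RADIUS server answered, so ISE's URL-Redirect attributes cannot appear on it."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample 1: the session output posted in the thread (Critical Auth).
CRITICAL_AUTH_OUTPUT = """\
NAC-3750v1#sh auth sess int fa1/0/3
            MAC Address:  54e1.ad5d.194a
             IP Address:  10.226.242.13
                 Status:  Authz Success
         Oper host mode:  multi-host
          Authorized By:  Critical Auth
            Vlan Policy:  231
      Common Session ID:  0AE2E8190000008B0F0373F3
Runnable methods list:
       mab      Authc Failed
       dot1x    Not run
Critical Authorization is in effect for domain(s) DATA and VOICE
"""

# Constructed sample 2: a working CWA redirect. Hostname, ACL name, MAC and
# session IDs are made-up values for illustration, not from the thread.
REDIRECT_OUTPUT = """\
NAC-3750v1#sh auth sess int fa1/0/5
            MAC Address:  0011.2233.4455
             IP Address:  10.226.242.20
                 Status:  Authz Success
         Oper host mode:  multi-auth
          Authorized By:  Authentication Server
       URL Redirect ACL:  GUEST_REDIRECT
           URL Redirect:  https://ise-psn.example.com:8443/portal/gateway?sessionId=0AE2E8190000009010ABCDEF&portal=guestportal&action=cwa
      Common Session ID:  0AE2E8190000009010ABCDEF
Runnable methods list:
       mab      Authc Success
       dot1x    Not run
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")
METHOD_RE = re.compile(r"^\s*(mab|dot1x|webauth)\s+(\S.*?)\s*$")


def parse_session(text):
    """Split the show output into 'Key: value' fields and per-method states."""
    fields, methods = {}, {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
            continue
        m = METHOD_RE.match(line)
        if m:
            methods[m.group(1)] = m.group(2)
    critical = ("Critical Auth" in fields.get("Authorized By", "")
                or "Critical Authorization is in effect" in text)
    return {"fields": fields, "methods": methods, "critical": critical}


def diagnose(text):
    """Return a verdict plus the checks a practitioner should do next."""
    s = parse_session(text)
    f = s["fields"]
    r = {"authorized_by": f.get("Authorized By"),
         "redirect_url": f.get("URL Redirect"),
         "redirect_acl": f.get("URL Redirect ACL"),
         "session_id": f.get("Common Session ID"),
         "findings": []}
    if s["critical"]:
        r["verdict"] = "critical-auth"
        r["findings"].append(
            "Port was authorized locally because no RADIUS server answered: "
            "verify UDP/1812-1813 reachability to every PSN (firewalls, ACLs), "
            "the shared secret and 'show aaa servers' before touching ISE policy.")
        if s["methods"].get("mab", "").startswith("Authc Failed"):
            r["findings"].append(
                "MAB 'Authc Failed' together with Critical Auth means the "
                "request timed out; it is not an Access-Reject from ISE.")
        return r
    if not r["redirect_url"]:
        r["verdict"] = "no-redirect"
        r["findings"].append(
            "ISE authorized the session but sent no URL-Redirect: check the "
            "AuthZ profile's web redirection setting and the redirect ACL name.")
        return r
    # Healthy case: the sessionId in the URL must be this switch's session,
    # otherwise the redirect was issued for a session held by another NAS.
    url_sid = parse_qs(urlparse(r["redirect_url"]).query).get("sessionId", [None])[0]
    if url_sid == r["session_id"]:
        r["verdict"] = "redirect-ok"
    else:
        r["verdict"] = "redirect-session-mismatch"
        r["findings"].append(
            f"sessionId in URL ({url_sid}) differs from Common Session ID "
            f"({r['session_id']}): the redirect belongs to another session.")
    return r


if __name__ == "__main__":
    for port, out in (("fa1/0/3", CRITICAL_AUTH_OUTPUT), ("fa1/0/5", REDIRECT_OUTPUT)):
        res = diagnose(out)
        print(f"{port}: {res['verdict']}")
        for note in res["findings"]:
            print("  -", note)
```

Paste the real `show authentication sessions interface <x> detail` output into `diagnose()` in place of the samples. The verdict `critical-auth` is the situation in this thread: the switch never got an answer from ISE, so fixing the RADIUS path (UDP 1812/1813 through any firewall between the switch and every PSN) comes before any portal or AuthZ-profile change.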