06-27-2018 04:40 AM
Hi Experts,
While configuring for wired guest redirection using the sponsor guest portal, I have seen something weird that is happening here.
When I have the user redirect from a test switch to the Test ISE server, the redirection URL is working and can be seen on switch as well as the Test endpoint browser.
Then I made the same configuration on our Production server, but there is no redirection URL!!
I have the same guest redirect ACL in test and production ISE instances.
Also, the AuthZ profiles and Policy and conditions are same as well.
Not sure what is going on.
Could anyone shed some light on this issue, and what are the things that could be missing?
Any pointers are really helpful.
06-28-2018 06:49 AM
You need to get past failed AAA auth/server...
Runnable methods list:
Method State
mab Authc Failed
dot1x Not run
Critical Authorization is in effect for domain(s) DATA and VOICE
06-28-2018 07:13 AM
I am seeing this failed auth server when I am pointing it to the Prod ISE, not when I point it to test ISE server...
Is this due to two servers specified in the dynamic-author command?
06-28-2018 09:25 AM
Authorized By: Critical Auth
Critical Auth kicks in when the switch can’t communicate with the RADIUS server. It’s probably a firewall issue. As far as the redirect being on another switch, it’s possible that happens if you have a switch upstream that is doing multi-auth on the downlink port…then that switch could possibly be sending an authc request to ISE for the same endpoint via MAB. I don’t recommend this design if you have it configured that way.
George
07-02-2018 01:03 AM
Hi all,
In the end it turned out that the guy who had configured the policies and ACL for prod had also created a specific dACL for closed mode.
After applying the dACL for closed mode to the AuthZ profile, I was able to see the redirect URL on the switch as well.
06-28-2018 04:24 AM
Here is the snippet of the configuration on the switch:
aaa new-model
!
!
aaa group server radius POC_ISE
 server <Test ISE Server> auth-port 1812 acct-port 1813
!
aaa group server radius PROD_ISE
 server <Prod PSN Server> auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication dot1x default group PROD_ISE
aaa authorization exec default local
aaa authorization commands 15 default local
aaa authorization network default group PROD_ISE
aaa accounting dot1x default start-stop group PROD_ISE
!
!
aaa server radius dynamic-author
 client <Test ISE Server> server-key 7 01100F175804575D72
 client <Prod PSN Server> server-key 7 0802455D0A1625464058
!
interface FastEthernet1/0/3
 switchport access vlan 230
 switchport mode access
 switchport voice vlan 260
 authentication event server dead action authorize vlan 231
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
ip access-list extended GUEST_REDIRECT
 deny udp any any eq domain
 deny udp any eq bootps any eq bootpc
 deny udp any eq bootpc any eq bootps
 deny ip any host <Prod PSN Server>
 permit tcp any any eq www
 permit tcp any any eq 443
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 2
radius-server host <Test ISE Server> auth-port 1812 acct-port 1813 key 7 1511021F07257A767B
radius-server host <Prod PSNr> auth-port 1812 acct-port 1813 key 7 062506324F4129485744
radius-server deadtime 10
radius-server vsa send accounting
radius-server vsa send authentication
Output when the switch is pointed to the production PSN:
NAC-3750v1#show authentication sessions interface fastEthernet 1/0/3
Interface: FastEthernet1/0/3
MAC Address: 54e1.ad5d.194a
IP Address: 10.226.242.13
User-Name: 54e1ad5d194a
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-host
Oper control dir: both
Authorized By: Critical Auth
Vlan Policy: 231
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AE2E8190000008A0E9F12A9
Acct Session ID: 0x000000A4
Handle: 0x3D00008A
Runnable methods list:
Method State
mab Authc Failed
dot1x Not run
Critical Authorization is in effect for domain(s) DATA and VOICE
Let me know what else is needed.
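As an added example (my code, not anything posted in this thread), a small Python parser for the `show authentication sessions interface` output quoted above that surfaces the "Authorized By: Critical Auth" condition before anyone starts comparing AuthZ profiles. The healthy-session sample and its `URL Redirect` / `URL Redirect ACL` field names are my assumptions about IOS output, not something shown in the thread.

```python
import re

# Constructed sample: an abbreviated copy of the production-PSN output quoted in the thread.
SAMPLE_CRITICAL = """\
Interface: FastEthernet1/0/3
MAC Address: 54e1.ad5d.194a
Status: Authz Success
Domain: DATA
Authorized By: Critical Auth
Vlan Policy: 231
Runnable methods list:
Method State
mab Authc Failed
dot1x Not run
Critical Authorization is in effect for domain(s) DATA and VOICE
"""

# Constructed sample of a session that did get a redirect (field names are assumptions).
SAMPLE_REDIRECT = """\
Interface: FastEthernet1/0/3
Status: Authz Success
Authorized By: Authentication Server
URL Redirect ACL: GUEST_REDIRECT
URL Redirect: https://<ise-psn-placeholder>:8443/portal/gateway?sessionId=...
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
"""

METHOD_RE = re.compile(r"^(mab|dot1x|webauth)\s+(.+)$")

def parse_session(text):
    """Split the session output into 'Key: value' fields and per-method states."""
    fields, methods = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = METHOD_RE.match(line)
        if m:
            methods[m.group(1)] = m.group(2).strip()
        elif ":" in line:
            key, _, value = line.partition(":")  # first colon only; URLs keep theirs
            fields[key.strip()] = value.strip()
    return fields, methods

def diagnose(text):
    """Return (verdict, reason) explaining why a redirect URL is or is not present."""
    fields, methods = parse_session(text)
    if fields.get("Authorized By") == "Critical Auth":
        return ("radius-unreachable", "server marked dead; fix AAA reachability before touching policy")
    if methods.get("mab", "").startswith("Authc Failed"):
        return ("mab-failed", "MAB rejected by the server; check identity/AuthZ rules")
    if fields.get("URL Redirect") and fields.get("URL Redirect ACL"):
        return ("redirect-ok", "redirect via ACL " + fields["URL Redirect ACL"])
    return ("no-redirect", "authorized without a redirect; check the AuthZ profile (redirect ACL and dACL)")
```

Run `diagnose()` over the output from each switch to separate a reachability problem (the prod case above) from a policy problem before editing ISE.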