Redirection URL missing

dgaikwad
Level 5

Hi Experts,

While configuring wired guest redirection using the sponsored guest portal, I have seen something weird happening here.

When I have the user redirected from a test switch to the Test ISE server, the redirection URL is working and can be seen on the switch as well as in the test endpoint's browser.

Then I make the same-to-same configuration on our Production server, but there is no redirection URL!

I have the same guest redirect ACL in the test and production ISE instances.

Also, the AuthZ profiles, policy and conditions are the same as well.

Not sure what is going on.

Could anyone shed some light on this issue, and what are the things that could be missing?

Any pointers are really helpful.

19 Replies

You need to get past failed AAA auth/server...

Runnable methods list:
       Method   State
       mab      Authc Failed
       dot1x    Not run

Critical Authorization is in effect for domain(s) DATA and VOICE

I am seeing this failed auth server when I am pointing it to the Prod ISE, not when I point it to the test ISE server...

Is this due to two servers specified in the dynamic-author command?

Authorized By: Critical Auth

Critical Auth kicks in when the switch can't communicate with the RADIUS server. It's probably a firewall issue. As far as the redirect being on another switch, it's possible that happens if you have a switch upstream that is doing multi-auth on the downlink port; then that switch could possibly be sending an authc request to ISE for the same endpoint via MAB. I don't recommend this design if you have it configured that way.

George

Hi all,

In the end it turned out that the guy who had configured the policies and ACL for prod had also created a specific dACL for closed mode.

After applying the dACL for closed mode to the AuthZ profile, I was able to see the redirect URL on the switch as well.

Here is the snippet of the configuration on the switch:

aaa new-model
!
! one RADIUS server group per ISE deployment
aaa group server radius POC_ISE
 server <Test ISE Server> auth-port 1812 acct-port 1813
!
aaa group server radius PROD_ISE
 server <Prod PSN Server> auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication dot1x default group PROD_ISE
aaa authorization exec default local
aaa authorization commands 15 default local
aaa authorization network default group PROD_ISE
aaa accounting dot1x default start-stop group PROD_ISE
!
! CoA clients; type 7 keys are reversibly obfuscated, not encrypted
aaa server radius dynamic-author
 client <Test ISE Server> server-key 7 01100F175804575D72
 client <Prod PSN Server> server-key 7 0802455D0A1625464058
!
interface FastEthernet1/0/3
 switchport access vlan 230
 switchport mode access
 switchport voice vlan 260
 ! critical auth: what the port does when every RADIUS server is marked dead
 authentication event server dead action authorize vlan 231
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! redirect ACL: deny = traffic bypasses the redirect, permit = traffic is redirected to the portal
ip access-list extended GUEST_REDIRECT
 deny   udp any any eq domain
 deny   udp any eq bootps any eq bootpc
 deny   udp any eq bootpc any eq bootps
 deny   ip any host <Prod PSN Server>
 permit tcp any any eq www
 permit tcp any any eq 443
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 2
radius-server host <Test ISE Server> auth-port 1812 acct-port 1813 key 7 1511021F07257A767B
radius-server host <Prod PSN Server> auth-port 1812 acct-port 1813 key 7 062506324F4129485744
radius-server deadtime 10
radius-server vsa send accounting
radius-server vsa send authentication
Output when the switch is pointed to the production PSN:

NAC-3750v1#show authentication sessions interface fastEthernet 1/0/3
            Interface:  FastEthernet1/0/3
          MAC Address:  54e1.ad5d.194a
           IP Address:  10.226.242.13
            User-Name:  54e1ad5d194a
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-host
      Oper control dir:  both
        Authorized By:  Critical Auth
          Vlan Policy:  231
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AE2E8190000008A0E9F12A9
      Acct Session ID:  0x000000A4
               Handle:  0x3D00008A

Runnable methods list:
       Method   State
       mab      Authc Failed
       dot1x    Not run

Critical Authorization is in effect for domain(s) DATA and VOICE

Let me know what else is needed.
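As an added example, not part of the thread or of any Cisco tool: a small Python script that parses the `show authentication sessions interface` output posted above and reports why a guest redirect is absent on a session. It checks the two things this thread turned on: whether the port is in critical auth (RADIUS server dead, so ISE never returned an authorization) and whether ISE actually returned the `URL Redirect ACL` / `URL Redirect` attributes. The field names follow the IOS output; the second, working session is constructed for comparison, and its portal URL is an assumption.

```python
"""Diagnose a missing web redirect from IOS `show authentication sessions` output.

Added example, not from the thread. Field names are the ones IOS prints;
the HEALTHY_SESSION sample (and its portal URL) is constructed.
"""
import re

# Session pasted in the thread: critical auth, no redirect attributes.
BROKEN_SESSION = """\
            Interface:  FastEthernet1/0/3
          MAC Address:  54e1.ad5d.194a
           IP Address:  10.226.242.13
            User-Name:  54e1ad5d194a
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
        Authorized By:  Critical Auth
          Vlan Policy:  231
    Common Session ID:  0AE2E8190000008A0E9F12A9

Runnable methods list:
       Method   State
       mab      Authc Failed
       dot1x    Not run

Critical Authorization is in effect for domain(s) DATA and VOICE
"""

# Constructed sample of a session where ISE returned the redirect (assumed URL).
HEALTHY_SESSION = """\
            Interface:  FastEthernet1/0/3
          MAC Address:  54e1.ad5d.194a
            User-Name:  54e1ad5d194a
               Status:  Authz Success
               Domain:  DATA
        Authorized By:  Authentication Server
          Vlan Policy:  230
     URL Redirect ACL:  GUEST_REDIRECT
         URL Redirect:  https://ise.example.com:8443/portal/gateway?sessionId=0AE2E8190000008A0E9F12A9&action=cwa
    Common Session ID:  0AE2E8190000008A0E9F12A9

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
"""

# "Key:  value" lines; the key never contains ':' so a URL value parses intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s+(.*?)\s*$")
# Rows of the "Runnable methods list" table.
METHOD_RE = re.compile(r"^\s*(mab|dot1x|webauth)\s+(.+?)\s*$")


def parse_session(text):
    """Return {'fields': {...}, 'methods': {'mab': 'Authc Failed', ...}}."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        if line.strip().startswith("Runnable methods list"):
            in_methods = True
            continue
        m = METHOD_RE.match(line) if in_methods else FIELD_RE.match(line)
        if m and in_methods:
            methods[m.group(1)] = m.group(2)
        elif m:
            fields[m.group(1)] = m.group(2)
    return {"fields": fields, "methods": methods}


def diagnose(session):
    """Return a list of (code, explanation) findings; empty means redirect looks healthy."""
    f, m = session["fields"], session["methods"]
    findings = []
    critical = "Critical" in f.get("Authorized By", "")
    if critical:
        findings.append(("critical-auth",
                         "port is in critical auth: the switch marked the RADIUS server dead, "
                         "so the VLAN came from the local server-dead policy and ISE never "
                         "authorized the session (check reachability/firewall and the shared key)"))
    elif m.get("mab", "").startswith("Authc Failed"):
        findings.append(("mab-rejected",
                         "ISE reached but MAB was rejected; no authorization profile applied"))
    if "URL Redirect ACL" not in f or "URL Redirect" not in f:
        findings.append(("no-redirect",
                         "no URL Redirect / URL Redirect ACL on the session: ISE did not return "
                         "the url-redirect-acl and url-redirect av-pairs, so check the AuthZ "
                         "profile (web redirection, ACL name, dACL) that matched"))
    return findings


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN_SESSION), ("healthy", HEALTHY_SESSION)):
        print(name, [code for code, _ in diagnose(parse_session(sample))])
```

Run it against the saved output of the show command; an empty finding list for a session that still does not redirect points at the switch side (the named redirect ACL missing or mistyped in the running config) rather than at ISE.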