03-29-2017 03:11 AM - edited 03-11-2019 12:34 AM
Hi Guys,
I have a strange problem on a Catalyst 3750; I don't know if it is connected to the IOS or to something missing in the configuration.
I'd like to authenticate some users with wired MAB. From the ISE RADIUS log everything looks good, but in the "show authentication sessions" output some parameters that usually should appear are missing:
SW-3750#sh authentication sessions interface fa1/0/11
Interface: FastEthernet1/0/11
MAC Address: 0021.ccd9.37be
IP Address: 10.40.40.199
User-Name: 00-21-CC-D9-37-BE
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0AFC000000010017381D
Acct Session ID: 0x00000002
Handle: 0xFD000001
Runnable methods list:
Method State
mab Authc Success
As you can see, the URL Redirect and URL Redirect ACL parts are not showing!?
I was thinking some RADIUS and VSA part was missing, but on the switch I have:
aaa authentication dot1x default group radius
aaa server radius dynamic-author
 client 10.20.20.200 server-key estremo
 auth-type all
radius-server host 10.20.20.200 auth-port 1645 acct-port 1646
radius-server key xxxxxx
radius-server vsa send accounting
radius-server vsa send authentication
interface FastEthernet1/0/11
 description GUEST
 switchport access vlan 40
 switchport mode access
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x max-req 10
 dot1x max-reauth-req 10
 spanning-tree portfast
SW-3750#sh aaa servers
RADIUS: id 1, priority 1, host 10.20.20.200, auth-port 1645, acct-port 1646
State: current UP, duration 3192s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 1, timeouts 0
dot1x system-auth-control
dot1x critical eapol
ip device tracking
ip http server
ip http secure-server
ip access-list extended ACL_WEBAUTH_REDIRECT
 deny ip any host 10.20.20.200
 deny udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8443
On the ISE monitoring, the authentication seems to send the correct AV pairs:
User-Name | 00-21-CC-D9-37-BE |
State | ReauthSession:0A0A0AFC000000010017381D |
Class | CACS:0A0A0AFC000000010017381D:ise1/280058218/272 |
cisco-av-pair | url-redirect-acl=ACL_WEBAUTH_REDIRECT |
cisco-av-pair | url-redirect=https://ise1.estremo.local:8443/portal/gateway?sessionId=0A0A0AFC000000010017381D&portal=a692c530-2230-11e6-99ab-005056bf55e0&action=cwa&token=e5afe6a346055cbaca8dab304e3541af |
cisco-av-pair | ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-pre-webauth-ACL-58da9681 |
cisco-av-pair | profile-name=Unknown |
LicenseTypes | Base license consumed |
And the auth policies are configured as in the attachment.
Do you have any ideas?
Regards
03-29-2017 02:01 PM
Anybody? :-)
06-13-2018 04:32 AM
06-13-2018 05:21 AM
@trimmy, post your configuration please. This is an old thread, but from the output provided it looks like the "aaa authorization...." commands are missing.
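The symptom in this thread is that ISE returns url-redirect, url-redirect-acl and a dACL, yet "show authentication sessions interface" shows none of them as applied. The script below is an added example (not part of the thread and not Cisco or ISE code) that compares the AV pairs from the ISE live log with the session output pasted above and reports which returned attributes the switch did not apply, then checks the running config for an "aaa authorization network ... group ..." line. The sample session output, ISE attribute rows and config fragment are constructed from the values in the thread; the IOS field names "URL Redirect ACL", "URL Redirect" and "ACS ACL" are the ones IOS prints once it has applied those attributes, and the '#'-to-'x' substitution in dACL names reflects how IOS displays downloadable ACL names.

```python
"""Compare what ISE returned for a MAB session with what the switch applied.
Added example for this thread; not Cisco or ISE code."""
import re

# Constructed from the 'show authentication sessions interface' output in the thread.
SESSION_OUTPUT = """\
Interface: FastEthernet1/0/11
MAC Address: 0021.ccd9.37be
IP Address: 10.40.40.199
User-Name: 00-21-CC-D9-37-BE
Status: Authz Success
Domain: DATA
Authorized By: Authentication Server
Vlan Policy: N/A
Common Session ID: 0A0A0AFC000000010017381D
Runnable methods list:
Method State
mab Authc Success
"""

# Attribute/value rows constructed from the ISE live log in the thread.
ISE_ATTRIBUTES = [
    ("User-Name", "00-21-CC-D9-37-BE"),
    ("cisco-av-pair", "url-redirect-acl=ACL_WEBAUTH_REDIRECT"),
    ("cisco-av-pair", "url-redirect=https://ise1.estremo.local:8443/portal/gateway"
                      "?sessionId=0A0A0AFC000000010017381D&action=cwa"),
    ("cisco-av-pair", "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-pre-webauth-ACL-58da9681"),
    ("cisco-av-pair", "profile-name=Unknown"),
]

# Constructed from the AAA part of the switch config in the thread.
RUNNING_CONFIG = """\
aaa authentication dot1x default group radius
aaa server radius dynamic-author
 client 10.20.20.200 server-key estremo
 auth-type all
radius-server vsa send authentication
"""

# cisco-av-pair keys ISE sends -> field name IOS prints once the attribute is applied.
AVPAIR_TO_SESSION_FIELD = {
    "url-redirect-acl": "URL Redirect ACL",
    "url-redirect": "URL Redirect",
    "ACS:CiscoSecure-Defined-ACL": "ACS ACL",
}


def parse_session(text):
    """Parse 'Field: value' lines into a dict; stops at the methods table."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("Runnable methods list"):
            break
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def expected_fields(ise_attributes):
    """Return {session_field: value} for the authorization AV pairs ISE sent."""
    expected = {}
    for attr, value in ise_attributes:
        if attr != "cisco-av-pair" or "=" not in value:
            continue
        key, _, val = value.partition("=")
        field = AVPAIR_TO_SESSION_FIELD.get(key)
        if field:
            # IOS shows a downloadable ACL name with '#' rendered as 'x'.
            expected[field] = val.replace("#", "x") if field == "ACS ACL" else val
    return expected


def unapplied_attributes(session_text, ise_attributes):
    """Fields ISE returned that the switch session does not show as applied."""
    applied = parse_session(session_text)
    return {f: v for f, v in expected_fields(ise_attributes).items()
            if applied.get(f) != v}


def has_network_authorization(config_text):
    """True if the config lets the switch apply RADIUS-returned network
    authorization attributes (dACL, URL redirect) to sessions."""
    return re.search(r"^aaa authorization network \S+ group \S+",
                     config_text, re.M) is not None


if __name__ == "__main__":
    for field, value in unapplied_attributes(SESSION_OUTPUT, ISE_ATTRIBUTES).items():
        print(f"not applied: {field} = {value}")
    if not has_network_authorization(RUNNING_CONFIG):
        print("config has no 'aaa authorization network ... group ...' line")
```

Run against the thread's data, all three authorization attributes come back as not applied and the config check fails, which matches the reply above: without an "aaa authorization network" method list pointing at the RADIUS group, the switch accepts the Access-Accept but never installs the per-session redirect and dACL it carries. The same comparison is useful as a routine check after any ISE or switch change, since "Authz Success" alone does not prove the returned attributes were enforced.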