02-10-2016 07:30 AM - edited 03-10-2019 11:28 PM
Dear all,
I'm trying to configure CoA in our lab.
If I open a browser on the client I don't get automatically redirected to the guest portal. If I copy and paste the URL that I find under URL redirect manually, I get there. If I then login with an AD user everything goes smoothly.
Does anyone have an idea why the browser doesn't automatically send me to the guest portal?
ISE version: 2.0.0.306
Running config:
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname nonono
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$y5Lh$89rGSTBReNxUXtV1HQ4Ev1
!
username radius-test password 0 key4wolkluw
username admin privilege 15 secret 5 $1$x/Yr$C0tZ143qg/fTEAz/AXn.x1
aaa new-model
aaa group server radius ISE-group
server name ISE
!
aaa authentication login default enable
aaa authentication dot1x default group radius
aaa authorization exec ISE-AUTHO group tacacs+ local
aaa authorization commands 1 ISE-AUTHO group tacacs+ local
aaa authorization commands 15 ISE-AUTHO group tacacs+ local
aaa authorization network default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
aaa server radius dynamic-author
client nononon
server-key nononon
!
aaa session-id common
system mtu routing 1500
vtp domain RIM
vtp mode transparent
!
!
ip domain-name dev.dc
ip device tracking
!
device-sensor notify all-changes
epm logging
!
crypto pki trustpoint TP-self-signed-252061312
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-252061312
revocation-check none
rsakeypair TP-self-signed-252061312
!
!
crypto pki certificate chain TP-self-signed-252061312
certificate self-signed 01
quit
dot1x system-auth-control
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 800
name management
!
vlan 1140
name Dot1X
!
!
!
!
!
!
interface FastEthernet0/1
description Win7-PC-eth4
switchport access vlan 1140
switchport mode access
ip access-group SAMPLE-ACL in
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
!
ip default-gateway nono
ip http server
ip http secure-server
!
ip access-list extended REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended REDIRECT_ACL
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny tcp any host nonono eq 8443
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended SAMPLE-ACL
deny icmp any host 8.8.8.8
permit ip any any
logging origin-id ip
snmp-server community nono RO
snmp-server trap-source Vlan800
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host nono version 2c cisco mac-notification
tacacs server nono-T
address ipv4 nono
key Generic0
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server ISE
address ipv4 nono auth-port 1812 acct-port 1813
key nono
#show authentication sessions int fa0/1
Interface: FastEthernet0/1
MAC Address: 68b5.99c8.40e2
IP Address: no
User-Name: 68-B5-99-C8-40-E2
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-Waiting_for_WebAuth-56bb2696
URL Redirect ACL: REDIRECT
URL Redirect: https://nonono:8443/portal/gateway?sessionId=0AA678B70000019863A32220&portal=1219fd00-cfed-11e5-a60a-000c29ce7ed9&action=cwa&token=8f0993cef3e50494b1afb86e6f8cb1ed
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AA678B70000019863A32220
Acct Session ID: 0x00000248
Handle: 0x3E000199
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
Extended IP access list REDIRECT
10 permit tcp any any eq www (422 matches)
20 permit tcp any any eq 443 (976 matches)
Extended IP access list REDIRECT_ACL
20 deny udp any eq bootpc any eq bootps
30 deny udp any any eq domain
40 deny tcp any host 10.166.4.33 eq 8443
50 permit tcp any any eq www
60 permit tcp any any eq 443
Extended IP access list SAMPLE-ACL
10 deny icmp any host 8.8.8.8
20 permit ip any any (15 matches)
Extended IP access list xACSACLx-IP-AD_Users_via_WebAuth-56bb26e4 (per-user)
10 permit ip any any
Interface: FastEthernet0/1
MAC Address: 68b5.99c8.40e2
IP Address: no
User-Name: nonono
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-AD_Users_via_WebAuth-56bb26e4
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AA678B70000019863A32220
Acct Session ID: 0x00000248
Handle: 0x3E000199
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
Thanks for your help!
With kind regards,
Geert
02-14-2016 10:51 AM
Hi Geert. From a quick look the config looks correct. A few questions here:
1. Which one from the listed ACLs do you have referenced in the Authorization Profile?
2. What is the syntax of the DACL that you are returning with the Authorization Profile?
Thank you for rating helpful posts!
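The reply's two questions are about the interaction between the DACL and the URL-redirect ACL, which is where CWA on an IOS switch usually goes wrong: the DACL filters the session's traffic first, and only traffic the DACL permits is then checked against the redirect ACL, where a permit ACE means "intercept and redirect" and a deny ACE (or the implicit deny) means "let it through". A browser can only be redirected if its HTTP request actually leaves the client, which in turn needs DHCP, DNS and the portal port (TCP 8443 on ISE) to be permitted by the DACL and left alone by the redirect ACL. The script below is an added example for this thread, not code from the original post or from Cisco: it parses the ACL shapes seen in the `show access-lists` output above and evaluates a few client flows against them. The two DACL bodies and the client address are hypothetical (the thread never shows the real `Waiting_for_WebAuth` DACL, which is exactly what the reply asks for); the REDIRECT and REDIRECT_ACL bodies and the ISE address 10.166.4.33 are copied from the output in the thread.

```python
"""Offline evaluator for Cisco IOS CWA ACL semantics (added example, not from the thread).

Model assumed (matches Cisco's CWA guidance for IOS switches):
  1. the downloadable ACL (DACL) pushed by ISE filters the session's traffic first;
  2. traffic the DACL permits is then matched against the URL-redirect ACL, where a
     'permit' ACE means "intercept and redirect" and a 'deny' ACE, or the implicit
     deny at the end, means "forward untouched".
Only the ACE shapes present in the thread are parsed: ip/tcp/udp/icmp, 'any' or
'host X' endpoints, optional 'eq <port>' on either side, optional leading sequence
number and trailing '(N matches)' from 'show access-lists'.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass
class Ace:
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip', 'tcp', 'udp' or 'icmp'
    src: str               # 'any' or an IPv4 address
    sport: Optional[int]   # None when the ACE has no 'eq' on the source
    dst: str
    dport: Optional[int]


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_ace(line: str) -> Optional[Ace]:
    toks = line.split()
    if toks and toks[0].isdigit():          # sequence number from 'show access-lists'
        toks = toks[1:]
    if not toks or toks[0] not in ("permit", "deny"):
        return None                         # ACL header line; nothing to evaluate

    def endpoint(r):
        addr, r = (r[1], r[2:]) if r[0] == "host" else (r[0], r[1:])
        port = None
        if r and r[0] == "eq":
            port, r = _port(r[1]), r[2:]
        return addr, port, r

    action, proto, rest = toks[0], toks[1], toks[2:]
    src, sport, rest = endpoint(rest)
    dst, dport, _ = endpoint(rest)          # anything left is the '(N matches)' counter
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [a for a in map(parse_ace, text.strip().splitlines()) if a is not None]


def matches(ace: Ace, p: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    for want_addr, want_port, have_addr, have_port in (
        (ace.src, ace.sport, p.src, p.sport), (ace.dst, ace.dport, p.dst, p.dport)):
        if want_addr != "any" and want_addr != have_addr:
            return False
        if want_port is not None and want_port != have_port:
            return False
    return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching ACE wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if matches(ace, p):
            return ace.action
    return "deny"


def cwa_disposition(dacl: List[Ace], redirect_acl: List[Ace], p: Packet) -> str:
    if evaluate(dacl, p) == "deny":
        return "dropped"                    # never reaches the redirect logic at all
    return "redirected" if evaluate(redirect_acl, p) == "permit" else "forwarded"


# Constructed sample input. REDIRECT and REDIRECT_ACL are the bodies from the thread's
# 'show access-lists' output; the two DACL bodies and the client address are hypothetical.
REDIRECT = parse_acl("""
Extended IP access list REDIRECT
10 permit tcp any any eq www (422 matches)
20 permit tcp any any eq 443 (976 matches)
""")
REDIRECT_ACL = parse_acl("""
20 deny udp any eq bootpc any eq bootps
30 deny udp any any eq domain
40 deny tcp any host 10.166.4.33 eq 8443
50 permit tcp any any eq www
60 permit tcp any any eq 443
""")
DACL_TOO_TIGHT = parse_acl("permit tcp any any eq www\npermit tcp any any eq 443")  # hypothetical mistake
DACL_CWA = parse_acl("""
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 10.166.4.33 eq 8443
permit tcp any any eq www
permit tcp any any eq 443
""")
ISE, CLIENT = "10.166.4.33", "10.166.4.50"  # CLIENT is a hypothetical address
FLOWS = {
    "dhcp": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns": Packet("udp", CLIENT, 51000, "10.166.4.1", 53),
    "http": Packet("tcp", CLIENT, 51001, "93.184.216.34", 80),
    "portal": Packet("tcp", CLIENT, 51002, ISE, 8443),
}


def walk(dacl: List[Ace], redirect_acl: List[Ace]) -> Dict[str, str]:
    """Disposition of every sample flow for one DACL / redirect-ACL pair."""
    return {name: cwa_disposition(dacl, redirect_acl, p) for name, p in FLOWS.items()}


if __name__ == "__main__":
    for label, dacl in (("too-tight DACL", DACL_TOO_TIGHT), ("CWA DACL", DACL_CWA)):
        print(label, "+ REDIRECT:", walk(dacl, REDIRECT))
    print("CWA DACL + REDIRECT_ACL:", walk(DACL_CWA, REDIRECT_ACL))
```

With the too-tight DACL the DNS and DHCP flows are dropped before the redirect ACL is ever consulted, so the client never gets as far as sending the HTTP request that the `REDIRECT` counters show being intercepted for a pasted URL. The walk over `REDIRECT_ACL` gives the same result as `REDIRECT` for these flows: the explicit deny entries for DHCP, DNS and the portal only matter when a later permit would otherwise catch that traffic, which is why the session output above works with the two-line `REDIRECT` as long as the DACL is right.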