CWA looped (using ISE2.1 and Catalyst 3850)

Rich Yim
Cisco Employee

I am setting up a Wired Central Web Authentication demo using ISE 2.1 and a Catalyst 3850. I can successfully see the redirection to the Web Authentication portal. After I authenticate to the Web Authentication portal, it loops and redirects me back to the authentication portal again. Below are the captures of what I did. Please help me see if I did anything incorrectly.

Switch interface configuration:

ip access-list extended ACL_WEBAUTH_REDIRECT
 permit udp any any eq bootpc
 permit udp any eq bootpc any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq domain
 permit tcp any eq domain any
ip access-list extended redirect-acl
 permit udp any any eq bootpc
 permit udp any eq bootpc any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq domain
 permit tcp any eq domain any
 permit icmp any any
 permit tcp any any eq 8443
 permit tcp any eq 8443 any
 permit udp any any eq domain
 permit udp any eq domain any
!
interface GigabitEthernet1/0/13
 switchport access vlan 101
 switchport mode access
 ip access-group redirect-acl in
 authentication event server dead action authorize vlan 101
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab webauth
 authentication priority webauth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
end

3 Replies

ammahend
VIP

Your ACL does not seem to be right: whatever you permit on the switch in the redirect ACL is redirected, and whatever you deny is not redirected. Typically you would want ports 80 and 443 to be redirected (so permit), not DHCP, DNS, the ISE IP, etc. (so deny).

So modify your ACL and try again. Let me know.

-hope this helps-

hslai
Cisco Employee

We should use separate ACLs -- one for URL redirect and the other for port ACL. Please see Cisco Switches for more info.

Below are examples for each:

-- ACL for URL redirect --

ip access-list extended ACL-URL-REDIRECT
 deny   tcp any host 10.1.100.222 eq www
 permit tcp any any eq www

where 10.1.100.222 is a remediation web site, so we "deny" it to allow those requests to go through. Since there is an implicit deny, all non-HTTP connections will not trigger web redirect.

-- ACL to apply for default port access --

ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Drop all the rest
 deny   ip any any log
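The two replies above make one point between them: on the switch, a permit in the redirect ACL means "send this flow to the portal", a deny (explicit, or the implicit one at the end) means "leave it alone", and the port ACL is a separate list with ordinary allow/drop meaning. The script below is an added example, not from this thread or from Cisco, that models exactly that for the ACLs posted here: it parses the small IOS extended-ACL subset the posts use, evaluates a handful of constructed client flows against the original post's redirect-acl and against hslai's ACL-URL-REDIRECT, and reports the ACL-DEFAULT verdict for each. The client, DNS and ISE PSN addresses, the sample flows and the names `parse_acl`, `first_match`, `redirected` and `compare` are all assumptions of this example; 10.1.100.222 is the remediation host from hslai's reply.

```python
"""Toy evaluator for the two ACL roles discussed in this thread (an added
example, not from the thread or from Cisco). It parses only the IOS extended-
ACL subset the posts use and applies the rule the replies state: in the
redirect ACL a permit sends the flow to the portal and a deny (explicit or the
implicit one at the end) leaves it alone; in the port ACL permit/deny = allow/drop."""
from collections import namedtuple
from typing import List, Optional

PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67, "tftp": 69}
# src/dst None means "any"; sport/dport None means any port.
Ace = namedtuple("Ace", "action proto src sport dst dport")
Flow = namedtuple("Flow", "proto src sport dst dport")


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one ACE; the access-list header, remarks and blank lines give None."""
    toks = line.split()
    if not toks or toks[0] not in ("permit", "deny"):
        return None
    i = 2  # cursor just after "<action> <proto>"

    def address():  # "any" | "host A.B.C.D", then an optional "eq PORT"
        nonlocal i
        if toks[i] not in ("any", "host"):
            raise ValueError(f"unsupported address token {toks[i]!r}")
        addr = None if toks[i] == "any" else toks[i + 1]
        i += 1 if addr is None else 2
        port = None
        if i < len(toks) and toks[i] == "eq":
            port = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
            i += 2
        return addr, port

    src, sport = address()
    dst, dport = address()  # anything after this (e.g. "log") is ignored
    return Ace(toks[0], toks[1], src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [a for a in map(parse_ace, text.splitlines()) if a is not None]


def first_match(acl: List[Ace], f: Flow) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for a in acl:
        if (a.proto in ("ip", f.proto) and a.src in (None, f.src)
                and a.dst in (None, f.dst) and a.sport in (None, f.sport)
                and a.dport in (None, f.dport)):
            return a.action
    return "deny"


def redirected(redirect_acl: List[Ace], f: Flow) -> bool:
    """Redirect-ACL semantics: permit -> redirect to portal, deny -> untouched."""
    return first_match(redirect_acl, f) == "permit"


# ACLs quoted from the thread: the original post's redirect-acl and hslai's two lists.
OP_REDIRECT_ACL = """ip access-list extended redirect-acl
 permit udp any any eq bootpc
 permit udp any eq bootpc any
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq domain
 permit tcp any eq domain any
 permit icmp any any
 permit tcp any any eq 8443
 permit tcp any eq 8443 any
 permit udp any any eq domain
 permit udp any eq domain any"""
ISE_REDIRECT_ACL = """ip access-list extended ACL-URL-REDIRECT
 deny   tcp any host 10.1.100.222 eq www
 permit tcp any any eq www"""
PORT_ACL = """ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit udp any any eq tftp
 deny   ip any any log"""

# Constructed sample flows from a VLAN 101 client. The client, DNS and ISE PSN
# addresses are assumptions; 10.1.100.222 is the remediation host from the thread.
CLIENT, ISE_PSN = "10.1.101.50", "10.1.100.100"
FLOWS = {
    "http": Flow("tcp", CLIENT, 51000, "93.184.216.34", 80),
    "dns": Flow("udp", CLIENT, 51001, "10.1.100.10", 53),
    "dhcp": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "portal-8443": Flow("tcp", CLIENT, 51002, ISE_PSN, 8443),
    "remediation-http": Flow("tcp", CLIENT, 51003, "10.1.100.222", 80),
}


def compare() -> dict:
    """Per flow: redirected under each redirect ACL, plus the port-ACL verdict."""
    op, ise, port = map(parse_acl, (OP_REDIRECT_ACL, ISE_REDIRECT_ACL, PORT_ACL))
    return {n: {"op_redirect": redirected(op, f), "ise_redirect": redirected(ise, f),
                "port_acl": first_match(port, f)} for n, f in FLOWS.items()}
```

Running `compare()` shows the difference the replies describe: under the original redirect-acl every sample flow, including DNS, DHCP and the client's own TCP/8443 connection to the ISE portal, comes back as redirected, because each is permitted; under ACL-URL-REDIRECT only the plain HTTP flow to the internet is redirected, the remediation host is exempted by its explicit deny, and everything else falls to the implicit deny. ACL-DEFAULT, evaluated separately, still permits DHCP, DNS and ICMP while dropping the rest, which is why hslai keeps the two lists apart.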

Rich Yim
Cisco Employee

To share my troubleshooting result: I found that I had missed the CoA configuration on both ISE and the switch. Once the CoA configuration was done, the loop problem vanished.