Hey folks,
i'm trying to get this working. i jsut want a captive portal popping up when a wired client runs in the default rule.
i tried with 2960s and 2960x. and with different versions. it only works (i type e.g. www.google.com and i get redirected to ise.. works perfect) with an old Version and only on the 2960s:
c2960s-universalk9-mz.150-2.SE12.bin
2960x doenst work at all
So costumer wise i have to use the newest or recommendet ios and cant downgrade to 15.0x... at least for the 2960s.. as mentioned earlier... 2960x doenst work at all.. also tried with different IOS releases.
i used this guide here:
Thats my config:
aaa group server radius ISE_RADIUS
server name ISE01
ip radius source-interface Vlan172
!
aaa authentication dot1x default group ISE_RADIUS
aaa authorization network default group ISE_RADIUS
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE_RADIUS
aaa accounting network default start-stop group ISE_RADIUS
!!
aaa server radius dynamic-author
client 172.17.0.60 server-key xxxx
dot1x system-auth-control
dot1x critical eapol
!
interface GigabitEthernet1/0/1
switchport access vlan 172
switchport mode access
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 1
spanning-tree portfast
!
ip http server
ip device tracking
ip http secure-server
!
ip access-list extended cwa
permit tcp any any eq www
permit tcp any any eq 443
deny ip any host 172.17.0.60
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server ISE01
address ipv4 172.17.0.60 auth-port 1812 acct-port 1813
key xxxx
Output 2960x ... looks correct, but doesnt work. Yes i can copy the link and use it on thee client pc.. works...
Cat2960x#sho authentication sess int g1/0/4 d
Interface: GigabitEthernet1/0/4
MAC Address: 3c52.824a.646f
IPv6 Address: Unknown
IPv4 Address: 172.17.0.211
User-Name: 3C-52-82-4A-64-6F
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 172800s
Session Uptime: 12s
Common Session ID: AC1200290000000D0003ECAE
Acct Session ID: 0x00000003
Handle: 0xBD000002
Current Policy: POLICY_Gi1/0/4
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
URL Redirect: https://ise26.conti-ise.lan:8443/portal/gateway?sessionId=AC1200290000000D0003ECAE&portal=84b42d60-32ed-11ea-8487-460b91b8ec2e&action=cwa&token=3aecb01eb4c7adad773476c53309080a
URL Redirect ACL: cwa
ACS ACL: xACSACLx-IP-cwa_dacl-5e1732ca
Method status list:
Method State
dot1x Stopped
mab Authc Success
ISE Config:
So, what do i do wrong? i really have no idea.
Thanks in advance!
Accepted Solutions
