Guest CWA - portal not redirecting

creserva1
Level 1

I have been testing WebAuth on a switch, but I have been stuck and unable to get the URL redirection to come up. The policy for authentication and authorization is hit on ISE, but the redirection is not working.

interface GigabitEthernet0/5
switchport access vlan 14
switchport mode access
ip access-group ACL-DEFAULT in
authentication periodic
authentication timer reauthenticate server
access-session port-control auto
access-session control-direction in
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
service-policy type control subscriber DOT1X-DEFAULT

3560X#show access-session int gi 0/5 details
            Interface:  GigabitEthernet0/5
          MAC Address:  XX-XX-XX-XX
         IPv6 Address:  Unknown
         IPv4 Address:  10.x.x.x
            User-Name:  XX-XX-XX-XX
               Status:  Unauthorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
      Session timeout:  N/A
    Common Session ID:  0A0A0110000005C686B230A0
      Acct Session ID:  Unknown
               Handle:  0x0D00050C
       Current Policy:  DOT1X-DEFAULT

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success

ACL Switch

ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit tcp any host 10.96.50.181 eq www
permit tcp any host 10.96.50.181 eq 443
permit tcp any host 10.96.50.181 eq 8443
permit tcp any host 10.96.50.182 eq www
permit tcp any host 10.96.50.182 eq 443
permit tcp any host 10.96.50.182 eq 8443
deny   ip any any log

ip access-list extended ACL-WEBAUTH-REDIRECT
deny   udp any any eq domain
deny   tcp any any eq 8905
deny   tcp any any eq 8443
permit tcp any any eq www
permit tcp any any eq 443
deny   ip any any

DACL
permit udp any any eq bootps
permit udp any any eq domain
permit tcp any any eq domain
remark ping for troubleshooting
permit icmp any any echo
permit icmp any any echo-reply
remark allow web traffic to kick off redirect
permit tcp any any eq www
permit tcp any any eq 443
remark mandatory for ISE PSN for Guest Portal Access
permit tcp any host 10.96.50.181 eq 8443
permit tcp any host 10.96.50.181 eq 8905
permit tcp any host 10.96.50.181 eq 8909
permit tcp any host 10.96.50.181 range 8905 8906
permit udp any host 10.96.50.181 eq 8909
permit tcp any host 10.96.50.182 eq 8443
permit tcp any host 10.96.50.182 eq 8905
permit tcp any host 10.96.50.182 eq 8909
permit tcp any host 10.96.50.182 range 8905 8906
permit udp any host 10.96.50.182 eq 8909
deny ip any any

Accepted Solution

Since the session is MAB authc success but unauthorized, I would suggest double-checking the text typed in as the redirect ACL. It can be a problem when copied from a Word doc or PDF file such that "-" is not a regular ASCII character. If that does not help, then please look up, for the Cisco IOS release used on the switch, which debug commands are equivalent to "debug aaa attr" and "debug aaa authorization".

14 Replies

Timothy Abbott
Cisco Employee

Are you referencing ACL-WEBAUTH-REDIRECT in your authorization result?

Regards,

-Tim

Did you check this document as well?

https://communities.cisco.com/docs/DOC-77590

Would recommend contacting the tac to see what you’re doing wrong then

Yes, I am. I have that under Authorization Profiles, then CWA, then ACL, where I added the name ACL-WEBAUTH-REDIRECT. It is applying authentication and authorization; it is just that the CWA does not come up.

I also tried removing the dot1x system auth, kind of disabling dot1x globally, and then re-adding it.


Here is my

Switch ACL
ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 permit tcp any host 10.x.x.x eq www
60 permit tcp any host 10.x.x.x eq 443
70 permit tcp any host 10.x.x.x eq 8443
80 permit tcp any host 10.x.x.x eq www
90 permit tcp any host 10.x.x.x eq 443
100 permit tcp any host 10.x.x.x eq 8443

Switch ACL
ACL-WEBAUTH-REDIRECT
9 deny udp any any eq domain (2 matches)
20 permit tcp any any eq www (10 matches)
30 permit tcp any any eq 443 (28 matches)

ISE - DACL-pre-WebAuth
permit udp any any eq bootps
permit udp any any eq domain
permit tcp any any eq domain
remark ping for troubleshooting
permit icmp any any echo
permit icmp any any echo-reply
remark allow web traffic to kick off redirect
permit tcp any any eq www
permit tcp any any eq 443
remark mandatory for ISE PSN for Guest Portal Access
permit tcp any host 10.x.x.x eq 8443
permit tcp any host 10.x.x.x eq 8905
permit tcp any host 10.x.x.x eq 8909
permit tcp any host 10.x.x.x range 8905 8906
permit udp any host 10.x.x.x eq 8909
permit tcp any host 10.x.x.x eq 8443
permit tcp any host 10.x.x.x eq 8905
permit tcp any host 10.x.x.x eq 8909
permit tcp any host 10.x.x.x range 8905 8906
permit udp any host 10.x.x.x eq 8909

Profile-GuestWebAuth
Access Type = ACCESS_ACCEPT
DACL = DACL-pre-WebAuth
cisco-av-pair = url-redirect-acl=ACL_WEBAUTH_REDIRECT
cisco-av-pair = url-redirect=https://10.x.x.x:port/portal/gateway?sessionId=(I removed the session id)=cwa

I turned on debug for RADIUS:

Log Buffer (4096 bytes):

  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  47 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   41  "ip:inacl#2=permit udp any any eq domain"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  47 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   41  "ip:inacl#3=permit tcp any any eq domain"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  50 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   44  "ip:inacl#4=remark ping for troubleshooting"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  43 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   37  "ip:inacl#5=permit icmp any any echo"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  49 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   43  "ip:inacl#6=permit icmp any any echo-reply"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  64 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   58  "ip:inacl#7=remark allow web traffic to kick off redirect"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  44 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   38  "ip:inacl#8=permit tcp any any eq www"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  44 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   38  "ip:inacl#9=permit tcp any any eq 443"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  72 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   66  "ip:inacl#10=remark mandatory for ISE PSN for Guest Portal Access"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  60 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   54  "ip:inacl#11=permit tcp any host 10.x.x.x eq 8443"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  60 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   54  "ip:inacl#12=permit tcp any host 10.x.x.x eq 8905"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  60 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   54  "ip:inacl#13=permit tcp any host 10.x.x.x eq 8909"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  68 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   62  "ip:inacl#14=permit tcp any host 10.x.x.x range 8905 8906"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  60 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   54  "ip:inacl#15=permit udp any host 10.x.x.x eq 8909"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  60 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   54  "ip:inacl#16=permit tcp any host 10.x.x.x eq 8443"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  60 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   54  "ip:inacl#17=permit tcp any host 10.x.x.x eq 8905"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  60 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   54  "ip:inacl#18=permit tcp any host 10.x.x.x eq 8909"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  68 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   62  "ip:inacl#19=permit tcp any host 10.x.x.x range 8905 8906"
Jun  8 14:00:54.026: RADIUS:  Vendor, Cisco       [26]  60 
Jun  8 14:00:54.026: RADIUS:   Cisco AVpair       [1]   54  "ip:inacl#20=permit udp any host 10.x.x.x eq 8909"
Jun  8 14:00:54.026: RADIUS(00000000): Received from id 1645/167
Jun  8 14:00:54.387: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface Gi0/5 AuditSessionID xxxx.xxxx.xxxx
Jun  8 14:00:54.832: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5, changed state to up
Jun  8 14:01:24.844: %DOT1X-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) on Interface Gi0/5 AuditSessionID xxxx.xxxx.xxxx
Jun  8 14:01:24.844: %AUTHMGR-7-STOPPING: Stopping 'dot1x' for client xxxx.xxxx.xxxx on Interface Gi0/5 AuditSessionID xxxx.xxxx.xxxx
Jun  8 14:01:26.455: %SYS-5-CONFIG_I: Configured from console by xxxx.xxxx.xxxx on vty0 (xxxx.xxxx.xxxx)
Jun  8 14:01:40.085: %SYS-5-CONFIG_I: Configured from console by xxxx.xxxx.xxxx on vty0 (xxxx.xxxx.xxxx)
C3560X#
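The authorization profile in the post above sends url-redirect-acl=ACL_WEBAUTH_REDIRECT (underscores), while the switch defines ip access-list extended ACL-WEBAUTH-REDIRECT (hyphens), and the accepted solution separately warns about a non-ASCII dash pasted in from a Word or PDF document; the poster later confirms the fix was ACL naming. The Python checker below is an added editor's example, not Cisco, ISE or the poster's code: it takes the av-pairs and the switch's ACL names as constructed inputs and reports either an exact match or the kind of defect the switch would silently reject (leading/trailing whitespace, a non-ASCII dash, or a hyphen/underscore/case mismatch). The function names and sample values are assumptions.

```python
"""Check that an ISE url-redirect-acl name matches an ACL configured on the switch.

Added example for this thread (not a Cisco or ISE tool). Inputs are constructed
from the authorization profile and switch ACLs quoted in the post above.
"""
import unicodedata

# Constructed: cisco-av-pair values as quoted from the ISE authorization profile.
ISE_AV_PAIRS = [
    "url-redirect-acl=ACL_WEBAUTH_REDIRECT",
    "url-redirect=https://10.x.x.x:8443/portal/gateway?sessionId=SESSION_ID_PLACEHOLDER&action=cwa",
]

# Constructed: names from 'ip access-list extended <name>' on the switch.
SWITCH_ACL_NAMES = ["ACL-DEFAULT", "ACL-WEBAUTH-REDIRECT"]


def redirect_acl_name(av_pairs):
    """Return the value of the url-redirect-acl av-pair, or None if it is absent."""
    for pair in av_pairs:
        key, sep, value = pair.partition("=")
        if sep and key.strip() == "url-redirect-acl":
            return value
    return None


def non_ascii_chars(name):
    """List (char, unicode name) for every non-ASCII character in the name,
    e.g. an EN DASH or NON-BREAKING HYPHEN pasted from a document."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in name if ord(c) > 127]


def normalise(name):
    """Loose form used only to explain a mismatch: strip whitespace, map any
    Unicode dash (category Pd) and '_' to '-', and ignore case."""
    out = []
    for c in name.strip():
        if ord(c) > 127 and unicodedata.category(c) == "Pd":
            c = "-"
        out.append("-" if c == "_" else c)
    return "".join(out).lower()


def check_redirect_acl(av_pairs, switch_acl_names):
    """Return a list of findings; an empty list means the name matches exactly."""
    name = redirect_acl_name(av_pairs)
    if name is None:
        return ["authorization profile carries no url-redirect-acl av-pair"]
    if name in switch_acl_names:
        return []  # exact, byte-for-byte match: the switch will find the ACL
    findings = []
    if name != name.strip():
        findings.append(f"url-redirect-acl value has leading/trailing whitespace: {name!r}")
    for c, uname in non_ascii_chars(name):
        findings.append(f"non-ASCII character {c!r} ({uname}) in url-redirect-acl; "
                        "the switch will not match it")
    loose = [n for n in switch_acl_names if normalise(n) == normalise(name)]
    if loose:
        findings.append(f"url-redirect-acl {name!r} does not exactly match switch ACL "
                        f"{loose[0]!r} (check '-' vs '_' and case)")
    else:
        findings.append(f"url-redirect-acl {name!r} is not configured on the switch "
                        f"(have: {', '.join(switch_acl_names)})")
    return findings


if __name__ == "__main__":
    for finding in check_redirect_acl(ISE_AV_PAIRS, SWITCH_ACL_NAMES):
        print("FINDING:", finding)
```

Run against the thread's values it reports the underscore/hyphen mismatch; feed it the av-pair with the hyphens and it returns no findings. The loose normalisation exists only to explain why a name failed, never to decide that it matched: the switch compares the string exactly, so only an exact match is reported as clean.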

I see you have 8909 UDP/TCP twice. ISE is no longer using 8909.

I would suggest trying a simpler DACL (e.g. permit ip any any) and seeing if that works, then adding more entries to narrow down which one(s) are causing the problem.

This may seem slightly odd, but I remember there being a bug causing MAB authz failures when there was a remark present in the DACL. If it were me, I would remove the remarks and test again; it is easy to check.

That's worth a shot. Hari said,

IP ACLs with remarks have worked for me every time. ACEs with additional options have issues.

There are a couple of release notes for the 4500 software that state this limitation:

• Dynamic ACLs do not function correctly if they include advanced operators, including dscp/ipp/tos, log/log-input, fragments and/or tcp flag operators.

Workaround: Remove these operators from any dynamic ACLs. CSCts05302

Open Caveats in Cisco IOS Release 15.0(2)SG7

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_24730.html#wp932647

Open Caveats for Cisco IOS XE Release 3.2.7SG

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_24726.html#wp2594827

And, "debug epm all" or similar might help.

Here are the debugs using debug epm all. The dACL on ISE is just permit ip any any, and the local ACL ACL-WEBAUTH-REDIRECT, which is referenced in the ISE authorization profile common task Centralized Web Auth, is also permit ip any any. The ACL-DEFAULT which is applied


Jun  8 18:32:27.591: EPM_SESS_EVENT: Executed [ip access-list extended xACSACLx-IP-DACL-pre-WebAuth-5b1aafd6] command through parse_cmd. Result= 0
Jun  8 18:32:27.591: EPM_SESS_EVENT: Executed [1 permit ip any any] command through parse_cmd. Result= 0
Jun  8 18:32:27.591: EPM_API: Inside epm_cache_mgr_acl_modified
Jun  8 18:32:27.591: EPM_API: Inside epm_cache_mgr_attr_modified
Jun  8 18:32:27.591: EPM_API: Inside epm_cache_mgr_get_entry
Jun  8 18:32:27.591: EPM_API: Inside epm_cache_mgr_attr_modified
Jun  8 18:32:27.591: EPM_API: Inside epm_cache_mgr_get_entry
Jun  8 18:32:27.591: EPM_SESS_EVENT: Executed [end] command through parse_cmd. Result= 0
Jun  8 18:32:27.591: EPM_API: Inside epm_cache_mgr_sync_attr_template
Jun  8 18:32:27.591: EPM_API: Inside epm_cache_mgr_get_attr_fv
Jun  8 18:32:27.591: EPM_SESS_EVENT: EPM_HA: Sync not required
Jun  8 18:32:27.591: EPM_API: Inside epm_cache_mgr_notify_status_change
Jun  8 18:32:27.591: EPM_API: Inside fn epm_acl_cache_mgr_updates
Jun  8 18:32:27.591: EPM_API: Inside epm_dl_mgr_cleanup_context
Jun  8 18:32:27.591: EPM_API: [0x52000031]:Inside Function epm_acl_create_nacl_feature_config
Jun  8 18:32:27.591: EPM_API: Inside epm_acl_policy_process_action
Jun  8 18:32:27.591: EPM_SESS_EVENT: IN ACL configured.. not attaching def ACL
Jun  8 18:32:27.591: EPM_API: [0x52000031]:Inside epm_acl_check_open_dir_acl
Jun  8 18:32:27.591: EPM_API: [0x52000031]:Applying Open dir for current session
Jun  8 18:32:27.600: EPM_API: [0x52000031]:ACL Feat available for session open dir not required
Jun  8 18:32:27.600: EPM_API: In Function epm_acl_apply_feature_order
Jun  8 18:32:27.600: EPM_SESS_EVENT: Feature re-order required
Jun  8 18:32:27.600: EPM_API: [0x52000031]:In function epm_acl_apply_access_policies
Jun  8 18:32:27.600: EPM_API: [0x52000031]:In function epm_acl_apply_nacl
Jun  8 18:32:27.600: EPM_API: [0x52000031]:[0xE4000039]:In function epm_acl_add_item
Jun  8 18:32:27.600: EPM_API: Inside Function epm_acl_host_policy_update
Jun  8 18:32:27.600: EPM_API: In Function epm_acl_check_tcam_opt
Jun  8 18:32:27.600: EPM_SESS_EVENT: open access in non MH mode no tcam opt
Jun  8 18:32:27.600: EPM_SESS_EVENT: Applying policy in PD for IP 10.x.x.x ip_flag 1 type 1
Jun  8 18:32:27.600: EPM_SESS_EVENT: ACL xACSACLx-IP-DACL-pre-WebAuth-5b1aafd6 provisioning successful
Jun  8 18:32:27.600: EPM_API: [0x52000031]:Inside epm_acl_appn_success_action
Jun  8 18:32:27.600: EPM_API: Inside epm_feature_notify_status
Jun  8 18:32:27.600: EPM_API: Inside epm_get_feature_info_from_hdl
Jun  8 18:32:27.600: EPM_API: Inside epm_get_authz_info_from_hdl
Jun  8 18:32:27.608: EPM_SESS_EVENT: Feature (EPM ACL PLUG-IN) Status (1) Notified
Jun  8 18:32:27.608: EPM_API: [0x30000DE]:Inside epm_update_authz_terminal_status
Jun  8 18:32:27.608: EPM_SESS_EVENT: Successful feature attrs provided for SM ACCOUNTING PLUG-IN
Jun  8 18:32:27.608: EPM_SESS_EVENT: Failed feature attrs provided for EPM URL PLUG-IN
Jun  8 18:32:27.608: EPM_SESS_EVENT: Successful feature attrs provided for EPM ACL PLUG-IN
Jun  8 18:32:27.608: EPM_API: [0x30000DE]:Inside epm_notify_authz_terminal_status
Jun  8 18:32:27.608: EPM_SESS_EVENT: Failed feature attrs provided for EPM URL PLUG-IN
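The EPM debug in the post above is the decisive piece of evidence: the dACL is provisioned and "EPM ACL PLUG-IN" reports success, while "EPM URL PLUG-IN" reports failure, which places the fault on the url-redirect / url-redirect-acl attributes rather than on the dACL that earlier replies suspected. The Python triage below is an added editor's example, not a Cisco tool or anything posted in the thread: it parses constructed lines modelled on the poster's show access-session and debug epm all output and turns the plug-in status lines into a short diagnosis. The regexes, function names and the exact wording of the conclusions are assumptions.

```python
"""Triage 'show access-session' and 'debug epm all' output for a stuck CWA session.

Added example for this thread (not a Cisco tool). SAMPLE_LINES is constructed to
resemble the poster's output; the session/ACL identifiers come from the thread.
"""
import re

# Constructed sample modelled on the thread's show access-session and EPM debug output.
SAMPLE_LINES = """\
       Method           State
       dot1x            Stopped
       mab              Authc Success
               Status:  Unauthorized
Jun  8 14:00:54.387: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (xxxx.xxxx.xxxx) on Interface Gi0/5 AuditSessionID xxxx.xxxx.xxxx
Jun  8 18:32:27.600: EPM_SESS_EVENT: ACL xACSACLx-IP-DACL-pre-WebAuth-5b1aafd6 provisioning successful
Jun  8 18:32:27.608: EPM_SESS_EVENT: Successful feature attrs provided for SM ACCOUNTING PLUG-IN
Jun  8 18:32:27.608: EPM_SESS_EVENT: Failed feature attrs provided for EPM URL PLUG-IN
Jun  8 18:32:27.608: EPM_SESS_EVENT: Successful feature attrs provided for EPM ACL PLUG-IN
""".splitlines()

# One line per EPM plug-in: "<Successful|Failed> feature attrs provided for <PLUG-IN NAME>"
FEATURE_RE = re.compile(r"EPM_SESS_EVENT: (Successful|Failed) feature attrs provided for (.+?)\s*$")
# Emitted once the dACL has been pushed into the session's ACL on the switch.
ACL_OK_RE = re.compile(r"EPM_SESS_EVENT: ACL (\S+) provisioning successful")


def feature_status(lines):
    """Map each EPM plug-in name to True (attributes applied) or False (failed).
    A repeated line for the same plug-in keeps its last reported status."""
    status = {}
    for line in lines:
        m = FEATURE_RE.search(line)
        if m:
            status[m.group(2)] = (m.group(1) == "Successful")
    return status


def provisioned_acls(lines):
    """Names of dACLs the switch reports as successfully provisioned."""
    return [m.group(1) for m in map(ACL_OK_RE.search, lines) if m]


def diagnose(lines):
    """Return the conclusions a practitioner would draw from the lines, in order."""
    text = "\n".join(lines)
    out = []
    if re.search(r"\bmab\s+Authc Success", text) and re.search(r"Status:\s+Unauthorized", text):
        out.append("MAB authenticated but session is Unauthorized: the authorization "
                   "result was not applied")
    if "%AUTHMGR-5-FAIL" in text:
        out.append("AUTHMGR-5-FAIL: the switch failed to apply the authorization attributes")
    status = feature_status(lines)
    acls = provisioned_acls(lines)
    if status.get("EPM ACL PLUG-IN") and acls:
        out.append(f"dACL applied ({', '.join(acls)}); the dACL is not the cause")
    if status.get("EPM URL PLUG-IN") is False:
        out.append("EPM URL PLUG-IN failed: url-redirect / url-redirect-acl were not applied; "
                   "verify the redirect ACL name exists on the switch exactly as sent by ISE")
    return out


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LINES):
        print("-", line)
```

The point of keying on the per-plug-in status lines is that they separate the two things the authorization result carries: the dACL (ACL plug-in) and the redirect (URL plug-in). In the thread the ACL plug-in succeeds, so the "simpler dACL" and "remove the remarks" suggestions could never have fixed the symptom; the failing URL plug-in is what the poster's final ACL-naming fix addresses.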


My guess is the problem is around the web redirect ACL name. Please verify it by disabling web redirect. I would suggest trying a simpler name without any punctuation characters, e.g. urlacl. Also, try typing it in rather than copy-and-pasting, and ensure there are no preceding or trailing space characters.

Also, you may remove the first ACE "deny udp any any domain", as it is implicitly denied.

If that still does not help, try reloading the switch once. It might be some IOS switch bug, and you might consider a different IOS train.

I got this figured out. It was something to do with ACL naming. It is very easy to miss this kind of misconfiguration.

Dustin Anderson
VIP Alumni

Not sure, but one thing we have that I don't see is permitting DNS. I also only have a redirect on wireless, so it may be different.