cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

809
Views
0
Helpful
1
Replies
payala
Beginner

IBNS 2.0 webauth not working as expected

Hello,

I would like to know if you can help me before I open a TAC case. My problem is quite simple, my scenario:

Laptop (no supplicant) --- SW (WS-C3560-CG) --- SW (Internal resources) --- ISE

From the laptop I'm trying to webauth with the "new configuration form" IBNS 2.0 or C3PL, the problem that I'm facing is that the switch receives the update from the ISE but for some reason is not applying the redirect ACL, that is configured ont he SW, here is the configuration.

aaa group server tacacs+ ISE_GROUP
server name ISE
!
aaa group server radius ISE
server name ISE2_Server
server name ISE1_Server
ip radius source-interface Vlan100
load-balance method least-outstanding batch-size 1
!
aaa authentication login AAA group ISE_GROUP local
aaa authentication enable default group ISE_GROUP enable
aaa authentication dot1x default group ISE
aaa authorization console
aaa authorization config-commands
aaa authorization exec AAA group ISE_GROUP local
aaa authorization commands 0 AAA group ISE_GROUP local
aaa authorization commands 1 AAA group ISE_GROUP local
aaa authorization commands 15 AAA group ISE_GROUP local
aaa authorization network default group ISE
aaa authorization network cts-list group ISE
aaa accounting update periodic 15
aaa accounting identity default start-stop group ISE
!
aaa server radius dynamic-author
client 10.254.17.110 server-key 7 15315A1F07257A767B72
client 10.254.4.86 server-key 7 0822455D0A16
client 10.254.4.89 server-key 7 0822455D0A16
server-key 7 104D000A0618
!
aaa session-id common
clock timezone ET -5 0
clock summer-time ET recurring 1 Sun May 2:00 last Sun Nov 2:00
system mtu routing 1500
!
device-sensor filter-list lldp list lldp-list
tlv name port-id
tlv name port-description
tlv name system-name
tlv name system-description
tlv number 28
!
device-sensor filter-list dhcp list dhcp-list
option name host-name
option name domain-name
option number 34
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
!
device-sensor filter-list cdp list cdp-list
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name platform-type
tlv name native-vlan-type
tlv number 34
device-sensor filter-spec dhcp include list dhcp-list
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
device-sensor notify all-changes
ip routing
!
!
ip dhcp snooping vlan 1,100
ip dhcp snooping
ip flow-cache timeout active 1
!
cts authorization list cts-list
memory reserve critical 4096
memory free low-watermark processor 20000
memory free low-watermark IO 20000
dot1x system-auth-control
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
service-template CRITICAL
description < Apply when none of the RADIUS servers are reachable >
access-group PERMIT-ANY
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
vlan internal allocation policy ascending
!
lldp run
!
class-map type control subscriber match-all AAA_SVR_DOWN
match result-type aaa-timeout
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
match result-type aaa-timeout
match authorization-status authorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
match result-type aaa-timeout
match authorization-status unauthorized
!
class-map type control subscriber match-all DOT1X
match method dot1x
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map type control subscriber match-all DOT1X_MEDIUM_PRIO
match authorizing-method-priority gt 20
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all DOT1X_TIMEOUT
match method dot1x
match result-type method dot1x method-timeout
!
class-map type control subscriber match-all MAB
match method mab
!
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
!
!
!
policy-map type control subscriber POLICY_Gi_Global
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x retries 2 retry-time 0 priority 10
20 authenticate using mab
event authentication-failure match-first
5 class DOT1X_FAILED do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
10 class DOT1X_NO_RESP do-until-failure
10 terminate dot1x
20 authenticate using mab priority 20
20 class MAB_FAILED do-until-failure
10 terminate mab
20 authentication-restart 60
40 class always do-until-failure
10 terminate dot1x
20 terminate mab
30 authentication-restart 60
event agent-found match-all
10 class always do-until-failure
10 terminate mab
20 authenticate using dot1x retries 2 retry-time 0 priority 10
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
event authentication-success match-all
10 class always do-until-failure
10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
event violation match-all
10 class always do-until-failure
10 restrict
!
!
!
interface GigabitEthernet0/5
description < Wired Guest Test >
subscriber aging inactivity-timer 60 probe
switchport access vlan 36
switchport mode access
switchport voice vlan 35
ip flow ingress
ip flow egress
ip access-group LOW_IMPACT_ACL in
authentication periodic
authentication timer reauthenticate server
access-session host-mode multi-domain
access-session port-control auto
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree bpduguard enable
service-policy type control subscriber POLICY_Gi_Global
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip flow ingress
ip flow egress
ip address 10.254.11.51 255.255.255.0
!
ip default-gateway 10.254.11.2
ip forward-protocol nd
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
ip flow-capture ttl
ip flow-capture vlan-id
ip flow-capture icmp
ip flow-capture ip-id
ip flow-capture mac-addresses
ip flow-export source Vlan100
ip flow-export version 9
ip flow-export destination 10.254.4.86 9996
!
ip route 0.0.0.0 0.0.0.0 10.254.11.2
ip ssh version 2
!
ip access-list extended ACL_REDIRECT
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny ip any host 10.254.4.86
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
ip access-list extended LOW_IMPACT_ACL
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit udp any any eq tftp
permit ip any host 10.254.4.86
deny ip any any
ip access-list extended MONITOR
permit ip any any
ip access-list extended PERMIT-ANY
permit ip any any
!
!
snmp-server community cisco RO
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp ifmib ifindex persist
tacacs server ISE
address ipv4 10.254.4.86
key 7 104D000A0618
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 4
radius-server deadtime 5
!
radius server ISE1_Server
address ipv4 10.254.4.86 auth-port 1812 acct-port 1813
timeout 10
pac key 7 01100F175804
!
radius server ISE2_Server
address ipv4 10.254.4.89 auth-port 1812 acct-port 1813
timeout 10
pac key 7 01100F175804
!

When I connect the client then I can see the access-session going on but I can't see why the ACL is replaced:

WS-C3560CG#show access-session int g0/5

Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi0/5 e411.5b30.8626 mab DATA Auth 0AFE0B3300000019038D54FD


Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
9 5 dot1x
19 10 mab
17 15 webauth

WS-C3560CG#show access-session int g0/5 det
Interface: GigabitEthernet0/5
MAC Address: e411.5b30.8626
IPv6 Address: Unknown
IPv4 Address: 10.254.36.204
User-Name: E4-11-5B-30-86-26
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 370s
Common Session ID: 0AFE0B3300000019038D54FD
Acct Session ID: 0x0000000D
Handle: 0xEC00000A
Current Policy: POLICY_Gi_Global

Local Policies:
Idle timeout: 60 sec
arp-probe-timeout: yes
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
URL Redirect: https://USNJISE19.svlab.local:8443/portal/gateway?sessionId=0AFE0B3300000019038D54FD&portal=a60e04d0-2230-11e6-99ab-005056bf55e0&action=cwa&type=drw&token=769ce4152866adfa0ad85ecd6eddbf3e
URL Redirect ACL: ACL_REDIRECT

Method status list:
Method State

dot1x Stopped
mab Authc Success

WS-C3560CG#show ip access-list int g0/5
Extended IP access list LOW_IMPACT_ACL
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 permit ip any host 10.254.4.86
60 deny ip any any
WS-C3560CG#

I'm attaching some screenshots from the ISE server. I hope that someone could help me on this issue.

Thanks 

1 REPLY 1

In your port configuration, you have hardcoded the Low Impact ACL. In this scenario, you need to send a different ACL from ISE if you want it to be replaced. In the ISE Authorization profile add an ACL to filter the traffic. The redirect ACL is being applied. However, you won't see it with the show ip access-list command (but you can see that it has been applied int the show authentication sessions).

Twitter: @berna_tllz 

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube