10-16-2017 02:37 AM - edited 02-21-2020 10:36 AM
Hello Guys,
I am studying for the Cisco SISAS exam and trying to learn CWA using ISE 1.4. The test PC is connected to a 3750V2 switch running code 15.0(2)SE10. The problem I am having is that the redirect is not working. The switch is successfully able to download the dynamic ACL for Phase 1 (which I set to permit ip any any for now). I have searched and tried different REDIRECT ACLs, but nothing makes the client PC get the redirect page when trying from the client PC. When I try to directly access the link downloaded from ISE, I get "400 Bad Request".
I am pasting my relevant switch configs here:
aaa new-model
aaa group server radius ISE
server name ISE
aaa authentication login default local
aaa authentication dot1x default group ISE
aaa authorization exec default local
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
client 172.16.3.100 server-key KEY
radius server ISE
address ipv4 172.16.3.100 auth-port 1812 acct-port 1813
timeout 10
retransmit 5
key KEY
ip access-list extended CWA-REDIRECT
deny ip any host 172.16.3.100
deny udp any any eq domain
deny icmp any any
permit tcp any any eq www
permit tcp any any eq 443
!
ip radius source-interface Vlan301
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication
interface Vlan301
ip address 150.1.100.10 255.255.255.0
no ip route-cache
!
ip default-gateway 150.1.100.16
ip http server
ip http secure-server
interface FastEthernet1/0/4
description For Testing CWA
switchport access vlan 91
switchport mode access
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
ip domain-name inelab.local
ip name-server 172.16.20.100
ip device tracking probe count 2
ip device tracking probe interval 200
ip device tracking probe use-svi
ip device tracking
3750V2#show authen ses int fa 1/0/4
*Mar 1 00:37:08.777: %SYS-5-CONFIG_I: Configured from console by root on console
Interface: FastEthernet1/0/4
MAC Address: 848f.69c9.b545
IP Address: 136.1.91.10
User-Name: 84-8F-69-C9-B5-45
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-CWA-PHASE1-DACL-59e3d98b
URL Redirect ACL: CWA-REDIRECT
URL Redirect: https://ise.inelab.local:8443/portal/gateway?sessionId=9601640A0000000C000AD3B6&portal=27ffafe0-e96e-11e4-a30a-005056bf01c9&action=cwa&token=a4c8c56277b83b5eb81e289db7adec70
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 9601640A0000000C000AD3B6
Acct Session ID: 0x0000000E
Handle: 0xF000000D
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
3750V2#show epm sess ip 136.1.91.10
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-CWA-PHASE1-DACL-59e3d98b
URL Redirect ACL: CWA-REDIRECT
URL Redirect: https://ise.inelab.local:8443/portal/gateway?sessionId=9601640A0000000C000AD3B6&portal=27ffafe0-e96e-11e4-a30a-005056bf01c9&action=cwa&token=a4c8c56277b83b5eb81e289db7adec70
3750V2#show access-list
Extended IP access list Auth-Default-ACL
10 permit udp any range bootps 65347 any range bootpc 65348
20 permit udp any any range bootps 65347
30 deny ip any any (7 matches)
Extended IP access list CWA-REDIRECT ===>> This is REDIRECT ACL
10 deny ip any host 172.16.3.100 (362 matches)
20 deny udp any any eq domain (225 matches)
30 deny icmp any any (22 matches)
40 permit tcp any any eq www (508 matches)
50 permit tcp any any eq 443 (1008 matches)
Extended IP access list xACSACLx-IP-CWA-PHASE1-DACL-59e3d98b (per-user) ==>> This is DACL
10 permit ip any any
Can someone please help me understand what I am doing wrong. Please note that my client PC can resolve DNS for ISE and www.google.com etc. The error when trying the direct URL is as below:
Mar 1 00:47:36.891: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar 1 00:47:36.891: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:36.891: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:36.891: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar 1 00:47:36.891: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar 1 00:47:36.891: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar 1 00:47:36.891: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:36.891: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:36.891: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar 1 00:47:37.017: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar 1 00:47:37.017: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:37.017: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:37.017: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar 1 00:47:37.017: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar 1 00:47:37.017: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar 1 00:47:37.017: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:37.017: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:37.017: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar 1 00:47:37.025: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar 1 00:47:37.025: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:37.025: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:37.025: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar 1 00:47:37.025: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar 1 00:47:37.025: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar 1 00:47:37.025: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:37.025: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:37.025: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar 1 00:47:37.143: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar 1 00:47:37.143: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:37.143: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:37.143: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar 1 00:47:37.143: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar 1 00:47:37.143: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar 1 00:47:37.143: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:37.143: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:37.143: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar 1 00:47:37.352: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar 1 00:47:37.352: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:37.352: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:37.352: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar 1 00:47:37.352: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar 1 00:47:37.352: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar 1 00:47:37.361: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:37.361: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:37.361: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar 1 00:47:38.678: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar 1 00:47:38.678: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:38.678: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:38.678: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar 1 00:47:38.678: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar 1 00:47:38.678: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar 1 00:47:38.678: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:38.678: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:38.678: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar 1 00:47:38.803: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar 1 00:47:38.803: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:38.803: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:38.803: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar 1 00:47:38.803: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar 1 00:47:38.812: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar 1 00:47:38.812: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar 1 00:47:38.812: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar 1 00:47:38.812: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar 1 00:47:39.760: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify
10-16-2017 02:38 AM
Following is the topology diagram
10-21-2017 04:19 AM
To update this thread: I changed the CWA PHASE 1 ACL as below, and now I can access the GUEST PORTAL only via the direct link copied from the switch. The redirection is not happening when I type something like www.yahoo.com. My client PC, when on CWA Phase 1, is able to resolve the DNS-to-IP mapping for, let's say, www.yahoo.com. Following are the ACLs I am using:
REDIRECT ACL:
=============
ip access-list extended CWA-REDIRECT
deny ip any host 172.16.3.100 (ISE IP also where Portal is enabled)
deny udp any any eq domain
deny icmp any any
permit tcp any any eq www
permit tcp any any eq 443
CWA-PHASE1 ACL:
===============
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 172.16.3.100
permit ip any host 150.1.100.10 (this is only for SSH access to the switch to copy the URL, not required)
deny ip any any log
Is there any reason why redirection is not working without the direct URL, because this is not practical in a production network?
Thanks
Khiz
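The way the two ACLs in this thread interact is easier to see by replaying the client's flows through them. The evaluator below is an added example, not code from the thread or from Cisco; it assumes the order Cisco documents for CWA on Catalyst switches (the dACL is applied first, and in the redirect ACL a `permit` match means "send to the portal" while a `deny` match means "pass through unredirected"), and the web server address 203.0.113.5 and the source ports are constructed.

```python
# Added example (not from the thread or Cisco): replays client flows against the Phase 1
# dACL and CWA-REDIRECT ACL posted above, assuming Cisco's documented Catalyst CWA order:
# dACL first (deny = drop), then redirect-ACL permit = send to portal, deny = pass through.
PORTS = {"www": 80, "443": 443, "domain": 53, "bootpc": 68, "bootps": 67}
REDIRECT_ACL = ["deny ip any host 172.16.3.100", "deny udp any any eq domain",
                "deny icmp any any", "permit tcp any any eq www", "permit tcp any any eq 443"]
DACL_FIRST_POST = ["permit ip any any"]
DACL_UPDATE = ["permit udp any eq bootpc any eq bootps", "permit udp any any eq domain",
               "permit ip any host 172.16.3.100", "permit ip any host 150.1.100.10",
               "deny ip any any log"]

def parse_ace(line):
    """Split one IOS extended ACE into action, protocol and src/dst address+port (None = any)."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    def take_endpoint():
        nonlocal rest
        if rest[0] == "host":
            addr, rest = rest[1], rest[2:]
        else:
            addr, rest = (None if rest[0] == "any" else rest[0]), rest[1:]
        port = None
        if rest and rest[0] == "eq":  # trailing keywords such as 'log' are ignored
            port, rest = PORTS.get(rest[1]) or int(rest[1]), rest[2:]
        return addr, port
    src, sport = take_endpoint()
    dst, dport = take_endpoint()
    return action, proto, src, sport, dst, dport

def first_match(acl, flow):
    """Action of the first matching ACE; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        action, proto, src, sport, dst, dport = parse_ace(ace)
        if (proto in ("ip", flow["proto"]) and src in (None, flow["src"])
                and dst in (None, flow["dst"]) and sport in (None, flow["sport"])
                and dport in (None, flow["dport"])):
            return action
    return "deny"

def classify(dacl, flow):
    """What the switch does with a flow from the CWA client under a given dACL."""
    if first_match(dacl, flow) == "deny":
        return "dropped by dACL"
    return "redirected" if first_match(REDIRECT_ACL, flow) == "permit" else "forwarded"

# Constructed flows from the client 136.1.91.10; 203.0.113.5 stands in for a public web server.
WEB = {"proto": "tcp", "src": "136.1.91.10", "sport": 50000, "dst": "203.0.113.5", "dport": 80}
DNS = {"proto": "udp", "src": "136.1.91.10", "sport": 50001, "dst": "172.16.20.100", "dport": 53}
PORTAL = {"proto": "tcp", "src": "136.1.91.10", "sport": 50002, "dst": "172.16.3.100", "dport": 8443}
```

Under this model the updated Phase 1 dACL drops the client's HTTP flow before the redirect ACL ever sees it, while the original `permit ip any any` dACL lets the same flow reach the `permit tcp any any eq www` entry and be redirected; DNS and traffic to the ISE node are forwarded unredirected either way, which is the intended effect of the `deny` entries in CWA-REDIRECT.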