ISE 2.3 wired guest service

csavas
Cisco Employee

Hello,

I am trying to set up a wired guest service in my lab and am running into some issues. I hope you can point me in the right direction.

ISE 2.3.100

Cisco cat3650 with IOS 12.2(55); the switch config is attached. VLAN10 is the network with full access.

Client: Windows 10

I have configured the following ACLs:

Switch

ACL = webauth

ip access-list extended webauth
 permit ip any any

ACL = redirect

ip access-list extended redirect
 deny ip any host 192.168.1.210
 permit TCP any any eq www
 permit TCP any any eq 443

ISE

DACL = CWA-DACL

permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
permit udp any any eq domain
deny ip any any

Authorization_Profile = ON-AP_GUEST

Access Type = ACCESS_ACCEPT
DACL = CWA-DACL
cisco-av-pair = url-redirect-acl=redirect
cisco-av-pair = url-redirect=https://192.168.1.210:port/portal/gateway?sessionId=SessionIdValue&portal=f0ae43f0-7159-11e7-a355-005056aba474&action=cwa

Authentication = MAB

Authorization = GUEST

Here is the debug I got from the switch:

on-cat3650(config-if)#
.Sep 14 13:42:26.665: %AUTHMGR-5-START: Starting 'mab' for client (54ee.75cd.170c) on Interface Gi0/8 AuditSessionID C0A8020300000094F1F65D1A
.Sep 14 13:42:26.691: %MAB-5-FAIL: Authentication failed for client (54ee.75cd.170c) on Interface Gi0/8 AuditSessionID C0A8020300000094F1F65D1A
on-cat3650(config-if)#
.Sep 14 13:42:26.697: %AUTHMGR-5-FAIL: Authorization failed for client (54ee.75cd.170c) on Interface Gi0/8 AuditSessionID C0A8020300000094F1F65D1A
.Sep 14 13:42:28.055: %LINK-3-UPDOWN: Interface GigabitEthernet0/8, changed state to up

ISE shows authentication and authorization success, but I am not getting an IP address. Therefore no redirect, I guess.

on-cat3650#sh ip access-lists int gig 0/8 (is empty)


When I replace the "MAC not Known" authorization policy with "PERMIT ACCESS" then everything is working fine.

Looking forward to your tips.

Cengiz

Accepted Solution

You should be running 12.2.55SE5 or later to support all the features. Also your config is very stripped down and missing some pieces like device tracking. Consult the ISE guides on how to configure the switch.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250
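The reply above names device tracking as one of the missing pieces. As an added example (not part of the thread and not Cisco's code), this Python check scans a saved running-config for prerequisites of ISE central web authentication. Every check other than `ip device tracking`, the function names and the sample config are assumptions.

```python
import re

# Only device tracking is named in the thread; the other checks are
# assumptions based on common ISE switch configuration.
GLOBAL_CHECKS = {
    "ip device tracking": r"^ip device tracking\s*$",
    "aaa new-model": r"^aaa new-model\s*$",
    "aaa authorization network": r"^aaa authorization network \S+ group \S+",
    "radius-server vsa send authentication":
        r"^radius-server vsa send authentication\s*$",
    "ip http server": r"^ip http server\s*$",
}
INTERFACE_CHECKS = ("mab", "authentication port-control auto")

def interface_lines(config, name):
    """Return the indented sub-commands under 'interface <name>'."""
    lines, inside = [], False
    for line in config.splitlines():
        if not line.startswith(" "):
            inside = line.strip().lower() == f"interface {name}".lower()
        elif inside:
            lines.append(line.strip())
    return lines

def audit_cwa(config, interface, redirect_acl):
    """List CWA prerequisites absent from a running-config text."""
    missing = [label for label, pattern in GLOBAL_CHECKS.items()
               if not re.search(pattern, config, re.MULTILINE)]
    acl = rf"^ip access-list extended {re.escape(redirect_acl)}\s*$"
    if not re.search(acl, config, re.MULTILINE):
        missing.append(f"ip access-list extended {redirect_acl}")
    present = interface_lines(config, interface)
    missing += [f"{interface}: {cmd}" for cmd in INTERFACE_CHECKS
                if cmd not in present]
    return missing

# Constructed sample, not the config attached to the post.
SAMPLE = """\
aaa new-model
aaa authorization network default group radius
ip http server
ip access-list extended redirect
 deny ip any host 192.168.1.210
interface GigabitEthernet0/8
 authentication port-control auto
 mab
"""

if __name__ == "__main__":
    print(audit_cwa(SAMPLE, "GigabitEthernet0/8", "redirect"))
```

The ACL name passed in should match the value sent in `url-redirect-acl`, which is `redirect` in the post.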


3 Replies

paul
Level 10

What version of 12.2.55?

csavas
Cisco Employee

Cisco IOS Software, C3560C Software (C3560c405ex-UNIVERSALK9-M), Version 12.2(55)EX2, RELEASE SOFTWARE (fc1)
