09-14-2017 07:21 AM
Hello,
I am trying to set up a wired guest service in my lab and am running into some issues. I hope you can point me in the right direction.
ISE 2.3.100
Cisco cat3650 with IOS 12.2(55); the switch config is attached. VLAN10 is the network with full access.
Client: Windows 10
I have configured the following ACLs:

Switch

ACL = webauth
  ip access-list extended webauth
   permit ip any any

ACL = redirect
  ip access-list extended redirect
   deny ip any host 192.168.1.210
   permit TCP any any eq www
   permit TCP any any eq 443

ISE

DACL = CWA-DACL
  permit tcp any any eq www
  permit tcp any any eq 443
  permit tcp any any eq 8443
  permit udp any any eq domain
  deny ip any any

Authorization_Profile = ON-AP_GUEST
  Access Type = ACCESS_ACCEPT
  DACL = CWA-DACL
  cisco-av-pair = url-redirect-acl=redirect
  cisco-av-pair = url-redirect=https://192.168.1.210:port/portal/gateway?sessionId=SessionIdValue&portal=f0ae43f0-7159-11e7-a355-005056aba474&action=cwa

Authentication = MAB
Authorization = GUEST

Here is the debug I got from switch:
on-cat3650(config-if)#
.Sep 14 13:42:26.665: %AUTHMGR-5-START: Starting 'mab' for client (54ee.75cd.170c) on Interface Gi0/8 AuditSessionID C0A8020300000094F1F65D1A
.Sep 14 13:42:26.691: %MAB-5-FAIL: Authentication failed for client (54ee.75cd.170c) on Interface Gi0/8 AuditSessionID C0A8020300000094F1F65D1A
on-cat3650(config-if)#
.Sep 14 13:42:26.697: %AUTHMGR-5-FAIL: Authorization failed for client (54ee.75cd.170c) on Interface Gi0/8 AuditSessionID C0A8020300000094F1F65D1A
.Sep 14 13:42:28.055: %LINK-3-UPDOWN: Interface GigabitEthernet0/8, changed state to up
ISE shows authentication and authorization success, but I am not getting an IP address. Therefore no redirect, I guess.
on-cat3650#sh ip access-lists int gig 0/8 (is empty)
When I replace the "MAC not Known" authorization policy with "PERMIT ACCESS" then everything is working fine.
Looking forward to your tips.
Cengiz
09-14-2017 08:23 AM
What version of 12.2.55?
09-14-2017 08:26 AM
Cisco IOS Software, C3560C Software (C3560c405ex-UNIVERSALK9-M), Version 12.2(55)EX2, RELEASE SOFTWARE (fc1)
09-14-2017 08:32 AM
You should be running 12.2.55SE5 or later to support all the features. Also your config is very stripped down and missing some pieces like device tracking. Consult the ISE guides on how to configure the switch.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
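
A pre-check for the switch side of this setup, as an added example that is not part of the thread: it scans a saved running-config for global commands that central web auth redirection depends on and for the ACL named in url-redirect-acl. Only `ip device tracking` comes from the reply above; the other listed commands and the sample config are assumptions constructed for this example.

```python
# Global commands that must appear exactly as written.
# "ip device tracking" is the item named in the reply; the rest are
# assumptions added here from general Catalyst CWA configuration guidance.
EXACT = [
    "ip device tracking",                     # switch learns the client IP
    "ip http server",                         # intercept HTTP for the redirect
    "ip http secure-server",                  # intercept HTTPS for the redirect
    "radius-server vsa send authentication",  # honour cisco-av-pair attributes
    "aaa server radius dynamic-author",       # accept CoA from ISE after login
]
# Commands matched by prefix because they take a server-group argument.
PREFIX = ["aaa authorization network default group "]

# Constructed sample config, not the poster's attached file.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization network default group radius
radius-server vsa send authentication
no ip http server
ip http secure-server
ip access-list extended redirect
 deny ip any host 192.168.1.210
 permit tcp any any eq www
 permit tcp any any eq 443
interface GigabitEthernet0/8
 authentication port-control auto
 mab
"""

def active_lines(config_text):
    """Collapse whitespace; drop blank, comment ('!') and negated ('no ...') lines."""
    lines = (" ".join(raw.split()) for raw in config_text.splitlines())
    return [l for l in lines if l and not l.startswith(("!", "no "))]

def check_cwa_config(config_text, redirect_acl):
    """Return the commands that are missing, in checklist order."""
    lines = active_lines(config_text)
    missing = [cmd for cmd in EXACT if cmd not in lines]
    missing += [p.strip() for p in PREFIX
                if not any(l.startswith(p) for l in lines)]
    # The ACL named in url-redirect-acl must exist locally on the switch.
    acl = f"ip access-list extended {redirect_acl}"
    if acl not in lines:
        missing.append(acl)
    return missing

if __name__ == "__main__":
    for item in check_cwa_config(SAMPLE_CONFIG, "redirect"):
        print("missing:", item)
```
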