11-12-2012 06:17 AM - edited 03-10-2019 07:46 PM
Hello,
i've configured ISE and WLC to use guestportal with CWA but there is a problem with CoA -- it doesn't want to apply airespace alc after auth at guestportal.
1. At authC page i've configured a wireless MAB to continue if user not found and to use a Internal users as a identity store.
2. At authZ page i've configured a WEBAUTH as a default rule with the following:
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
3. I've also configured this ACL at WLC to permit
permit dns and icmp any-any
permit any-to-ise-8443
permit ise-to-any
This part works fine because i able to redirect to guestportal and use my guest login&pw to authorize myself. The guest account was previously generated through sponsor portal and it's working too.
4. At authC page i've use a wireless dot1x to use Internal users
5. At authZ page i've use a "if internal users:Guest then GUEST permission" rule
6. GUEST rule looks like the following:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = GUEST_INTERNET_ONLY
7. This ACL is configured on the WLC permitting any except private networks (ISE is also permitted)
After guest portal auth i see a success message and i able to ping internet but i have no web access to it. It looks like CoA and Airespace acl are don't working and i keep using my ACL-WEBAUTH-REDIRECT access-list and i see a strange error messages in the WLC logs:
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".
I swear my ACL name spelling is correct and both ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC with their counters growing!
I don't have a point what issue it could be...
Any ideas?
P.S. see attach for Live authentication log
Solved! Go to Solution.
11-15-2012 10:23 AM
You could try 'debug client
Looks like this for my permit-all ACL
*apfReceiveTask: Oct 25 11:17:05.867: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'PERMIT-ALL' (ACL ID 1) --- (caller apf_policy.c:1762)
It should be close to the bottom.
And then after debug disable-all.
An other question, you can ping internet but no web access, same as URL's? Is DNS working after the last ACL is applied?
About this line in the log:
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".
I get that with CWA working so I'm not sure that's related. (to my setup )
Regards
Mikael
Sent from Cisco Technical Support iPad App
Message was edited by: Mikael Gustafsson
11-12-2012 08:37 AM
Hell Alexander-
A few questions:
1. Is the WLAN H-REAP/FlexConnect?
2. Do you have "AAA override" checked under the advanced settings
3. Can you check the detail authentication in ISE for the entry right after you entered the guest username/password. In that window you should see the ACL that is being applied to that session/user
4. What version of code are you using for both ISE and your WLC?
5. Can you paste screen shots for each configuration tab for your WLAN
11-12-2012 10:36 PM
Hi Neno,
thank you for engaging into my problem!
About your questions:
1. The WLAN is not H-REAP or FlexConnect, it's MAC filtering without any L3 security.
2. The "AAA override" is checked and "Radius NAC" is used as "NAC State" option.
3. According to the authZ details (see screenshot) airespace acl is successfully applied.
4. WLC Software Version 7.2.110.0 and ISE Version: 1.1.1.268 with ADE-OS Version 2.0.4.018.
11-12-2012 10:38 PM
5. And here are my WLAN tabs
11-13-2012 07:34 PM
Hmm, I haven't yet deployed CWA the way you have (with MAC filter instead of Layer 3 web redirect). Though, I know this is the new/correct/true CWA so I am definitively not saying that what you have done is wrong. On the contrary, everything that you have done looks correct when comparing it to online documentation.
Can you also provide:
1. Screen shot of your ACLs including the actual ACEs
2. Out of the WLC log file from the time that you associate to the SSID to the time when you authenticate with the guest account. More specifically can you see anything in the log when you search for the name of the ALC "
GUEST_INTERNET_ONLY"
3. Do you have a pre-auth ACL assigned to the interface
I am also going to try to replicate this in my lab but it might a while as I am traveling at the moment.
11-13-2012 10:46 PM
1. These are my WLC ACLs
2. Currently i can't provide any additional info according WLC logs as i'm far away from customer site. But i think there is only one interesting message in the log --
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".
3. I don't have any pre-auth ACL on the interface or "Override ACL" on the SSID
11-14-2012 06:07 PM
Hi,
Please use the troubleshoot section under operations and pull the packet capture just to make sure that the ACL is being sent properly. You can set the filter to 'ip host ipofwlc'
Check the av pairs and make sure that they line up with the ACL that you configured under the "SECURITY" section.
Thanks,
Tarik Admani
*Please rate helpful posts*
11-15-2012 01:03 AM
Tarik,
i'll try to troubleshoot with packet capture as i come to customer site and let you know the results. But for now i've checked the logs and i see Airespace-ACL-Name=GUEST_INTERNET_ONLY under Authentication Result but i don't see it under Cisco-AVPairs, only audit-session-id there. I'll try to modify my authZ profile to look like this:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = GUEST_INTERNET_ONLY
cisco-av-pair = Airespace:Airespace-ACL-Name
i hope it will make it work
11-15-2012 12:38 AM
Hi, guys.
Guest portal, you've used is for wired authentication on switches only IMHO. For WLC guest auth you should use https://ISE-ip:8443/guestportal/portal.jsp form at webauth page in WLC config.
You can consult with ise guest management document (WLC interaction for Local WebAuth) on cisco.com.
Sent from Cisco Technical Support iPhone App
11-15-2012 01:11 AM
Dmitry,
i'm trying to implement Centralized WebAuth because it gives some additional services to the guest users.
I also able to configure LWA as a "plan B" solution but it's not the best way to go
11-15-2012 10:23 AM
You could try 'debug client
Looks like this for my permit-all ACL
*apfReceiveTask: Oct 25 11:17:05.867: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'PERMIT-ALL' (ACL ID 1) --- (caller apf_policy.c:1762)
It should be close to the bottom.
And then after debug disable-all.
An other question, you can ping internet but no web access, same as URL's? Is DNS working after the last ACL is applied?
About this line in the log:
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".
I get that with CWA working so I'm not sure that's related. (to my setup )
Regards
Mikael
Sent from Cisco Technical Support iPad App
Message was edited by: Mikael Gustafsson
11-16-2012 01:00 AM
Thank you guys for your responses, it's working now!
The first problem was there:
Changing IPv4 ACL 'none' (ACL ID 255) ===> 'GUEST_INTERNET_ONLY' (ACL ID 5)
There are only 3 ACLs on my WLC so ALC ID 5 is kinda suspicious -- after WLC reload it becames ACL ID 1 but the problem was unresolved.
After that i changed my authZ matching rule to use another authZ profile:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = PERMIT_ALL_TRAFFIC
cisco-av-pair = Airespace:Airespace-ACL-Name
Then i created ACL PERMIT_ALL_TRAFFIC on my WLC with one ACE "permit any any". I also denied access to my private networks at ASA where guest vlan's gateway resides.
I think the problem was in WLC's GUEST_INTERNET_ONLY ACEs which denied traffic to my private networks.
Thanks for the help!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide