ISE Airespace ACL WLC problem

Alexander Murin
Level 1

Hello,

I've configured ISE and the WLC to use the guest portal with CWA, but there is a problem with CoA -- it doesn't want to apply the Airespace ACL after auth at the guest portal.

1. On the authC page I've configured wireless MAB to continue if the user is not found and to use Internal Users as the identity store.

2. On the authZ page I've configured WEBAUTH as the default rule with the following:

Access Type = ACCESS_ACCEPT

cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT

cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa

3. I've also configured this ACL on the WLC to permit

permit dns and icmp any-any

permit any-to-ise-8443

permit ise-to-any

This part works fine because I am redirected to the guest portal and can use my guest login and password to authorize myself. The guest account was previously generated through the sponsor portal and it works too.

4. On the authC page I've set wireless dot1x to use Internal Users.

5. On the authZ page I've used an "if Internal Users:Guest then GUEST permission" rule.

6. GUEST rule looks like the following:

Access Type = ACCESS_ACCEPT

Airespace-ACL-Name = GUEST_INTERNET_ONLY

7. This ACL is configured on the WLC permitting any except private networks (ISE is also permitted)

After guest portal auth I see a success message and I am able to ping the internet, but I have no web access to it. It looks like CoA and the Airespace ACL are not working and I keep using my ACL-WEBAUTH-REDIRECT access list, and I see strange error messages in the WLC logs:

*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".

I swear my ACL name spelling is correct and both ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC with their counters growing!

I have no idea what the issue could be...

Any ideas?

P.S. See the attachment for the Live Authentications log.

Accepted Solution

You could try 'debug client ' in the WLC CLI and then connect with the client. Here you see whether the WLC applies your ACL.

It looks like this for my permit-all ACL:

*apfReceiveTask: Oct 25 11:17:05.867: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'PERMIT-ALL' (ACL ID 1) --- (caller apf_policy.c:1762)

It should be close to the bottom. 

And then afterwards, 'debug disable-all'.

Another question: you can ping the internet but have no web access, same for URLs? Is DNS working after the last ACL is applied?

About this line in the log:

*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".

I get that with CWA working, so I'm not sure that's related (to my setup).


Regards
Mikael



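As an added example (not code from any poster in this thread), here is a small Python checker that reads 'debug client' output like the lines above, records which IPv4 ACL the WLC finally applied to each client MAC, and flags ACL names that are not configured on the WLC or that the WLC reported it could not find. The sample debug lines and the WLC ACL list are constructed for the example.

```python
import re

# Constructed sample of 'debug client' output, modelled on the lines quoted in this thread.
SAMPLE_DEBUG = """\
*apfReceiveTask: Nov 12 17:32:20.101: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'ACL-WEBAUTH-REDIRECT' (ACL ID 2) --- (caller apf_policy.c:1762)
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".
*apfReceiveTask: Nov 12 17:33:02.440: c8:bc:c8:13:4e:35 172.16.10.13 RUN (20) Changing IPv4 ACL 'ACL-WEBAUTH-REDIRECT' (ACL ID 2) ===> 'GUEST_INTERNET_ONLY' (ACL ID 5) --- (caller apf_policy.c:1762)
"""

# ACL names configured on the WLC (constructed; in practice copy them from the WLC's ACL list).
WLC_ACLS = {"ACL-WEBAUTH-REDIRECT", "GUEST_INTERNET_ONLY", "PERMIT_ALL_TRAFFIC"}

# "Changing IPv4 ACL 'old' (ACL ID n) ===> 'new' (ACL ID m)" lines, keyed by client MAC.
ACL_CHANGE = re.compile(
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \S+ (?P<state>\S+) \(\d+\) "
    r"Changing IPv4 ACL '(?P<old>[^']*)' \(ACL ID \d+\) ===> "
    r"'(?P<new>[^']*)' \(ACL ID (?P<new_id>\d+)\)"
)
# %ACL-3-ENTRY_DONOT_EXIST lines; the quoted name may be empty, as in this thread.
ACL_MISSING = re.compile(
    r'%ACL-3-ENTRY_DONOT_EXIST:.*Unable to find an ACL by name "(?P<name>[^"]*)"'
)


def analyse(debug_text, expected_acl, wlc_acls):
    """Return (final ACL per client MAC, list of findings as strings)."""
    final = {}
    findings = []
    for line in debug_text.splitlines():
        m = ACL_CHANGE.search(line)
        if m:
            final[m["mac"]] = m["new"]
            if m["new"] not in wlc_acls:
                findings.append(f"{m['mac']}: WLC switched to ACL '{m['new']}', "
                                f"which is not configured on the WLC")
            continue
        m = ACL_MISSING.search(line)
        if m:
            findings.append(f"WLC could not find ACL named '{m['name']}'")
    for mac, acl in final.items():
        if acl != expected_acl:
            findings.append(f"{mac}: ended on ACL '{acl}', expected '{expected_acl}'")
    return final, findings


if __name__ == "__main__":
    final, findings = analyse(SAMPLE_DEBUG, "GUEST_INTERNET_ONLY", WLC_ACLS)
    for mac, acl in final.items():
        print(f"{mac}: final IPv4 ACL = {acl}")
    for f in findings:
        print("finding:", f)
```

As Mikael notes above, the empty-name ENTRY_DONOT_EXIST message also shows up in a working CWA setup, so treat that finding as informational and rely on the final ACL per client.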


nspasov
Cisco Employee

Hello Alexander,

A few questions:

1. Is the WLAN H-REAP/FlexConnect?

2. Do you have "AAA override" checked under the advanced settings?

3. Can you check the detailed authentication in ISE for the entry right after you entered the guest username/password? In that window you should see the ACL that is being applied to that session/user.

4. What version of code are you using for both ISE and your WLC?

5. Can you paste screenshots of each configuration tab for your WLAN?

Thank you for rating helpful posts!

Hi Neno,

thank you for engaging with my problem!

About your questions:

1. The WLAN is not H-REAP or FlexConnect, it's MAC filtering without any L3 security.

2. The "AAA override" is checked and "Radius NAC" is used as "NAC State" option.

3. According to the authZ details (see screenshot), the Airespace ACL is successfully applied.

4. WLC Software Version 7.2.110.0 and ISE Version 1.1.1.268 with ADE-OS Version 2.0.4.018.

5. And here are my WLAN tabs.

Hmm, I haven't yet deployed CWA the way you have (with MAC filter instead of Layer 3 web redirect). Though I know this is the new/correct/true CWA, so I am definitely not saying that what you have done is wrong. On the contrary, everything that you have done looks correct when comparing it to the online documentation.

Can you also provide:

1. Screenshot of your ACLs including the actual ACEs

2. Output of the WLC log file from the time that you associate to the SSID to the time when you authenticate with the guest account. More specifically, can you see anything in the log when you search for the name of the ACL "GUEST_INTERNET_ONLY"?

3. Do you have a pre-auth ACL assigned to the interface?

I am also going to try to replicate this in my lab, but it might be a while as I am traveling at the moment.

Thank you for rating helpful posts!

1. These are my WLC ACLs.

2. Currently I can't provide any additional info regarding the WLC logs as I'm far away from the customer site. But I think there is only one interesting message in the log:

*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".

3. I don't have any pre-auth ACL on the interface or "Override ACL" on the SSID.

Hi,

Please use the troubleshoot section under Operations and pull the packet capture, just to make sure that the ACL is being sent properly. You can set the filter to 'ip host ipofwlc'.

Check the av pairs and make sure that they line up with the ACL that you configured under the "SECURITY" section.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

I'll try to troubleshoot with a packet capture when I get to the customer site and let you know the results. But for now I've checked the logs and I see Airespace-ACL-Name=GUEST_INTERNET_ONLY under Authentication Result, but I don't see it under Cisco-AVPairs, only audit-session-id there. I'll try to modify my authZ profile to look like this:

Access Type = ACCESS_ACCEPT

Airespace-ACL-Name = GUEST_INTERNET_ONLY

cisco-av-pair = Airespace:Airespace-ACL-Name

I hope it will make it work.

Hi, guys.

The guest portal you've used is for wired authentication on switches only, IMHO. For WLC guest auth you should use the https://ISE-ip:8443/guestportal/portal.jsp form on the webauth page in the WLC config.
You can consult the ISE guest management document (WLC interaction for Local WebAuth) on cisco.com.


Dmitry,

I'm trying to implement Centralized WebAuth because it gives some additional services to the guest users.

I am also able to configure LWA as a "plan B" solution, but it's not the best way to go.


Thank you guys for your responses, it's working now!

The first problem was here:

Changing IPv4 ACL 'none' (ACL ID 255) ===> 'GUEST_INTERNET_ONLY' (ACL ID 5)

There are only 3 ACLs on my WLC, so ACL ID 5 is kinda suspicious -- after a WLC reload it became ACL ID 1, but the problem was unresolved.

After that I changed my authZ matching rule to use another authZ profile:

Access Type = ACCESS_ACCEPT

Airespace-ACL-Name = PERMIT_ALL_TRAFFIC

cisco-av-pair = Airespace:Airespace-ACL-Name

Then I created ACL PERMIT_ALL_TRAFFIC on my WLC with one ACE "permit any any". I also denied access to my private networks on the ASA where the guest VLAN's gateway resides.

I think the problem was in the WLC's GUEST_INTERNET_ONLY ACEs, which denied traffic to my private networks.

Thanks for the help!