986 Views | 0 Helpful | 4 Replies

ISE auth assign VLAN problem, wireless problem, user problem and LAN control problem

  1. Assigning the Guest VLAN succeeds but takes too long; below is some information for this problem (attachments: 1.PNG, 2.PNG, 3.PNG)
  2. Wireless auth succeeds but the live log has an error (attachments: 4.PNG, 5.PNG)
  3. Wireless Guest can't clear the MAC address record on schedule (attachments: 6.PNG, 7.PNG)
  4. Using web-auth for LAN control, but it can't transfer to the login portal

ISETEST#sh authentication sessions interface g1/0/5
            Interface:  GigabitEthernet1/0/5
          MAC Address:  f0de.f1eb.4142
           IP Address:  192.168.3.54
            User-Name:  F0-DE-F1-EB-41-42
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-Central_WEB_Auth-59f8469d
     URL Redirect ACL:  WEB-REDIRECT
         URL Redirect:  https://ciscoise.netcraft.com.mo:8443/portal/gateway?sessionId=C0A802F40000003C34CF384E&portal=4ba457d0-e371-11e6-92ce-005056873bd0&action=cwa&token=61c9177d0a2baa85346efd8057504f4c
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A802F40000003C34CF384E
      Acct Session ID:  0x0000009A
               Handle:  0x2A00003D

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

(attachments: 8.PNG, 9.PNG)

Can anyone give me some suggestions for these problems?

4 Replies

Arne Bier
VIP

The dynamic authorization failed when the user logged into the portal.  When the user successfully logs into the portal, the ISE PSN sends a CoA (Change of Authorization) RADIUS packet to the NAS (i.e. your switch).  I suspect that your switch is not configured to

  • receive CoA on UDP/1700 (1700 is the Cisco default, but check your NAS to be sure)
  • use a shared secret that matches what you have configured in ISE for that RADIUS device
  • allow the ISE IP address(es) to send CoA to it.  CoA is always initiated by the AAA server, and the NAS is the receiver in this case.

My aaa commands:

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 192.168.2.205 server-key cisco
ip device tracking
dot1x system-auth-control
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 192.168.2.205 auth-port 1812 acct-port 1813
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication


And I set the commands below, too:

Device> enable
Device# configure terminal
aaa new-model
aaa server radius dynamic-author
 client 192.168.2.205
 server-key cisco
 port 1700
 auth-type all
 ignore session-key
 ignore server-key
 end

 

But the result is still this error; could you give me some suggestions?

ok.  I don't have wired switches in my deployment but I am able to get aaa debugs on my Cisco wireless controllers.  I find this is an excellent place to see whether ISE is sending you a CoA, and to see how the NAS responds to it.  If you have a deployment involving load balancers, firewalls and NAT/SNAT, then analysing the IP header of those CoAs can give you a clue.  On Cisco WLC the commands are "debug aaa event enable" and "debug aaa packet enable".  IOS will have some equivalent commands.

If you don't see the CoA in your switch debugs, then run a TCPdump on the ISE PSN that you suspect should be sending the CoA and see what's going on.  Analyse the .pcap in Wireshark.
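The two replies above come down to one question: is the CoA leaving the PSN, and if it arrives, can the switch validate it against the shared secret? The following is an added illustration, not code from this thread, from Cisco or from ISE. It builds a CoA-Request and a CoA-NAK exactly as RFC 5176 lays them out (the same authenticator rules a NAS applies when it receives a CoA), verifies the authenticator with the right and a wrong secret, and decodes the attributes you would otherwise read off a Wireshark decode of the tcpdump. The packets are constructed inline; the secret "cisco", the Acct Session ID 0x0000009A and the MAC F0-DE-F1-EB-41-42 are the values visible in this thread, everything else (the packet identifier, the choice of attributes, the NAK cause) is an assumption for the sample.

```python
import hashlib
import struct

# Packet codes from RFC 5176 (RADIUS Dynamic Authorization Extensions)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
CODE_NAMES = {COA_REQUEST: "CoA-Request", COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK"}

# Attribute types (RFC 2865 / RFC 5176) and the Error-Cause values a NAK may carry
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERROR_CAUSES = {
    401: "Unsupported Attribute",
    402: "Missing Attribute",
    403: "NAS Identification Mismatch",
    404: "Invalid Request",
    501: "Administratively Prohibited",
    503: "Session Context Not Found",
}


def build_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; the length octet covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body):
    """Decode RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_coa_request(identifier, attrs, secret):
    """CoA-Request as the AAA server sends it. Request Authenticator =
    MD5(Code | ID | Length | 16 zero octets | Attributes | Secret)."""
    body = build_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def build_coa_response(code, request, attrs, secret):
    """CoA-ACK/NAK as the NAS answers it. Response Authenticator =
    MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)."""
    body = build_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_coa(packet, secret, request=None):
    """True if the packet's authenticator was computed with `secret`.
    Responses need the request they answer, because its authenticator seeds the hash."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    if code == COA_REQUEST:
        seed = b"\x00" * 16
    elif code in (COA_ACK, COA_NAK) and request is not None:
        seed = request[4:20]
    else:
        return False
    expected = hashlib.md5(packet[:4] + seed + packet[20:] + secret).digest()
    return expected == packet[4:20]


def summarize(packet):
    """The fields you would read off a Wireshark decode of the packet."""
    out = {"code": CODE_NAMES.get(packet[0], "code %d" % packet[0]), "id": packet[1]}
    for atype, value in parse_attrs(packet[20:]):
        if atype == ATTR_ACCT_SESSION_ID:
            out["acct_session_id"] = value.decode("ascii")
        elif atype == ATTR_CALLING_STATION_ID:
            out["calling_station_id"] = value.decode("ascii")
        elif atype == ATTR_ERROR_CAUSE:
            cause = struct.unpack("!I", value)[0]
            out["error_cause"] = ERROR_CAUSES.get(cause, "cause %d" % cause)
    return out


# Constructed sample exchange (not a real capture). Secret and session values are the
# ones visible in the thread; the identifier 7 and the NAK cause are assumptions.
SECRET = b"cisco"
SAMPLE_REQUEST = build_coa_request(7, [
    (ATTR_ACCT_SESSION_ID, b"0x0000009A"),
    (ATTR_CALLING_STATION_ID, b"F0-DE-F1-EB-41-42"),
], SECRET)
# The NAK a switch would return if it held no session matching those attributes.
SAMPLE_NAK = build_coa_response(COA_NAK, SAMPLE_REQUEST,
                                [(ATTR_ERROR_CAUSE, struct.pack("!I", 503))], SECRET)

if __name__ == "__main__":
    print(summarize(SAMPLE_REQUEST))
    print("request authenticator valid with 'cisco':", verify_coa(SAMPLE_REQUEST, SECRET))
    print("request authenticator valid with 'c1sco':", verify_coa(SAMPLE_REQUEST, b"c1sco"))
    print(summarize(SAMPLE_NAK))
```

Two things this makes concrete for the debugging steps above. First, RFC 5176 has a NAS silently discard a CoA whose authenticator does not verify, so a shared-secret mismatch shows up in the switch debugs and in the PSN capture as a request with no ACK or NAK at all, not as an error; running `verify_coa` over the UDP payload from the .pcap with the secret you configured tells you which case you are in. Second, when a NAK does come back, the Error-Cause attribute (101) names the reason, and "Session Context Not Found" is the one to expect when the session identifiers ISE sends do not match what the switch shows under `sh authentication sessions`.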

I can't find any radiusCoASupportTransportThread type messages when I enter the command "debug aaa all enable" in the WLC. I can only find messages like radius auth or radius accounting in the WLC.