01-27-2016 07:38 AM - edited 03-10-2019 11:25 PM
Hi,
Could you please take a look at my problem: I have configured guest access for both wired and wireless users. Authentication is done by Cisco ISE; users are connected through a Cisco Switch C2960X and AP3700. Wireless access works correctly: at first the user is caught by CWA_phase_1 and redirected to the guest portal, and after authentication is caught by CWA_phase_2 and all network access is working. But in the wired solution the user is stuck in a loop - after successful authentication it is redirected once again to the portal.
Here is the redirect ACL configured on the switch:
Extended IP access list REDIRECT_ACL
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain (29 matches)
30 deny ip any host <ISE_IP_ADDRESS> (40 matches)
60 permit tcp any any eq www (30 matches)
70 permit tcp any any eq 443 (116 matches)
In the attachment I'm sending how the policies look.
#show authentication sessions interface gi1/0/5
Interface: GigabitEthernet1/0/5
MAC Address: <MAC-ADDR>
IP Address: 192.168.X.X
User-Name: <USER-MAC>
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: REDIRECT_ACL
URL Redirect: https://<ISE_HOSTNAME>:8443/portal/gateway?sessionId=C0A820BE0001680FC16F40A6&portal=bdeda6a2-a422-11e5-beee-005056820961&action=cwa&token=e8ae422e0187fb5e8b4e2fe087cd839d
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A820BE0001680FC16F40A6
Acct Session ID: 0x000169CA
Handle: 0x52000BC4
Runnable methods list:
Method State
mab Authc Success
On the forum I found a similar issue, but there the problem was with the radius key. To be sure I changed the key, but it didn't help.
Could you please help me with that? I'm out of ideas...
01-27-2016 10:04 AM
Your CWA phase 2 authorization result needs to include a DACL for the switch to remove the redirect URL/ACL from the port. Maybe that's what's missing. Your show auth sess on the switch should not show the redirect ACL/URL after the guest has successfully logged in to the guest portal.
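The check this reply describes, as an added example that is not part of the original thread: it parses the `show authentication sessions interface` output quoted above (rebuilt here with constructed placeholder values; the `ACS ACL` field is assumed to be where a pushed dACL shows up) and flags a port that is authorized but still carries the redirect URL/ACL, which is the wired loop reported in the question.

```python
import re

# Constructed sample of "show authentication sessions interface ..." output,
# modelled on the block quoted in the thread; all values are placeholders.
STUCK_SESSION = """\
Interface: GigabitEthernet1/0/5
MAC Address: 0011.2233.4455
IP Address: 192.168.1.10
User-Name: 00-11-22-33-44-55
Status: Authz Success
Domain: DATA
Authorized By: Authentication Server
URL Redirect ACL: REDIRECT_ACL
URL Redirect: https://ise.example.invalid:8443/portal/gateway?sessionId=CONSTRUCTED01&action=cwa
Common Session ID: CONSTRUCTED01
Runnable methods list:
Method State
mab Authc Success
"""

# Same port after a CoA re-authorization pushed a dACL and removed the redirect
# (the "ACS ACL" field name is an assumption about how IOS shows a dACL).
CLEARED_SESSION = re.sub(r"^URL Redirect.*\n", "", STUCK_SESSION, flags=re.M).replace(
    "Domain: DATA\n", "Domain: DATA\nACS ACL: xACSACLx-IP-PERMIT_ALL-CONSTRUCTED\n")

def parse_session(text):
    """Turn the 'Key: value' lines of the show output into a dict; lines
    without a colon (the method table) are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def guest_stuck_in_redirect(fields):
    """True when the port is authorized but still carries the CWA redirect.
    After the guest has finished the portal login that combination means every
    new HTTP/HTTPS flow is sent back to the portal, i.e. the loop in the thread."""
    authorized = fields.get("Status") == "Authz Success"
    redirected = "URL Redirect ACL" in fields or "URL Redirect" in fields
    return authorized and redirected

def likely_causes(fields):
    """The two causes the thread arrived at, returned only for a stuck session."""
    if not guest_stuck_in_redirect(fields):
        return []
    return [
        "CWA phase-2 authorization profile does not push a dACL that replaces the redirect",
        "CoA from ISE to the switch (UDP 1700) is blocked, e.g. by a firewall in the path",
    ]
```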
02-03-2016 05:49 AM
Hi,
Thank you for the responses. In fact the reason why it was not working was different: CoA communication (UDP 1700) was blocked, as the switch and ISE are communicating through a firewall.
Another strange thing is that in all tutorials "Internal Endpoints" is checked in the Authentication policy, so as Jatin suggested I changed it, but with that it's not working for me - that's why I set it to "Internal Users" and it's working fine.
Problem solved, thank you!
Lukasz
02-03-2016 06:31 AM
Thanks for the update. Do you have the MAC address added on the ISE servers as a user?
~ Jatin
02-03-2016 06:50 AM
No, I don't have the users' MACs added; as I understand it, they are added automatically in CWA_PHASE_1. But as I said, the strange thing is that it works with "Internal Users" and not with "Internal Endpoints".
01-27-2016 03:05 PM
3 things:
1. In the authentication screenshot I see you have "Internal Users" selected. Please change it to Internal Endpoints and set the action to continue as shown here:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc8
2. What version of ISE are you running? If you have ISE 1.3 then you have to configure the CWA_Phase2 policy set differently. Configure it as shown in step 4.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118742-configure-ise-00.html#anc7
3. If you want to send an Airespace ACL to give full access / internet access, you can do that as well. Make sure you create those ACLs on the wireless controller.
~ Jatin
01-31-2016 09:48 AM
Did my last suggestion help you to fix the issue? ~ Jatin