08-22-2012 09:08 AM - edited 03-10-2019 07:27 PM
We have an ISE problem, in that the URL redirect sent to the access switch for guest auth is not removed even after successful authentication.
Debug shows RADIUS activity as normal, 802.1X failover to MAB, then rediect to webauth;
003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY
003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME
| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003069: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245
000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME
| RESULT SUCCESS
003142: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY
003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa
| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003069: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
Then after successful authentication, VLAN is moved and xACSACLx-IP-PERMIT_ALL_TRAFFIC is sent, but rediect is sent again from ISE. We've been over configs several times, but can't get to the bottom of this. Can anyone shed any light ?
003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245
000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa| RESULT SUCCESS
003142: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
Solved! Go to Solution.