ISE Guest Access wired

Leo TI (Level 1)

Hi friends
I have to configure wired guest access with ISE. I don't know if anyone has any idea about the errors I have in the live log; nothing appears. These are my configurations on the switch:

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa server radius dynamic-author
client 172.22.4.194 server-key 123456
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server RADIUS
address ipv4 172.22.4.194 auth-port 1812 acct-port 1813
key 123456

ip device tracking probe delay 10
ip device tracking
dot1x system-auth-control

interface FastEthernet0/4
switchport access vlan 209
switchport mode access
switchport voice vlan 202
authentication open
authentication order mab webauth
authentication priority mab webauth
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 172.22.4.194
permit tcp any any eq www
permit udp any any eq domain

[screenshots attached]


6 Replies

@Leo TI 

Check this. You are assigning the group "radius" in the aaa config, but I don't see this group in the config. Rather, I see "RADIUS" in the radius server.

The name "radius" on the group is not a default name; I believe this is supposed to represent your radius group.

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa server radius dynamic-author
client 172.22.4.194 server-key 123456
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server RADIUS
address ipv4 172.22.4.194 auth-port 1812 acct-port 1813
key 123456

Arne Bier (VIP)

@Leo TI - the config looks like something out of a very old textbook. I would suggest looking at a more contemporary way of configuring this, and I would also suggest using a named aaa group instead of "group radius". I have never used this style of config, because it seems like a lazy/default way to let IOS select any/all radius server definitions; instead, I always create a radius group and then, inside that group, refer to my named radius server definitions.

If no RADIUS traffic is hitting ISE, then also check things like the source interface used for RADIUS. If your switch has multiple SVIs, IOS will auto-select the lowest-numbered one for sending RADIUS; this might not match what you intended, and ISE will ignore/drop those packets. Run a tcpdump on ISE to see if you get anything.

Useful commands:

test aaa
show aaa servers

Do you have any configuration guide that you can point me to?

It only accepts me with other policies; with the wired guest policy the tests do not work for me.

[screenshot attached]

Leo TI (Level 1)

It seems to me that it works in ISE, because it goes to the authorization that redirects. I also see that on the switch there are matches on the specific ACL, but the host is not redirected to the ISE web page to enter the credentials, and if I force it in the browser it tells me that no RADIUS sessions have been found. In addition, the host has full access; the ACL is not working.

[screenshots attached]

Arne Bier (VIP)

On the wired client, can you open a command prompt and see if the DNS resolution of the ISE portal FQDN resolves in the IP address of the ISE PSN?

Leo TI (Level 1), accepted solution

Hi friends
I just recently got it working. I'll leave you the configurations I applied to both the switch and the ISE.

aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

radius server Grupo-ISE
 address ipv4 172.22.4.194 auth-port 1812 acct-port 1813
 key 123456
aaa server radius dynamic-author
 client 172.22.4.194 server-key 123456

ip device tracking probe delay 10
ip device tracking

dot1x system-auth-control

interface FastEthernet0/5
 switchport access vlan 209
 switchport mode access
 authentication event fail action next-method
 authentication open
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

ip http server
ip http secure-server

ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 permit icmp any any

[screenshots attached]
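The thread boils down to a handful of switch-side checks for central web authentication: whether the aaa lines reference a named RADIUS group (Arne Bier's point), whether the RADIUS source interface is pinned, whether the HTTP server the redirect depends on is enabled, whether the port falls through to the next method on failure, and what the redirect ACL actually permits (permit means redirect, deny means pass through). The script below is an added example, not code from this thread or from Cisco: it runs those checks over abbreviated, constructed copies of the original and the accepted-solution configs and reports what changed between them. The finding codes and the rule set are this example's own; the IOS commands it looks for (`aaa group server radius`, `ip radius source-interface`, `ip http server`, `authentication event fail action next-method`) are standard IOS syntax.

```python
import re

# Constructed, abbreviated copies of the two switch configs posted in this thread
# (original post on Fa0/4, accepted solution on Fa0/5); not the poster's full text.
ORIGINAL_CFG = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server RADIUS
 address ipv4 172.22.4.194 auth-port 1812 acct-port 1813
 key 123456
interface FastEthernet0/4
 authentication open
 authentication order mab webauth
 authentication port-control auto
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny ip any host 172.22.4.194
 permit tcp any any eq www
 permit udp any any eq domain
"""

SOLUTION_CFG = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server Grupo-ISE
 address ipv4 172.22.4.194 auth-port 1812 acct-port 1813
 key 123456
interface FastEthernet0/5
 authentication event fail action next-method
 authentication open
 authentication order dot1x mab webauth
 authentication port-control auto
ip http server
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
"""


def acl_entries(cfg, name):
    """Return the ACEs of the named extended ACL with whitespace collapsed."""
    entries, inside = [], False
    for raw in cfg.splitlines():
        line = " ".join(raw.split())
        if line == f"ip access-list extended {name}":
            inside = True
            continue
        if inside:
            if line.startswith(("permit ", "deny ", "remark ")):
                entries.append(line)
            elif line:  # first non-ACE line closes the ACL block
                inside = False
    return entries


def radius_server_addresses(cfg):
    """IPv4 addresses from every 'radius server' definition."""
    return re.findall(r"^\s*address ipv4 (\S+)", cfg, flags=re.M)


def check_webauth_config(cfg, acl_name="ACL-WEBAUTH-REDIRECT"):
    """Return (code, message) findings; codes and rules are this example's own."""
    norm = [" ".join(l.split()) for l in cfg.splitlines()]
    text = "\n".join(norm)
    findings = []
    # 'group radius' is the implicit all-servers group, not a named aaa group
    if re.search(r"^aaa \S+ .*group radius$", text, re.M) and \
            not re.search(r"^aaa group server radius \S+", text, re.M):
        findings.append(("AAA-GROUP", "aaa lines use implicit 'group radius'; define a named aaa group"))
    # the switch serves the redirect itself, so webauth needs its HTTP server
    if re.search(r"^authentication order .*webauth", text, re.M) and "ip http server" not in norm:
        findings.append(("HTTP-SERVER", "webauth ordered but 'ip http server' missing"))
    # without a pinned source interface IOS picks an SVI on its own
    if not any(l.startswith("ip radius source-interface") for l in norm):
        findings.append(("RADIUS-SOURCE", "no 'ip radius source-interface'; NAD address may not match ISE"))
    # added in the accepted solution: fall through to the next method on failure
    if re.search(r"^authentication order (dot1x|mab)", text, re.M) and \
            "authentication event fail action next-method" not in norm:
        findings.append(("FAIL-NEXT-METHOD", "no 'authentication event fail action next-method'"))
    # redirect ACL semantics: permit = redirect, deny = pass through untouched
    aces = acl_entries(cfg, acl_name)
    if not aces:
        findings.append(("ACL-MISSING", f"no ACEs found for {acl_name}"))
        return findings
    if not any(a.startswith("deny udp") and "eq domain" in a for a in aces):
        findings.append(("ACL-DNS", "redirect ACL does not deny DNS, so lookups would be redirected"))
    for ip in radius_server_addresses(cfg):
        if not any(a.startswith("deny") and f"host {ip}" in a for a in aces):
            findings.append(("ACL-PSN", f"redirect ACL does not exempt the ISE address {ip}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("accepted solution", SOLUTION_CFG)):
        print(f"== {label} ==")
        for code, msg in check_webauth_config(cfg):
            print(f"  {code}: {msg}")
```

Run against the original config it flags the missing HTTP server, the DNS entry that marks lookups for redirect, the lack of a fail-through method and the implicit group; against the accepted solution only the implicit group, the unpinned source interface and the dropped exemption for the ISE address remain, which is a compact way to see what the solution changed and what it still leaves to IOS defaults.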