ISE Web auth not working

raga.fusionet
Level 4

Hey Guys,

I'm trying to configure Web Auth for users with no supplicant enabled.

I followed the steps mentioned in the ISE lab walkthrough; however, when I open the browser on the client machine all I get is a "page cannot be displayed".

From the switch perspective I think everything looks fine; however, I can't really tell why the client never gets the login portal.

#sh authentication sessions int gi 1/0/36

            Interface:  GigabitEthernet1/0/36
          MAC Address:  c80a.a96e.367c
           IP Address:  172.16.14.32
            User-Name:  C8-0A-A9-6E-36-7C
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
              ACS ACL:  xACSACLx-IP-CENTRAL_WEB_AUTH-4fe67b28
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT-ISE
         URL Redirect:  https://ISE.demo.local:8443/guestportal/gateway?sessionId=AC101065000000989BC260D4&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC101065000000989BC260D4
      Acct Session ID:  0x000000D8
               Handle:  0x61000098

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

#sh run int gi 1/0/36
Building configuration...

Current configuration : 490 bytes
!
interface GigabitEthernet1/0/36
 switchport access vlan 214
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 221
 ip access-group ACL-ALLOW-ISE in
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 storm-control broadcast level 30.00
 storm-control multicast level 30.00
 storm-control action trap
 spanning-tree portfast
end

#sh access-lists ACL-ALLOW-ISE
Extended IP access list ACL-ALLOW-ISE
    10 permit ip any any (771 matches)

I can post screenshots from the ISE if needed.

Thanks in advance.

Raga

23 Replies

Maaaaaaaaaaaaaan you should have seen my face and my celebration haha ....

I got it ... thanks!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

So here's what I did: you asked me if I could ping the DNS server, and the answer was NO. Then I remembered that the only thing I could ping from the client was the ISE, which made me check the ACLs on the switch, and I noticed this:

Extended IP access list ACL-WEBAUTH-REDIRECT-ISE
    10 deny ip any host 172.16.10.50 (3053 matches)
    20 permit ip any any (59373 matches)

The only host not being redirected was the ISE itself, but what about the DNS?

So I added a deny for the DNS and voila!!!!

Here is how my ACL looks now:

show access-list ACL-WEBAUTH-REDIRECT-ISE
Extended IP access list ACL-WEBAUTH-REDIRECT-ISE
    10 deny ip any host 172.16.10.50 (3653 matches)
    15 deny ip any host 172.16.10.237 (441 matches)
    20 permit ip any any (60050 matches)

It works now. I hope this is a valid solution (I don't see any other one, by the way) and that it will not conflict with my future configs.

Thanks again!!!!!!!!!!!!

Luis,

I don't think that is the right config. Try removing the entry you added in the switch ACL and add the 'deny ip any any' in your dACL that is configured on the ISE.

Give that a try as I think that is the proper configuration.

Thanks,

Tarik Admani

Alright, so I removed the line and added the deny ip any any to the dACL, and now it looks like this:

permit udp any any eq 53
permit icmp any any
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any host 172.16.10.50 eq 8443
deny ip any any

Even with the deny ip any any I am still unable to resolve names.

Do you think adding that line to the switch ACL could create a conflict? What is usually the recommended config?

Thanks again.
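Added example, not code from the thread or from Cisco: a small Python model of how the two ACLs in a CWA session are read, using the ACL entries posted above. It exists because the two lists look alike but mean different things. The modelling assumptions (labelled in the comments) are: the dACL (xACSACLx-IP-CENTRAL_WEB_AUTH-...) is an ordinary first-match filter with an implicit deny at the end, and it has to actually be applied to the session for any of this to hold; the URL Redirect ACL (ACL-WEBAUTH-REDIRECT-ISE) is not a filter, so a permit match on HTTP/HTTPS means "intercept and send the browser to the portal", a deny match means "leave it alone", and non-web traffic such as DNS is never redirected, only filtered by the dACL. The hosts are the ones from the thread; the sample flows and the 203.0.113.10 / 172.16.10.60 addresses are constructed.

```python
"""Model of dACL vs. URL Redirect ACL evaluation for a Cisco IOS CWA session.

Added example; assumptions are marked. ACL entries come from the forum thread,
sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

PORT_NAMES = {"domain": 53, "bootpc": 68, "bootps": 67, "www": 80, "https": 443}


@dataclass(frozen=True)
class Flow:
    proto: str                       # "tcp" | "udp" | "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                      # "permit" | "deny"
    proto: str                       # "ip" matches every protocol
    src: Callable[[str], bool]
    sport: Optional[int]
    dst: Callable[[str], bool]
    dport: Optional[int]

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if not (self.src(f.src) and self.dst(f.dst)):
            return False
        if self.sport is not None and f.sport != self.sport:
            return False
        return self.dport is None or f.dport == self.dport


def _addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return (lambda a: True), i + 1
    if tok[i] == "host":
        h = ip_address(tok[i + 1])
        return (lambda a, h=h: ip_address(a) == h), i + 2
    net = ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)  # IOS wildcard == hostmask
    return (lambda a, n=net: ip_address(a) in n), i + 2


def _port(tok, i):
    """Parse an optional 'eq <number|name>' at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Accept 'show access-list' lines, with or without seq numbers / '(N matches)'."""
    tok = line.split("(")[0].split()
    if tok[0].isdigit():
        tok = tok[1:]
    action, proto = tok[0], tok[1]
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text: str):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def first_match(acl, flow: Flow) -> str:
    for ace in acl:
        if ace.matches(flow):
            return ace.action
    return "deny"                    # implicit deny at the end of every IOS ACL


def cwa_verdict(dacl, redirect_acl, flow: Flow) -> str:
    """Assumption: dACL filters first; a redirect-ACL permit only matters for web traffic."""
    if first_match(dacl, flow) == "deny":
        return "dropped by dACL"
    is_web = flow.proto == "tcp" and flow.dport in (80, 443)
    if is_web and first_match(redirect_acl, flow) == "permit":
        return "redirected to ISE portal"
    return "forwarded"


# Redirect ACL as first posted (ISE PSN excluded, everything else permitted).
REDIRECT_ACL = parse_acl("""
10 deny ip any host 172.16.10.50 (3053 matches)
20 permit ip any any (59373 matches)
""")
# dACL as posted in the reply above, and the variant with the DHCP line added later.
DACL = parse_acl("""
permit udp any any eq 53
permit icmp any any
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any host 172.16.10.50 eq 8443
deny ip any any
""")
DACL_WITH_DHCP = DACL[:-1] + parse_acl("permit udp any eq bootpc any eq bootps") + DACL[-1:]

CLIENT, ISE, DNS = "172.16.14.32", "172.16.10.50", "172.16.10.237"   # hosts from the thread
FLOWS = {                                                            # constructed traffic
    "dns": Flow("udp", CLIENT, DNS, dport=53),
    "dhcp": Flow("udp", "0.0.0.0", "255.255.255.255", sport=68, dport=67),
    "http": Flow("tcp", CLIENT, "203.0.113.10", dport=80),
    "ise_https": Flow("tcp", CLIENT, ISE, dport=443),
    "portal": Flow("tcp", CLIENT, ISE, dport=8443),
    "smb": Flow("tcp", CLIENT, "172.16.10.60", dport=445),
}


def verdicts(dacl, redirect_acl=REDIRECT_ACL):
    return {name: cwa_verdict(dacl, redirect_acl, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, v in verdicts(DACL).items():
        print(f"{name:10s} {v}")
    print("dhcp with bootpc line:", verdicts(DACL_WITH_DHCP)["dhcp"])
```

Under this model the posted dACL already lets DNS through and only HTTP/HTTPS to hosts other than the ISE gets redirected, so adding a DNS deny to the redirect ACL changes nothing for DNS; what the thread's last reply points at instead is whether the dACL is applied to the session at all. The DHCP case is the one line the later reply found missing: without it the final deny drops the client's DHCP requests.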

Luis,

here is the recommended config based on the troubleshooting notes -

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1044595

Thanks,

Tarik Admani

Tarik,

I checked the list and the only thing I was missing was a "permit udp any eq bootpc any eq bootps" on the dACL, which I just added, but it made no difference. It appears to me that the "permit udp any any eq domain" on the dACL is not taking place. I can ping the ISE but cannot resolve its name, nor can I resolve Google's, unless I modify the switch's ACL.

Everything else looks fine to me; if I do a show epm session I can see the ACS ACL and the redirect. Also, the av-pairs are configured as the troubleshooting guide explains.

I guess that for now, I'll stick to my workaround and later on once I have this on production I'll open a case with Cisco.

Thanks so much for your help!

Luis Raga

Luis,

Can you post the results of debug radius authentication from your switch? I would like to see if the dACL is being parsed/being applied to the session.

Thanks,

Tarik Admani

Here you go.

Thanks!

Luis,

Based on your configuration here:

it looks like you are missing the command reference in this section -

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_sw_cnfg.html#wp1059636

aaa authorization auth-proxy default group radius

Add that command and see if it changes your luck. Please use this document to double-check your configuration; I have used this on my switches and it seems to work just fine.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_sw_cnfg.html#wp1059724

Thanks,

Tarik Admani

Hey that seemed to fix it!

I removed the extra line from the ACL and my client is now getting the authentication page!

Thanks a bunch for your efforts to fix it.

I can now safely move on to finish the posture configuration.