Not Working-central web-authentication with a switch and Identity Service Engine

Nuno Moreira
Level 1

Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, I'm asking for your help...

I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.

The interface configuration looks like this:

interface FastEthernet0/24
 switchport access vlan 6
 switchport mode access
 switchport voice vlan 20
 ip access-group webauth in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 spanning-tree portfast
end

The ACLs:

Extended IP access list webauth
    10 permit ip any any
Extended IP access list redirect
    10 deny ip any host 172.22.2.38
    20 permit tcp any any eq www
    30 permit tcp any any eq 443

I followed the ISE-side configuration step by step...

When I connect the XP client, I see the following authentication session...

swlx0x0x#show authentication sessions interface fastEthernet 0/24
            Interface:  FastEthernet0/24
          MAC Address:  0015.c549.5c99
           IP Address:  172.22.3.184
            User-Name:  00-15-C5-49-5C-99
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
     URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC16011F000000490AC1A9E2
      Acct Session ID:  0x00000077
               Handle:  0xB7000049

Runnable methods list:
       Method   State
       mab      Authc Success

But there is no redirection, and I get the following message on the switch console:

756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...

I have to mention I'm using an HTTP proxy on port 8080...

Any ideas on what is going wrong?

Regards

Nuno

15 Replies

I had the same issue and it turned out to be my captive portal acl. See below:

This ACL MUST be configured on the switch beforehand (some documentation alludes to using a downloadable ACL for this).

This ACL MUST contain DENY statements for traffic going to External Portal.

  • This prevents traffic getting redirected to portal from getting stuck in a redirect loop

This ACL MUST contain PERMIT statements for traffic that you want the switch to intercept and redirect to the external portal

Here is a working example for redirecting traffic to a captive portal (1.1.1.1 in this and the following examples):

ip access-list extended captive_portal
 deny   tcp any host 1.1.1.1
 permit tcp any any
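To make the permit/deny semantics of a redirect ACL concrete, here is an added Python evaluator; it is not code from the thread or from Cisco, it parses only the ACL syntax that appears above, and it applies first-match logic to the original poster's "redirect" ACL and the reply's "captive_portal" ACL. The default client address 172.22.3.184 is the one in the session output above; the other destination addresses in the checks are constructed.

```python
# Added example, not from the thread: first-match evaluation of a web-auth
# redirect ACL. A PERMIT match means the switch intercepts and redirects the
# flow; a DENY match, or no match (implicit deny), lets it pass unredirected.
import ipaddress

PORT_NAMES = {"www": 80}  # IOS port keyword used in the thread

def _target(t, i):
    """Parse 'any' or 'host A.B.C.D' at t[i]; return (network, next index)."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network("0.0.0.0/0"), i + 1

def parse_acl(text):
    """Parse the extended-ACL syntax subset seen in this thread, in order."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] in ("ip", "Extended"):  # skip header lines
            continue
        t = t[1:] if t[0].isdigit() else t      # drop show-output sequence no.
        action, proto = t[0], t[1]
        src, i = _target(t, 2)
        dst, i = _target(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append((action, proto, src, dst, port))
    return entries

def redirected(acl, dst_ip, dst_port, src_ip="172.22.3.184", proto="tcp"):
    """True if the client's flow would be intercepted by the redirect ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in acl:
        if (p in ("ip", proto) and s in src and d in dst
                and (port is None or port == dst_port)):
            return action == "permit"  # first matching entry decides
    return False                       # implicit deny: no redirection

OP_ACL = parse_acl("""
Extended IP access list redirect
    10 deny ip any host 172.22.2.38
    20 permit tcp any any eq www
    30 permit tcp any any eq 443
""")  # the 'redirect' ACL from the original post, as its show output lists it

REPLY_ACL = parse_acl("""
ip access-list extended captive_portal
 deny   tcp any host 1.1.1.1
 permit tcp any any
""")  # the captive_portal ACL from the first reply (portal at 1.1.1.1)
```

Evaluating the original poster's ACL this way shows that only TCP 80 and 443 flows are redirected, while flows to the ISE at 172.22.2.38 and to any other port (for example 8080) fall through unmatched, which is one thing to verify when clients reach the web through a proxy.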