cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1061
Views
0
Helpful
4
Replies
Mike Masalla
Beginner

Wired Guest CWA on ISE 2.3 is failing authC

I am trying to lab Guest Wired CWA on ISE 2.3  I am not a new to ISE, I completed few succesful installation, but non had the wired guest access. The switch is C3560v2 on IOS rel 12.2.55.SE12

 

On connecting the Windows 10 endpoint to the switch, I do not get Guest Portal access. 

on reviewing the switch log, I can see the port has failed MAB authentication, as well as authorization.

On reviewing the ISE radius live log, I can see authentication had successed for user being unknown, and been granted the CWA permission.

 

Its quite confusing to me. I am attaching screenshots from ISE radius live log as well as the switch output for show port authentication.

 

Thanks

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions

Not sure if you got this fixed, but I believe this due to bug CSCvg70582
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg70582/?rfs=iqvred

View solution in original post

4 REPLIES 4
jan.nielsen
Rising star

did you follow the trustsec guide for wired guest? there is a few commands that are needed for cwa, which normally wouldnt be needed for dot1x/mab. Also make sure the redirect ACL you are referencing actually exists on the switch. Also, make sure you switch management ip and your guest client is in the same ip subnet, otherwise the switch will send the return packets to the client via the ip default-gateway configured in the switch, so if the mgmt network and the guest network cant reach eachother it won't work, or if you have a firewall between mgmt and guest network. A workaround is to configure multiple SVIs on the access switch, so it has an address in the guest network also, but it's kind of a pain to do CWA on wired, i always advice against it.
sandeep431
Beginner

I have the same exact issue. 

1) Wireless (MAB+CWA) Working great--> No issues: MAB: authc and authz successful and getting redirected

 

2) Wired (MAB+CWA)

      1- Authorization profile: Only permit access , No issues: MAB authc and authz successful 

      2- Authorization profile: Permit access + CWA redirect ACL:    MAB: Authc failed

 

So, were you able to resolve? Interesting to notice that ISE logs showing successful authc with mab however switch is showing authc failed (when i have redirect acl in authz profile). 

 

 

Not sure if you got this fixed, but I believe this due to bug CSCvg70582
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg70582/?rfs=iqvred

View solution in original post

Hi jalemanp!

Thanks for providing this useful info. I never got that working. I will give this a shot and provide an update! Thanks again!

Content for Community-Ad