WiSM2 - ISE Central Web Authentication - Redirection ACL does not work for Guest Access

Joana Manzano
Level 1

Hi

I am using these devices to set up Central Web Authentication for Guest Wireless:

 

  1. WiSM2 - 7.6.110.0: Foreign Controller.
  2. WLC 5760 - 03.03.01SE: Anchor Controller.
  3. Cisco ISE 1.1.X


Mobility is UP between controllers. Clients can connect to GUEST SSID, get an IP address but they are never redirected to Cisco ISE Guest Portal for Authentication. Instead of going to ISE Web Portal, they can talk straight to the Internet bypassing any authentication.

I think the Pre-Auth ACL specified in the ISE Authorization Profile is not properly applied to the Clients so they are not restricted to talk to the Internet.
 

This is my configuration:

WiSM2:

1. Radius:

2. WLAN GUEST - WLAN ID 2:

3. ACLs:

3.1 Unknown - Pre-Auth ACL that permits traffic to ISE.

3.2 Compliant - User successfully authenticated.

3.3 Non-compliant - User is not allowed.

4. Controller:

WLC ANCHOR 5760:


aaa new-model
aaa group server radius ISE
 server name ise

aaa authentication dot1x ise_webauth group ISE
aaa authorization network cwa_macfilter group ISE
aaa authorization credential-download ise_webauth group ISE

aaa server radius dynamic-author
 client '10.X.X.X (ISE IP Address)' server-key 7 1363D3AC00070D3E773B27E70A
 auth-type any

ip access-list extended compliant
 permit ip any any
ip access-list extended non-compliant
 deny   ip any any
ip access-list extended unknown
 deny   udp any eq bootps any
 deny   udp any any eq bootpc
 deny   udp any eq bootpc any
 deny   udp any any eq domain
 deny   tcp any any eq domain
 deny   ip any host '10.X.X.X'(ISE IP address)
 deny   ip any host '10.X.X.X'(DHCP Server IP Address)
 permit tcp any any eq www
 permit tcp any any eq 443
!

radius-server attribute 6 on-for-login-auth
radius-server attribute 31 send nas-port-detail mac-only

radius server ise
 address ipv4 '10.X.X.X(ISE IP address)' auth-port 1812 acct-port 1813
 key 7 033771233103226B5B5A0A113C4112
!

wireless mobility controller
wireless mobility group member ip '10.X.X.X WiSM2 Ip Address' public-ip '10.X.X.X WiSM2 Ip Address' group GUEST
wireless mobility group name GUEST
wireless mobility dscp 46

wlan GUEST 2 GUEST
 aaa-override
 client vlan 230
 ip dhcp opt82 format add-ssid
 ip dhcp server 10.X.X.X 
 mac-filtering cwa_macfilter
 mobility anchor
 nac
 peer-blocking drop
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security dot1x authentication-list ise_webauth
 session-timeout 1800
 no shutdown

 

CISCO ISE:

1. Authorization Profiles:

I also configured: Airespace ACL Name = unknown. I am not sure if this is needed. I have tried with and without this option.

2. Authentication:

3. Authorization:

4. Operations Authentication:

I never get to the point where the profile is Compliant. It is always UnknownProfile/Pending.


Client:

WiSM2:

ANCHOR 5760:

Even though the Policy Manager State is "CENTRAL_WEB_AUTH", ACL "unknown" (pre-auth ACL) is applied and the Redirect URL is pointing to the ISE Guest Portal, clients bypass authentication and can talk straight to the Internet. They are not redirected to Cisco ISE for authentication at any time.


I would appreciate some help to understand why the redirection part of the process is not working and why any client traffic is allowed.
 

Thank you very much.


Joana.
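The 5760 "unknown" redirect ACL from the configuration above can be checked offline before it is applied. The following is an added example, not code from this thread or from Cisco: it parses IOS-style extended ACL lines and, following the converged-access (3850/5760) convention in which a permit entry marks a flow for redirection to the portal while a deny entry (including the implicit deny at the end) leaves it unredirected, reports which of a set of constructed sample flows would be redirected. The ISE and DHCP server addresses (10.9.1.2 and 10.8.3.1) are taken from later posts in the thread and stand in for the 10.X.X.X placeholders; the client and Internet addresses are constructed.

```python
"""Redirect-ACL evaluator for the converged-access CWA scenario in this thread.

Added example (not the thread's or Cisco's code). Convention modelled:
IOS-XE 3850/5760 redirect ACL, permit = redirect, deny = not redirected.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Well-known port names that appear in IOS ACL syntax.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # CIDR network
    sport: Optional[int]   # None = any source port
    dst: str
    dport: Optional[int]


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr(toks: List[str]) -> Tuple[str, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' and return a CIDR."""
    if toks[0] == "any":
        return "0.0.0.0/0", toks[1:]
    if toks[0] == "host":
        return toks[1] + "/32", toks[2:]
    # ipaddress accepts an IOS wildcard (hostmask) after the slash
    return str(ip_network(f"{toks[0]}/{toks[1]}", strict=False)), toks[2:]


def _eq_port(toks: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq <port>' qualifier."""
    if toks and toks[0] == "eq":
        name = toks[1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), toks[2:]
    return None, toks


def parse_acl(text: str) -> List[Entry]:
    """Parse the body of an 'ip access-list extended NAME' block."""
    entries = []
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0] in ("ip", "!", "remark"):
            continue                    # header, comment or blank line
        if toks[0].isdigit():
            toks = toks[1:]             # optional sequence number
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, rest = _addr(rest)
        sport, rest = _eq_port(rest)
        dst, rest = _addr(rest)
        dport, rest = _eq_port(rest)
        entries.append(Entry(action, proto, src, sport, dst, dport))
    return entries


def _matches(e: Entry, f: Flow) -> bool:
    if e.proto != "ip" and e.proto != f.proto:
        return False
    if ip_address(f.src) not in ip_network(e.src):
        return False
    if ip_address(f.dst) not in ip_network(e.dst):
        return False
    if e.sport is not None and e.sport != f.sport:
        return False
    return e.dport is None or e.dport == f.dport


def verdict(acl: List[Entry], flow: Flow) -> str:
    """First-match evaluation; the implicit trailing deny means 'no-redirect'."""
    action = "deny"
    for e in acl:
        if _matches(e, flow):
            action = e.action
            break
    return "redirect" if action == "permit" else "no-redirect"


# The 5760 'unknown' list from the first post; placeholders replaced by
# addresses quoted elsewhere in the thread (ISE 10.9.1.2, DHCP 10.8.3.1).
ACL_5760 = """
ip access-list extended unknown
 deny   udp any eq bootps any
 deny   udp any any eq bootpc
 deny   udp any eq bootpc any
 deny   udp any any eq domain
 deny   tcp any any eq domain
 deny   ip any host 10.9.1.2
 deny   ip any host 10.8.3.1
 permit tcp any any eq www
 permit tcp any any eq 443
"""

# Constructed sample flows from a guest client at 10.8.3.10.
FLOWS = {
    "dhcp":  Flow("udp", "10.8.3.10", 68, "255.255.255.255", 67),
    "dns":   Flow("udp", "10.8.3.10", 51000, "10.9.1.5", 53),
    "ise":   Flow("tcp", "10.8.3.10", 51001, "10.9.1.2", 8443),
    "http":  Flow("tcp", "10.8.3.10", 51002, "198.51.100.10", 80),
    "https": Flow("tcp", "10.8.3.10", 51003, "198.51.100.10", 443),
    "ssh":   Flow("tcp", "10.8.3.10", 51004, "198.51.100.10", 22),
}


def evaluate_all() -> dict:
    acl = parse_acl(ACL_5760)
    return {name: verdict(acl, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:6s} {result}")
```

Only the HTTP and HTTPS flows come back as "redirect"; DHCP, DNS and the ISE portal itself are excluded by the deny lines and SSH falls through to the implicit deny. The evaluator says only whether a flow is intercepted for redirection; it does not model whether non-redirected traffic is forwarded or dropped while the client sits in WEBAUTH_REQD. AireOS controllers such as the WiSM2 use the inverse convention (permit lines pass without redirection, deny lines are intercepted), so a redirect ACL cannot be copied verbatim between the foreign and anchor platforms.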

33 Replies

Hi,

Sorry, I missed your post.

This is my topology:

Clients join an Open Guest Wireless.

WiSM2 is the foreign WLC and this is its configuration:

This is the configuration for the 5760-Anchor WLC located in the DMZ:

I have also tried, with no success, deny instead of permit in the entries of the previous acl:

ip access-list extended pre-auth-acl
 1 deny tcp any host 10.9.1.2
 2 deny tcp host 10.9.1.2 any
 3 deny udp any any eq domain
 4 deny udp any eq domain any
 5 permit tcp any any eq 80
 6 permit tcp any any eq 443

I have the same scenario working fine with a 3850 as a foreign WLC. However, I cannot get it working when the Foreign WLC is a WiSM2... The redirection part never happens, it seems that WiSM2 is not doing any redirection to ISE when HTTP/HTTPS traffic is intercepted. I always get the same behaviour, it seems that it doesn't matter what I configure in the redirect acl... ISE policies are applied to clients, but they never reach the ISE Authentication Web Portal, instead they are allowed to talk to the Internet without any authentication.

WiSM2:

5760 - Anchor:

ISE:

Any ideas?

Thank you very much for your help.

Joana.

Hello Joana,

Check your configuration on ISE. Under your UnknownProfile you are allowing centralised web authentication with ACL "unknown". This ACL need not be referenced here and need not even be created. Under ACL you have to refer to the redirect ACL (pre-auth-acl) you have defined on the WLC, which permits access to/from ISE and the DNS server. ISE is instructing the WLC to apply that redirect ACL. As you can see in the WiSM2 security information, ISE is returning the AAA override ACL name "unknown", which is not configured.

You have to configure exact same name on ISE that is configured on WiSM2 and WLC.

Hi,

Sorry, I put the old screenshot in the previous post, my mistake. I changed the name of the ACLs on both controllers and ISE from "unknown" to "pre-auth-acl" to be more meaningful. So, I have the ACL "pre-auth-acl" configured on both controllers and also in the ACL field of the authorization profile on ISE.

These are the screenshots that show that "pre-auth-acl" is "applied" to clients:

wism2:

5760-anchor:

I also include the result of a debug on both controllers:

wism2:

(WiSM-slot8-1) >debug client 8c62.5a7f.41c1

*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Association received from mobile on BSSID 00:23:eb:de:3b:a1
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Global 200 Clients are allowed to AP radio
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Max Client Trap Threshold: 0  cur: 1
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 5 on mobile
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 In processSsidIE:4795 setting Central switched to TRUE
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 In processSsidIE:4798 apVapId = 3 and Split Acl Id = 65535
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Applying site-specific Local Bridging override for station 8c:70:5a:7f:43:c0 - vapId 2, site 'SITE', interface 'management'
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Applying Local Bridging Interface Policy for station 8c:70:5a:7f:43:c0 - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 Applying site-specific override for station 8c:70:5a:7f:43:c0 - vapId 2, site 'SITE', interface 'management'
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: May 01 09:42:28.819: 8c:70:5a:7f:43:c0 suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_5: May 01 09:42:28.820: 8c:70:5a:7f:43:c0 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: May 01 09:42:28.820: 8c:70:5a:7f:43:c0 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_5: May 01 09:42:28.820: 8c:70:5a:7f:43:c0 apfMsAssoStateDec
*apfMsConnTask_5: May 01 09:42:28.820: 8c:70:5a:7f:43:c0 apfProcessAssocReq (apf_80211.c:8159) Changing state for mobile 8c:70:5a:7f:43:c0 on AP 00:23:eb:de:3b:a0 from Associated to AAA Pending
*apfMsConnTask_5: May 01 09:42:28.820: 8c:70:5a:7f:43:c0 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Received SGT for this Client.
*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Resetting web IPv4 acl from 5 to 255
*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Resetting web IPv4 Flex acl from 65535 to 65535
*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 5 on mobile
*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Applying site-specific override for station 8c:70:5a:7f:43:c0 - vapId 2, site 'SITE', interface 'management'
*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Inserting AAA Override struct for mobile MAC: 8c:70:5a:7f:43:c0, source 2
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 apfMs1xStateDec
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 START (0) Initializing policy
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*pemReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 Removed NPU entry.
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 Central switch is TRUE
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 Not Using WMM Compliance code qosCap 00
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:23:eb:de:3b:a0 vapId 2 apVapId 3 flex-acl-name:
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) pemApfAddMobileStation2 3439, Adding TMP rule
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule type = Airespace AP - Learn IP address on AP 00:23:eb:de:3b:a0, slot 0, interface = 13, QOS = 3 IPv4 ACL ID = 255, IP
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 0, Local Bridging intf id = 0
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) pemApfAddMobileStation2 3618, Adding TMP rule
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule type = Airespace AP - Learn IP address on AP 00:23:eb:de:3b:a0, slot 0, interface = 13, QOS = 3 IPv4 ACL ID = 255,
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 0, Local Bridging intf id = 0
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 apfMsAssoStateInc
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 8c:70:5a:7f:43:c0 on AP 00:23:eb:de:3b:a0 from AAA Pending to Associated
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 apfPemAddUser2:session timeout forstation 8c:70:5a:7f:43:c0 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
*apfReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
*apfReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 Sending Assoc Response to station on BSSID 00:23:eb:de:3b:a2 (status 0) ApVapId 3 Slot 0
*apfReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 apfProcessRadiusAssocResp (apf_80211.c:3212) Changing state for mobile 8c:70:5a:7f:43:c0 on AP 00:23:eb:de:3b:a0 from Associated to Associated
*pemReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 Set bi-dir guest tunnel for 8c:70:5a:7f:43:c0 as in Export Foreign role
*pemReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4
*pemReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 Set bi-dir guest tunnel for 8c:70:5a:7f:43:c0 as in Export Foreign role
*pemReceiveTask: May 01 09:42:28.832: 8c:70:5a:7f:43:c0 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4
*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP   xid: 0x62905efb (1653628667), secs: 0, flags: 0
*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP   chaddr: 8c:70:5a:7f:43:c0
*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: May 01 09:42:31.988: 8c:70:5a:7f:43:c0 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP   xid: 0x62905efb (1653628667), secs: 1024, flags: 0
*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP   chaddr: 8c:70:5a:7f:43:c0
*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: May 01 09:42:35.975: 8c:70:5a:7f:43:c0 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP received op BOOTREPLY (2) (len 344,vlan 0, port 13, encap 0xec07)
*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP   xid: 0x62905efb (1653628667), secs: 0, flags: 0
*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP   chaddr: 8c:70:5a:7f:43:c0
*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.8.3.10
*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP   siaddr: 10.8.3.1,  giaddr: 0.0.0.0
*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP   server id: 10.8.3.1  rcvd server id: 10.8.3.1
*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP successfully bridged packet to STA
*DHCP Socket Task: May 01 09:42:38.992: 8c:70:5a:7f:43:c0 DHCP received op BOOTREPLY (2) (len 344,vlan 0, port 13, encap 0xec07)
*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP processing DHCP OFFER (2)
*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP   xid: 0x62905efb (1653628667), secs: 0, flags: 0
*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP   chaddr: 8c:70:5a:7f:43:c0
*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.8.3.10
*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP   siaddr: 10.8.3.1,  giaddr: 0.0.0.0
*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP   server id: 10.8.3.1  rcvd server id: 10.8.3.1
*DHCP Socket Task: May 01 09:42:38.993: 8c:70:5a:7f:43:c0 DHCP successfully bridged packet to STA
*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP received op BOOTREQUEST (1) (len 341,vlan 0, port 13, encap 0xec03)
*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP   xid: 0x62905efb (1653628667), secs: 1024, flags: 0
*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP   chaddr: 8c:70:5a:7f:43:c0
*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP   requested ip: 10.8.3.10
*DHCP Socket Task: May 01 09:42:38.995: 8c:70:5a:7f:43:c0 DHCP   server id: 10.8.3.1  rcvd server id: 10.8.3.1
*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP received op BOOTREPLY (2) (len 344,vlan 0, port 13, encap 0xec07)
*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP processing DHCP ACK (5)
*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP   xid: 0x62905efb (1653628667), secs: 0, flags: 0
*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP   chaddr: 8c:70:5a:7f:43:c0
*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.8.3.10
*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP   siaddr: 10.8.3.1,  giaddr: 0.0.0.0
*DHCP Socket Task: May 01 09:42:38.999: 8c:70:5a:7f:43:c0 DHCP   server id: 10.8.3.1  rcvd server id: 10.8.3.1
*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 apfMsRunStateInc
*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 10.8.3.10 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)

*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 10.8.3.10 RUN (20) Reached PLUMBFASTPATH: from line 0
*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 10.8.3.10 RUN (20) Replacing Fast Path rule
  type = Airespace AP Client
  on AP 00:23:eb:de:3b:a0, slot 0, interface = 13, QOS = 3
  IPv4 ACL ID = 255, IPv6 ACL ID =
*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 10.8.3.10 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 0, Local Bridging intf id = 0
*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 10.8.3.10 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 Assigning Address 10.8.3.10 to mobile
*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: May 01 09:42:39.001: 8c:70:5a:7f:43:c0 DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: May 01 09:42:39.001: 8c:70:5a:7f:43:c0 DHCP successfully bridged packet to STA
*pemReceiveTask: May 01 09:42:39.001: 8c:70:5a:7f:43:c0 Set bi-dir guest tunnel for 8c:70:5a:7f:43:c0 as in Export Foreign role
*pemReceiveTask: May 01 09:42:39.001: 8c:70:5a:7f:43:c0 10.8.3.10 Added NPU entry of type 1, dtlFlags 0x4
*pemReceiveTask: May 01 09:42:39.001: 8c:70:5a:7f:43:c0 Skip Foreign / Export Foreign Client IP 10.8.3.10 plumbing in FP SCB

5760-anchor:

anchorwlc5760-primary#
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_IP_BIND: w/ IPv4 0.0.0.0 ip_learn_type 0 add_delete 0,options_length 0
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_IP_BIND: w/ IPv4 10.8.3.10 ip_learn_type DHCP add_delete 1,options_length 0
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WcdbClientUpdate: IP Binding from WCDB ip_learn_type 0, add_or_delete 0
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 IPv4 Addr: 0:0:0:0
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Incrementing the Reassociation Count 1 for client (of interface GUEST)
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 MS got the IP, resetting the Reassociation Count 0 for client
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Clearing Address 10.8.3.9 on mobile
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm:  8c62.5a7f.41c1  10.8.3.9 WEBAUTH_REQD (8) pemAdvanceState2 3504, Adding TMP rule
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm:  8c62.5a7f.41c1  10.8.3.9 WEBAUTH_REQD (8) Replacing Fast Path rule^M   on AP  0000.0000.0000 , slot 0 802.1P = 0^M
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm:  8c62.5a7f.41c1  10.8.3.9 WEBAUTH_REQD (8) Successfully plumbed mobile rule
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Change state to DHCP_REQD (7) last state WEBAUTH_REQD (8)
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_CHANGE: Client 1 m_vlan 11 Radio iif id 0x0 bssid iif id 0x0, bssid 0000.0000.0000
*May  1 08:54:32.618: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_AUTH: Adding opt82 len 0
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_LLM: NoRun Prev Mob 2, Curr Mob 2 llmReq 3, return False
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 auth state 2 mob state 2 setWme 0 wme 0 roam_sent 0
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_CHANGE: auth=LEARN_IP(2) vlan 11 radio 0 client_id 0x4d99c0000041c9 mobility=ExpAnchor(2) src_int 0x7bbcc000002fac dst_int 0x0 ackflag 2 reassoc_client 0 llm_notif 0 ip  10.8.3.9 ip_learn_type 0
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WcdbClientUpdate: IP Binding from WCDB ip_learn_type 1, add_or_delete 1
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 IPv4 Addr: 10:9:65:39
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 MS got the IP, resetting the Reassociation Count 0 for client
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Change state to WEBAUTH_REQD (8) last state DHCP_REQD (7)
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_CHANGE: Client 1 m_vlan 11 Radio iif id 0x0 bssid iif id 0x0, bssid 0000.0000.0000
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_AUTH: Adding opt82 len 0
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_LLM: NoRun Prev Mob 2, Curr Mob 2 llmReq 3, return False
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 auth state 3 mob state 2 setWme 0 wme 0 roam_sent 0
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 WCDB_CHANGE: auth=L3_AUTH(3) vlan 11 radio 0 client_id 0x4d99c0000041c9 mobility=ExpAnchor(2) src_int 0x7bbcc000002fac dst_int 0x0 ackflag 2 reassoc_client 0 llm_notif 0 ip  10.8.3.10 ip_learn_type DHCP
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Posture or Central Web Auth client, start session on IOS after client moves to RUN state
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm:  8c62.5a7f.41c1  10.8.3.10 WEBAUTH_REQD (8) pemAdvanceState2 4388, Adding TMP rule
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm:  8c62.5a7f.41c1  10.8.3.10 WEBAUTH_REQD (8) Replacing Fast Path rule^M   on AP  0000.0000.0000 , slot 0 802.1P = 0^M
*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm:  8c62.5a7f.41c1  10.8.3.10 WEBAUTH_REQD (8) Successfully plumbed mobile rule
*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Plumbing web-auth redirect rule due to user logout
*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1   Sending IPv4 update to Controller 10.8.252.83
*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Guest User()  assigned IP Address (10.8.3.10)
*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Assigning Address 10.8.3.10 to mobile
*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: PEM recv processing msg Add SCB(3)
*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 10.8.3.9, auth_state 8 mmRole ExpAnchor !!!
*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 10.8.3.9, auth_state 8 mmRole ExpAnchor, updating wcdb not needed
*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Tclas Plumb needed: 0
*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: PEM recv processing msg Add SCB(3)
*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 10.8.3.10, auth_state 8 mmRole ExpAnchor !!!
*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 10.8.3.10, auth_state 8 mmRole ExpAnchor, updating wcdb not needed
*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Tclas Plumb needed: 0
*May  1 08:55:05.409: %IOSXE-7-PLATFORM: 1 process wcm: WCDB_IIF: Ack Message ID: 0x682740000041e1 code 1003

I find it quite weird that there is no reference to changing from ACL "none" to "pre-auth-acl", or any other indication that ISE is pushing the Authorization profile (current name GUEST-CWA). I am quite sure I have seen that before in the output of the debug command. However, according to the client information the profile is applied and the URL redirect is also specified...

Thanks Poonam Garg and sorry for the confusion.

Joana.
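To read the two debug outputs above side by side, the following added example (not code from this thread or from Cisco) scans debug lines from both AireOS and IOS-XE controllers, groups them by client MAC and records the CWA checkpoints a working session shows: the RADIUS redirect URL, the redirect ACL name, the WEBAUTH_REQD state and the RUN state. The sample lines are short excerpts of the WiSM2 and 5760 debugs posted above plus the 3850 lines quoted later in the thread; treating an AireOS "IPv4 ACL ID 255" as "no named ACL plumbed" is an assumption of this example.

```python
"""Checkpoint scan of 'debug client' output for a CWA session.

Added example, not code from the thread or from Cisco. Works on AireOS
(WiSM2) lines and IOS-XE (3850/5760 'process wcm') lines alike.
"""
import re
from typing import Dict, List

# Client MAC in AireOS (aa:bb:cc:dd:ee:ff) or IOS-XE (aabb.ccdd.eeff) notation;
# the client MAC is the first one on each line, ahead of any BSSID.
MAC_RE = re.compile(
    r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5}|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b",
    re.IGNORECASE,
)

# CWA checkpoints; where a pattern has a group, the captured value is kept.
CHECKPOINTS = {
    "redirect_url": re.compile(r"Redirect URL received"),
    "redirect_acl": re.compile(r"Url-Redirect-Acl '([^']+)'"),
    "acl_change":   re.compile(r"Changing ACL '[^']*'\s*===>\s*'([^']+)'"),
    "webauth_reqd": re.compile(r"Change state to WEBAUTH_REQD"),
    "run":          re.compile(r"Change state to RUN"),
    "acl_id":       re.compile(r"IPv4 ACL ID\s*=?\s*(\d+)"),
}

# Assumption: AireOS prints ACL ID 255 when no named ACL is plumbed.
NO_ACL_ID = "255"


def norm_mac(raw: str) -> str:
    return raw.replace(":", "").replace(".", "").lower()


def analyze(lines: List[str]) -> Dict[str, dict]:
    """Return {client_mac: {checkpoint: value}} for the given debug lines."""
    summary: Dict[str, dict] = {}
    for line in lines:
        m = MAC_RE.search(line)
        if not m:
            continue
        rec = summary.setdefault(norm_mac(m.group(1)), {})
        for name, pat in CHECKPOINTS.items():
            hit = pat.search(line)
            if hit:
                rec[name] = hit.group(1) if pat.groups else True
    return summary


def findings(summary: Dict[str, dict]) -> Dict[str, List[str]]:
    """Turn a checkpoint summary into short per-client observations."""
    out: Dict[str, List[str]] = {}
    for mac, rec in summary.items():
        notes = []
        acl_name = rec.get("redirect_acl") or rec.get("acl_change")
        if rec.get("redirect_url") and not acl_name:
            notes.append("redirect URL received but no redirect ACL name logged")
        if rec.get("run") and rec.get("acl_id") == NO_ACL_ID:
            notes.append("reached RUN with no named ACL plumbed (ACL ID 255)")
        if acl_name:
            notes.append(f"redirect ACL '{acl_name}' applied")
        if rec.get("webauth_reqd"):
            notes.append("entered WEBAUTH_REQD")
        out[mac] = notes
    return out


# Excerpts of the debugs posted in this thread (WiSM2 foreign, 5760 anchor,
# and the 3850 foreign that works).
SAMPLE_LINES = [
    "*apfReceiveTask: May 01 09:42:28.830: 8c:70:5a:7f:43:c0 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0",
    "*apfReceiveTask: May 01 09:42:28.831: 8c:70:5a:7f:43:c0 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)",
    "*DHCP Socket Task: May 01 09:42:39.000: 8c:70:5a:7f:43:c0 10.8.3.10 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)",
    "*May  1 08:54:32.619: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Change state to WEBAUTH_REQD (8) last state DHCP_REQD (7)",
    "*May  1 08:54:32.620: %IOSXE-7-PLATFORM: 1 process wcm: 8c62.5a7f.41c1 Plumbing web-auth redirect rule due to user logout",
    "*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm:  50b4.c80d.5225  0.0.0.0 START (0) Changing ACL 'none'  ===> 'pre-auth-acl'  --- (caller acl_shim.c:175)",
    "*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Setting AAA Override Url-Redirect-Acl 'pre-auth-acl'",
]


def run_sample() -> Dict[str, List[str]]:
    return findings(analyze(SAMPLE_LINES))


if __name__ == "__main__":
    for mac, notes in run_sample().items():
        print(mac, "->", "; ".join(notes) or "no CWA checkpoints seen")
```

Run against a full `debug client` capture (one line per list element) the report makes the contrast visible at a glance: the 3850 client logs a redirect ACL name, whereas the WiSM2 client receives the redirect URL from RADIUS yet reaches RUN with ACL ID 255.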

Please check whether your guest anchor WLC is able to connect to ISE on port 8443, as once the redirect ACL is applied on the WLC, it's the guest anchor WLC that redirects the URL request to the ISE guest portal.

Yes, the anchor can talk to ISE:

anchorwlc5760-primary#telnet 10.9.1.2 8443
Trying 10.9.1.2, 8443 ... Open

It is quite frustrating... :( 

I have configured my pre-auth-acl with a deny entry in both foreign/anchor WLCs:

ip access-list extended pre-auth-acl
 1 deny ip any any

My laptop was not able to get an IP address when it joined the GUEST SSID. This is what I would expect, so that's fine. Then, I allowed DHCP so clients would be able to get an IP:

ip access-list extended pre-auth-acl
 1 permit udp any eq bootpc any eq bootps
 2 permit udp any eq bootps any eq bootpc
 3 deny ip any any

I was able to get an IP, but I was also able to do DNS requests (nslookup from cmd), access ISE and access the Internet. How is that possible if my ACLs configured on the foreign/anchor controllers only allow DHCP? I think the pre-auth-acl is not applied once you get an IP. I know it sounds weird... but it is what happens. I have DHCP Snooping configured on the anchor controller; could it affect AAA override in some way? (GUEST VLAN is 11)

ip dhcp snooping vlan 1,11-13
ip dhcp snooping wireless bootp-broadcast enable
ip dhcp snooping

interface TenGigabitEthernet1/0/2
 switchport trunk allowed vlan 1,11-13
 switchport mode trunk
 ip dhcp relay information trusted
 ip dhcp snooping trust
end

 

Thanks for your help!

Joana.

I have removed the DHCP snooping configuration for testing purposes, but clients are not able to get an IP; they are stuck in DHCP_REQD status.

Joana.

Hello Joana,

Where is your DHCP server? Inside or in the DMZ, and which controller is providing IPs to your clients?

After association with the WLAN and Layer 2 auth via ISE, everything else will be controlled by your anchor WLC; even the IP address is given by the anchor. So just:

1. Check the "DHCP address assignment required" box in the advanced properties on both the WiSM2 and the anchor WLC.

2. Remove the tick from DHCP override and don't give a DHCP server IP address on the WiSM2.

Hi,

no difference...

I think I mentioned before that we have the same scenario working completely fine with 3850 foreign controllers rather than WiSM2. I noticed a difference in the authentication details on ISE. If a client is connecting through the WiSM2 there are no Tunnel Details; the field is blank. However, if the client is coming through a 3850 WLC the Tunnel Details specify the management VLAN (see below).

A client connecting through the 3850 WLC:

A client connecting through the WiSM2:

This is the only difference that I can see between the two connections. The management interface in the WiSM2 is untagged; it doesn't have any VLAN assigned, just 0. I am wondering if the management interface in the WiSM2 needs to be assigned to a VLAN in order to work, or whether some additional configuration is needed on ISE?

 

Thank you very much.

Joana.

First of all, there is a difference between a pre-auth ACL and a redirect ACL. It seems that your pre-auth ACL is applied under the Layer 3 security of the WLAN.

Check whether this pre-auth ACL is applied on the WLC guest SSID. Go to WLAN > Security > Layer3 > Preauthentication ACL. If it is applied, remove it, because when the client is first authenticated via ISE and gets a RADIUS Access-Accept, this instructs the WLAN of a successful authentication. As a result the WLC opens up the WLAN access and allows traffic through. That's why when you configure deny any any the client is not able to go anywhere, and when you configure DHCP access only, the client can still resolve DNS: this ACL is removed after authentication, once the client gets the Access-Accept.

Hi,

Thanks for your quick response.

No, I don't have any pre-auth acl under Layer 3 security. Maybe I have chosen the wrong name again for my redirect acl ('pre-auth-acl') ;)

wism2:

5760:

 

Thanks,

Joana.

Ryan Coombs
Level 1

Joana,

Let's say your ISE server is at 10.10.10.10. The client connecting to the guest network gets an IP of 192.168.1.100. Does the DNS server address you're providing to the guest have an entry for, and access to, ISE at 10.10.10.10? Also allow ICMP in your ACL and, once you connect as a guest, try to ping the FQDN of ISE. Verify it's resolved. Also, when you type a URL, do you see your web browser showing it's redirected but it never reaches ISE? Or does it go straight to the website? I'm thinking it may be a DNS issue now. Also, instead of trying to search for e.g. google.com, type in an IP such as 1.1.1.1: if your local DNS is working it won't trigger the ACL.

 

Let me know the results please. I'm curious and would like to help while it's still fresh in my head!

Hi,

Clients get an IP address and the IP address of one of our internal DNS servers. Once I am connected to the Guest SSID, I can talk straight to the website. The browser doesn't show any kind of redirection to ISE at any point. However, if I manually enter the redirection URL obtained from ISE (say: https://ise.domain.com:8443/guestportal/gateway?sessionId=0a0933f10d0022775360f02&action=cwa) in my web browser, I get the ISE Authentication Web Portal and I can log in. My authentication/authorization status is updated on ISE (Guest User logged in successfully). The thing is, it doesn't happen automatically and access to the Internet is never restricted... It is like any other Open SSID with no security.

I don't know what exactly you mean by "Does the DNS Server address your providing the guest have an entry and access to ISE at 10.10.10.10"?

Thanks again!

Joana.

emgalanme
Level 1

Hi Joana,

I was able to test my configs and ISE with 5760 and CWA is working for me. I have almost the same configs as you have...

Do you have "ip device tracking" enabled on your 5760? I know you don't need it in a WLC, but this 5760 is a hybrid, so... I decided to insert it (haven't made tests without it though...)


Also, make sure to have the "ip http server enable" and "ip http secure-server".


HTH!

Emilio

Hi,

Yeah, I have already configured the "ip device tracking" command on my 5760.

I also have "ip http server" and "ip http secure-server" enabled in both controllers.

I don't know what can be missing or misconfigured....

Thanks,

Joana.

Joana Manzano
Level 1

Hi,

This is the result of a "debug client mac-address" command for a connection coming from a foreign controller 3850 that works fine and another coming from the wism2 that fails. As you can see, the "redirection" part for a client connected through the wism2 is missing or bypassed (red part). The 5760 anchor controller is the same for all clients connecting to the GUEST wireless.

3850:

*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Applying WLAN ACL policies to client
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 No Interface ACL used for Wireless client in WCM(NGWC)
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225  Setting ACL name passed from aaa : pre-auth-acl
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm:  50b4.c80d.5225  0.0.0.0 START (0) Changing ACL 'none'  ===> 'pre-auth-acl'  --- (caller acl_shim.c:175)
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Setting AAA Override Url-Redirect-Acl 'pre-auth-acl'
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 AAA Override Url-Redirect-Acl 'pre-auth-acl'

*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm:  50b4.c80d.5225  0.0.0.0 START (0) Initializing policy
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Change state to AUTHCHECK (2) last state START (0)
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
......
*May  8 15:00:26.891: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Splash Page redirect client or posture client
*May  8 15:00:26.891: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 REDIRECT ACL present in the attribute list
*May  8 15:00:26.891: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Setting AAA Override Url-Redirect-Acl 'pre-auth-acl'
*May  8 15:00:26.891: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 AAA Override Url-Redirect-Acl 'pre-auth-acl'
*May  8 15:00:26.891: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 AAA_AT_BSN_ACL_NAME ACL present in the attribute list
*May  8 15:00:26.891: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Send request to EPM

.....

wism2:

*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Applying WLAN ACL policies to client
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 No Interface ACL used for Wireless client in WCM(NGWC)
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Inserting AAA Override struct for mobile^M ^IMAC:  8c61.5a7f.43c2 , source 16^M
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2  Setting ACL name passed from aaa : pre-auth-acl
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm:  8c61.5a7f.43c2  0.0.0.0 START (0) Changing ACL 'none'  ===> 'pre-auth-acl'  --- (caller acl_shim.c:175)
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Setting AAA Override Url-Redirect-Acl 'pre-auth-acl'
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 AAA Override Url-Redirect-Acl 'pre-auth-acl'

*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_ADD: Radio IIF Id is Invalid.
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_ADD: BSSID IIF Id is Invalid.
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_ADD: Radio IIFID 0x0, BSSID IIF Id 0x0, COS 4
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: Load Balancer: Success, Resource allocated are: Active Switch number: 1, Active Asic number : 2, Reserve Switch number 2 Reserve Asic number 2. AP Asic num 0
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_ADD: Anchor Sw  1, Doppler 2
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_ALLOCATE: Client IIF Id alloc SUCCESS w/ client 58b08000000ad1 (state 0).
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 iifid Clearing Ack flag
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_ADD: Platform ID allocated successfully ID:788
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_ADD: Adding opt82 len 0
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_ADD: Cleaering Ack flag
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_ADD: ssid GUEST bssid 0000.0000.0000 vlan 11 auth=ASSOCIATION(0) wlan(ap-group/global) 0/2 client 0 assoc 0 mob=ExpAnchor(2) radio 0 m_vlan 11 ip 0.0.0.0 src 0x4e470000000002 dst 0x0 cid 0x58b08000000ad1 glob rsc id 788dhcpsrv  10.9.65
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_ADD: mscb iifid 0x58b08000000ad1 msinfo iifid 0x0
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm:  8c61.5a7f.43c2  0.0.0.0 START (0) Initializing policy
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Change state to AUTHCHECK (2) last state START (0)
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_CHANGE: Client 1 m_vlan 11 Radio iif id 0x0 bssid iif id 0x0, bssid 0000.0000.0000
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_AUTH: Adding opt82 len 0
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_LLM: NoRun Prev Mob 2, Curr Mob 2 llmReq 3, return False
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 auth state 1 mob state 2 setWme 0 wme 0 roam_sent 0
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_CHANGE: auth=L2_AUTH(1) vlan 11 radio 0 client_id 0x58b08000000ad1 mobility=ExpAnchor(2) src_int 0x4e470000000002 dst_int 0x0 ackflag 0 reassoc_client 0 llm_notif 0 ip  0.0.0.0 ip_learn_type 0
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 WCDB_CHANGE: In L2 auth but l2ack waiting lfag not set,so set
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
.....
*May  8 15:10:29.376: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Splash Page redirect client or posture client
*May  8 15:10:29.376: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Send request to EPM


I don't know why ISE does not specify to use the redirection ACL when it is configured on the authorization profile:

Any ideas?

Many thanks!

Joana.
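The two debug excerpts in the post above differ in one place: between "Splash Page redirect client or posture client" and "Send request to EPM", the working client (via the 3850) logs "REDIRECT ACL present in the attribute list" and the failing one (via the WiSM2) logs nothing, even though both clients had Url-Redirect-Acl 'pre-auth-acl' set from the AAA attributes earlier. The script below is an added example, not code from the thread or from Cisco: it parses "debug client" output of this shape, groups it per client MAC, and reports for each client whether the redirect ACL named by AAA actually reached the EPM hand-off. The sample log is constructed from the post's excerpts (same MACs, timestamps and message texts, trimmed to the relevant lines), and the verdict strings are this example's own labels.

```python
"""Check 'debug client' output for the CWA redirect ACL hand-off (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the two excerpts quoted in the post: a working
# client through the 3850 (50b4.c80d.5225) and a failing one through the WiSM2
# (8c61.5a7f.43c2). A MAC-less "Load Balancer" line is kept to show it is skipped.
SAMPLE_DEBUG = """\
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Applying WLAN ACL policies to client
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225  Setting ACL name passed from aaa : pre-auth-acl
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Setting AAA Override Url-Redirect-Acl 'pre-auth-acl'
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Change state to AUTHCHECK (2) last state START (0)
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*May  8 15:00:26.889: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*May  8 15:00:26.891: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Splash Page redirect client or posture client
*May  8 15:00:26.891: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 REDIRECT ACL present in the attribute list
*May  8 15:00:26.891: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 AAA Override Url-Redirect-Acl 'pre-auth-acl'
*May  8 15:00:26.891: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 AAA_AT_BSN_ACL_NAME ACL present in the attribute list
*May  8 15:00:26.891: %IOSXE-7-PLATFORM: 1 process wcm: 50b4.c80d.5225 Send request to EPM
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Applying WLAN ACL policies to client
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Setting AAA Override Url-Redirect-Acl 'pre-auth-acl'
*May  8 15:10:29.373: %IOSXE-7-PLATFORM: 1 process wcm: Load Balancer: Success, Resource allocated are: Active Switch number: 1
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Change state to AUTHCHECK (2) last state START (0)
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*May  8 15:10:29.374: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*May  8 15:10:29.376: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Splash Page redirect client or posture client
*May  8 15:10:29.376: %IOSXE-7-PLATFORM: 1 process wcm: 8c61.5a7f.43c2 Send request to EPM
"""

# One debug line: timestamp, platform prefix, client MAC (xxxx.xxxx.xxxx), message.
LINE_RE = re.compile(
    r"^\*(?P<ts>\S+\s+\d+\s+[\d:.]+): %IOSXE-7-PLATFORM: \d+ process wcm:\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<msg>.*)$"
)
STATE_RE = re.compile(r"^Change state to (\w+) \(\d+\)")
ACL_RE = re.compile(r"Url-Redirect-Acl '([^']+)'")

REDIRECT_START = "Splash Page redirect client or posture client"
REDIRECT_ATTR = "REDIRECT ACL present in the attribute list"
EPM_HANDOFF = "Send request to EPM"

# Verdict labels are this example's own, not WLC terminology.
VERDICT_OK = "redirect-acl-handed-to-epm"
VERDICT_DROPPED = "redirect-acl-from-aaa-but-not-handed-to-epm"
VERDICT_NONE = "no-redirect-acl-from-aaa"
VERDICT_INCOMPLETE = "no-epm-handoff-seen"


def parse_debug(text: str) -> Dict[str, List[str]]:
    """Group message bodies by client MAC; lines without a MAC are skipped."""
    by_mac: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            by_mac.setdefault(m["mac"], []).append(m["msg"].strip())
    return by_mac


def analyse_client(msgs: List[str]) -> dict:
    """Summarise one client's state transitions and its redirect ACL hand-off."""
    states = [m.group(1) for m in map(STATE_RE.match, msgs) if m]
    acl: Optional[str] = next((m.group(1) for m in map(ACL_RE.search, msgs) if m), None)
    try:
        start = msgs.index(REDIRECT_START)
        end = msgs.index(EPM_HANDOFF, start)
        window: Optional[List[str]] = msgs[start + 1:end]
    except ValueError:
        window = None  # the redirect step or the EPM hand-off never appeared
    if window is None:
        verdict = VERDICT_INCOMPLETE
    elif acl is None:
        verdict = VERDICT_NONE
    elif REDIRECT_ATTR in window:
        verdict = VERDICT_OK
    else:
        verdict = VERDICT_DROPPED
    return {"redirect_acl": acl, "states": states, "verdict": verdict}


def diagnose(text: str) -> Dict[str, dict]:
    """Run the analysis for every client MAC found in the debug output."""
    return {mac: analyse_client(msgs) for mac, msgs in parse_debug(text).items()}


if __name__ == "__main__":
    for mac, result in diagnose(SAMPLE_DEBUG).items():
        print(f"{mac}: acl={result['redirect_acl']} states={'>'.join(result['states'])} "
              f"verdict={result['verdict']}")
```

Feed it the full "debug client mac-address" capture from the anchor and the verdict tells you whether to look at the foreign/anchor mobility path (ACL named by AAA but dropped before EPM, the WiSM2 case above) or at the ISE authorization profile and AAA override settings (no Url-Redirect-Acl at all).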