Wired Guest Access Cisco ISE

Tutu
Level 1

Hello,

 

I am not able to use the user name and password created by a sponsor in Cisco ISE.

Also, before I log in I can still access the internet, but I can't access ISE.

 

 

Please help.

8 Replies

balaji.bandi
Hall of Fame

If your 802.1X is configured correctly on the switch, the device does not belong to any group, and you are redirecting them to guest access, it should work as expected.

 

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId-58047160

 

We are not clear on "Also before I log in I can still access the internet but I can't access ISE." Can you share more information on how the switch is configured?

 

BB


I have a normal user that I created through ISE and it works because under user groups I have selected Guest. But if I use a user that I created through the Sponsor portal I cannot log in.

 

So what I meant was that before entering the username and password to access the internet, I can already access Google and everything else apart from ISE.

This is my switch ACL config

 

Extended IP access list ACL-ALLOW
10 permit ip any any
Extended IP access list ACL-WEB-REDIRECT ------ This is what redirects me to log in when I try to access Cisco ISE.
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 deny ip any any
Extended IP access list Auth-Default-ACL-OPEN
10 permit ip any any
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any

 

Without seeing your policies it would be tricky to find out the root cause. Regarding access prior to authentication, if you don't have a dACL applied to the authz rule that redirects the users, that would allow full access during that time. You might need to create a limited-access dACL and apply it to the redirect authz profile.

Hello Aref,

These are my policies for guest access and the DACLs for web authentication and Guest.

DACL for web authentication profile

permit ip any host 10.100.200.82

permit udp any any eq bootps

permit udp any eq bootpc any

permit icmp any any

Guest DACL

permit ip any any

 

 

[Attachments: guestaccess1policy.png, guestportal.png, guestprofile.png, webauthpolicyguest2.png]
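To make Aref's point concrete (a dACL with its implicit deny limits what the session can reach before authentication, while the redirect ACL only chooses which web traffic is intercepted), here is a small evaluator that runs the ACLs posted in this thread against a few sample flows. It is an added example, not code from the thread or from Cisco. It models the behaviour Cisco documents for Central Web Authentication as follows: a permit in the URL-redirect ACL means the flow is intercepted and sent to the portal; every other flow is forwarded or dropped by the dACL. It understands only the `any`/`host` address forms and `eq` port matches that appear in the thread. The client address is the one from the session output later in the thread; the internet and resolver addresses and the source ports of the sample flows are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Port names as IOS prints them in the thread's 'show ip access-lists' output.
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    permit: bool
    proto: str            # "ip" matches every protocol
    src: str              # "any" or a host address
    sport: Optional[int]  # None when the ACE has no 'eq' on that side
    dst: str
    dport: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    """Parse the ACE subset used in the thread:
    [seq] permit|deny <proto> <any|host A> [eq P] <any|host B> [eq P]"""
    toks = line.split()
    if toks[0].isdigit():           # sequence number from switch output
        toks = toks[1:]
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_addr(r):
        if r[0] == "any":
            return "any", r[1:]
        if r[0] == "host":
            return r[1], r[2:]
        raise ValueError("unsupported address form: " + " ".join(r))

    def take_port(r):
        if r and r[0] == "eq":
            return _port(r[1]), r[2:]
        return None, r

    src, rest = take_addr(rest)
    sport, rest = take_port(rest)
    dst, rest = take_addr(rest)
    dport, rest = take_port(rest)
    return Ace(action == "permit", proto, src, sport, dst, dport)


def ace_matches(ace: Ace, f: Flow) -> bool:
    return (ace.proto in ("ip", f.proto)
            and ace.src in ("any", f.src)
            and ace.dst in ("any", f.dst)
            and ace.sport in (None, f.sport)
            and ace.dport in (None, f.dport))


def acl_permits(acl, f: Flow) -> bool:
    """First matching ACE wins; every IOS ACL ends in an implicit deny."""
    for ace in (parse_ace(line) for line in acl):
        if ace_matches(ace, f):
            return ace.permit
    return False


def classify(f: Flow, dacl, redirect_acl) -> str:
    """Modelled CWA behaviour: a permit in the redirect ACL intercepts the
    flow to the portal; everything else is forwarded or dropped by the dACL."""
    if acl_permits(redirect_acl, f):
        return "redirected"
    return "forwarded" if acl_permits(dacl, f) else "dropped"


# ACLs exactly as posted in the thread.
WEB_AUTH_DACL = [
    "permit ip any host 10.100.200.82",
    "permit udp any any eq bootps",
    "permit udp any eq bootpc any",
    "permit icmp any any",
]
ACL_WEB_REDIRECT = [
    "10 permit tcp any any eq www",
    "20 permit tcp any any eq 443",
    "30 deny ip any any",
]
NO_DACL = ["permit ip any any"]   # effective policy when ISE pushes no dACL

# Constructed sample flows; the client address is the one in the thread's
# session output, the resolver and internet addresses are made up.
CLIENT = "10.100.105.39"
FLOWS = {
    "http to internet": Flow("tcp", CLIENT, "203.0.113.10", 51000, 80),
    "https to internet": Flow("tcp", CLIENT, "203.0.113.10", 51001, 443),
    "https to ISE portal": Flow("tcp", CLIENT, "10.100.200.82", 51002, 8443),
    "dns to resolver": Flow("udp", CLIENT, "10.100.100.53", 51003, 53),
    "dhcp discover": Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67),
}


def report(dacl) -> dict:
    """Verdict per sample flow for a given pre-auth dACL."""
    return {name: classify(f, dacl, ACL_WEB_REDIRECT) for name, f in FLOWS.items()}
```

Calling `report(NO_DACL)` and `report(WEB_AUTH_DACL)` side by side shows the difference Aref describes: with no dACL every non-web flow is forwarded, which is the open pre-auth access in the original question. With the posted dACL the portal flow to 10.100.200.82:8443 is forwarded and web traffic is redirected, but DNS to any resolver other than the ISE host is dropped, because that dACL permits only the ISE host, DHCP and ICMP; a client that cannot resolve the portal FQDN in the redirect URL never reaches the login page.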

I don't see the dACL applied to the Web Portal Profile authz profile; did you apply it there? If not, you need to apply it along with the redirection ACL as shown in the screenshot.

Yes, I have applied the dACL to the web auth profile.

permit ip any host 10.100.200.82

permit udp any any eq bootps

permit udp any eq bootpc any

permit icmp any any

 

Did you check if the dACL is actually being applied to the session? You can check that with the command sh auth sess int x/x/x det. Also, did you make sure IP device tracking is enabled on the switch? If not, the dACL won't work, since the switch would not be able to replace the any keyword with the actual IP address of the client.

Hello Aref,

This is the IP device tracking configured on the switch:

ip device tracking probe auto-source override

 

And this is the auth session on the switch:

 

sh auth ses int gig1/0/10 det
Interface: GigabitEthernet1/0/10
MAC Address: 705a.0f2a.47de
IPv6 Address: Unknown
IPv4 Address: 10.100.105.39
User-Name: 70-5A-0F-2A-47-DE
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 38s
Common Session ID: 0AC8D064000000130016B6D8
Acct Session ID: 0x0000000A
Handle: 0x93000009
Current Policy: POLICY_Gi1/0/10

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
URL Redirect: https://-ISE-PAN.go.tz:8443/portal/gateway?sessionId=0AC8D064000000130016B6D8&portal=50fbc805-6bde-4e28-8a3e-17750f938538&action=cwa&token=9001b7aa3cef3be1632ca7c15df03a7b

URL Redirect ACL: ACL-WEB-REDIRECT
ACS ACL: xACSACLx-IP-Web_Authentication_Policy-5f8975ae

Method status list:
Method State

dot1x Stopped
mab Authc Success
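Aref's checklist (is a dACL on the session, is a redirect ACL on it, does the switch know the client's IP via IP device tracking) can be applied mechanically to the `sh auth sess int ... det` output. The script below is an added example, not code from the thread or from Cisco. It parses the key: value layout of the output pasted above (abridged, with the line-wrap spaces in the redirect URL removed), reports what is missing, and is also run against a constructed variant in which the IPv4 address is Unknown and no ACS ACL line is present, which is how the output looks when device tracking has not learned the host and ISE pushed no dACL.

```python
# Session output from the thread, abridged to the fields the checks use.
SESSION_OUTPUT = """\
Interface: GigabitEthernet1/0/10
MAC Address: 705a.0f2a.47de
IPv6 Address: Unknown
IPv4 Address: 10.100.105.39
User-Name: 70-5A-0F-2A-47-DE
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Common Session ID: 0AC8D064000000130016B6D8
Current Policy: POLICY_Gi1/0/10

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
URL Redirect: https://-ISE-PAN.go.tz:8443/portal/gateway?sessionId=0AC8D064000000130016B6D8&portal=50fbc805-6bde-4e28-8a3e-17750f938538&action=cwa&token=9001b7aa3cef3be1632ca7c15df03a7b

URL Redirect ACL: ACL-WEB-REDIRECT
ACS ACL: xACSACLx-IP-Web_Authentication_Policy-5f8975ae

Method status list:
Method State

dot1x Stopped
mab Authc Success
"""


def parse_session(text: str) -> dict:
    """Turn the 'key: value' lines into a dict; the method table at the end
    becomes fields['methods'], e.g. {'dot1x': 'Stopped', 'mab': 'Authc Success'}."""
    fields, methods, in_methods = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Method status list"):
            in_methods = True
            continue
        if in_methods:
            if line != "Method State":          # skip the table header
                method, state = line.split(None, 1)
                methods[method] = state
            continue
        if ": " in line:                        # 'Local Policies:' has no value
            key, value = line.split(": ", 1)
            fields[key] = value
    fields["methods"] = methods
    return fields


def check_session(fields: dict) -> list:
    """Return the findings to act on; an empty list means the session carries
    everything a working CWA redirect needs."""
    findings = []
    if fields.get("Status") != "Authorized":
        findings.append("session not Authorized")
    if fields.get("IPv4 Address", "Unknown") == "Unknown":
        findings.append("IPv4 Address unknown: IP device tracking has not learned "
                        "the client, so the switch cannot rewrite 'any' in the dACL")
    if "ACS ACL" not in fields:
        findings.append("no ACS ACL: ISE pushed no dACL for this session")
    if "URL Redirect ACL" not in fields:
        findings.append("no URL Redirect ACL: nothing is intercepted to the portal")
    sid = fields.get("Common Session ID", "")
    if sid and "sessionId=" + sid not in fields.get("URL Redirect", ""):
        findings.append("redirect URL is missing or carries another session ID")
    if fields["methods"].get("mab") != "Authc Success":
        findings.append("MAB did not succeed, so no CWA authorization was applied")
    return findings


# Constructed variant of the same session: client IP unknown and no dACL name.
BROKEN_OUTPUT = (SESSION_OUTPUT
                 .replace("IPv4 Address: 10.100.105.39", "IPv4 Address: Unknown")
                 .replace("ACS ACL: xACSACLx-IP-Web_Authentication_Policy-5f8975ae\n", ""))


if __name__ == "__main__":
    for label, text in (("thread session", SESSION_OUTPUT), ("broken session", BROKEN_OUTPUT)):
        print(label, check_session(parse_session(text)) or "OK")
```

On the output posted in the thread the checks all pass: the session is authorized via MAB, the dACL name (ACS ACL) and ACL-WEB-REDIRECT are both attached, and the IPv4 address is known, so the dACL's `any` can be rewritten to the client address. That narrows the remaining problem to what the dACL and portal permit rather than to whether they were applied at all.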
