10-16-2020 02:28 AM
Hello,
I am not able to use the user name and password created by a sponsor in Cisco ISE.
Also, before I log in I can still access the internet, but I can't access ISE.
Please help.
10-16-2020 02:48 AM
If your 802.1X is configured correctly on the switch, the device does not belong to any group, and you are redirecting them to guest access, it should work as expected.
We are not clear on "Also before i log in i can still access the internet but i cant access ISE." Can you share more information on how the switch is configured?
10-16-2020 03:00 AM
I have a normal user that I created through ISE and it works, because under user groups I have selected Guest. But if I use a user that I created through the Sponsor portal I cannot log in.
So what I meant was that, before entering the username and password to access the internet, I can already access Google and everything else apart from ISE.
This is my switch ACL config:
Extended IP access list ACL-ALLOW
10 permit ip any any
Extended IP access list ACL-WEB-REDIRECT ------ This is what redirects me to the login page when I try to access Cisco ISE.
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 deny ip any any
Extended IP access list Auth-Default-ACL-OPEN
10 permit ip any any
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
10-16-2020 04:09 AM
Without seeing your policies it would be tricky to find out the root cause. Regarding access prior to authentication: if you don't have a dACL applied to the authz rule that redirects the users, that would allow full access during that time. You might need to create a limited-access dACL and apply it to the redirect authz profile.
10-17-2020 11:22 AM
Hello Aref,
These are my policies for Guest access and the dACLs for web authentication and Guest.
dACL for the web authentication profile:
permit ip any host 10.100.200.82
permit udp any any eq bootps
permit udp any eq bootpc any
permit icmp any any
Guest dACL:
permit ip any any
10-18-2020 10:04 AM
I don't see the dACL applied to the Web Portal Profile authz profile. Did you apply it there? If not, you need to apply it along with the redirect ACL, as shown in the screenshot.
10-18-2020 11:00 AM
Yes, I have applied the dACL to the web auth profile:
permit ip any host 10.100.200.82
permit udp any any eq bootps
permit udp any eq bootpc any
permit icmp any any
10-18-2020 11:33 AM
Did you check if the dACL is actually being applied to the session? You can check that with the command sh auth sess int x/x/x det. Also, did you make sure IP device tracking is enabled on the switch? If not, the dACL won't work, since the switch would not be able to replace the any keyword with the actual IP address of the client.
10-19-2020 03:13 AM - edited 10-19-2020 03:13 AM
Hello Aref,
This is the IP device tracking configured on the switch:
ip device tracking probe auto-source override
And this is the auth session on the switch:
sh auth ses int gig1/0/10 det
Interface: GigabitEthernet1/0/10
MAC Address: 705a.0f2a.47de
IPv6 Address: Unknown
IPv4 Address: 10.100.105.39
User-Name: 70-5A-0F-2A-47-DE
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 38s
Common Session ID: 0AC8D064000000130016B6D8
Acct Session ID: 0x0000000A
Handle: 0x93000009
Current Policy: POLICY_Gi1/0/10
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
URL Redirect: https://-ISE-PAN.go.tz:8443/portal/gateway?sessionId=0AC8D064000000130016B6D8&portal=50fbc805-6bde-4e28-8a3e-17750f938538&action=cwa&token=9001b7aa3cef3be1632ca7c15df03a7b
URL Redirect ACL: ACL-WEB-REDIRECT
ACS ACL: xACSACLx-IP-Web_Authentication_Policy-5f8975ae
Method status list:
Method State
dot1x Stopped
mab Authc Success
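The thread above turns on two ACLs that the session output shows are applied at the same time: the URL-redirect ACL (ACL-WEB-REDIRECT) and the dACL pushed by ISE (the ACS ACL line). They are evaluated differently: a permit line in the redirect ACL means "send this traffic to the portal", a deny line means "do not redirect", and whatever is not redirected is then subject to the dACL, which ends in an implicit deny. The Python model below is an added illustration, not code from the thread or from Cisco. It parses the ACL lines exactly as they were posted above, applies that simplified first-match logic to a handful of constructed flows from the client 10.100.105.39 seen in the session output, and compares the posted web-auth dACL with a wide-open permit ip any any dACL. Assumptions: only the any and host address forms are supported, the port ACL and IP device tracking are ignored, and the flow set is invented for the demonstration; it is a reasoning aid, not a substitute for sh auth sess int x/x/x det on the switch.

```python
"""Simplified model of a Catalyst CWA session: redirect ACL first, then dACL."""
import ipaddress
from collections import namedtuple

# IOS keyword ports used by the ACLs posted in the thread
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}

# Flow fields: proto, src IP, dst IP, src port, dst port (ports None for icmp)
Flow = namedtuple("Flow", "proto src dst sport dport", defaults=(None, None))


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(toks):
    """Consume one address spec: 'any' or 'host A.B.C.D' (wildcards unsupported here)."""
    if toks[0] == "any":
        return None, toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    raise ValueError("unsupported address form: " + " ".join(toks))


def _opt_port(toks):
    if toks and toks[0] == "eq":
        return _port(toks[1]), toks[2:]
    return None, toks


def parse_acl(text):
    """Parse 'show access-lists' style lines; leading sequence numbers are dropped."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks and toks[0].isdigit():
            toks = toks[1:]
        if not toks:
            continue
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, rest = _addr(rest)
        sport, rest = _opt_port(rest)
        dst, rest = _addr(rest)
        dport, rest = _opt_port(rest)
        rules.append(dict(action=action, proto=proto, src=src, sport=sport,
                          dst=dst, dport=dport))
    return rules


def _matches(rule, flow):
    if rule["proto"] != "ip" and rule["proto"] != flow.proto:
        return False
    if rule["src"] is not None and ipaddress.ip_address(flow.src) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(flow.dst) not in rule["dst"]:
        return False
    if rule["sport"] is not None and rule["sport"] != flow.sport:
        return False
    if rule["dport"] is not None and rule["dport"] != flow.dport:
        return False
    return True


def _first_match(rules, flow):
    return next((r for r in rules if _matches(r, flow)), None)


def decide(redirect_acl, dacl, flow):
    """Return 'redirect', 'forward' or 'drop' for one flow from an unauthenticated client."""
    hit = _first_match(redirect_acl, flow)
    if hit is not None and hit["action"] == "permit":
        return "redirect"          # permit in the redirect ACL = intercept and send to the portal
    hit = _first_match(dacl, flow)
    if hit is not None and hit["action"] == "permit":
        return "forward"
    return "drop"                  # explicit deny, or the dACL's implicit deny


# ACL texts copied from the thread (ACL-WEB-REDIRECT and the web-auth dACL)
REDIRECT_ACL = """
10 permit tcp any any eq www
20 permit tcp any any eq 443
30 deny ip any any
"""
WEBAUTH_DACL = """
permit ip any host 10.100.200.82
permit udp any any eq bootps
permit udp any eq bootpc any
permit icmp any any
"""
OPEN_DACL = "permit ip any any"   # what the Guest dACL / Auth-Default-ACL-OPEN allow

CLIENT = "10.100.105.39"          # client address from the session output
# Constructed sample flows; destination addresses are invented for the demo
SAMPLE_FLOWS = {
    "dns_to_public_resolver": Flow("udp", CLIENT, "8.8.8.8", 50000, 53),
    "http_to_web": Flow("tcp", CLIENT, "93.184.216.34", 50001, 80),
    "https_to_portal": Flow("tcp", CLIENT, "10.100.200.82", 50002, 8443),
    "dhcp_discover": Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "ping": Flow("icmp", CLIENT, "8.8.8.8"),
    "ssh_to_server": Flow("tcp", CLIENT, "10.100.1.10", 50003, 22),
}


def audit(dacl_text, redirect_text=REDIRECT_ACL):
    """Map each sample flow name to the switch's decision under the given dACL."""
    redirect, dacl = parse_acl(redirect_text), parse_acl(dacl_text)
    return {name: decide(redirect, dacl, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, text in (("web-auth dACL", WEBAUTH_DACL), ("permit ip any any", OPEN_DACL)):
        print(label)
        for name, verdict in audit(text).items():
            print(f"  {name:24s} {verdict}")
```

Running it shows the two situations from the thread side by side. With permit ip any any as the dACL, everything that is not HTTP/HTTPS is forwarded, which is the "full access before login" that the second reply warns about. With the posted web-auth dACL, HTTP is redirected and HTTPS to 10.100.200.82 is forwarded, but UDP/TCP 53 to an external resolver falls through the redirect ACL's final deny and then hits the dACL's implicit deny, so the model reports it as dropped; the redirect URL in the session output uses a hostname, so whether DNS is permitted pre-auth is one of the things worth confirming on the real switch.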