catalyst 3750 authentication session not showing URL Redirect ACL for MAB with ISE

teatrodelsogno
Level 1

Hi Guys,

I have a strange problem on a Catalyst 3750; I don't know if it is connected to the IOS or to something missing in the configuration.

I'd like to authenticate some users with wired MAB. From the ISE RADIUS log everything looks good, but in "show authentication sessions" some parameters that usually appear are missing:

SW-3750#sh authentication sessions interface fa1/0/11
            Interface:  FastEthernet1/0/11
          MAC Address:  0021.ccd9.37be
           IP Address:  10.40.40.199
            User-Name:  00-21-CC-D9-37-BE
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0AFC000000010017381D
      Acct Session ID:  0x00000002
               Handle:  0xFD000001

Runnable methods list:
       Method   State
       mab      Authc Success

As you can see, the URL redirect and URL redirect ACL parts are not showing!?

I was thinking some RADIUS and VSA part was missing, but on the switch I have:

aaa authentication dot1x default group radius
aaa server radius dynamic-author
 client 10.20.20.200 server-key estremo
 auth-type all
radius-server host 10.20.20.200 auth-port 1645 acct-port 1646
radius-server key xxxxxx
radius-server vsa send accounting
radius-server vsa send authentication

interface FastEthernet1/0/11
 description GUEST
 switchport access vlan 40
 switchport mode access
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x max-req 10
 dot1x max-reauth-req 10
 spanning-tree portfast

SW-3750#sh aaa servers

RADIUS: id 1, priority 1, host 10.20.20.200, auth-port 1645, acct-port 1646
     State: current UP, duration 3192s, previous duration 0s
     Dead: total time 0s, count 0
     Quarantined: No
     Authen: request 1, timeouts 0

dot1x system-auth-control
dot1x critical eapol

ip device tracking

ip http server
ip http secure-server


ip access-list extended ACL_WEBAUTH_REDIRECT
 deny   ip any host 10.20.20.200
 deny   udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8443

In the ISE monitoring, the auth seems to send the correct AV parameters:

Result

User-Name 00-21-CC-D9-37-BE
State ReauthSession:0A0A0AFC000000010017381D
Class CACS:0A0A0AFC000000010017381D:ise1/280058218/272
cisco-av-pair url-redirect-acl=ACL_WEBAUTH_REDIRECT
cisco-av-pair url-redirect=https://ise1.estremo.local:8443/portal/gateway?sessionId=0A0A0AFC000000010017381D&portal=a692c530-2230-11e6-99ab-005056bf55e0&action=cwa&token=e5afe6a346055cbaca8dab304e3541af
cisco-av-pair ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-pre-webauth-ACL-58da9681
cisco-av-pair profile-name=Unknown
LicenseTypes Base license consumed

And the auth policies are configured as in the attachment.

Do you have any ideas?

Regards

3 Replies

teatrodelsogno
Level 1

Anybody? :-)

trimmy
Level 1

Did you ever get this fixed? I have the same issue on a 2960S: the correct authorization policy is matched, but the dACL and redirect URLs are not getting to the user interface.

@trimmy, post your configuration please. This is an old thread, but from the output provided it looks like the "aaa authorization...." commands are missing.
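As an added diagnostic (not from this thread or from Cisco), a small Python check that takes the switch's running-config text and the ISE Result AV pairs and lists the usual CWA redirect prerequisites that are absent; the sample inputs are constructed from the config lines in the post, and the list of required global commands is my assumption based on standard ISE wired-redirect guidance.

```python
import re
from typing import List

# Constructed sample input: the relevant running-config lines from the post
# (note: no "aaa authorization" line) and the ISE "Result" AV pairs.
SWITCH_CONFIG = """\
aaa authentication dot1x default group radius
radius-server vsa send authentication
ip device tracking
ip http server
ip access-list extended ACL_WEBAUTH_REDIRECT
 deny   ip any host 10.20.20.200
 permit tcp any any eq www
"""
ISE_RESULT = """\
cisco-av-pair url-redirect-acl=ACL_WEBAUTH_REDIRECT
cisco-av-pair url-redirect=https://ise1.estremo.local:8443/portal/gateway?sessionId=SESSION_ID_PLACEHOLDER
"""

# Global commands a Catalyst needs before it applies RADIUS-returned
# url-redirect / url-redirect-acl pairs (assumed list: standard CWA prerequisites).
REQUIRED_GLOBALS = [
    "aaa authorization network default group radius",  # honour server-sent authz
    "radius-server vsa send authentication",           # accept cisco-av-pair VSAs
    "ip device tracking",                              # map the client IP to the session
    "ip http server",                                  # intercept HTTP for the redirect
]


def check_redirect_prereqs(config: str, ise_result: str) -> List[str]:
    """Return findings that explain why a URL redirect may not be applied."""
    lines = {line.strip() for line in config.splitlines()}
    findings = [f"missing global command: {cmd}"
                for cmd in REQUIRED_GLOBALS if cmd not in lines]
    # The ACL name ISE returns must exist on the switch as an extended ACL.
    match = re.search(r"url-redirect-acl=(\S+)", ise_result)
    if match is None:
        findings.append("ISE result carries no url-redirect-acl attribute")
    elif f"ip access-list extended {match.group(1)}" not in lines:
        findings.append(f"redirect ACL {match.group(1)} is not defined on the switch")
    if "url-redirect=" not in ise_result:
        findings.append("ISE result carries no url-redirect attribute")
    return findings


def session_shows_redirect(show_auth_sessions: str) -> bool:
    """True when 'show authentication sessions' output lists the URL Redirect ACL."""
    return "URL Redirect ACL" in show_auth_sessions


if __name__ == "__main__":
    for finding in check_redirect_prereqs(SWITCH_CONFIG, ISE_RESULT):
        print(finding)
```

Run against the post's config it reports only the missing "aaa authorization network default group radius" line, which matches the last reply's diagnosis.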
