Could you please take a look at my problem: I have configured guest access for both wired and wireless users. Authentication is done by Cisco ISE; users are connected through a Cisco Catalyst 2960X switch and AP3700. Wireless access works correctly: at first the user is caught by CWA_phase_1 and redirected to the guest portal, and after authentication the user is caught by CWA_phase_2 and all network access works. On the wired side, however, the user is stuck in a loop - after successful authentication it is redirected to the portal once again.
Here is the redirect ACL configured on the switch:
Extended IP access list REDIRECT_ACL
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain (29 matches)
30 deny ip any host <ISE_IP_ADDRESS> (40 matches)
60 permit tcp any any eq www (30 matches)
70 permit tcp any any eq 443 (116 matches)
In the attachment I'm sending what the policies look like.
# show authentication sessions interface gi1/0/5
MAC Address: <MAC-ADDR>
IP Address: 192.168.X.X
Status: Authz Success
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: REDIRECT_ACL
URL Redirect: https://<ISE_HOSTNAME>:8443/portal/gateway?sessionId=C0A820BE0001680FC16F40A6&portal=bdeda6a2-a422-11e5-beee-005056820961&action=cwa&token=e8ae422e0187fb5e8b4e2fe087cd839d
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A820BE0001680FC16F40A6
Acct Session ID: 0x000169CA
Runnable methods list:
mab Authc Success
On the forum I found a similar issue, but there the problem was with the RADIUS key. To be sure, I changed the key, but it didn't help.
Could you please help me with that? I'm out of ideas...
Your CWA phase 2 authorization result needs to include a dACL for the switch to remove the redirect URL/ACL from the port. Maybe that's what's missing. Your show auth sess on the switch should not show the redirect ACL/URL after the guest has successfully logged in to the guest portal.
Thank you for the responses. In fact the reason why it was not working was different: CoA communication (UDP 1700) was blocked, as the switch and ISE communicate through a firewall.
The other strange thing is that in all tutorials "Internal Endpoints" is selected in the authentication policy, so as Jatin suggested I changed it, but with that setting it's not working for me - that's why I set it to "Internal Users", and it's working fine.
Problem solved, thank you!
No, I don't have the user's MAC added; as I understand it, it's added automatically in CWA_PHASE_1. But as I said, the strange thing is that it works with "Internal Users" and not with "Internal Endpoints".
1. In the authentication screenshot I see you have "Internal Users" selected. Please change it to "Internal Endpoints" and set the action to continue, as shown here:
2. What version of ISE are you running? If you are on ISE 1.3, then you have to configure the CWA_Phase2 policy set differently. Configure it as shown in step 4.
3. If you want to send an Airespace ACL to give full access / internet access, you can do that as well. Make sure you create those ACLs on the wireless controller.
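The thread boils down to two checks a practitioner can automate: does the switch session still carry the redirect ACL/URL after the guest has logged in (the phase-1 signature from the `show authentication sessions` output above), and can the CoA that moves the session to phase 2 actually reach the switch through the firewall. The Python below is an added example, not code from the thread or from Cisco. It re-uses the session output and REDIRECT_ACL from the post (placeholders kept, URL abridged); the phase-2 session text, the dACL name, the ISE and switch addresses (192.0.2.x documentation range) and the firewall rule list are constructed for illustration.

```python
"""Added example: CWA session-state, redirect-ACL and CoA-path checks."""

ISE_IP = "192.0.2.10"      # stands in for <ISE_IP_ADDRESS> (constructed)
SWITCH_IP = "192.0.2.20"   # the switch's RADIUS source address (constructed)

# From the post (abridged): authorized via MAB, but the redirect ACL/URL are
# still applied, i.e. the session is sitting in CWA phase 1.
PHASE1_SESSION = """\
MAC Address: <MAC-ADDR>
IP Address: 192.168.X.X
Status: Authz Success
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: REDIRECT_ACL
URL Redirect: https://<ISE_HOSTNAME>:8443/portal/gateway?sessionId=C0A820BE0001680FC16F40A6&action=cwa
Common Session ID: C0A820BE0001680FC16F40A6
Runnable methods list:
mab Authc Success
"""

# Constructed: the same session after a CoA-driven re-authorization (phase 2).
# The redirect is gone and a dACL (hypothetical name) is applied instead.
PHASE2_SESSION = """\
MAC Address: <MAC-ADDR>
IP Address: 192.168.X.X
Status: Authz Success
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-GUEST_PERMIT_ALL-hypothetical
Common Session ID: C0A820BE0001680FC16F40A6
Runnable methods list:
mab Authc Success
"""


def parse_session(text):
    """Turn the 'Key: value' lines of the show command into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def cwa_state(fields):
    """not-authorized, phase1-redirect (redirect still on) or phase2-full-access."""
    if fields.get("status") != "Authz Success":
        return "not-authorized"
    if fields.get("url redirect acl", "N/A") not in ("", "N/A"):
        return "phase1-redirect"
    return "phase2-full-access"


# The post's REDIRECT_ACL as (action, protocol, match fields). On a Catalyst
# redirect ACL 'permit' means "redirect this flow to the portal"; 'deny' and
# the implicit deny at the end mean "forward it without redirecting".
REDIRECT_ACL = [
    ("deny",   "udp", {"src_port": 68, "dst_port": 67}),  # 10: DHCP bootpc -> bootps
    ("deny",   "udp", {"dst_port": 53}),                   # 20: DNS
    ("deny",   "ip",  {"dst_ip": ISE_IP}),                 # 30: the portal itself
    ("permit", "tcp", {"dst_port": 80}),                   # 60: www
    ("permit", "tcp", {"dst_port": 443}),                  # 70: https
]


def redirect_decision(acl, proto, dst_ip, src_port=None, dst_port=None):
    """First-match evaluation of one flow against the redirect ACL."""
    for action, ace_proto, match in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if match.get("dst_ip", dst_ip) != dst_ip:
            continue
        if match.get("src_port", src_port) != src_port:
            continue
        if match.get("dst_port", dst_port) != dst_port:
            continue
        return "redirect" if action == "permit" else "bypass"
    return "bypass"  # implicit deny: not redirected


def redirect_acl_problems(acl, ise_ip):
    """Flows that must bypass the redirect or the portal can never be reached."""
    required_bypass = {
        "dhcp": ("udp", "255.255.255.255", 68, 67),
        "dns": ("udp", "198.51.100.53", None, 53),
        "ise-portal-8443": ("tcp", ise_ip, None, 8443),
    }
    return [name for name, flow in required_bypass.items()
            if redirect_decision(acl, *flow) != "bypass"]


# Constructed firewall policy between switch and ISE: RADIUS auth/acct from the
# switch are allowed, but the return CoA rule (ISE -> switch, UDP 1700 on IOS;
# RFC 5176 default is 3799) was never added, which is the thread's root cause.
FIREWALL_RULES = [
    ("permit", "udp", SWITCH_IP, ISE_IP, 1812),
    ("permit", "udp", SWITCH_IP, ISE_IP, 1813),
]


def fw_allows(rules, proto, src, dst, dport):
    for action, r_proto, r_src, r_dst, r_dport in rules:
        if (r_proto, r_src, r_dst, r_dport) == (proto, src, dst, dport):
            return action == "permit"
    return False  # implicit deny


def missing_radius_paths(rules, switch_ip, ise_ip, coa_port=1700):
    """Names of the RADIUS flows the firewall blocks; CoA is the one usually forgotten."""
    needed = {
        "auth switch->ise 1812": ("udp", switch_ip, ise_ip, 1812),
        "acct switch->ise 1813": ("udp", switch_ip, ise_ip, 1813),
        f"coa ise->switch {coa_port}": ("udp", ise_ip, switch_ip, coa_port),
    }
    return [name for name, flow in needed.items() if not fw_allows(rules, *flow)]


if __name__ == "__main__":
    print("phase-1 sample:", cwa_state(parse_session(PHASE1_SESSION)))
    print("phase-2 sample:", cwa_state(parse_session(PHASE2_SESSION)))
    print("redirect ACL problems:", redirect_acl_problems(REDIRECT_ACL, ISE_IP))
    print("blocked RADIUS paths:", missing_radius_paths(FIREWALL_RULES, SWITCH_IP, ISE_IP))
```

Running it on the thread's own session output reports `phase1-redirect`, the redirect ACL passes its sanity check (DHCP, DNS and the portal on 8443 are all exempt from redirection, which is why the user could reach the portal at all), and the only blocked path is the CoA from ISE to the switch. If the session stays in `phase1-redirect` after a successful portal login and the redirect ACL looks sane, the CoA path is the next thing to verify.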