Did my last suggestion help

lukaszkacprzynski · ‎01-27-2016

Hi,

Could you please take a look at my problem: I have confiured guest access for both: wired and wireless users. Authentication is done by Cisco ISE, users are connected by Cisco Switch C2960X and Ap3700. Wireless access works correctly: At first users is catched by CWA_phase_1 and redirected to guest Portal and after authentication is catched by CWA_phase_2 and all network access is working but on wired solution users is stuck in a loop - after succesfull authentication its redirected once again to portal.

here is redirect ACL configured on switch:

Extended IP access list REDIRECT_ACL
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain (29 matches)
    30 deny ip any host <ISE_IP_ADDRESS> (40 matches)
    60 permit tcp any any eq www (30 matches)
    70 permit tcp any any eq 443 (116 matches)

In attachment Im sending how polices looks like.

#show authentication sessions interface gi1/0/5
            Interface: GigabitEthernet1/0/5
          MAC Address: <MAC-ADDR>
           IP Address: 192.168.X.X
            User-Name: <USER-MAC>
               Status: Authz Success
               Domain: DATA
       Oper host mode: single-host
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: N/A
     URL Redirect ACL: REDIRECT_ACL
         URL Redirect: https://<ISE_HOSTNAME>:8443/portal/gateway?sessionId=C0A820BE0001680FC16F40A6&portal=bdeda6a2-a422-11e5-beee-005056820961&action=cwa&token=e8ae422e0187fb5e8b4e2fe087cd839d
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: C0A820BE0001680FC16F40A6
      Acct Session ID: 0x000169CA
               Handle: 0x52000BC4

Runnable methods list:
       Method   State
       mab      Authc Success

On forum I found similar issue but there problem was with radius-key. To be sure I changed key but I didnt help.

Could you please help me with that? I'm out of ideas...

jan.nielsen · ‎01-27-2016

Your CWA phase 2 autorization result, needs to include a DACL for the switch to remove the redirect url/acl from the port. Maybe thats whats missing. Your show auth sess on the swith should not show the redirect acl/url after the guest has successfully logged in to the guest portal.

lukaszkacprzynski · ‎02-03-2016

Hi,

Thank you for responses. In fact reason why it was not working was different: there was CoA communication blocked (udp 1700) as switch and ISE are communicating through firewall.

Other strange thing is that in all tutorials in Authentication policy there are "Internal Endpoints" checked so as Jatin suggested I changed it but with it it's not working for me - that's why I set it to "internal users" and its working fine.

Problem solved, thank you!

Lukasz

Jatin Katyal · ‎02-03-2016

Thanks for the update. Do you have MAC address added on ISE servers as users?

~ Jatin

~Jatin

lukaszkacprzynski · ‎02-03-2016

No, I dont have users MAC added, as I understand it's added automaticly in CWA_PHASE_1 but as I said - strange thing is that it works with "internal users" and not with "internal endpoinds"

Jatin Katyal · ‎01-27-2016

3 things:

1. In the authentication screen shot I see you have "internal users" selected. Please change it to Internal endpoints and set the action to continue as shown here:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc8

2. What version of ISE are you running on? If you ISE 1.3 then you have to change the CWA_Phase2 policy set differently. Configure it as shown in step 4.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118742-configure-ise-00.html#anc7

3. If you want to send Airspace-acl to give full access / internet access, you can do that as well. Make sure you create those ACL's on the wireless controller.

~ Jatin

~Jatin

Jatin Katyal · ‎01-31-2016

Did my last suggestion help you to fix the issue? ~ Jatin

~Jatin

ISE CWA wired guest portal loop