ISE Wired guest portal redirect even after authentication

pemasirid
Level 1

Hi

I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine; however, when trying with Wired, the redirection page keeps appearing even after the user is authenticated.

I'm not seeing the redirection authorization policy in my logs; I can see only the user authentication logs (successful). Attached are my configuration and logging output.

Here is what I see on the interface

ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
            Interface:  GigabitEthernet4/0/19
          MAC Address:  a0b3.ccca.2ab1
           IP Address:  10.1.3.16
            User-Name:  A0-B3-CC-CA-2A-B1
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC14011F000001571E52779F
      Acct Session ID:  0x00000309
               Handle:  0xE6000158
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

Here is the ACL

Extended IP access list ACL-WEBAUTH-REDIRECT
    10 deny udp any any eq domain (1344 matches)
    20 deny ip any host 172.20.5.12 (8122 matches)
    30 deny ip any host 172.20.5.14
    40 permit tcp any any eq www (3124 matches)
    50 permit tcp any any eq 443 (202927 matches)
    60 permit tcp any any eq 8080 (114 matches)
    70 permit ip any any (8056 matches)

8 Replies

r.mohannad
Level 1

Can you please tell us what your switch model is, and also the configuration on the interface...

Thanks

Sorry, I forgot to write the switch/software details. Here they are:

WS-C2960S-48FPD-L  IOS version: 15.0(2)SE1

Try to

remove the last policy "Guest Wired Redirect"

change "Wired MAB" policy to be :

"NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions

without Wired_MAB condition

Remove the first two policies and add a new one at the top, the "GUEST" policy:

GUEST if Network Access:UseCase EQUALS Guest Flow then PermitAccess

let me know if this works

Hi Mohannad,

I tried the above changes, but now it seems it does not hit those policies, as I see I'm getting the default Deny Access authorization policy. Then I enabled the previously created Wired_MAB and got the login portal, and after giving the username/password it again redirects to the same login portal.

Attached are my Authorization policy and logging screenshots. We need to find the reason for the "Dynamic Authentication Failed" error we see after the username/password is accepted.

Screen shots are attached as stated.

Regards,

The changes should work. Can you paste the interface configuration of the switch? Please make sure MAB is enabled.

Also, make sure that the authentication in ISE continues if the user was not found, as shown in the figure below:

http://www.cisco.com/image/gif/paws/113362/web-auth-ise-03.gif

Hi Mohannad,

Thanks for your response.

Actually, as per the configuration it should work; I'm still trying to find out what has gone wrong with this configuration. In fact I have tested with a 3560 switch with the same config and it worked. The only difference here is that we used a 2960S switch.

We need to find out why the next Auth policy is not hit once the user is authenticated.

Here is the port configuration and the authentication status of the port.

ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
Building configuration...

Current configuration : 427 bytes
!
interface GigabitEthernet4/0/19
 switchport access vlan 103
 switchport mode access
 switchport voice vlan 135
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab webauth
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

ABQT-3FLR-ACC-01#
Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
ABQT-3FLR-ACC-01#
ABQT-3FLR-ACC-01#sh atuh
ABQT-3FLR-ACC-01#sh atu
ABQT-3FLR-ACC-01#sh authe
ABQT-3FLR-ACC-01#sh authentication se
ABQT-3FLR-ACC-01#sh authentication sessions in
ABQT-3FLR-ACC-01#sh authentication sessions interface gi
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
            Interface:  GigabitEthernet4/0/19
          MAC Address:  0015.c5b4.fd4a
           IP Address:  10.1.3.23
            User-Name:  00-15-C5-B4-FD-4A
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC14011F0000018A32B4D906
      Acct Session ID:  0x00000394
               Handle:  0x3E00018B
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

Hi Mohannad,

I found the issue and fixed it, and it's working perfectly now.

The issue was with the radius dynamic-author key, so I re-configured the key and it started working:

aaa server radius dynamic-author
 client X.X.X.X server-key xxxxx

thanks a lot for all your responses.
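As an added example (not part of the thread), a small Python checker that parses the `show authentication sessions interface` output pasted above and flags the state the poster was stuck in: a session still holding the MAB identity with the URL redirect applied after the portal login, which is what a CoA that never reached the switch (here, the dynamic-author key mismatch) looks like from the switch side. The sample output is constructed from the thread with the ISE hostname replaced by a placeholder.

```python
import re

# Constructed sample from the thread, trimmed to the fields the check uses; the ISE hostname is a placeholder.
SESSION_OUTPUT = """\
            Interface:  GigabitEthernet4/0/19
          MAC Address:  a0b3.ccca.2ab1
           IP Address:  10.1.3.16
            User-Name:  A0-B3-CC-CA-2A-B1
               Status:  Authz Success
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://ise.example.invalid:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
    Common Session ID:  AC14011F000001571E52779F
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

def parse_session(text):
    """Parse 'Key:  value' lines plus the runnable-methods table into a dict."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        if line.strip().startswith("Runnable methods list"):
            in_methods = True
        elif in_methods:
            parts = line.split(None, 1)  # e.g. ['mab', 'Authc Success']
            if len(parts) == 2 and parts[0] != "Method":
                methods[parts[0]] = parts[1].strip()
        elif ":" in line:
            key, value = line.split(":", 1)  # first colon only, so URLs keep theirs
            fields[key.strip()] = value.strip()
    fields["methods"] = methods
    return fields

def diagnose(session):
    """Return findings explaining why a wired CWA client keeps seeing the portal."""
    findings = []
    mac = session.get("MAC Address", "").replace(".", "").upper()
    user = session.get("User-Name", "").replace("-", "").upper()
    redirect = session.get("URL Redirect", "")
    # After a portal login ISE sends a CoA and the switch re-authorizes the port under the
    # guest identity; still MAB identity (User-Name == MAC) + redirect means CoA never applied.
    if redirect and user == mac:
        findings.append("stuck in pre-login state: MAB identity with URL redirect still applied; "
                        "verify 'aaa server radius dynamic-author' client address and server-key")
    m = re.search(r"sessionId=([0-9A-Fa-f]+)", redirect)
    if m and m.group(1) != session.get("Common Session ID"):
        findings.append("redirect URL sessionId does not match Common Session ID")
    return findings
```

Run it against the output of a port that still loops to the portal; an empty result after the guest has logged in means the CoA was applied and the problem lies elsewhere.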

Good News pemasirid