03-27-2013 03:42 AM - edited 03-10-2019 08:14 PM
Hi
I have configured both Wired and Wireless guest authentication via the guest portal. Wireless is working fine; however, when trying with Wired, the redirection page keeps appearing even after the user has authenticated.
I'm not seeing the redirection authorization policy in my logs; I can only see the user authentication logs (successful). Attached are my configuration and logging output.
Here is what I see on the interface:
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
Interface: GigabitEthernet4/0/19
MAC Address: a0b3.ccca.2ab1
IP Address: 10.1.3.16
User-Name: A0-B3-CC-CA-2A-B1
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC14011F000001571E52779F
Acct Session ID: 0x00000309
Handle: 0xE6000158
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
Here is the ACL:
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain (1344 matches)
20 deny ip any host 172.20.5.12 (8122 matches)
30 deny ip any host 172.20.5.14
40 permit tcp any any eq www (3124 matches)
50 permit tcp any any eq 443 (202927 matches)
60 permit tcp any any eq 8080 (114 matches)
70 permit ip any any (8056 matches)
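The symptom above (MAB passed, a URL redirect still attached, user name still the MAC address) is what a port looks like while a central web auth session is waiting for the portal login, and it is also what the port keeps looking like when the CoA from ISE after that login never takes effect. The following is an added example, not code from the thread: it parses the shape of the "show authentication sessions interface" output shown here and classifies the session so that a "before login" and "after login" snapshot can be compared. The portal host name and session id in the constructed sample are placeholders.

```python
import re

# Constructed sample in the shape of "show authentication sessions interface" output;
# the portal host and session id are placeholders, not values from a real deployment.
SESSION_BEFORE_LOGIN = """\
Interface: GigabitEthernet4/0/19
MAC Address: a0b3.ccca.2ab1
IP Address: 10.1.3.16
User-Name: A0-B3-CC-CA-2A-B1
Status: Authz Success
Authorized By: Authentication Server
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://ise-psn.example.test:8443/guestportal/gateway?sessionId=SESSIONID-PLACEHOLDER&action=cwa
Common Session ID: SESSIONID-PLACEHOLDER
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
"""

def parse_session(text):
    """Split the CLI output into 'Key: Value' fields plus a 'methods' dict."""
    fields, methods = {}, {}
    for line in text.splitlines():
        m = re.match(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$", line)
        if m:                      # rows of the runnable-methods table
            methods[m.group(1)] = m.group(2)
        elif ":" in line:          # everything else is a single field line
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()
    fields["methods"] = methods
    return fields

def cwa_stage(session):
    """Where a central-web-auth session sits, judged from the switch's view."""
    mac = session.get("MAC Address", "").replace(".", "").upper()
    user_is_mac = session.get("User-Name", "").replace("-", "").upper() == mac
    mab_ok = session["methods"].get("mab") == "Authc Success"
    if mab_ok and user_is_mac and session.get("URL Redirect"):
        return "redirect-pending"   # MAB passed, guest still owes a portal login
    if not user_is_mac and not session.get("URL Redirect"):
        return "guest-authorized"   # CoA replaced the redirect with the final policy
    return "unknown"

def coa_applied(before, after):
    """True only if the session moved from redirect to authorized, i.e. the CoA landed."""
    return cwa_stage(before) == "redirect-pending" and cwa_stage(after) == "guest-authorized"

if __name__ == "__main__":
    before = parse_session(SESSION_BEFORE_LOGIN)
    # Constructed 'after' snapshot: the port is unchanged when the CoA from ISE never lands.
    stuck = dict(before)
    print(cwa_stage(before), coa_applied(before, stuck))
```

If the portal shows the login as successful but the second snapshot is still "redirect-pending", the switch never applied a change of authorization, which points at the dynamic-author client and key on the switch rather than at the authorization policy itself.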
03-28-2013 12:40 AM
Can you please tell us what your switch model is, and also the configuration on the interface...
Thanks
03-28-2013 05:47 AM
Sorry, I missed writing the switch/software details. Here it is:
WS-C2960S-48FPD-L IOS version: 15.0(2)SE1
03-29-2013 05:45 AM
Try to:
- remove the last policy "Guest Wired Redirect"
- change the "Wired MAB" policy to be:
"NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions
without the Wired_MAB condition
- remove the first two policies and add a new "GUEST" policy at the top:
GUEST if Network Access:UseCase EQUALS Guest Flow then PermitAccess
Let me know if this works.
03-31-2013 12:39 AM
Hi Mohannad,
I tried with the above changes, but now it seems it does not hit those policies, as I see I'm getting the default Deny Access authorization policy. Then I enabled the previously created Wired_MAB and got the login portal, and after giving the username/password it again redirects to the same login portal.
Attached are my Authorization policy and logging screenshots. We need to find the reason for the "Dynamic Authentication Failed" error we see after the username/password is accepted.
Screenshots are attached as stated.
Regards,
03-31-2013 02:31 AM
The changes should work. Can you paste the interface configuration of the switch? Please make sure MAB is enabled.
Also, make sure that in the authentication in ISE "continue" is selected if the user was not found, as shown in the figure below:
http://www.cisco.com/image/gif/paws/113362/web-auth-ise-03.gif
03-31-2013 02:37 AM
Hi Mohannad,
Thanks for your response.
Actually, as per the configuration it should work; I'm still trying to find out what has gone wrong with this configuration. In fact I have tested with a 3560 switch with the same config and it worked. The only difference here is that we used a 2960S switch.
We need to find out why the next Auth policy is not hitting once the user is authenticated.
Here is the port configuration and the authentication status of the port:
ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
Building configuration...
Current configuration : 427 bytes
!
interface GigabitEthernet4/0/19
switchport access vlan 103
switchport mode access
switchport voice vlan 135
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab webauth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
ABQT-3FLR-ACC-01#
Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
ABQT-3FLR-ACC-01#
ABQT-3FLR-ACC-01#sh atuh
ABQT-3FLR-ACC-01#sh atu
ABQT-3FLR-ACC-01#sh authe
ABQT-3FLR-ACC-01#sh authentication se
ABQT-3FLR-ACC-01#sh authentication sessions in
ABQT-3FLR-ACC-01#sh authentication sessions interface gi
ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
Interface: GigabitEthernet4/0/19
MAC Address: 0015.c5b4.fd4a
IP Address: 10.1.3.23
User-Name: 00-15-C5-B4-FD-4A
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC14011F0000018A32B4D906
Acct Session ID: 0x00000394
Handle: 0x3E00018B
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
03-31-2013 02:52 AM
Hi Mohannad,
I found the issue and fixed it, and it's working perfectly now.
The issue was on the radius dynamic-author key, so I re-configured the key and it started working:
aaa server radius dynamic-author
client X.X.X.X server-key xxxxx
Thanks a lot for all your responses.
03-31-2013 11:28 PM
Good news, pemasirid.