03-28-2012 04:49 AM - edited 03-10-2019 06:57 PM
As a follow-up to the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, I'm asking for your help...
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
spanning-tree portfast
end
The ACLs:
Extended IP access list webauth
10 permit ip any any
Extended IP access list redirect
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443
The ISE-side configuration I followed step by step...
When I connect the XP client, I see the following authentication session...
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.184
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000490AC1A9E2
Acct Session ID: 0x00000077
Handle: 0xB7000049
Runnable methods list:
Method State
mab Authc Success
But there is no redirection, and I get the following message on the switch console:
756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
I have to mention I'm using an http proxy on port 8080...
Any Ideas on what is going wrong?
Regards
Nuno
03-28-2012 09:04 AM
Hi Nuno,
There are some chances you may be hitting something similar to the following bug CSCtk75751:
Symptom:
epm-redirect:IP=N.N.N.N: No redirection policy for this host
above message is displayed if traffic matches redirect acl if only a single host is present on the interface
Conditions:
url-redirect configured as a policy and only a single host present on the interface.
Workaround:
NA
Just to exclude this assumption, would you be able to test with 12.2(55)SE3 for example?
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
03-29-2012 04:45 AM
OK, so I upgraded the IOS to version
SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
I tweaked the ACLs to the following:
Extended IP access list redirect
10 permit ip any any (13 matches)
and created a DACL that is downloaded along with the authentication
Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
10 permit ip any any
I can see the epm session
swlx0x0x#show epm session ip 172.22.3.74
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
And authentication
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.74
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000160042BD98
Acct Session ID: 0x0000001B
Handle: 0x90000016
Runnable methods list:
Method State
mab Authc Success
In the logging, I get the following messages...
017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
What am I missing?
03-29-2012 04:56 AM
With a permit ip any any, your switch will try to redirect on all kinds of packets, so this log extract can be for a dns packet or whatsoever, so it could be legitimate.
Now if there's only this type of log then yes it's concerning. I haven't seen this yet.
To rule out (and I like to rule out things, it makes thinking simpler :-) ) the proxy, could you remove your proxy configuration?
Your PC would then send traffic on port 80 and the setup would be simpler. If you then get the redirection, we know the issue is related with port 8080 or the proxy system.
03-29-2012 08:18 AM
Yes, I already tried that...
I also tried with a new ACL
10 permit tcp any any eq www
20 permit tcp any any eq 443 (6 matches)
30 permit tcp any any eq 8080
40 permit udp any eq bootpc any eq bootps (14 matches)
50 permit udp any any eq domain (850 matches)
60 permit icmp any any (8 matches)
But nothing seems to redirect the webAuthentication...
09-11-2015 05:54 AM
Turn on "ip device tracking" on the switch and it starts redirecting the traffic.
04-19-2017 05:10 PM
I am having the same issue mentioned in this post and I've tried everything mentioned here, but still not able to get the switch to redirect to the portal.
Anyone got this working?
03-28-2012 10:56 PM
Federico's point is valid, but I'm also thinking that if you are using an http proxy on port 8080, it means that your client PC will only talk to this proxy on port 8080 and it's the proxy who will send the real HTTP/HTTPS requests. So you should be redirecting port 8080 as well on your switch ACL.
I've never done this setup with a proxy, but I think it would be required in your case.
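To make the redirect-ACL semantics discussed in this thread concrete, here is an added Python model (not from the thread, not Cisco code) that parses the ACL lines posted above and reports what would happen to one client packet. The exact IOS behaviour it encodes, the placeholder addresses 198.51.100.10 and 192.0.2.80, and the idea that a port-map simply adds 8080 to the set of HTTP ports are assumptions.

```python
# Added example (not from the thread): a small model of how a Catalyst redirect ACL picks
# client traffic for CWA redirection. Assumed semantics, chosen to match the epm-redirect
# debug lines above: permit = qualified, deny = excluded, no match = "No redirection policy".
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}
def _addr(tok, i):  # 'any' or 'host X'
    return ("any", i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)
def _port_op(tok, i):  # optional 'eq N' / 'gt N' after an address
    if i < len(tok) and tok[i] in ("eq", "gt"):
        return (tok[i], PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])), i + 2
    return None, i
def parse_acl(text):
    """Parse 'show ip access-lists' output; sequence numbers and '(N matches)' are ignored."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split("(")[0].split()
        if tok and tok[0].isdigit():
            tok = tok[1:]
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # header line such as 'Extended IP access list redirect'
        src, i = _addr(tok, 2)
        sport, i = _port_op(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port_op(tok, i)
        aces.append((tok[0], tok[1], src, sport, dst, dport))
    return aces
def _op_match(op, port):
    return op is None or (op[0] == "eq" and port == op[1]) or (op[0] == "gt" and port > op[1])

def decide(aces, pkt, http_ports=(80, 443)):
    """pkt = (proto, src, sport, dst, dport). First match wins; a match outside http_ports is 'not-http'."""
    proto, src, sport, dst, dport = pkt
    for action, aproto, asrc, asport, adst, adport in aces:
        if aproto not in ("ip", proto) or asrc not in ("any", src) or adst not in ("any", dst):
            continue
        if not (_op_match(asport, sport) and _op_match(adport, dport)):
            continue
        if action == "deny":
            return "bypass"  # excluded from redirection, e.g. traffic to the portal itself
        return "redirect" if dport in http_ports else "not-http"  # "Not an HTTP(s) packet"
    return "no-policy"  # "No redirection policy for this host"

# The 'redirect' ACL from the first post (172.22.2.38 is the host it excludes).
REDIRECT_ACL = parse_acl("""Extended IP access list redirect
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443""")
# Constructed sample packets; 198.51.100.10 (web) and 192.0.2.80 (proxy) are placeholders.
TO_ISE = ("tcp", "172.22.3.184", 40000, "172.22.2.38", 8443)
TO_WEB = ("tcp", "172.22.3.184", 40001, "198.51.100.10", 80)
TO_PROXY = ("tcp", "172.22.3.184", 40002, "192.0.2.80", 8080)
```

With the original ACL, the client's traffic to the proxy on 8080 matches nothing at all; adding a permit for 8080 makes it qualify, but in this model it still ends as not-http unless 8080 is also in http_ports.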
03-29-2012 01:03 PM
Nuno - give this a shot, here is a note in the webauth guide:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html
Note:
WebAuth can intercept nonstandard ports using an IP port-to-application map (PAM) entry that maps a new port to HTTP (or HTTPS). In addition, the Cisco IOS Software HTTP server needs to be reconfigured to listen on the nonstandard port. However, the Cisco IOS Software HTTP server can run only on a single port. Therefore, support for port 80 and a nonstandard port are mutually exclusive. If PAM is used to remap the port used for HTTP, then URLs that reference the default port (80) will not trigger redirection. In addition, if traffic to the default router is bridged through a stateful firewall, that firewall will have to turn off stateful inspection for the remapped port.
I found the command on my 3750, which is (ip port-map http....); however, I don't know as of yet if that will work on the 2960. Give this a try to see if it listens on 8080.
thanks,
Tarik Admani
04-05-2012 03:24 AM
The proxy on port 8080 is only intended for Internet use, and even if the proxy could interfere with the web authentication, when I remove the proxy settings it still isn't working...
For the ip port-map http... I did map http on port 8080 and changed the ACL:
swlx0x0x#show ip port-map
Default mapping: https port 443 system defined
Default mapping: http port 8080 user defined
Default mapping: http port 80 system defined
To be honest, the DACL is getting hits:
permit tcp any any eq 443 (6 matches)
permit tcp any any eq www (9 matches)
and the switch ACL is also getting hits:
Extended IP access list ACL-WEBAUTH-REDIRECT
10 permit tcp any gt 1 any gt 1 (276 matches)
And I can see on the logger that packets are identified for redirection:
997210: Apr 5 10:17:19: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
997211: Apr 5 10:17:19: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.159 Hash=356
997212: Apr 5 10:17:19: epm-redirect:IP=172.22.3.159: CacheEntryGet Success
997213: Apr 5 10:17:19: epm-redirect:IP=172.22.3.159: Ingress packet on [idb= FastEthernet0/24] matched with [acl=ACL-WEBAUTH-REDIRECT]
997214: Apr 5 10:17:19: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
997215: Apr 5 10:17:19: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
997216: Apr 5 10:17:19: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.159 Hash=356
997217: Apr 5 10:17:19: epm-redirect:IP=172.22.3.159: CacheEntryGet Success
997218: Apr 5 10:17:19: epm-redirect:IP=172.22.3.159: ingress traffic on [idb=FastEthernet0/24] matches url acl [ACL-WEBAUTH-REDIRECT]. ip_enqueue the packet
I'm running out of ideas...
04-05-2012 03:28 AM
Do you have "ip http server" and "ip http secure-server" configured on the switch?
Just a wild guess.
04-05-2012 03:30 AM
yep
ip http server
ip http secure-server
03-25-2013 05:40 AM
Hello
Do you have an IP on your 2960 switch in the user VLAN?
I think (I am pretty sure) the switch needs an IP to send the HTTP redirect to the client (spoofing the IP of the public web site with its MAC address).
Can you update us on your problem and resolution?
Be careful that a 2960 possibly can't have multiple enabled IPs in different VLANs working at the same time...
regards,
Guillaume
03-25-2013 06:07 PM
Does your switch have routing from its mgmt IP to the guest network?
Sent from Cisco Technical Support Android App
05-09-2013 05:54 AM
Hi Nuno,
I have the same case as yours would you mind to share how you solved your issue ?
Thank you in advance !
Regards,
Martin