cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7393
Views
0
Helpful
15
Replies

Not Working-central web-authentication with a switch and Identity Service Engine

Nuno Moreira
Level 1
Level 1

on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...

I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.

The interface configuration looks like this:

interface FastEthernet0/24

switchport access vlan 6

switchport mode access

switchport voice vlan 20

ip access-group webauth in

authentication event fail action next-method

authentication event server dead action authorize

authentication event server alive action reinitialize

authentication order mab

authentication priority mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication violation restrict

mab

spanning-tree portfast

end

The ACL's

Extended IP access list webauth

    10 permit ip any any

Extended IP access list redirect

    10 deny ip any host 172.22.2.38

    20 permit tcp any any eq www

    30 permit tcp any any eq 443

The ISE side configuration I follow it step by step...

When I conect the XP client, e see the following Autenthication session...

swlx0x0x#show authentication sessions interface fastEthernet 0/24

           Interface:  FastEthernet0/24

          MAC Address:  0015.c549.5c99

           IP Address:  172.22.3.184

            User-Name:  00-15-C5-49-5C-99

               Status:  Authz Success

               Domain:  DATA

       Oper host mode:  single-host

     Oper control dir:  both

        Authorized By:  Authentication Server

           Vlan Group:  N/A

     URL Redirect ACL:  redirect

         URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa

      Session timeout:  N/A

         Idle timeout:  N/A

    Common Session ID:  AC16011F000000490AC1A9E2

      Acct Session ID:  0x00000077

               Handle:  0xB7000049

Runnable methods list:

       Method   State

       mab      Authc Success

But there is no redirection, and I get the the following message on switch console:

756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host

756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...

I have to mention I'm using an http proxy on port 8080...

Any Ideas on what is going wrong?

Regards

Nuno

15 Replies 15

Federico Ziliotto
Cisco Employee
Cisco Employee

Hi Nuno,

There are some chances you may be hitting something similar to the following bug CSCtk75751:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk75751

Symptom:

epm-redirect:IP=N.N.N.N: No redirection policy for this host

above message is displayed if traffic matches redirect acl if only a single host is present on the interface

Conditions:

url-redirect configured as a policy and only a single host present on the interface.

Workaround:

NA

Just to exclude this assumption, would you be able to test with 12.2(55)SE3 for example?

Regards,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

OK, so I upgraded the IOS to version

SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M

I tweak with ACL's to the following:

Extended IP access list redirect

    10 permit ip any any (13 matches)

and created a DACL that is downloaded along with the authentication

Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)

    10 permit ip any any

I can see the epm session

swlx0x0x#show epm session ip 172.22.3.74
     Admission feature:  DOT1X

     ACS ACL:  xACSACLx-IP-redirect-4f743d58

     URL Redirect ACL:  redirect

     URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa

And authentication

swlx0x0x#show authentication sessions interface fastEthernet 0/24
     Interface:  FastEthernet0/24
     MAC Address:  0015.c549.5c99

     IP Address:  172.22.3.74
     User-Name:  00-15-C5-49-5C-99
     Status:  Authz Success
     Domain:  DATA
     Oper host mode:  multi-auth
     Oper control dir:  both
     Authorized By:  Authentication Server
     Vlan Group:  N/A
     ACS ACL:  xACSACLx-IP-redirect-4f743d58
     URL Redirect ACL:  redirect
     URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa

     Session timeout:  N/A

     Idle timeout:  N/A
     Common Session ID:  AC16011F000000160042BD98

     Acct Session ID:  0x0000001B

     Handle:  0x90000016

     Runnable methods list:

     Method   State

     mab      Authc Success

on the logging, I get the following messages...

017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...

017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271

017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success

017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]

017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24

017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...

017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet

What I'm I missing?

With a permit ip any any, your switch will try to redirect on all kinds of packets, so this log extract can be for a dns packet or whatsoever, so it could be legitimate.

Now if there's only this type of log then yes it's concerning. I haven't seen this yet.

To rule out (and I like to rule out things, it makes thinking simpler :-) ) the proxy, coudl you remove your proxy configuration ?

Your PC would then send traffic on port 80 and the setup would be simpler. If you then get the redirection, we know the issue is related with port 8080 or the proxy system.

Yes, I already tried that...

I also tried with a new ACL

    10 permit tcp any any eq www

    20 permit tcp any any eq 443 (6 matches)

    30 permit tcp any any eq 8080

    40 permit udp any eq bootpc any eq bootps (14 matches)

    50 permit udp any any eq domain (850 matches)

    60 permit icmp any any (8 matches)

But nothing seems to redirect the webAuthentication...

turn on "ip device tracking" on switch and it start redirecting the traffic.

I am having the same issue mentioned in this post and I've tried everything mentioned here, but still not able to get the switch to redirect to the portal.

Anyone got this working?

Nicolas Darchis
Cisco Employee
Cisco Employee

Federico's point is valid, but I'm also thinking that if you are using an http proxy on port 8080, it means that your client PC will only talk to this proxy on port 8080 and it's the proxy who will send the real HTTP/HTTPS requests. So you should be redirecting port 8080 as well on your switch ACL.

I've never did this setup with a proxy but I think it would be required in your case.

Nuno - give this a shot here is a note in the webauth guide:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html

Note:

WebAuth can intercept nonstandard  ports using an IP port-to-application map (PAM) entry that maps a new  port to HTTP (or HTTPS). In addition, the Cisco IOS Software HTTP server  needs to be reconfigured to listen on the nonstandard port. However,  the Cisco IOS Software HTTP server can run only on a single port.  Therefore, support for port 80 and a nonstandard port are mutually  exclusive. If PAM is used to remap the port used for HTTP, then URLs  that reference the default port (80) will not trigger redirection. In  addition, if traffic to the default router is bridged through a stateful  firewall, that firewall will have to turn off stateful inspection for  the remapped port.

I found the command on my 3750 which is (ip port-map http....) however I dont know as of yet if that will work on the 2960, give this a try to see if it listens on 8080.

thanks,

Tarik Admani

proxy on port 8080 is only intended for Internet use, and even if the proxy could interfere with the web authentication, when I remove proxy settings it still isn't working...

for the ip port-map http... I did map http on port 8080, and changed the ACL

swlx0x0x#show ip port-map

Default mapping: https            port 443                 system defined

Default mapping: http             port 8080                user defined

Default mapping: http             port 80                  system defined

to be honest, the DACL is having hits

     permit tcp any any eq 443 (6 matches)

     permit tcp any any eq www (9 matches)

and the switch ACL is also having hits

Extended IP access list ACL-WEBAUTH-REDIRECT

    10 permit tcp any gt 1 any gt 1 (276 matches)

And I can see on the logger that packests are identified for redirection

997210: Apr  5 10:17:19: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...

997211: Apr  5 10:17:19: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.159 Hash=356

997212: Apr  5 10:17:19: epm-redirect:IP=172.22.3.159: CacheEntryGet Success

997213: Apr  5 10:17:19: epm-redirect:IP=172.22.3.159: Ingress packet on [idb= FastEthernet0/24] matched with [acl=ACL-WEBAUTH-REDIRECT]

997214: Apr  5 10:17:19: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24

997215: Apr  5 10:17:19: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...

997216: Apr  5 10:17:19: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.159 Hash=356

997217: Apr  5 10:17:19: epm-redirect:IP=172.22.3.159: CacheEntryGet Success

997218: Apr  5 10:17:19: epm-redirect:IP=172.22.3.159: ingress traffic on [idb=FastEthernet0/24] matches url acl [ACL-WEBAUTH-REDIRECT]. ip_enqueue the packet

I'm running out of ideas...

do you have "ip http server" and 'ip http secure-server" configured on the switch ?

just a wild guess

yep

ip http server

ip http secure-server

Hello

do you have an ip on your 2960 switch in the user vlan ?

I think (i am pretty sure) the switch need an IP to send http redirect to client (spoofing the IP of public web site with its MAC-adress)

Can you update us on your problem and resolution ?

be careful that a 2960 possibly can't have multiple enabled IPs in different vlans working at the same time ....

regards,

Guillaume

jan.nielsen
Level 7
Level 7

Does your switch have routing from its mgmt IP to The guest network ?


Sent from Cisco Technical Support Android App

Martin Konov
Level 1
Level 1

Hi Nuno,

I have the same case as yours would you mind to share how you solved your issue ?

Thank you in advance !

Regards,

Martin