09-26-2013 06:06 AM - edited 03-10-2019 08:56 PM
We are setting up ISE for wired guest access but are having trouble with the client being redirected. The switch gets the download from ISE and shows that it should use the URL redirect with the correct ACL.
ISEtest3560#show authentication sessions interface fastEthernet 0/2
Interface: FastEthernet0/2
MAC Address: 001d.09cb.78bd
IP Address: Unknown
User-Name: 00-1D-09-CB-78-BD
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-ISE-Only-52434fbe
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0003E600000039064485B1
Acct Session ID: 0x00000293
Handle: 0x95000039
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
From the client pc I can get name resolution for anything I ping. I also can ping the ise server by name. The ACL that is downloaded it as follows:
Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit ip any host 10.4.37.91
40 deny ip any any log
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.4.37.91
40 permit tcp any any eq www (13 matches)
50 permit tcp any any eq 443
51 permit tcp any any eq 8443
60 deny ip any any
The machine passes the authentication with MAB and hits the CWA Authorization profile. ISE shows the client as "Pending", then the next entry above that in the log is the dACL getting pushed to the switch. Could part of the issue be that the device shows Unknown for IP address? The command ip device tracking is in the switch:
ISEtest3560#show running-config | include tracking
ip device tracking
ISEtest3560#
We have 802.1x clients working and the IP address for those does show up.
Please advise,
Thanks,
Joe
09-26-2013 06:27 AM
I have had this issue in the past but not the way you are having it. The unknown IP address is a bit of a concern, as that means the ACL can't properly be built. You can do a show ip access-list interface fa0/2 and that shows dynamic ACLs on the port; your IP address is required, as the switch downloads the ACL and replaces the word any with the IP address of the session using that dACL. Make sure you do not have port-security enabled on the port, as this can cause issues.
When I ran into the problem the switch could not deliver the redirected URL to the connected device. We ended up finding out that the switch, being a layer 2 switch, had an IP assigned to the management VLAN, and that VLAN was being blocked from the VLAN the client was on by an upstream firewall. A layer 3 switch wouldn't have this issue, but the URL had to be delivered to the client somehow via layer 3, so opening up the management VLAN to be allowed to deliver the web redirect to the guest VLAN fixed that issue.
09-26-2013 06:35 AM
ISEtest3560#show ip access-lists interface fastEthernet 0/2
ISEtest3560#
Doesn't appear the dACL is being applied.
interface FastEthernet0/2
switchport access vlan 11
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 999
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree guard root
Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
41 permit ip any host 10.4.37.91
50 deny ip any any log (1059 matches)
Could the dACL be causing the issue with the Unknown, or is the Unknown causing the issue with the dACL?
Thanks,
Joe
09-26-2013 07:06 AM
Joe, you're using central web-auth, so remove web-authentication from your authentication order; this is only required for local web auth. The unknown IP address is causing your dACL to not be applied, as it can't be applied until an IP address is present. Just make absolutely sure you don't have any firewalls or ACLs between your management VLAN and the layer 3 gateway or switch that terminates the subnet of your pre-authentication VLAN. Something tells me that the switch needs to send an ARP request for the MAC to resolve the IP of the client. If that switch doesn't have the SVI for that VLAN then it will need to ARP request that from the SVI, so make sure there is nothing blocking that, and if you are using DHCP snooping you are also allowing arp-inspection on your trunk uplinks, so make sure dynamic ARP inspection is allowed on those trunks. This won't work until you get the IP address to show up when issuing the show auth sess int fa0/2 command.
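To turn the checks made in this thread into something repeatable, here is an added example (not code from the thread, from Cisco, or from ISE) that parses the kind of output posted above and flags the conditions the replies point at: a session with no learned IP (so the dACL cannot be applied), webauth left in the authentication order/priority while CWA is in use, and a redirect ACL that does not exempt the ISE node the dACL permits. All sample text is constructed for the example and modelled on the outputs in the thread; the ISE hostname in the redirect URL is a placeholder.

```python
import re

# Constructed sample: "show authentication sessions interface fa0/2" output,
# modelled on the thread. The hostname in the URL is a placeholder.
SESSION = """\
Interface: FastEthernet0/2
MAC Address: 001d.09cb.78bd
IP Address: Unknown
Status: Authz Success
ACS ACL: xACSACLx-IP-ISE-Only-52434fbe
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://ise.example.invalid:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
Common Session ID: 0A0003E600000039064485B1
"""

# Constructed sample: the relevant lines of the running config.
RUNNING_CONFIG = """\
ip device tracking
interface FastEthernet0/2
 switchport access vlan 11
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 authentication port-control auto
 mab
 dot1x pae authenticator
"""

# Constructed samples: the dACL pushed by ISE and the local redirect ACL.
DACL = """\
Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit ip any host 10.4.37.91
40 deny ip any any log
"""

REDIRECT_ACL = """\
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.4.37.91
40 permit tcp any any eq www (13 matches)
50 permit tcp any any eq 443
51 permit tcp any any eq 8443
60 deny ip any any
"""

# One access-list entry: sequence number, action, match spec, optional hit counter.
ACE_RE = re.compile(r"^\s*\d+\s+(permit|deny)\s+(.*?)(?:\s+\(\d+ matches\))?\s*$")


def parse_session(text):
    """Session output -> dict of field name to value (URL colons are preserved)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_acl(text):
    """ACL listing -> list of (action, match spec); header and counters dropped."""
    return [(m.group(1), m.group(2)) for m in map(ACE_RE.match, text.splitlines()) if m]


def check_cwa_session(session_text, config_text, dacl_text, redirect_text):
    """Return a list of findings that would explain a failing CWA redirect."""
    session = parse_session(session_text)
    dacl = parse_acl(dacl_text)
    redirect = parse_acl(redirect_text)
    config_lines = [l.strip() for l in config_text.splitlines()]
    findings = []

    # 1. The switch substitutes the session IP for "any" in the dACL; with no IP
    #    learned (IP device tracking empty) the dACL is never applied.
    if session.get("IP Address", "Unknown") == "Unknown":
        findings.append("session has no IP address: dACL cannot be applied and redirect will fail")
        if "ip device tracking" not in config_lines:
            findings.append("ip device tracking is not enabled globally")

    # 2. A URL redirect means central web auth; webauth in order/priority is for local web auth.
    if session.get("URL Redirect"):
        for line in config_lines:
            if line.startswith(("authentication order", "authentication priority")) and "webauth" in line.split():
                findings.append(f"'{line}' includes webauth although CWA (URL redirect) is in use")

    # 3. Hosts the dACL permits (the ISE node) must be denied in the redirect ACL,
    #    otherwise the portal request itself is intercepted and redirected again.
    ise_hosts = [spec.split()[-1] for act, spec in dacl if act == "permit" and " host " in f" {spec} "]
    exempt = {spec for act, spec in redirect if act == "deny"}
    for host in ise_hosts:
        if f"ip any host {host}" not in exempt:
            findings.append(f"redirect ACL does not deny traffic to {host}; portal traffic would be redirected")

    # 4. Only flows the redirect ACL permits are intercepted; HTTP must be among them.
    if not any(act == "permit" and spec.endswith("eq www") for act, spec in redirect):
        findings.append("redirect ACL has no 'permit tcp any any eq www'")
    return findings


if __name__ == "__main__":
    for finding in check_cwa_session(SESSION, RUNNING_CONFIG, DACL, REDIRECT_ACL):
        print("-", finding)
```

Run against the constructed sample it reports the missing IP and the two webauth lines; once the session shows an IP and webauth is removed from the port configuration, the same check returns nothing, which is the state the reply above says you need before the redirect can work.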
09-26-2013 07:30 AM
I changed the initial VLAN on the machine to be what we will be using instead of the test VLAN. The test VLAN interface on the upstream switch has a secondary interface; I was using an IP address (static on the workstation) from the secondary range. When I move it over to the VLAN that uses DHCP and doesn't have a secondary, everything is now working.
Thanks,
Joe
09-30-2013 04:10 PM
Is there anything restricting traffic between the address range that your edge switch will have (the one doing the dot1x auth) and the secondary address on your upstream switch? Any ACLs that block traffic between those two subnets?
When your client tried to web browse, the spoofed reply would come back from whatever interface your edge switch has, and if the secondary address range you talked about isn't also on that edge switch, it will have to route back to it via your upstream switch. Any ACLs on there could block the reply, stopping the redirect.