ISE 1.2 web authentication problem with wired clients
I am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
Redirecting the client works fine, but as soon as the client opens a web browser and the ISE website opens to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials, a session expired message appears on the client and I get an 86017 Session Missing message in ISE.
Here is the output from the debug aaa coa log.
Thanks in advance.
!
! CLIENT CONNECT TO SWITCHPORT
!
ISE-TEST-SWITCH#show authentication sessions interface gi0/3
            Interface:  GigabitEthernet0/3
          MAC Address:  001f.297b.bd82
           IP Address:  10.2.12.45
            User-Name:  00-1F-29-7B-BD-82
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC1484640000026B28C02CDC
      Acct Session ID:  0x0000029C
               Handle:  0x8C00026C
This generally occurs when you place your phase 2 authorization policy below the phase 1 authorization policy. As the authorization policies are matched just like ACLs, your client, after being authorized by the phase 1 policy (having the redirect ACL and all), when it re-initiates authentication and authorization, again matches the phase 1 authorization policy instead of the phase 2 authorization policy, and the client is forced to re-authenticate to the guest portal again.
I suggest you move the phase 2 authorization policy above the phase 1 policy.
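To illustrate the ordering point made in the answer above, here is an added example (not code from the original thread or from ISE) of a first-match policy evaluator: with the phase 2 rule below the phase 1 rule, a session that has already passed the portal still hits the redirect rule, while reordering lets it reach the permit rule. The rule names, condition attributes and profile names are constructed for illustration.

```python
# Added example (not from the original post): a minimal first-match evaluator
# mimicking how ISE walks an authorization policy top-down, to show why the
# phase 2 (post-portal) rule must sit above the phase 1 (redirect) rule.
# Rule names, conditions and profile names are constructed for illustration.

def match(conditions, session):
    """Every condition in the rule must hold for the session attributes."""
    return all(session.get(attr) == value for attr, value in conditions.items())

def authorize(policy, session):
    """First-match: return (rule name, profile) of the first rule that matches."""
    for name, conditions, profile in policy:
        if match(conditions, session):
            return name, profile
    return "Default", "DenyAccess"

# Phase 1: wired MAB, no portal login yet -> push redirect ACL and CWA URL.
# Phase 2: same wired MAB session, but the Guest Flow attribute is now set -> permit.
PHASE1 = ("Wired_MAB_Redirect", {"Protocol": "MAB", "Medium": "Wired"}, "CWA_Redirect")
PHASE2 = ("Wired_Guest_Permitted",
          {"Protocol": "MAB", "Medium": "Wired", "UseCase": "Guest Flow"},
          "PermitAccess")

# Constructed session attributes before and after the user submits portal credentials.
BEFORE_LOGIN = {"Protocol": "MAB", "Medium": "Wired"}
AFTER_LOGIN = {"Protocol": "MAB", "Medium": "Wired", "UseCase": "Guest Flow"}

WRONG_ORDER = [PHASE1, PHASE2]   # phase 2 below phase 1, as in the question
RIGHT_ORDER = [PHASE2, PHASE1]   # the fix suggested in the answer

if __name__ == "__main__":
    for label, policy in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(label, "before login:", authorize(policy, BEFORE_LOGIN))
        print(label, "after login: ", authorize(policy, AFTER_LOGIN))
```

With the wrong order the post-login session is sent back to the portal (the redirect profile wins again), which is the loop described in the question.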