ISE Wired Central Web Authentication no url redirect

joeharb
Level 5

We are setting up ISE for wired guest access but are having trouble with the client being redirected. The switch gets the download from ISE and shows that it should use the URL redirect with the correct ACL.

ISEtest3560#show authentication sessions interface fastEthernet 0/2
            Interface:  FastEthernet0/2
          MAC Address:  001d.09cb.78bd
           IP Address:  Unknown
            User-Name:  00-1D-09-CB-78-BD
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
              ACS ACL:  xACSACLx-IP-ISE-Only-52434fbe
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0003E600000039064485B1
      Acct Session ID:  0x00000293
               Handle:  0x95000039
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

From the client PC I can get name resolution for anything I ping. I can also ping the ISE server by name. The ACL that is downloaded is as follows:

Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit ip any host 10.4.37.91
    40 deny ip any any log
Extended IP access list ACL-WEBAUTH-REDIRECT
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host 10.4.37.91
    40 permit tcp any any eq www (13 matches)
    50 permit tcp any any eq 443
    51 permit tcp any any eq 8443
    60 deny ip any any

The machine passes the authentication with MAB and hits the CWA authorization profile. ISE shows the client as "Pending", and the next entry above that in the log is the dACL getting pushed to the switch. Could part of the issue be that the device shows Unknown for IP address? The command ip device tracking is in the switch:

ISEtest3560#show running-config | include tracking
ip device tracking
ISEtest3560#

We have 802.1x clients working, and the IP address for those does show up.

Please advise,

Thanks,

Joe

7 Replies

chris_day
Level 1

I have had this issue in the past but not the way you are having it. The unknown IP address is a bit of a concern, as that means the ACL can't properly be built. You can do a show ip access-list interface fa0/2 and that shows dynamic ACLs on the port. Your IP address is required, as the switch downloads the ACL and replaces the word any with the IP address of the session using that dACL. Make sure you do not have port-security enabled on the port, as this can cause issues.

When I ran into the problem the switch could not deliver the redirect URL to the connected device. We ended up finding out that the switch, being a layer 2 switch, had an IP assigned to the management VLAN, and that VLAN was being blocked to the VLAN the client was on via an upstream firewall. A layer 3 switch wouldn't have this issue, but the URL had to be delivered to the client somehow via layer 3, so opening up the management VLAN to be allowed to deliver the web redirect to the guest VLAN fixed that issue.

ISEtest3560#show ip access-lists interface fastEthernet 0/2
ISEtest3560#

Doesn't appear the dACL is being applied.

interface FastEthernet0/2
 switchport access vlan 11
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 999
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree guard root

Extended IP access list ACL-DEFAULT
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit udp any any eq tftp
    41 permit ip any host 10.4.37.91
    50 deny ip any any log (1059 matches)

Could the dACL be causing the issue with the Unknown, or is the Unknown causing the issue with the dACL?

Thanks,

Joe

Joe, you're using central web-auth, so remove web-authentication from your authentication order; this is only required for local web auth. The unknown IP address is causing your dACL to not be applied, as it can't be applied until an IP address is present. Just make absolutely sure you don't have any firewalls or ACLs between your management VLAN and the layer 3 gateway or switch that terminates the subnet of your pre-authentication VLAN. Something tells me that the switch needs to send an ARP request of the MAC to resolve the IP of the client. If that switch doesn't have the SVI for that VLAN then it will need to ARP request that from the SVI, so make sure there is nothing blocking that, and if you are using DHCP snooping you are also allowing ARP inspection on your trunk uplinks, so make sure dynamic ARP inspection is allowed on those trunks. This won't work until you get the IP address to show up when issuing the show auth sess int fa0/2 command.
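The two replies above describe the conditions a wired CWA session has to meet before the redirect can happen: the switch must have learned the session IP before it can build the per-user dACL (it substitutes that IP for the source "any"), webauth should not be in the authentication order for central web-auth, and the redirect ACL has to match web traffic while exempting DHCP, DNS and the ISE node. The script below is an added example, not from the thread or from Cisco, that parses the same three outputs quoted in this thread and applies those checks. The sample outputs are constructed to match the question's format; the ISE hostname in the redirect URL and the session IP used for the substitution demo are placeholders.

```python
"""Sanity checks for a wired ISE CWA session, modelled on the outputs in this thread."""
import re
from typing import Optional

# Constructed sample, same layout as the question's `show authentication sessions` output.
SESSION_OUTPUT = """\
            Interface:  FastEthernet0/2
          MAC Address:  001d.09cb.78bd
           IP Address:  Unknown
            User-Name:  00-1D-09-CB-78-BD
               Status:  Authz Success
              ACS ACL:  xACSACLx-IP-ISE-Only-52434fbe
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://ise.example.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
"""

# Constructed sample of the dACL and redirect ACL as shown by `show ip access-lists`.
ACL_OUTPUT = """\
Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit ip any host 10.4.37.91
    40 deny ip any any log
Extended IP access list ACL-WEBAUTH-REDIRECT
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host 10.4.37.91
    40 permit tcp any any eq www (13 matches)
    50 permit tcp any any eq 443
    51 permit tcp any any eq 8443
    60 deny ip any any
"""

# Constructed excerpt of the port configuration from the thread.
INTERFACE_CONFIG = """\
interface FastEthernet0/2
 authentication order dot1x mab webauth
 authentication priority dot1x mab webauth
 mab
"""


def parse_session(text: str) -> dict:
    """Turn the 'Key:  value' lines of the session output into a dict."""
    session = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s+(.*)$", line)
        if m:
            session[m.group(1).strip()] = m.group(2).strip()
    return session


def parse_acls(text: str) -> dict:
    """Map ACL name -> list of (seq, action, rest); match counters are stripped."""
    acls, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Extended IP access list (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = re.match(r"\s*(\d+) (permit|deny) (.*?)(?: \(\d+ matches\))?$", line)
        if m and current:
            acls[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return acls


def render_per_user_acl(entries, session_ip: str) -> Optional[list]:
    """Model the substitution chris_day describes: the switch replaces the source
    'any' of a per-user dACL with the session IP. Returns None while the IP is
    still Unknown, i.e. the dACL cannot be built yet (exact format is assumed)."""
    if session_ip.lower() == "unknown":
        return None
    rendered = []
    for seq, action, rest in entries:
        proto, _, tail = rest.partition(" ")  # source is the token after the protocol
        if tail.startswith("any"):
            tail = f"host {session_ip}" + tail[3:]
        rendered.append(f"{seq} {action} {proto} {tail}")
    return rendered


def audit(session_text: str, acl_text: str, iface_config: str, ise_ip: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    session = parse_session(session_text)
    acls = parse_acls(acl_text)

    if session.get("IP Address", "Unknown").lower() == "unknown":
        findings.append("session IP is Unknown: per-user dACL cannot be applied "
                        "(check ip device tracking and the ARP/DHCP-snooping path)")

    order = re.search(r"authentication order (.+)", iface_config)
    if order and "webauth" in order.group(1).split():
        findings.append("webauth in authentication order: not needed for CWA, remove it")

    redirect = acls.get(session.get("URL Redirect ACL", ""), [])
    dacl = acls.get(session.get("ACS ACL", ""), [])

    def has(entries, action, needle):
        return any(a == action and needle in rest for _, a, rest in entries)

    if not has(redirect, "permit", "eq www"):
        findings.append("redirect ACL does not match HTTP: client will never be redirected")
    if not has(redirect, "deny", "eq domain"):
        findings.append("redirect ACL does not exempt DNS: name resolution will be intercepted")
    if not has(redirect, "deny", f"host {ise_ip}"):
        findings.append("redirect ACL does not exempt the ISE node: portal traffic would loop")
    if not has(dacl, "permit", f"host {ise_ip}"):
        findings.append("dACL does not permit the ISE node: portal unreachable after redirect")
    return findings


if __name__ == "__main__":
    for finding in audit(SESSION_OUTPUT, ACL_OUTPUT, INTERFACE_CONFIG, "10.4.37.91"):
        print("FINDING:", finding)
```

Run against the thread's outputs it reports exactly the two points raised in the replies (Unknown IP and webauth in the order); once the session shows an IP, `render_per_user_acl` shows what the switch would install for that host.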

I changed the initial VLAN on the machine to be what we will be using instead of the test VLAN. The test VLAN interface on the upstream switch has a secondary interface, and I was using an IP address (static on the workstation) from the secondary range. When I move it over to the VLAN that uses DHCP and doesn't have a secondary, everything is now working.

Thanks,

Joe

Is there anything restricting traffic between the address range that your edge switch will have (the one doing the dot1x auth) and the secondary address on your upstream switch? Any ACLs that block traffic between those two subnets?

When your client tries to web browse, the spoofed reply would come back from whatever interface your edge switch has, and if the secondary address range you talked about isn't also on that edge switch, it will have to route back to it via your upstream switch. Any ACLs on there could block the reply, stopping the redirect.

manjeets
Level 3

Kindly review the attached doc:

arnert
Level 1

I am having this problem also. We are looking for a combination of MAB and 802.1x, and when 802.1x succeeds, a redirection to the ISE web portal to use RSA. Redirection is not working.