Lab Minutes Forum

Technical Discussion => Security => Topic started by: walwar on January 17, 2018, 03:25:03 AM

Title: ISE 2.3 CWA redirection issue
Post by: walwar on January 17, 2018, 03:25:03 AM
Hello,

I am having a redirection issue. The problem is that the guest PC only works after I copy the redirect URL from the switch port and register as a guest from another PC. Worth mentioning is that the guest PC can ping cisco.com (both the domain name and the IP) before the guest registration from the other PC. Has anyone had this issue?

My goal is to achieve the following:
1. DOT1X for domain computers (which works fine and was pretty easy to setup)
2. MAB for printers, security cams, etc. (it doesn't really matter to me whether I use ISE or Active Directory for this)
3. Wired MAB for guest PCs using CWA. (This didn't work when I used an Active Directory group for wired/wireless_mab, or it might be that my authorization wasn't correctly configured.)

My concerns or questions:
1. How many MAC addresses can ISE handle? (what if I have more than 1500 MAC addresses, can I import all into ISE)

My issue:
CWA doesn't work for my guest PC using wired_mab. When I try to go to cisco.com from the guest PC it doesn't redirect me to the portal for guest account registration, even though I can see that it has obtained an IP. But when I copy the redirect URL from my switch port and register an account from another PC, the guest PC is able to connect to the Internet. I have to mention that the PC is able to ping cisco.com but it can't access cisco.com; I tried FF, Chrome and even IE, but same issue. I even tried the IP, but it was the same.

I tried `debug ip http all` but didn't see ANYTHING on the switch.

My aaa config:
aaa authentication dot1x default group ISE_GROUP
aaa authorization network default group ISE_GROUP
aaa authorization auth-proxy default group ISE_GROUP
aaa accounting system default start-stop group ISE_GROUP
aaa accounting dot1x default start-stop group ISE_GROUP
aaa accounting update newinfo periodic 2880
username RADIUS-TEST-USER password 7 REMOVED
!
aaa server radius dynamic-author
client 172.30.1.181
server-key 7 REMOVED
!
radius server KNETISE2001
address ipv4 172.30.1.181 auth-port 1812 acct-port 1813
automate-tester username RADIUS-TEST-USER probe-on
key 7 REMOVED
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
!
aaa group server radius ISE_GROUP
server name KNETISE2001
deadtime 15
!
aaa new-model
aaa session-id common

ACL:
ip access-list extended ACL_DEFAULT (port ACL, but it seems that if I apply this on the port nothing works; after I removed it the guest PC was able to connect to the Internet)
permit udp any any eq domain
permit udp any eq bootpc any eq bootps
deny   ip any any

ip access-list extended ACL_REDIRECT_ISE_BLACKLISTED_DEVICES (this is not applied anywhere; I don't know why this should exist)
permit tcp any any eq www
permit tcp any any eq 443

ip access-list extended ACL_WEBAUTH_REDIRECT (used for my CWA in ISE)
permit tcp any any eq www
permit tcp any any eq 443

IP http config:
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http max-connections 48
ip http active-session-modules none
 
Port config:
interface GigabitEthernet1/0/1
switchport access vlan 3180
switchport mode access
authentication event fail action next-method
authentication event server dead action reinitialize vlan 20
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast


se-sw01-018#sh authen se int g1/0/2 d

            Interface:  GigabitEthernet1/0/2
          MAC Address:  54e1.ada3.2c1a
         IPv6 Address:  Unknown
         IPv4 Address:  172.30.180.11
            User-Name:  54-E1-AD-A3-2C-1A
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
       Session Uptime:  57s
    Common Session ID:  AC1E31AA00000014003FF110
      Acct Session ID:  0x00000009
               Handle:  0x7E000007
       Current Policy:  POLICY_Gi1/0/2

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
         URL Redirect:  https://FQDN-REMOVED:8443/portal/gateway?sessionId=AC1E31AA00000014003FF110&portal=f0ae43f0-7159-11e7-a355-005056aba474&action=cwa&token=1b9a2c0511a704712fa4106f8ff70ec1
     URL Redirect ACL:  ACL_WEBAUTH_REDIRECT
              ACS ACL:  xACSACLx-IP-SVKY_PREAUTH-5a5f0057

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success


This is after I copied the redirect URL and registered from another PC:

se-sw01-018#sh authen se int g1/0/2 d

            Interface:  GigabitEthernet1/0/2
          MAC Address:  54e1.ada3.2c1a
         IPv6 Address:  Unknown
         IPv4 Address:  172.30.180.11
            User-Name:  llk2
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
       Session Uptime:  1802s
    Common Session ID:  AC1E31AA00000014003FF110
      Acct Session ID:  0x0000000B
               Handle:  0x7E000007
       Current Policy:  POLICY_Gi1/0/2

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 3180

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success

I have checked the dACL and CWA in the central_webauth profile and the VLAN in the surf_vlan profile.
My dACL is at the moment permit ip any any.

All input is welcome, and thank you in advance for stopping by.

Here are the authentication, authorization policy and profile.
https://imgur.com/a/39xMS
Title: Re: ISE 2.3 CWA redirection issue
Post by: MC on January 29, 2018, 07:07:33 PM
What do you mean by "register an account from another PC"? When the endpoint hits a MAB auth policy rule, the following should happen:
   1. ISE pushes a DACL to the switch that only allows traffic to ISE (so the guest can see the login portal). This overrides the port default ACL.
   2. ISE pushes the redirect URL to the switch.
   3. ISE tells the switch to enforce the redirect ACL that is configured on the switch, which should only permit www/https.
   It seems like you have most if not all of these in place.
   You mentioned the guest got an IP. The guest should only have access to ISE, so you shouldn't be able to ping cisco.com. If you manually copy the redirect URL shown on the switch into the guest browser, do you see the login page?
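The three server policies listed above (dACL, redirect URL, redirect ACL) can be verified mechanically from the switch's own output. The script below is an added example, not code from the thread or from Cisco: it parses the text of `show authentication sessions interface <if> details` and `show ip access-lists`, checks that the session carries a redirect URL whose sessionId matches the Common Session ID, that the named redirect ACL exists on the switch and permits (that is, redirects) tcp/80 and tcp/443 without also catching the portal port, and that the dACL named in ACS ACL was actually installed. All sample text is constructed to resemble the output posted above; the ISE hostname `ise.example.test` and portal port 8443 are assumptions. The post-login output in the thread, where only a VLAN remains under Server Policies, would be reported as missing all three pieces, which is the expected state once the guest has authenticated.

```python
"""Sanity-check the CWA server policies on an IOS access switch.

Added example: parses 'show authentication sessions interface ... details'
and 'show ip access-lists' text.  All sample text is constructed; the
portal port and ISE hostname are assumptions.
"""
import re

PORTAL_PORT = 8443  # assumption: default ISE guest portal port

# Constructed sample: session before the guest logs in (CWA policies pushed)
SESSION_PREAUTH = """\
            Interface:  GigabitEthernet1/0/2
            User-Name:  54-E1-AD-A3-2C-1A
    Common Session ID:  AC1E31AA00000014003FF110
Server Policies:
         URL Redirect:  https://ise.example.test:8443/portal/gateway?sessionId=AC1E31AA00000014003FF110&action=cwa
     URL Redirect ACL:  ACL_WEBAUTH_REDIRECT
              ACS ACL:  xACSACLx-IP-SVKY_PREAUTH-5a5f0057
"""

# Constructed sample: ACLs as 'show ip access-lists' prints them
ACL_TEXT = """\
Extended IP access list ACL_WEBAUTH_REDIRECT
    10 permit tcp any any eq www
    20 permit tcp any any eq 443
Extended IP access list ACL_REDIRECT_TOO_WIDE
    10 permit ip any any
Extended IP access list xACSACLx-IP-SVKY_PREAUTH-5a5f0057
    10 permit ip any any
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?):\s{2,}(\S.*?)\s*$")
ACL_HEADER_RE = re.compile(r"^Extended IP access list (\S+)")
ACE_RE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*?)\s*$")


def parse_session(text):
    """Return the 'Key:  value' pairs of a session dump as a dict."""
    return {m.group(1).strip(): m.group(2)
            for m in map(FIELD_RE.match, text.splitlines()) if m}


def parse_acls(text):
    """Return {acl_name: [(action, protocol, rest_of_ace), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        h = ACL_HEADER_RE.match(line)
        if h:
            current, acls[h.group(1)] = h.group(1), []
            continue
        a = ACE_RE.match(line)
        if a and current is not None:
            acls[current].append(a.groups())
    return acls


def _dst_port(rest):
    # Destination port of an ACE ('eq www' -> '80'); None if not port-qualified
    m = re.search(r"\beq (\S+)$", rest)
    return {"www": "80", "https": "443"}.get(m.group(1), m.group(1)) if m else None


def check_cwa(session, acls, portal_port=PORTAL_PORT):
    """Return a list of findings; empty means the three CWA pieces look right."""
    findings = []
    url, sid = session.get("URL Redirect"), session.get("Common Session ID")
    if not url:
        findings.append("no URL Redirect in Server Policies: ISE did not push CWA")
    elif sid and f"sessionId={sid}" not in url:
        findings.append("redirect URL sessionId differs from Common Session ID")

    rname = session.get("URL Redirect ACL")
    if not rname:
        findings.append("no URL Redirect ACL in Server Policies")
    elif rname not in acls:
        findings.append(f"redirect ACL {rname} referenced by ISE but not defined on the switch")
    else:
        # In an IOS redirect ACL, 'permit' means "intercept and redirect" and
        # 'deny' means "let it through"; portal traffic itself must not be permitted.
        permitted = [(proto, _dst_port(rest))
                     for act, proto, rest in acls[rname] if act == "permit"]
        ports = {p for _, p in permitted}
        if not ports & {"80", "443"}:
            findings.append(f"redirect ACL {rname} does not redirect tcp/80 or tcp/443")
        if ("ip", None) in permitted or str(portal_port) in ports:
            findings.append(f"redirect ACL {rname} also intercepts portal traffic "
                            f"on tcp/{portal_port} (redirect loop)")

    dname = session.get("ACS ACL")
    if not dname:
        findings.append("no ACS ACL (dACL) in Server Policies: the port ACL stays in force")
    elif dname not in acls:
        findings.append(f"dACL {dname} was not installed on the switch")
    return findings


if __name__ == "__main__":
    print(check_cwa(parse_session(SESSION_PREAUTH), parse_acls(ACL_TEXT)) or "OK")
```

On a live switch, paste the two show outputs into `SESSION_PREAUTH` and `ACL_TEXT`. An empty result only says the three pieces are present and consistent; it does not prove the redirect is actually intercepting the client's HTTP traffic, which is what the thread's symptom points at.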
Title: Re: ISE 2.3 CWA redirection issue
Post by: MC on February 01, 2018, 08:36:28 PM
I just ran into an issue with failed URL redirect on a 3850/9300 switch running 16.3 and 16.6.1. Apparently there is a bug for this (see below). The symptom is very similar to what you described: the switch gets the redirect URL from ISE but the endpoint is not getting there, even though it can get there by copy/pasting the URL into the browser.

What switch model/version are you using? If you are running one of the version mentioned above, try to upgrade to 16.6.2

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc28540
Title: Re: ISE 2.3 CWA redirection issue
Post by: crismonilla on April 29, 2019, 11:30:14 PM
I also have the same problem for wired posture redirection. My ISE version is 2.1 patch 5 and the C9300 is on Everest 16.6.4a. Below is my setup:

pc-->switch-->firewall(transparent)-->core-->switch-->ISE