Hello,
I am having the redirection issue. The problem is that when I copy the URL redirect from the switch port and register as a guest from another PC the guest PC only then works. Worth to mention is that the guest PC can ping cisco (both domain and IP) before the guest registration from another PC. Anyone had/have this issue?
My goal is to achieve the following:
1. DOT1X for domain computers (which works fine and was pretty easy to setup)
2. MAB for printers, security cams, etc (doen't really matter if I use ISE or active directory for me)
3. Wire MAB for guest PC using CWA. (now this didn't work when I used active directory group for wired/wireless_mab or it might be that my authorization wasn't correctly configured)
My concerns or questions:
1. How many MAC addresses can ISE handle? (what if I have more than 1500 MAC addresses, can I import all into ISE)
My issue:
CWA doens't work for my guest PC using wired_mab. When I try to go to cisco.com from the guest PC it can't redirect me to the portal to guest account registration. Event hough I see that I have obtained an IP, but when I copy the redirect url from my switchport and and register an account from another PC the guest PC is able to connect to the Internet. Now I have to mention that the PC is able to ping cisco.com but it can't access cisco.com, I tried FF, Chrome and even IE, but same issue I even tried IP but it was the same.
I tried to debug ip http all but didn't see ANYTHING in the switch.
My aaa config:
aaa authentication dot1x default group ISE_GROUP
aaa authorization network default group ISE_GROUP
aaa authorization auth-proxy default group ISE_GROUP
aaa accounting system default start-stop group ISE_GROUP
aaa accounting dot1x default start-stop group ISE_GROUP
aaa accounting update newinfo periodic 2880
username RADIUS-TEST-USER password 7 REMOVED
!
aaa server radius dynamic-author
client 172.30.1.181
server-key 7 REMOVED
!
radius server KNETISE2001
address ipv4 172.30.1.181 auth-port 1812 acct-port 1813
automate-tester username RADIUS-TEST-USER probe-on
key 7 REMOVED
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
!
aaa group server radius ISE_GROUP
server name KNETISE2001
deadtime 15
!
aaa new-model
aaa session-id common
ACL:
ip access-list extended ACL_DEFAULT (port ACL,but it seems if I apply this on the port nothing works, after I removed it the guest PC was able to connect to the Internet)
permit udp any any eq domain
permit udp any eq bootpc any eq bootps
deny ip any any
ip access-list extended ACL_REDIRECT_ISE_BLACKLISTED_DEVICES (this is not applied anywhere, don't know what this should exist)
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended ACL_WEBAUTH_REDIRECT (used for my CWA in ISE)
permit tcp any any eq www
permit tcp any any eq 443
IP http config:
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http max-connections 48
ip http active-session-modules none
Port config:
interface GigabitEthernet1/0/1
switchport access vlan 3180
switchport mode access
authentication event fail action next-method
authentication event server dead action reinitialize vlan 20
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
se-sw01-018#sh authen se int g1/0/2 d
Interface: GigabitEthernet1/0/2
MAC Address: 54e1.ada3.2c1a
IPv6 Address: Unknown
IPv4 Address: 172.30.180.11
User-Name: 54-E1-AD-A3-2C-1A
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 57s
Common Session ID: AC1E31AA00000014003FF110
Acct Session ID: 0x00000009
Handle: 0x7E000007
Current Policy: POLICY_Gi1/0/2
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
URL Redirect: You are not allowed to view links.
Register or
Login URL Redirect ACL: ACL_WEBAUTH_REDIRECT
ACS ACL: xACSACLx-IP-SVKY_PREAUTH-5a5f0057
Method status list:
Method State
dot1x Stopped
mab Authc Success
This is after I copied the redirect url and registered from another PC:
se-sw01-018#sh authen se int g1/0/2 d
Interface: GigabitEthernet1/0/2
MAC Address: 54e1.ada3.2c1a
IPv6 Address: Unknown
IPv4 Address: 172.30.180.11
User-Name: llk2
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Session Uptime: 1802s
Common Session ID: AC1E31AA00000014003FF110
Acct Session ID: 0x0000000B
Handle: 0x7E000007
Current Policy: POLICY_Gi1/0/2
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Vlan: 3180
Method status list:
Method State
dot1x Stopped
mab Authc Success
I have checked dACL and CWA in the central_webauth profile and VLAN in surf_vlan profile
My dACL is at the moment permit ip any any.
All inputs are welcome and thank you in advanced for stepping by.
Here are the authentication, authorization policy and profile.
You are not allowed to view links.
Register or
Login