Central Web Auth with Anchor Controller and ISE

Similar Messages

• Not Working-central web-authentication with a switch and Identity Service Engine

  on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
  I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
  The interface configuration looks like this:
  interface FastEthernet0/24
  switchport access vlan 6
  switchport mode access
  switchport voice vlan 20
  ip access-group webauth in
  authentication event fail action next-method
  authentication event server dead action authorize
  authentication event server alive action reinitialize
  authentication order mab
  authentication priority mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  spanning-tree portfast
  end
  The ACL's
  Extended IP access list webauth
      10 permit ip any any
  Extended IP access list redirect
      10 deny ip any host 172.22.2.38
      20 permit tcp any any eq www
      30 permit tcp any any eq 443
  The ISE side configuration I follow it step by step...
  When I conect the XP client, e see the following Autenthication session...
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
             Interface:  FastEthernet0/24
            MAC Address:  0015.c549.5c99
             IP Address:  172.22.3.184
              User-Name:  00-15-C5-49-5C-99
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
       URL Redirect ACL:  redirect
           URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC16011F000000490AC1A9E2
        Acct Session ID:  0x00000077
                 Handle:  0xB7000049
  Runnable methods list:
         Method   State
         mab      Authc Success
  But there is no redirection, and I get the the following message on switch console:
  756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
  756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  I have to mention I'm using an http proxy on port 8080...
  Any Ideas on what is going wrong?
  Regards
  Nuno

  OK, so I upgraded the IOS to version
  SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
  I tweak with ACL's to the following:
  Extended IP access list redirect
      10 permit ip any any (13 matches)
  and created a DACL that is downloaded along with the authentication
  Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
      10 permit ip any any
  I can see the epm session
  swlx0x0x#show epm session ip 172.22.3.74
       Admission feature:  DOT1X
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
  And authentication
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
       Interface:  FastEthernet0/24
       MAC Address:  0015.c549.5c99
       IP Address:  172.22.3.74
       User-Name:  00-15-C5-49-5C-99
       Status:  Authz Success
       Domain:  DATA
       Oper host mode:  multi-auth
       Oper control dir:  both
       Authorized By:  Authentication Server
       Vlan Group:  N/A
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
       Session timeout:  N/A
       Idle timeout:  N/A
       Common Session ID:  AC16011F000000160042BD98
       Acct Session ID:  0x0000001B
       Handle:  0x90000016
       Runnable methods list:
       Method   State
       mab      Authc Success
  on the logging, I get the following messages...
  017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
  017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
  017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
  017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
  017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
  017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
  What I'm I missing?

• 5760 Central Web Auth with ISE

  Hi,
  I am having problems with getting central web auth to work on the 5760, I cant seem to find any documentation for the 5760-Central Web Auth.
  The setup is with a Cisco 5760 and Cisco ISE, for guest users to be re-directed to ISE guest portal to authenticate. Has anyone configured this or have any advice, that would be great.
  Thanks

  Hi Roger,
  I have gotten CWA running on the 5760 with ISE, below is the config for the guest SSID:
  wlan Guest 1 TEST-guest
  aaa-override
  ip dhcp required
  mac-filtering cwa_macfilter
  mobility anchor 10.1.1.100
  nac
  no security wpa
  no security wpa akm dot1x
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  security dot1x authentication-list ISE_Auth_Group
  session-timeout 14400
  no shutdown
  ! ***You will need the following commands as well:
  ip http server
  ip http authentication local
  ip http secure-server
  aaa authentication login ISE_Auth_Group group ISE
  aaa authorization network cwa_macfilter group ISE
  Hope it helps =)

• Guest ssid with anchor controller and Web policy

  We have a WLC4404 and and anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest ssid to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client join the guest ssid but neither get an ip address from the dhcp server nor go anywhere. Is we disable the web authentication all works fine again. We are runnig 4.0.206.0 on both WLC. Anyone can help us?

  Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.

• Web auth with , intenal web page of WLC and ISE as radius server

  Hi All ,
  We have created a SSID as web auth with internal web page for login . In advanced tab we configured AAA server.  AD is integrated with ISE .
  When the user tries to get connect , he is getting redirect URL . But during the authentication , we are getting error in ISE as
  "ise has problems communicating with active directory  using its machine credentials "  and authentication getting failed .
  When we have L2 security mechanism enabled with PEAP , ISE is able to read the AD and providing authentication .
  Only for L3 web auth it is not happening..
  Any clue on this ..???
  Thanks,
  Regards,
  Vijay.

  Machine credentials requires a lookup on the computer OU and that has to be defined on the client side.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Do Anchor controller and foreign controller have to run on the same code version?

  Hi All,
  I have a 4402 anchor controller and 8 4402/4404 foreign controllers all running on code 4.2.61.0 for 1 year without any problem. All guest users are connected to the foreign controllers and then tunneled back to the anchor controller. Right now I need to replace a 25-AP license 4402 foreign controller with a 50-AP license 4402 controller. The new controller is running on code 7.0.116.0. I am wondering if the new controller can join the mobility anchor group so that guest users won't lose connectivity after the swap.
  Please advise. Thank in advance.
  Robert

  Hi,
  The below link will answer ur question!! (Inter Release controller Mobility )
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_0_116_0.html#wp568458
  Lemme know if this answered ur question and please dont forget to rate the usefull posts!!
  Regards
  Surendra

• How to generate CSR on switches for web auth with NGS

  Hello
  I am doing a dot1x solution with web auth on cisco 3750 switches.
  Once the wired client get put into web auth state (after dot1x and mab) and goes to a website, he gets a certificate warning. This is because the certificate of the cisco switch is selfsigned.
  I want to use a verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth, will not know the internal CA.
  Is there any way to solve this?
  Greetings
  Steven

  Hi Steven,
  The below document is actually for IOS SSLVPN, but the certificate portion should be the same:
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html
  Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.
  Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".
  This document goes into a little more detail on all the indivual commands and what they do:
  http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html
  Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.
  Thanks,
  Nate

• How many connections supports a web interface with each camera and how many Adobe Encoder clients does AMS support? AMS Standart

  How many connections supports a web interface with each camera and how many Adobe Encoder clients does AMS support? AMS Standart. We need connect by  Adobe Encoder many people. what is differences between Adobe Media Server 5 Professional, Adobe Media Server 5 Standard and Adobe Media Server 5 Extended?

  For the detailed list of differences across editions refer this link
  http://www.adobe.com/in/products/adobe-media-server-family/buying-guide-comparison.html

• 3px framed picture on a Web page with Internet Explorer and Google Chrome appears normal, but Firefox is on the right side frame 9px. Why?

  3px framed picture on a Web page with Internet Explorer and Google Chrome appears normal, but Firefox is on the right side frame 9px. Why?

  I'm not seeing this.
  Reset the page zoom on pages that cause problems: <b>View > Zoom > Reset</b> (Ctrl+0 (zero); Cmd+0 on Mac)
  * http://kb.mozillazine.org/Zoom_text_of_web_pages
  Can you attach a screenshot?
  * http://en.wikipedia.org/wiki/Screenshot
  Use a compressed image type like PNG or JPG to save the screenshot and make sure that you do not exceed the maximum file size (1 MB).

• WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

  Hi there,
  Is it possibe to use sleeping clients when using ISE and CWA?
  I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
  Or is the only solution to use LWA?

  Controller-> General-> User Idle Timeout (seconds) = 50 000 sec.
  And your users will be connected all this time even if they going in sleepmode
  be carefull with CPU loading

• Using ISE for guest access together with anchor controller WLC in DMZ

  Hi there,
  I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
  To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
  As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
  Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
  Thx
  Frank

  So i ran into a similar scenario on a recent deployment:
  We had the following:
  WLC-A on private network (Inside)
  ISE Servers ISE01 and ISE02 (Inside)
  WLC-B Anchor in DMZ for Guest traffic (DMZ)
  ISE Server 3 (DMZ)
  ISE01 and ISE02 are used for 802.1X for the private network WLAN.
  Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
  The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
  So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
  In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

• Web-Auth with 802.1x

  Environment is WLC 2106 with 4 LWAPP access points. Currently running 2 WLANs: 1 using 802.1x authentication with a Windows IAS (RADIUS) server for Active Directory authentication; 1 using basic WEP for guest access that drops the user in it's own secure VLAN.
  I am trying create a 3rd WLAN that uses Web-Authentication using 802.1x RADIUS that passes the username/password to the Windows IAS server. I can see the request being passed to the IAS server, but it is being logged on the IAS server as:
  An Access-Request message was received from RADIUS client WLAN Controller without a message authenticator attribute when a messages authenticator attribute is required. Verify the configuration of the RADIUS client in the Internet Authentication Service snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.
  I already have the one WLAN using 802.1x where the RADIUS client on the IAS server has the "Request must contain the Message Authenticator attribute" checkbox checked and it works jsut fine. It is just the Web-Auth using 802.1x where it seem the authentication isn't being passed properly to the RADIUS server. I cannot figure out what I am doing wrong or missing.

  Hi,
  I don't know if you have resolved the problem or not, But I will propose my solution anyway,
  There are two ways to solve this problem, either to make the controller send the radius request with md5 or make the windows reply to the radius requests that does not contain a md5 hash
  Microsoft Solution:
  When you add the Radius Client using the wizard there are certain options that don't show; for instance the md5 attribute that is causing the IAS to drop the web auth requests. So what you need to do is after you use the wizard, you right click on the client that you added (in our case the WLC) and uncheck the box that says "Access-Request message must contain the Message-Authenticator attribute" (attached is a screenshot).
  That should make the IAS respond to the web auth requests.
  WLC Solution:
  I haven't tested this solution, but I think it will work. if you did test it, please let me know how it turned out.
  By default, the Web Radius Authentication is set to "PAP" (can be found in the Controller Tab @ the WLC GUI), you need to set it to MD5-CHAP. (attached is another screenshot).
  Hope that solves your problem, and please let me know how the problem was solved.

• Web Auth with AAA (RAIDUS) Failure

  Hi Guys,
  We are having an issue with out Web Auth Using AAA Servers. We get the following error: AAA Authentication Failure for UserName:14t.park User Type: WLAN USER, This error is from the Web Interface, I have been looking at the debug settings to see if there is anything that might give me more detail of what is going on but I can see anything under the Web-Auth Debug for AAA Authentication.
  I have checked on our RAIDUS Servers and I can't find any errors relating to Authentication with the NPS.
  Does anyone have any suggestions?

  Machine credentials requires a lookup on the computer OU and that has to be defined on the client side.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Web auth with proxy

  I want the automatic redirection to the login page work when a proxy is configured in the IE parameters.
  I used the command "config network web-auth-port 8080", but when I open IE, I'm not redirected to the login page (the DNS request works).
  When I do a "telnet www.google.com 8080" and then "get http", I get the page.
  Any idee?

  In my experience it does not work with a proxy. If you disable the proxy you will get the login and then get redirected, which will then fail until you enable the proxy settings. WLC will try to resolve the homepage of that user, which of course will fail since it doesn't know of the proxy. You will have to either use a term and condition on a custom WebAuth page or implement a content filter application like WebSense.

• Web Auth with Mac Filtering

  I am trying to setup a scenario where a user logs in via Web Auth and witha  successfull connection the Mac Address is remembered for 7 days. That way if the user connects again during the course of 7 days they aren't required to authenticate via web auth again they just get access. After 7 days they will need to login again through the web auth. Similar scenario to what you see at a Hotel wireless network. Anyone know how I would go about setting up the dyanmic mac filtering and set the timer for 7 days? With that said I want it to be for a single SSID.

  well, it's not possible with just the WLC.
  You can do it, but you need to have a way to pull the MAC address from the webauth page, and insert that into a LDAP db, which you control the age out process in.
  Then on a subsequent visits they get mac-authed instead of having to re-accept the page.
  in the webauth config you would check the On MAC filter failure box.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered