Cisco Auto Anchor Web Authentication - NAS IP Address

Hi,
I've setup auto anchor web authentication for my guest network. I want my Web Authentication requests to be authenticated by ISE however need the authenticating device to be the Anchor Controller.
I setup the WLAN to authenticate against ACS4.2 and it works correctly, the NAS IP address is the Anchor controller. When changing the WLAN to auth again my ISE 1.2 server, authentications are sourced from the foreign controller.
Has anyone come across this or know why ISE is seeing the NAS IP Address as the foreign wireless controller?
Thanks,

Similar Messages

Cisco 5508 external web authentication

Hi all,
Firstly, I do apologise as this question has been posted in another forum, I believe it is the wrong one though hence me posting here.
I am running with a pair of Cisco 5508 controllers with 7.4.121.0 installed. We offer a guest Internet service to our user base and guests. To access the guest service a user must first authenticate via an externally hosted server, I won't go into the specifics but it is a secure service will a valid, signed cert for the login page. The issue I am hitting is that when a user logs into the portal the controller cert is then displayed (2.2.2.2) which returns a cert error. It kind of makes the service look insecure when it isn't. I've read numerous articles about creating CSRs, etc and loading certificates on the controller, but the issue we have is that we use externally hosted DNS servers for the service and they are refusing to create a DNS record. We can't use internally hosted DNS servers as this breaks our security policy. Is there any other way around this or do I just have to have the user accept the cert error?
Thanks

I hear you and I was under the same impression. If I go through the steps I followed maybe it can be explained..
Upgraded the primary controller from 6.0.x to 7.0.x a, APs upgraded. Upgraded FUS to 1.9. Upgraded controller to 7.4.121.0, upgraded APs. APs joined the controller. Disabled WebAuth Secure Web. Followed same steps for secondary controller. Shutdown primary controller to test failover to secondary. APs did not failover. Waited 15 mins, debugged CAPWAP and saw nothing coming in. Brought primary back online, waited 15 mins, debugged CAPWAP and saw nothing coming in. Waited a further 15 mins. Still no APs joining. Enabled WebAuth Secure on the primary, and boom, all the APs joined the primary. Not sure if this was just a coincidence, but this was the behaviour I witnessed. I'm running a pair of 5508's.
I've not witnessed this before, but this is the first time I've disabled this setting. Understand it has nothing to do with APs joining and may just be a coincidence, but this is what I experienced. I ran out of time during the change window so couldn't test this further and try to simulate again, will try again when the next window becomes available.

Cisco Ise Central Web authentication not working

Hello Guys,
CWA is not working. It says that authentication suceeded but posture status is pending. No error in my Monitor--authentication. Checking it in my Windows 7, it does not shows the CWA portal.
What might be the possible problem of this.?
thanks

Kindly review the below links:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

Cisco ISE Local Web Authentication via Switch

Hello,
I have Cisco ISE 1.2 and I need local webauthentication for clients.
I want to send webauthentication link via switch.
I made a research for it but I meet ACS documents :
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/WebAuth/WebAuth_Dep_Guide.html#wp393321
and ISE central webauthentication documents for it.
Is there local webauth in ISE via switch?
Thanks,
Alparslan

Hello Alparslan,
Please check the following link,
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

Is local EAP + Web Authentication possible in Auto Anchor Configuration

Hi,
I have a wireless network setup in an auto-anchor configuration with the foreign and anchor controllers. Due to the foreign controller being owned and managed by another company, I have an interesting authentication scenerio I would like to acheive. We can't implement full EAP-TLS as we would have to allow authentications from the foreign controller which is owned and managed by another company.
Currently Web Authentication is working correctly for the Wireless Network. As another layer of security, I want to know if its possible for the wireless clients to trust a certificate installed on the foreign controller? If so, are you able to point me in the direction of a user guide to implement.
I found the following document which describes local EAP configuration . Would this work with Web Authentication?
Thanks

so, kinda but no. EAP is a layer 2 authentication that uses encryption as well.
WebAuth is a layer3 authentication only.
Now the kinda....you can create guest/network users on the WLC local database, and if someone logins to the webauth portal with those credentials they will be able to get on.
I'm not really sure what you are looking to do based on your post.
Personally, if I had users that were going to roam to this controller, I'd work with that companies IT and get it linked to my AAA server and keep the EAP-TLS that I had working already going. Just because that WLC would be able to communicate to your AAA doesn't mean their users would be able to get on, as they wouldn't have the machine or client certificate nor the Root CA cert on their machines.
HTH,
Steve

Cisco Wireless AP 2602 - Web Authentication/Pass NOT working?

Product/Model                                       Number:
AIR-CAP2602E-A-K9
Top                                       Assembly Serial Number:
System                                       Software Filename:
ap3g2-k9w7-xx.152-4.JB3a
System                                       Software Version:
15.2(4)JB3a
Bootloader                                       Version:
BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
When "Web Authentication/Pass" option checked, it is totally unaccessible to internal or external network, any clue/advice?
Thanks in advance.

Thanks, seems I missed the RADIUS part; after I done that it's still no luck, here are some tech support info, are you able to help?
------------------ show version ------------------
Cisco IOS Software, C2600 Software (AP3G2-K9W7-M), Version 15.2(4)JB3a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 23-Dec-13 08:11 by prod_rel_team
ROM: Bootstrap program is C2600 boot loader
BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
WuGa-CiscoAP uptime is 3 days, 19 minutes
System returned to ROM by power-on
System restarted at 23:18:39 +0800 Mon Feb 10 2014
System image file is "flash:/ap3g2-k9w7-mx.152-4.JB3a/ap3g2-k9w7-xx.152-4.JB3a"
Last reload reason:
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-SAP2602E-A-K9 (PowerPC) processor (revision A0) with 204790K/57344K bytes of memory.
Processor board ID FGL1650Z5X3
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: E0:2F:6D:A3:4D:0B
Part Number                          : 73-14511-02
PCA Assembly Number                  : 800-37898-01
PCA Revision Number                  : A0
PCB Serial Number                    : FOC164889AN
Top Assembly Part Number             : 800-38357-01
Top Assembly Serial Number           : FGL1650Z5X3
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP2602E-A-K9
Configuration register is 0xF
------------------ show running-config ------------------
Building configuration...
Current configuration : 5276 bytes
! Last configuration change at 23:36:14 +0800 Thu Feb 13 2014
! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname WuGa-CiscoAP
logging rate-limit console 9
enable secret 5
aaa new-model
aaa group server tacacs+ tac_admin
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login webauth group radius
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login web_list group radius
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone +0800 8 0
no ip cef
ip admission name webpass consent
ip admission name webauth proxy http
ip admission name webauth method-list authentication web_list
ip admission name web_auth proxy http
ip admission name web_auth method-list authentication web_list
ip admission name web-auth proxy http
ip admission name web-auth method-list authentication web_list
ip name-server 8.8.8.8
dot11 syslog
dot11 vlan-name GuestVLAN vlan 2
dot11 vlan-name InternalVLAN vlan 1
dot11 ssid Guest
   vlan 2
   web-auth
   authentication open
   mbssid guest-mode
dot11 ssid WuGa-6
   vlan 1
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 0211115C0A555C721F1D5A4A5644
dot11 ssid WuGa-60
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 03084C070900721F1D5A4A56444158
dot11 guest
username wuga lifetime 360 password 7 030D5704100A36594908
username Cisco privilege 15 password 7
bridge irb
interface Dot11Radio0
no ip address
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid Guest
ssid WuGa-6
antenna gain 2
stbc
mbssid
speed basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
channel 2452
station-role root
dot11 dot11r pre-authentication over-air
dot11 dot11r reassociation-time value 500
ip admission web-auth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
ip admission webauth
interface Dot11Radio1
no ip address
encryption mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid WuGa-60
antenna gain 4
peakdetect
no dfs band block
stbc
speed basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
power local 5
channel width 40-above
channel dfs
station-role root
dot11 dot11r pre-authentication over-air
dot11 dot11r reassociation-time value 500
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed 1000
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
interface BVI1
ip address 192.168.133.213 255.255.255.0
ip default-gateway 192.168.133.200
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 192.168.133.200
ip radius source-interface BVI1
ip access-list extended ALL
permit ip any host 0.0.0.0
permit ip any any
permit ip 0.0.0.0 255.255.255.0 any
ip access-list extended All
permit tcp any any established
permit tcp any any eq www
permit ip any any
radius-server local
nas 192.168.133.213 key 7 070C285F4D06
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
radius server 192.168.10.2
address ipv4 192.168.10.2 auth-port 1812 acct-port 1646
radius server local
address ipv4 192.168.133.213 auth-port 1812 acct-port 1813
key 7
bridge 1 route ip
line con 0
terminal-type teletype
line vty 0 4
terminal-type teletype
transport input all
sntp server 128.138.141.172
sntp broadcast client
end

Firefox 10 and IE 9 is not displaying Cisco ASA Web Authentication

Hi All,
We are having issue on AAA authentication page display for our ASA.
1. There 2 issue reported here.
2. First is customer cannot access the website using IE 9. But this is because there is security patch on customer PC.
3. After customer uninstall KB2585542, the website load fine.
4. Second issue is, today morning, there is auto update on FireFox which automatically upgrade users firefox to Firefox 10.
5. After these upgrade, users cannot load the website anymore.
6. Error message is Server Does Not Support RFC 5746/ CVE-2009-3555
7. Customer using Firefox as default Internet Browsing.
8. As workaround, customer have downgrade their Firefox to version 3.6.22 and it's working fine.
9. Java Version 6 update 23.
10. An Cisco case have been raise the check the compatibility of Cisco Web Authentication with the FF10
11. SR 620756799.
Firewall Version : ASA 5520 7.2(5)
Does anyone also experiencing the same issue? Any idea does this is a cisco bug or AAA issue.

Hi,
Please share the URL of the web site.
Regards,
Abhishek Maurya

OSX 10.10.1 with Cisco ISE guest portal using (CWA) central web authentication issue

We have Cisco Wireless with ISE (Identity Service Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest trying to browse the internet it will be redirected to guest protal for authentication. So only corporate guest with valid password can pass the portal authentication. This is been working fine for windows machine, android, and apple devices with earlier OS version (working on OSX 10.8.5). For clients that's been upgraded to OSX 10.10.1 or IOS 8 they can no longer load the CWA redirection page.
Please let us know if there's any setting under the OSX to solve the issue, or plan from apple to fix the issue on the next OSX/IOS release ?
thanks - ciscosx

Robert,
Manual assignment has been made available in ISE 1.2 release.
M.

Redirect to web authentication not working on Cisco 5508 Wireless Controller

Hi,
I have a wlan with web authentication:
http://i55.tinypic.com/w145zk.png
and
http://i51.tinypic.com/344sfm0.png
When I connect to the SSID (I get correct IP from the Cisco 5508 Controller) and try to surf, I do not get redirected to the web authentication page (https://1.1.1.1/login.html), when I manually insert the URL I get "cannot display the webpage". Any idea?
The virtual interface is 1.1.1.1.
Here is a screenshot of interface and internal dhcp:
http://i52.tinypic.com/2vkm1d2.png
Any idea why clients are not redirecting?
Thanks!

Thanks for the reply dmantil!
When I changed the Virtual DNS name to 1.1.1.1 (the same as the IP) I get redirected if I use http://198.133.219.25, but not with http://cisco.com, I get redirected only if I use IP.
I forgot to mention that the controller is in a lab with no access to DNS server. Does the controller check if the domain is valid before redirecting users? I cant find any documentation on how the controller redirect users.

Anchor Guest 3.2.171.6 Web Authentication page issue

Hi folks,
I'm having issues with our Anchor controller here running 3.2.171.6. Using a chain certificate for our Web authentication re-direct Page to a WEB-server. sometimes the Guest Clients are not re-directed to the WEb authentication page. After I reboot the Anchor this resolves the issue. I need to use this code to support the ipsec vpn module. any ideas would be appreciated.

you need to try to find a non-chained certificate. I know that most CA do not use these anymore, but need to find one. WLC does not support chained-certificate until 5.2. It may work, but it is not supported.
HTH,
Steve

Tablets and Cisco WLC Web Authentication

Hi my name is Ivan
I have a question:
I would like to know which are the tablets that support Web Authentication in Cisco WLC?.
Android, Samsung, others?
And wich are the requeriments of the tablet to use this way to authentication?
Regards
Ivan

Any device that has a browser which can generate HTTP(s) traffic utilizing a browser can use WLC Web Auth. If you're question is regarding being presented "automatically" with the captive portal I have seen this can be dependent on OS. From my reading about Droids (not hands on experience) the Android devices don't provide a captive portal query that would "automatically" bring up the WebAuth page when connected to an open network using L3 WebAuth security, but you then open your browser and try to hit any web page and you're fine. Apple IOS can handle this automatically (in most cases)
As long as the device can connect to the WLAN in question, open a browser, then try to navigate to some URL, it should work fine.

Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

Hi Guys,
I have a problems with case, i have diagrams sample like then : AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser
This is my Configure file on Aironet 2702i
Aironet2702i#show run
Building configuration...
Current configuration : 8547 bytes
! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Aironet2702i
logging rate-limit console 9
aaa new-model
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login DTSGROUP group radius
aaa authentication login webauth group radius
aaa authentication login weblist group radius
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa session-id common
clock timezone +0700 7 0
no ip source-route
no ip cef
ip admission name webauth proxy http
ip admission name webauth method-list authentication weblist
no ip domain lookup
ip domain name dts.com.vn
dot11 syslog
dot11 activity-timeout unknown default 1000
dot11 activity-timeout client default 1000
dot11 activity-timeout repeater default 1000
dot11 activity-timeout workgroup-bridge default 1000
dot11 activity-timeout bridge default 1000
dot11 vlan-name DTSGroup vlan 46
dot11 vlan-name L6-Webauthen-test vlan 45
dot11 vlan-name NetworkL7 vlan 43
dot11 vlan-name SGCTT vlan 44
dot11 ssid DTS-Group
vlan 46
authentication open eap DTSGROUP
authentication key-management wpa version 2
mbssid guest-mode
dot11 ssid DTS-Group-Floor7
vlan 43
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
dot11 ssid SaigonCTT-Public
vlan 44
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 3
eap profile DTSGROUP
description testwebauth-radius
method peap
method mschapv2
method leap
username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 46 mode ciphers aes-ccm
encryption mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid DTS-Group
ssid DTS-Group-Floor7
ssid L6-Webauthen-test
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
stbc
mbssid
packet retries 128 drop-packet
channel 2412
station-role root
rts threshold 2340
rts retries 128
ip admission webauth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface Dot11Radio1
no ip address
shutdown
encryption vlan 46 mode ciphers aes-ccm
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 45 mode ciphers ckip-cmic
ssid DTS-Group
ssid DTS-Group-Floor7
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
packet retries 128 drop-packet
channel 5745
station-role root
rts threshold 2340
rts retries 128
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
dot1x pae authenticator
dot1x authenticator eap profile DTSGROUP
dot1x supplicant eap profile DTSGROUP
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface BVI1
mac-address 58f3.9ce0.8038
ip address 172.16.1.62 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius server 172.16.50.99
address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
key 7 104A1D0A4B141D06421224
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
end
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
Account Name: xxxxxxxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
So i will explain problems what i have seen:
SSID: DTS-Group using authentication EAP with RADIUS and it working great (Authentication Type from Aironet to RADIUS is PEAP)
SSID:L6-Webauthen-test using web-auth and i had try to compare with RADIUS but ROOT CAUSE is AUTHENTICATION TYPE from Aironet to RADIUS default is PAP. (Reason Code : 66)
=> I had trying to find how to change Authentication Type of Web-Auth on Cisco Aironet from PAP to PEAP or sometime like that for combine with RADIUS.
Any idea or recommend for me ?
Thanks for see my case

Hi Dhiresh Yadav,
Many thanks for your reply me,
I will explain again for clear my problems.
At this case, i had setup complete SSID DTS-Group use authentication with security as PEAP combine Radius Server running on Window 2008.
I had login SSID by Account create in AD =>  It's work okay with me. Done
Problems occurs when i try to use Web-authentication on Vlan45 With SSID :
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
After configured on Aironet and Window Radius , i had try to login with Account create in AD by WebBrowser but it Fail ( i have see mini popup said: Authentication Fail" . So i go to Radius Server and search log on EventViewer.
This is My Logfile on Radius Win 2008 :
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Im think ROOT CAUSE is :
PAP is the default authentication type for web-auth users on Aironet 2702i, so it can't combine with Radius Window 2008 because they just support PEAP (CHAPv1,CHAPv2....) => Please give me a tip how to change Authentication Type from PAP to PEAP for Web Authentication on Aironet

ISE 1.2 web authentication problem with wired clients

Hello,
i am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
Redirecting the client works fine, but as soon the client opens a web browser and ISE websites open to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired messages appears on the client and i get an 86017 Session Missing message in ISE.
here the output form the debug aaa coa log.
Any ideas
thanks in advanced
Alex
! CLIENT CONNECT TO SWITCHPORT
ISE-TEST-SWITCH#show authentication sessions interface gi0/3
Interface: GigabitEthernet0/3
MAC Address: 001f.297b.bd82
IP Address: 10.2.12.45
User-Name: 00-1F-29-7B-BD-82
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1484640000026B28C02CDC
Acct Session ID: 0x0000029C
Handle: 0x8C00026C
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE
! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
ISE-TEST-SWITCH#
191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
191527: .Jun 24 10:42:24.340 UTC: RADIUS: authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
191528: .Jun 24 10:42:24.340 UTC: RADIUS: NAS-IP-Address [4] 6 172.20.132.100
191529: .Jun 24 10:42:24.340 UTC: RADIUS: Calling-Station-Id [31] 19 "00:1F:29:7B:BD:82"
191530: .Jun 24 10:42:24.340 UTC: RADIUS: Acct-Terminate-Cause[49] 6 admin-reset [6]
191531: .Jun 24 10:42:24.340 UTC: RADIUS: Event-Timestamp [55] 6 1403606529
191532: .Jun 24 10:42:24.340 UTC: RADIUS: Message-Authenticato[80] 18
191533: .Jun 24 10:42:24.340 UTC: RADIUS: E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E [ <Ggi=aSn]
191534: .Jun 24 10:42:24.340 UTC: RADIUS: Vendor, Cisco [26] 43
191535: .Jun 24 10:42:24.340 UTC: RADIUS: Cisco AVpair [1] 37 "subscriber:command=bounce-host-port"
191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
191537: .Jun 24 10:42:24.340 UTC: ++++++ CoA Attribute List ++++++
191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
191543: .Jun 24 10:42:24.349 UTC:
191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
ISE-TEST-SWITCH#
191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
! SESSION ID CHANGES, USER ENTERS CREDENTIALS
! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
ISE-TEST-SWITCH#show authentication sessions interface gi0/3
Interface: GigabitEthernet0/3
MAC Address: 001f.297b.bd82
IP Address: 10.2.12.45
Status: Running
Domain: UNKNOWN
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1484640000026C28C2FA05
Acct Session ID: 0x0000029D
Handle: 0x2C00026D
Runnable methods list:
Method State
dot1x Running
mab Not run

Guest authentication failed: 86017: Session cache entry missing
try adjusting the UTC timezone during the guest creation in the sponsor portal.
86017
Guest
Session Missing
Session ID missing. Please contact your System Administrator.
Info

Central web authentication

I have downloaded the new Cisco ISE, I've managed to configure 802.1x and MAB succesfully but I want to configure wired centralized web authentication, but I cannot find any documentation how to configure ISE and Cisco Catalyst (IOS) switches to use this feature (I only find (limited) documentation about local web auth on the switch).
I want to achieve the following authentication order on a switchport:
802.1x
MAB
central web authentication
So if a guest user comes with his laptop, 802.1x is not configured on his laptop and he's not in the Mac Bypass DB, he should "failover" to web auth and get the ISE guest portal webpage with his web browser. There he enters a guest username and password (which is of course already in the ISE DB) and he should get web access.
I've configured the switchport with the following commands
switchport access vlan 99
switchport mode access
switchport voice vlan 50
authentication event no-response action authorize vlan 32
authentication host-mode multi-domain
authentication order dot1x mab webauth
authentication port-control auto
authentication violation protect
authentication fallback webprofile
mab
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 2
spanning-tree portfast
spanning-tree bpduguard enable
the web-profile with access-list to permit DHCP traffic between the attached device and any DHCP server in the vlan 99, and communications with ISE (also in vlan 99) at the moment "fallback webprofile" is triggered (I don't know if this should be configured with central webauth?)
SW01T#sh fallback profile webprofile
Profile Name: webprofile
Description : webauth profile
IP Admission Rule : NONE
IP Access-Group IN: 133
FYI, the access list:
Extended IP access list 133
10 permit ip any host 10.175.0.29
30 permit udp any any eq bootps
40 permit udp any eq bootpc any
In the ISE, I configured DOT1x and MAB. In the MAB profile, I configured "continue" if user is unknown, and then an authorization profile for the web authentication:
(attributes of the profile):
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=webauth
cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&portal=https://10.175.0.29:8443/guestportal/gateway?sessionId=SessionIdValue&portal=http&action=cwa&action=cwa
But it doesn't work. If I attach a device, it tries 802.1x, it tries MAB, then it fails over to "web authentication" but immediately fails with "no-response" message:
001420: Jul 1 12:09:19: %AUTHMGR-5-START: Starting 'webauth' for client (0011.2
5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0
AAF003E000000582E866B69
001422: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'webauth' for cl
ient (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B
69
001423: Jul 1 12:09:19: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication
methods for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003 001420:
Is there some configuration guide or steps available in order to make this work please?
kind regards

Hi Tarik,
thank you for the fast reply.
I've configuried the extra settings you told me (although I thought the ip admission configuration was only for local web authentication (where the switch acts as a http server).
But it still doesn't work. The pc is getting the ip address from the dhcp server but if I open a browser session, I do not get redirected to the ISE portal in order to log me in with a Guest account.
If I look at the authentication session of the port, it looks like the ISE has correctly sent the redirect acl and redirect url to the switchport:
Switch# show auth sessions int fa 1/0/3
           Interface: FastEthernet1/0/3
         MAC Address: 0011.25d7.6c6c
          IP Address: 10.175.0.229
           User-Name: 001125d76c6c
              Status: Authz Success
              Domain: DATA
     Security Policy: Should Secure
     Security Status: Unsecure
      Oper host mode: multi-domain
    Oper control dir: both
       Authorized By: Authentication Server
          Vlan Group: N/A
    URL Redirect ACL: webauth
        URL Redirect: https://ISE.onemrva.priv:8443/guestportal/gateway?session
Id=0AAF003E0000175A43004FE3&action=cwa
     Session timeout: N/A
        Idle timeout: N/A
   Common Session ID: 0AAF003E0000175A43004FE3
     Acct Session ID: 0x000018CF
              Handle: 0xEF00075B
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
       webauth Not run
As you can see, the "web authentication" is the result of a "succesful MAB". This is because I had to configure ISE to continue on MAB if the user was not found (I found that somewhere in documentation). Then I have configured a default authorization profile where the "web authentication" is triggered. This is where I've configured the redirect-url and so on and this is of course sent to the switch as a succesfull MAB:
authorization profile "webauthentication" with the "centralized web authentication" settings configured (see attributes output):
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=webauth
cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
Actually, I really have no idea if I have correctly configured ISE to handle central web authentication...
If I check the "show ip admission cache", nothing is seen in there.

FlexConnect (aka H-REAP) and Auto-Anchor functionality

Hi Board,
I never did H-REAP on my wireless deployments. Now, I have an H-REAP (FlexConnect) requirement for branch offices.
Also there is the requirement for guest access at the same time.
From my understanding those features (FlexConnect and Auto-Anchor) should work together.
Please refer to the following exibit:
There is a FlexConnect AP at my branch office. The traffic from internal users (SSID "Internal") should be switches locally at the LAP (Lightweight Access Point). At the same time the guest SSID (SSID "Guest") should be tunneled back via CAPWAP to the controller to which the LAP is associated ("Central Controller"). The guest traffic should not emerge (switched) at the "Central Controller", instead it should be tunneled to an anchor controller in a DMZ via an "Ethernet Over IP tunnel" (Auto-Anchor functionality).
First question: Does this work (FlexConnect in conjunction with Auto-Anchor functionality)?
If this works, where's the web portal for guest authentication hosted (if using the internal web auth on WLC)? On the "central controller" or the Anchor controller? (I guess at the Anchor Controller in the DMZ, right?)
Is it possible to leave the guest SSID "open" with no webauth and still using the Anchor Controller? This would be needed if I have an external web authentication service, which would be hosted by a provider.
Thanks in advance for all your replies!
Johannes

The Flex 7500 deployment guide ("
http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml
") states:
"The Cisco FlexConnect Solution also supports Central Client Data Traffic, but it should be limited to Guest data traffic only."
later in the document there is a section about Guest access that states "Flex 7500 will allow and continue to support creation of EoIP tunnel to your guest anchor controller in DMZ."
Hope that helps.

Cisco Auto Anchor Web Authentication - NAS IP Address

Similar Messages

Maybe you are looking for