CWA with ISE 1.2 on WLC 7.6
Hi,
I referred to the below document from Cisco but still struggling to get the CWA working. The mab status is sucessfull, but the wireless user isnt getting an IP address.
the SSID prompts up with "unable to join network" while in the background the MAB authentication is successful.
redirection acl's are set on the WLC but i don't see any hits on them.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
any suggestions or expert advise is much appreciated.
Hello,
Can you publish here screenshot your policy sets authorization, and results profiles
And, i try help you
Similar Messages
-
Cannot Open the URL of CWA with ISE
Hi Folks,
I have a problem when doing the CWA with ISE so that I can Provide the access of the network for the guests.
Everything goes fine except the URL of the CWA: When the guests open the explorer and enter a domain after connecting the SSID, they will be redirected to the URL like "https://hostname.demo.com:8443/guestportal/..................." which starts with the hostname of the ISE and the domain-name of the ISE, but for us, we don't have any AD and LAN DNS for our network so that we cannot translate the hostname.demo.com into the IP of the ISE, so can I just change the URL into IP type like "https://10.10.10.70:8443/guestportal"?Screenshot of a screenshot (sorry) attached.
Basically it's in authorization policy, allows you to use a static DNS or IP address -
Hi,
we have an ISE 1.2 (Patch 5), two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
aaa authentication login Webauth_ISE group ISE
aaa authorization network cwa_macfilter group ISE
aaa authorization network Webauth_ISE group ISE
aaa accounting network ISE start-stop group ISE
aaa server radius dynamic-author
client 10.232.127.13 server-key 0 blabla
auth-type any
radius-server attribute 6 on-for-login-auth
radius-server attribute 31 send nas-port-detail mac-only
wlan test4guests 18 test4guests
aaa-override
accounting-list ISE
client vlan 1605
no exclusionlist
mac-filtering cwa_macfilter
mobility anchor
nac
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list Webauth_ISE
no shutdown
wc5# debug aaa coa
Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
Feb 27 12:19:08.444: RADIUS: authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
Feb 27 12:19:08.444: RADIUS: NAS-IP-Address [4] 6 10.232.127.11
Feb 27 12:19:08.444: RADIUS: Calling-Station-Id [31] 14 "40f308c3c53d"
Feb 27 12:19:08.444: RADIUS: Event-Timestamp [55] 6 1393503547
Feb 27 12:19:08.444: RADIUS: Message-Authenticato[80] 18
Feb 27 12:19:08.444: RADIUS: 22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56 [ "aB6wV]
Feb 27 12:19:08.444: RADIUS: Vendor, Cisco [26] 41
Feb 27 12:19:08.444: RADIUS: Cisco AVpair [1] 35 "subscriber:command=reauthenticate"
Feb 27 12:19:08.444: RADIUS: Vendor, Cisco [26] 43
Feb 27 12:19:08.444: RADIUS: Cisco AVpair [1] 37 "subscriber:reauthenticate-type=last"
Feb 27 12:19:08.444: RADIUS: Vendor, Cisco [26] 49
Feb 27 12:19:08.444: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0aea2001530f2e1e000003c6"
Feb 27 12:19:08.444: COA: Message Authenticator decode passed
Feb 27 12:19:08.444: ++++++ CoA Attribute List ++++++
Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
Feb 27 12:19:08.444:
Feb 27 12:19:08.444: ++++++ Received CoA response Attribute List ++++++
Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
Feb 27 12:19:08.444:
wc5#Reason for this are two bugs which prevent this from working:
https://tools.cisco.com/bugsearch/bug/CSCul83594
https://tools.cisco.com/bugsearch/bug/CSCun38344
This is embarrassing because this is a really common scenario. QA anyone?
So, with ISE and 5760 CWA is not working at this time. -
Having a heck of a time getting this to work.
First option is for the device to try and authenticate using Dot1X/EAP-TLS - for domain-connected devices only.
If that fails, they want the option to pop a CWA portal where they can enter either AD creds, or internal Guest user creds.
My challenge is the Policies and where to insert.
I'm using Policy Sets in ISE 1.2
Currently, I have these statements in the Default Policy Set:
Rule Name
Conditions
Permissions
Wired Guest Portal Auth
if Net Access:UseCase EQUALS Guest Flow
Permit Access
Wired Guest Redirect
if Wired_MAB
Wired CWA
What i figured is if they fail the .1X, they'll drop down here to Wired MAB, and that will initiate a redirect and Guest Flow.
Couple problems:
First, it does seem to try; a show auth sess shows the proper redirect URL getting sent to the switchport.
Unfortunately, my browser pop gives me a certificate not recognized error, and if i try to continue anyways, it doesn't do anything. Wireless Guest, which I copied works fine.
Second challenge is that it forces the redirect whether i have the switch (NAD) in Monitor Mode or Low Impact Mode. This is a problem because there are multiple sites, and we're cutting each over to Low Impact progressively.
Does anyone have any insight, or a document laying out in step by step terms implementing this?
thanks in advance.Hi Andrew! Yes, good job on fixing the portal issue!
And yes, the authorization rules are considered even in an open mode! And you are also correct that you will need to create different rules to account for NADs that are in production and for NADs that are in monitor mode. I have always liked using a separate Policy Set for Monitor Mode and a separate Policy Set for Production Mode. Then I used device location to match against these conditions. For each location I have two sub-groups: One for Monitor and one for Production. That way I can move a NAD from monitor mode to full production by simply changing its group.
Lastly, yes, your CWA rules should be at the bottom of your production authorization rules.
Thank you for rating helpful posts! -
CWA with WLC Firmware 7.0.228 and ISE 1.1.1
Hi,
Does Cisco ISE central web authentication supports on WLC version 7.0.228 ?
My customer has many access points which are support only for firmware code 7.0.228.
Cisco ISE version 1.1.1
WLC 5500 Series but the existing access point is cannot support to 7.3
Thanks,
Pongsatorn ManeesudTarik is correct, you need 7.2.x and later to use CWA with ISE. Here is a general summary of features supported on ISE on 7.0 and 7.2 versions of code:
Scenarios WLC 7.0 7.2
802.1X Auth Yes Yes
802.1X + Posture Yes Yes
802.1X + Profiling Yes Yes
Web Auth + Posture No * Yes
Web Auth + Profiling Inventory only * Yes
Central Web Auth(CWA) No * Yes
Local Web Auth(LWA) Yes Yes -
LWA Guest Access with ISE and WLC
Hi guys,
Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :
1. Guests try to connect wifi with SSID Guest
2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :
https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
5. After that the Guest Login Page will appear, and guests input their username and password.
6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.
I know it happened when guests didn't have the WLC Login Page Certificate...
My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?
Thx 4 your answer and sorry for my bad English....Thx for your reply Peter, your solution is right,
i don't choose CWA, because their DNS is not stable...
i've found the problem...
the third-party CA is revoked, so there is no way it will success until it fixed...
and there is no guarantee, they will fix it soon..
so solution that we choose is by disable "HTTPS" on WLC...
"config network web-auth secureweb disable".
"config network web-auth secureweb disable".
"config network web-auth secureweb disable".
"config network web-auth secureweb disable".
"config network web-auth secureweb disable"
thank you all... -
Wireless guest access with CWA and ISE using mobility anchor
My team is trying to demo wireless guest access using CWA with an ISE server. We appear to be hitting an issue when combining this with mobility anchoring.
When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound. The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.FOREIGN
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0 cur: 0
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station: (callerId: 20) in 10 seconds
*radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
*radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
MAC: 00:1e:c2:c0:96:05, source 2
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is 0
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
type = Airespace AP Client
on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID = 255,
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 84, Local Bridging intf id = 0
*mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP chaddr: 00:1e:c2:c0:96:05
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP requested ip: 10.130.98.8
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP chaddr: 00:1e:c2:c0:96:05
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP ciaddr: 0.0.0.0, yiaddr: 10.130.98.8
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP siaddr: 10.30.4.173, giaddr: 0.0.0.0
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP server id: 1.1.1.2 rcvd server id: 1.1.1.2
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 84, Local Bridging intf id = 0
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
*pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
*pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
*pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
MAC: 00:1e:c2:c0:96:05, source 2
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 84, Local Bridging intf id = 0
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is 1
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station: (callerId: 49) in 3600 seconds
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
*apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
*apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
*pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
*pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4 -
WLC with ISE as radius and also external web server
Hi friends,
I am biulding a wireless network with 5508 WLC and trying to use ISE as radius server and also to redirect the web-login to it.
I was trying to understand that to achieve the external web-login, do i need to use the raduius-nac option under advanced on the guest wireless where i am trying this out. and if not, where do i actually use it?
So far what i have understood that i do need to have preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
any suggestions would be higly appreciated guys!
Regards,
MohitHi mohit,
Please make sure the below steps for guest auth thru ISE,
1)Add the WLC in your ISE as netork devices.
2)In Guest SSID you need to choose the pre authentication acl.That acl should allow the below traffic
a. any to ISE
b.ISE to any
c.any to dns server
d.dns to any
3)The external redirect url will be
https://ip address:8443/guestportal/Login.action
4)AAA server for that SSId would be your ISE ip with port number 1812.
5)In advanced tab please choose the AAA override. No need of radius nac.
6)Create appropriate authorization profile in ISE for guest.Example is below , -
Cisco WLC with ISE - need to restrict access during non-business hours
Hello,
We have a requirement to turn off our wireless during non-business hours. We have a 5508 WLC with ISE. What is the best way to accomplish this task?
Thank you in advance.
BethAside from Steve's respond, there are several methods of doing this and this will all depend on how complex your network is and how technical you want to do this.
1. As what Steve said, use PI and you can define several schedules when to turn off/on the SSID;
2. If you have corporate access, you can use AD to schedule non-business hours;
3. If you have Cisco PoE switches, you can enable EnergyWise to power off the APs;
4. If you manage your core network, you can enable time-based ACL to disable the default gateway of the dynamic interface which is attached to your SSID.
The most "destructive" method is option #3, because there are chances that your AP won't power up properly, if not power up at all. -
Web auth with , intenal web page of WLC and ISE as radius server
Hi All ,
We have created a SSID as web auth with internal web page for login . In advanced tab we configured AAA server. AD is integrated with ISE .
When the user tries to get connect , he is getting redirect URL . But during the authentication , we are getting error in ISE as
"ise has problems communicating with active directory using its machine credentials " and authentication getting failed .
When we have L2 security mechanism enabled with PEAP , ISE is able to read the AD and providing authentication .
Only for L3 web auth it is not happening..
Any clue on this ..???
Thanks,
Regards,
Vijay.Machine credentials requires a lookup on the computer OU and that has to be defined on the client side.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered" -
Limit the number of session per user in the Wired dot1x environment with ISE 1.2
Hello,
I need to check if there is any configuration/workaround to limit the number of sessions/access per user in the Wired dot1x configuration.
I need to check if this feature is available or not to solve the following scenario:
I have 2 SW ports configured to use dot1x authentication with ISE 1.2 server.
If user A connects to the 1st port and authenticated then he will placed on a VLAN based on the authorization profile.
The case, that I need to deny the same user to connect on a different machine with the same credentials.
The ISE itself does not have this feature currently, the only feature available is to limit the number of sessions for the guest user.
Is there any workaround on the Cisco switches to solve this? Cisco WLC has this feature and for the VPN we can limit the number of sessions also from the ASA itself.
Thanks.limit number of session per user using wired dot1x is not available in 1.3
-
CWA using ISE and mobility anchor
My team is trying to demo wireless guest access using CWA with an ISE server. We appear to be hitting an issue when combining this with mobility anchoring.
When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound. The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.FOREIGN
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0 cur: 0
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
*apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
*apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station: (callerId: 20) in 10 seconds
*radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
*radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
*apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
MAC: 00:1e:c2:c0:96:05, source 2
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is 0
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
*apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
type = Airespace AP Client
on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID = 255,
*mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 84, Local Bridging intf id = 0
*mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
*pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP chaddr: 00:1e:c2:c0:96:05
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP requested ip: 10.130.98.8
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP chaddr: 00:1e:c2:c0:96:05
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP ciaddr: 0.0.0.0, yiaddr: 10.130.98.8
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP siaddr: 10.30.4.173, giaddr: 0.0.0.0
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP server id: 1.1.1.2 rcvd server id: 1.1.1.2
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID
*DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 84, Local Bridging intf id = 0
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
*DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
*pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
*pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
*pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
MAC: 00:1e:c2:c0:96:05, source 2
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
IPv4 ACL ID = 255, IPv6 ACL ID
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206 Local Bridging Vlan = 84, Local Bridging intf id = 0
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is 1
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station: (callerId: 49) in 3600 seconds
*apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
*apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
*apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
*pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
*pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4 -
Hi Everyone,
I have a issue trying to deploy Flexconnect in WLC integrated with ISE.
In the scenario, the users are working properly through the wireless network and they are able to authenticate, the NAC agent is invoked and everyone can get authorization access to the network using Radius NAC as NAC State. But when we tick the feature ""FlexConnect Local Switching"" and change the users cannot get IP Address from DHCP and the client status in WLC show POSTURE_REQD.
We can see this in ISE that the user is able to authenticate but never get authorization and the NAC state is not showing in the PC.
Any idea about this issue?? This is maybe any limitation or configuration error?
RegardsThere are some documents for this type of deployment:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080c090eb.shtml
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bcb905.shtml#anc13
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Existing environment has a dedicated guest controller. Principal would like to retain the guest controller in the DMZ and open ports for CWA to ISE inside the firewall. The question is on configuration of the wireless LAN. Should the foreign controller be configured for MAC auth? Obviously the anchor would need to be but not sure about the foreign.
When you have anchor/foreign, the web auth traffic always go to the anchor, so with CWA, the traffic from the anchor to the ISE will need to be permitted . go through the following link this may of help
https://supportforums.cisco.com/docs/DOC-26442 -
5760 Central Web Auth with ISE
Hi,
I am having problems with getting central web auth to work on the 5760, I cant seem to find any documentation for the 5760-Central Web Auth.
The setup is with a Cisco 5760 and Cisco ISE, for guest users to be re-directed to ISE guest portal to authenticate. Has anyone configured this or have any advice, that would be great.
ThanksHi Roger,
I have gotten CWA running on the 5760 with ISE, below is the config for the guest SSID:
wlan Guest 1 TEST-guest
aaa-override
ip dhcp required
mac-filtering cwa_macfilter
mobility anchor 10.1.1.100
nac
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list ISE_Auth_Group
session-timeout 14400
no shutdown
! ***You will need the following commands as well:
ip http server
ip http authentication local
ip http secure-server
aaa authentication login ISE_Auth_Group group ISE
aaa authorization network cwa_macfilter group ISE
Hope it helps =)
Maybe you are looking for
-
Hi everyone, I'm having some trouble with Facebook for iPhoto. I recently migrated my buisness profile to a Page, per Facebook's rules, so when I log-in, I only have my Page. I connected the e-mail and password with iPhoto and have been trying to upl
-
Why has my iBook app frozen? I was perusing a list of authors and got stuck on Jane Austin. I can't get back to the home page and my book shelf. Pleas help!
-
NullPointerException, how do i get rid of?
Hey guys, I'm totally puzzled by this one. All i'm trying to do is to change the content of JTextField(), but every time i do i get a NullPointerException. Here's the code: public class PrivateMessageWindow extends JFrame private Container conta
-
Copying from dvd to hard drive. processs freezes
copying a MP4 from dvd to hard drive. 95% complete then frozen. unable to stop download, or eject dvd. what now?
-
Is HP dv6-1220sp SATA III compatible
hello, i bought a samsung 840 evo ssd disk and the Samsung magician software says that my system does not support SATA 3. there are any update i can make to support SATA 3 ? thank's in advance.