ISE Problem

Hi Experts
We have new ISE servers on our network and they work well,
but lately I faced the problem below:
The ISE is integrated to get the authentication from the Microsoft Active Directory, which depends on the Windows login username/password, and the dot1x configuration and settings are pushed to the users' PCs via the Active Directory, so the user can't change them.
If the user logs in to Windows successfully, the ISE puts the user in the quarantine VLAN, then checks the policy and, if it passes, assigns full access to the user.
Our system admins force the users to change their password on a monthly basis, so when the password expires the authentication fails, the ISE does not assign any VLAN to the user, and he can't change the password on the Active Directory because he is disconnected from the network.
So I need a way to make the switch assign a restricted VLAN that can reach the Active Directory once the user plugs in the network cable, regardless of whether he authenticates successfully or not.
Our switch configuration is:
aaa new-model
aaa authentication login default local
aaa authentication login TEST group radius
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 10.10.10.238 server-key C1sc0
aaa session-id common
system mtu routing 1500
authentication mac-move permit
ip device tracking
interface FastEthernet0/2
switchport access vlan 22
switchport mode access
switchport voice vlan 110
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
ip access-list extended ACL-POSTURE-REDIRECT
deny   ip any host 10.10.10.238
deny   ip any host 10.10.10.239
deny   udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
ip access-list extended webauth
permit tcp any any eq www
permit tcp any any eq 443
deny   ip any host 10.10.10.238
deny   ip any host 10.10.10.239
ip radius source-interface Vlan10
ip sla enable reaction-alerts
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 20 tries 3
radius-server host 10.10.10.238 auth-port 1812 acct-port 1813
radius-server host 10.10.10.239 auth-port 1812 acct-port 1813
radius-server key C1sc0
radius-server vsa send accounting
radius-server vsa send authentication
Any suggestions to solve this problem?
Regards,
Reyad

Hi Edondurquti,
Yes, you are right.
I changed the authentication method from user authentication to computer authentication, so when you plug the network cable into the PC it starts authentication and the ISE assigns the quarantine VLAN to the port, so the password-change problem is solved.
The computer authentication solved many problems I faced during implementation:
- When you try to connect remotely to your PC at the office (when I applied user authentication), it was connected for seconds, then the PC re-authenticated and was assigned to the quarantine VLAN, so I lost the connection to my PC.
- The password-expiry problem happened with user authentication, especially when you set the option to use the Windows login. It's a big problem.
- Many PCs can connect to the network using the same username/password, and this is also a big problem.
- There is no way to enforce the users to join the domain if you use user authentication: you can log in locally at your PC, then at the popup screen you can enter the AD user.
By using computer authentication all the above problems are solved, the connection became more stable, and all PCs are enforced to join the domain to get authenticated.
Another helpful command on the switch is to assign a restricted, configured VLAN to the switches as native VLAN, and you can apply the command below on the interface to assign a VLAN when the authentication fails:
Switch(config-if)#authentication event fail action authorize vlan
I hope this can help you in case you faced the above problems.
Reyad
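As an added example (my own code, not from the thread or from Cisco), the following Python script lints an IOS running-config for 802.1X-controlled ports that have no fallback VLAN at all, which is the situation in the original question: once authentication fails the host gets nothing. The FastEthernet0/2 stanza is the one from the post, re-indented the way IOS prints it; FastEthernet0/3 (with an assumed restricted VLAN 99) and the trunk port are constructed for contrast.

```python
"""Lint IOS interface stanzas for 802.1X ports that leave the host with no
VLAN when authentication fails, no supplicant answers, or RADIUS is dead."""
import re

PORT_CONTROL = "authentication port-control auto"

# (check name, regex that one sub-command must satisfy, what its absence means)
CHECKS = [
    ("auth-fail",
     r"^authentication event fail action (authorize vlan \d+|next-method)$",
     "no action on dot1x failure: a host with an expired AD password "
     "stays unauthorized and cannot reach AD to change it"),
    ("no-response",
     r"^authentication event no-response action authorize vlan \d+$",
     "no guest VLAN for hosts that never answer EAP"),
    ("server-dead",
     r"^authentication event server dead action authorize( vlan \d+)?$",
     "no critical VLAN if all RADIUS servers stop responding"),
]

# Constructed sample: Fa0/2 is the stanza from the post (re-indented),
# Fa0/3 is a hardened variant with assumed VLAN 99, Gi0/1 is an uplink.
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 switchport access vlan 22
 switchport mode access
 switchport voice vlan 110
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 22
 switchport mode access
 switchport voice vlan 110
 authentication event fail action authorize vlan 99
 authentication event no-response action authorize vlan 99
 authentication event server dead action authorize vlan 22
 authentication event server alive action reinitialize
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description uplink, not access-controlled
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' stanza to its list of sub-commands.
    Sub-commands are the indented lines that follow; '!' or any other
    non-indented line closes the stanza (standard IOS layout)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw[0].isspace():
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or another top-level command
    return stanzas


def lint(config: str) -> dict:
    """Return {interface: [finding, ...]} for 802.1X ports missing a
    fallback. Ports without 'authentication port-control auto' are
    skipped because the switch is not enforcing authentication there."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if PORT_CONTROL not in cmds:
            continue
        missing = [f"{check}: {why}" for check, pattern, why in CHECKS
                   if not any(re.match(pattern, c) for c in cmds)]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, problems in lint(SAMPLE_CONFIG).items():
        print(port)
        for p in problems:
            print("  -", p)
```

The check is a text-level heuristic over the saved config; it does not validate IOS syntax or whether a given platform supports each command.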

Similar Messages

  • AD Machine Authentication with Cisco ISE problem

    Hi Experts,
    I am new to ISE. I have configured ISE and the domain computers for PEAP authentication. Initially the machine gets authenticated and then it starts going to MAB.
    Authentication policy:
    Allowed protocols = PEAP & TLS
    Authorization policy:
    Condition for computers to be checked in the external identity store (AD) = Permit access
    Condition for users to be checked in the external identity store (AD) plus WasMachineAuthenticated = Permit access
    All of the above policies do match and download the ACL from ISE, but the computer starts MAB authentication again...
    Switchport configuration:
    ===============================================
    ip access-list extended ACL-DEFAULT
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    permit ip any host (AD)
    permit icmp any any
    permit ip any host (ISE-1)
    permit ip any host  (ISE-2)
    permit udp any host (CUCM-1) eq tftp
    permit udp any host (CUCM-2) eq tftp
    deny ip any any
    ===============================================
    switchport config
    ===============================================
    Switchport Access vlan 10
    switchport mode access
    switchport voice vlan 20
    ip access-group ACL-DEFAULT in
    authentication open
    authentication event fail action next-method
    authentication event server dead action authorize vlan 1
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication timer inactivity 180
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 100
    ====================================================
    One more problem about "authentication open" and the default ACL: once the authentication succeeds and the per-user ACL is pushed through ISE to the switch, the default ACL still blocks communication on this switchport.
    Your help will be highly appreciated.
    Regards,

    You need to watch the switch during an authentication and see if the machine is passing authentication while the user may be failing authentication, causing the switch to fail over to MAB. If your switch configuration is "on auth failure continue to next method", then this makes sense. The question is why the user is failing auth while the machine is passing; it could be something in the policy. Make sure your AD setup has machine authentication checked, or it may not tie the machine and user auth together, and the user may be failing because ISE can't make that relationship, so machinewasauth=true is not being matched. An easy way to check is to remove that rule from your policy and see if the same thing happens.
    I've also seen this happen when clients want to use EAP-TLS on the wired side: the machine passes auth, then the user logs into a machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate; since this is an auth failure, the switchport kicks over to MAB.
    I don't think wasmachineauth=true is that great; I prefer to use EAP-FASTv2 using Cisco AnyConnect NAM with EAP chaining. This is great because you can do two-part authentication: EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also write my rule to say: if machine passes and user fails, then workstation policy; if machine and user pass, then corp policy.

  • ISE problem with EAP-TLS Supplicant Provisioning

    Hi All,
    I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software.  The aim of the demo is to provision a device's supplicant with an EAP-TLS Certificate...  'device on-boarding'
    The entire CWA / Device Registration process is all fine and works well. I'm using a publicly signed cert on ISE that is built from [Root CA + Intermediate CA + Host Cert], which is used for both HTTPS and EAP, and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory. All of this works fine.
    The problem is that when ISE pushes the WLAN config down to the device, it instructs the Client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA.  This leads to a problem where the Client doesn't trust the Certificate presented to it from ISE.  There doesn't seem to be any way to configure this behaviour within ISE.
    Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
    Cheers,
    Richard
    PS - Also using WinSPWizard 1.0.0.28

    Hi Richard,
    This is a misbehavior that ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon. Engineering is almost ready with the fix.
    Istvan Segyik
    Systems Engineer
    Global Virtual Engineering
    WW Partner Organization
    Cisco Systems, Inc
    Email: [email protected]
    Work: +36 1 2254604
    Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

  • ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

    Hello, I've been stuck with this problem for 3 weeks now.
    I'm not able to configure EAP-TLS authentication.
    In the "Certificate Store" of the ISE server I have installed the Root, Policy and Issuing certificates as "trust for client authentication", and in the Local store I have a certificate issued by the same issuing authority which signs the client ones.
    The ISE's certificate has been issued with the "Server Authentication certificate" template.
    The clients have the certificates installed, and also the certificate chain.
    When I try to authenticate the wireless clients I always get the same error: "Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
    and "OpenSSLErrorMessage=SSL alert
    code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
    I don't know what else I can do.
    Thank you
    Jorge

    Hi Rik,
    Below are the certificate details:
    ISE certificate signed by XX-CA-PROC-06
    User PKI signed by XX-CA-OTHER-08
    In the ISE certificate store I have the below certificates:
    XX-CA-OTHER-08 signed by XX-CA-ROOT-04
    XX-CA-PROC-06 signed by XX-CA-ROOT-04
    XX-CA-ROOT-04 signed by XX-CA-ROOT-04
    ISE certificate signed by XX-CA-PROC-06
    I have enabled 'Trust for client authentication' on all three certificates.
    This is unchecked: 'Enable Validation of Certificate Extensions (accept only valid certificate)'.
    When I check the certificates of the current user on the client PC, this is how it shows:
    XX-CA-ROOT-04 is listed in Trusted Root Certification Authorities
    and XX-CA-PROC-06 and XX-CA-OTHER-08 are in Intermediate Certification Authorities.

  • ISE problem "Joined to domain but disconnected"

    Hi all experts.
    I recently have experienced this issue.
    I have been using ISE 1.1.2.145 joined to AD since the ISE was released, but I never saw this error before.
    I did not touch any configuration, and I was trying to test CWA with multiple WLCs.
    I finished all the configuration for CWA, and I was verifying whether it is working.
    While I was trying to log in as a user on AD, I could not, so I looked it up on External Identity Source and the error appears.
    Does anyone know why it is giving me that error?
    The ISE and AD both see the same NTP, the time difference between them is only 1 minute, and the timezone is the same.
    Even though they are looking at the same NTP, it's outside the private network and it is isolated.
    Also, they are able to ping each other. DNS is working. I don't see why it is not working.
    Can anyone help me with this problem?

    I had this issue as well but my NTP settings were correct and the time was not slipped at all.
    I logged into the cli and ran this: #sh logging application ad_agent.log tail
    which led me to this error:
    2013-11-15T07:55:57.177566-06:00 host-psn1 adclient[10469]: INFO  base.bind.healing Lost connection to DVN.COM(GC). Running in disconnected mode: KDC refused skey: Preauthentication failed
    2013-11-15T07:55:57.282448-06:00 host-psn1 adclient[10469]: ERROR base.adagent Can't use default machine password. Please reset computer account in Active Directory.
    Go into Active Directory Users and Computers and right click on the computer account object and click reset account.
    Which resulted in these log entries:
    2013-11-15T07:57:57.473370-06:00 host-psn1 adclient[10469]: INFO  samba.interop Attempting interoperability with untested Samba version .
    2013-11-15T07:57:58.266485-06:00 host-psn1 adclient[10469]: INFO  base.bind.healing Reconnected to odcmsadrw002p.dvn.com(GC).  Running in connected mode.
    2013-11-15T07:58:25.006230-06:00 host-psn1 adclient[10469]: INFO  daemon.main Start trusted domain discovery
    2013-11-15T07:58:25.058151-06:00 host-psn1 adclient[10469]: INFO  daemon.main Trusted domain discovery complete : 4 domains found
    2013-11-15T07:58:25.058189-06:00 host-psn1 adclient[10469]: INFO  daemon.main Have new domain info map: flushing all negative objects
    2013-11-15T07:58:25.100676-06:00 host-psn1 adclient[10469]: INFO  base.kerberos.krb5conf Wrote /etc/krb5.conf
    That fixed me up. Hope this helps someone else out there.
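The reply above reads the diagnosis off ad_agent.log by eye. As an added example (my code, not part of the reply), this Python script parses those adclient lines, follows the disconnected/connected transitions, and surfaces the reset-computer-account remediation; the sample is the excerpt from the reply, including the line that wrapped onto a second line when it was pasted.

```python
"""Triage adclient entries from ISE's ad_agent.log for the
'Joined to domain but disconnected' symptom."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+[+-]\d{2}:\d{2}) (?P<host>\S+) "
    r"adclient\[(?P<pid>\d+)\]: (?P<level>[A-Z]+)\s+(?P<comp>\S+) (?P<msg>.*)$")

# (regex over the message, AD connection state it implies, remediation hint)
RULES = [
    (r"Running in disconnected mode: (?P<detail>.+)", "disconnected", None),
    (r"Can't use default machine password", "disconnected",
     "reset the ISE node's computer account in Active Directory Users and "
     "Computers; adclient then re-binds with the new machine password"),
    (r"Reconnected to (?P<detail>\S+)\. +Running in connected mode",
     "connected", None),
]

# Sample taken from the reply above; the fourth entry is wrapped as pasted.
SAMPLE_LOG = """\
2013-11-15T07:55:57.177566-06:00 host-psn1 adclient[10469]: INFO  base.bind.healing Lost connection to DVN.COM(GC). Running in disconnected mode: KDC refused skey: Preauthentication failed
2013-11-15T07:55:57.282448-06:00 host-psn1 adclient[10469]: ERROR base.adagent Can't use default machine password. Please reset computer account in Active Directory.
2013-11-15T07:57:57.473370-06:00 host-psn1 adclient[10469]: INFO  samba.interop Attempting interoperability with untested Samba version .
2013-11-15T07:57:58.266485-06:00 host-psn1 adclient[10469]: INFO  base.bind.healing Reconnected to odcmsadrw002p.dvn.com(GC).  Running in connected
mode.
2013-11-15T07:58:25.006230-06:00 host-psn1 adclient[10469]: INFO  daemon.main Start trusted domain discovery
2013-11-15T07:58:25.058151-06:00 host-psn1 adclient[10469]: INFO  daemon.main Trusted domain discovery complete : 4 domains found
2013-11-15T07:58:25.058189-06:00 host-psn1 adclient[10469]: INFO  daemon.main Have new domain info map: flushing all negative objects
2013-11-15T07:58:25.100676-06:00 host-psn1 adclient[10469]: INFO  base.kerberos.krb5conf Wrote /etc/krb5.conf
"""


def parse_lines(text: str) -> list:
    """Split the log into one dict per entry. A line that does not start
    with a timestamp is treated as the wrapped tail of the previous
    message rather than being dropped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(m.groupdict())
        elif entries and raw.strip():
            entries[-1]["msg"] += " " + raw.strip()
    return entries


def triage(text: str) -> dict:
    """Walk the entries in order and return the final AD connection state,
    the state transitions with their timestamps, and any remediation
    hints the messages point to."""
    state, timeline, hints = "unknown", [], []
    for e in parse_lines(text):
        for pattern, new_state, hint in RULES:
            m = re.search(pattern, e["msg"])
            if not m:
                continue
            state = new_state
            timeline.append((e["ts"], new_state, m.groupdict().get("detail")))
            if hint and hint not in hints:
                hints.append(hint)
    return {"state": state, "timeline": timeline, "hints": hints}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ts, st, detail in report["timeline"]:
        print(ts, st, detail or "")
    print("final state:", report["state"])
    for h in report["hints"]:
        print("hint:", h)
```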

  • ISE problem with VM-esxi4

    I tried to install ISE on VM ESXi 4 but it seems to get stuck after setup...
    ESX server: Lenovo with 4 GB RAM
    Does anyone have a similar issue?

    Hello,
    You might be using corrupt software for Cisco Identity Services Engine.
    Please download the latest software from the link below and try. I installed the same and it's working.
    http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.1.3&relind=AVAILABLE&rellifecycle=&reltype=latest

  • ISE problem with BYOD smart solution...

    Hi
    I did all configurations in the byod smart solution.
    and I was curious how they identify the OS of devices.
    I wanted to use 'Session:Devices-OS', but it seems not to work.
    Also,
    I want to profile self-registered devices, so if someone registers their iPad 2 or iPhone,
    I want them to be profiled in Mobile under RegisteredDevices (I was able to create a group called Mobile under RegisteredDevices),
    and I want to use this identity group when I create authorization rules.
    Is there any way to do it?
    I hope this is clear enough to be understood.
    thank you.
    Best regards.
    Justin

    Hi,
    The following thread covers the answer you are after.
    https://supportforums.cisco.com/message/3744919#3744919
    Basically the device-os attribute is satisfied through posturing or using nmap. Not through http/dns/dhcp profiling.
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ISE 1.2, Patch 7: "NAK requesting to use PEAP instead"

    We're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the Windows supplicant to use EAP only?
    For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
    Personas: Administration
    Role: PRIMARY(A)
    System Time: Apr 24 2014 08:26:58 AM America/New_York
    FIPS Mode: Disabled
    Version: 1.2.0.899
    Patch Information: 7,1,3
    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    15049 Evaluating Policy Group
    15008 Evaluating Service Selection Policy
    15048 Queried PIP
    15048 Queried PIP
    15004 Matched rule
    11507 Extracted EAP-Response/Identity
    12500 Prepared EAP-Request proposing EAP-TLS with challenge
    12625 Valid EAP-Key-Name attribute received
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12301 Extracted EAP-Response/NAK requesting to use PEAP instead
    12300 Prepared EAP-Request proposing PEAP with challenge
    12625 Valid EAP-Key-Name attribute received
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318 Successfully negotiated PEAP version 0
    12800 Extracted first TLS record; TLS handshake started
    12805 Extracted TLS ClientHello message
    12806 Prepared TLS ServerHello message
    12807 Prepared TLS Certificate message
    12810 Prepared TLS ServerDone message
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12318 Successfully negotiated PEAP version 0
    12812 Extracted TLS ClientKeyExchange message
    12804 Extracted TLS Finished message
    12801 Prepared TLS ChangeCipherSpec message
    12802 Prepared TLS Finished message
    12816 TLS handshake succeeded
    12310 PEAP full handshake finished successfully
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12313 PEAP inner method started
    11521 Prepared EAP-Request/Identity for inner EAP method
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    11522 Extracted EAP-Response/Identity for inner EAP method
    11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    15041 Evaluating Identity Policy
    15006 Matched Default Rule
    15013 Selected Identity Source - *****
    24431 Authenticating machine against Active Directory
    24470 Machine authentication against Active Directory is successful
    22037 Authentication Passed
    11824 EAP-MSCHAP authentication attempt passed
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814 Inner EAP-MSCHAP authentication succeeded
    11519 Prepared EAP-Success for inner EAP method
    12314 PEAP inner method finished successfully
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    15036 Evaluating Authorization Policy
    24433 Looking up machine in Active Directory - host/*****
    24435 Machine Groups retrieval from Active Directory succeeded
    15048 Queried PIP
    15048 Queried PIP
    15048 Queried PIP
    15048 Queried PIP
    15048 Queried PIP
    15004 Matched rule - Default
    15016 Selected Authorization Profile - DenyAccess
    15039 Rejected per authorization profile
    12306 PEAP authentication succeeded
    11503 Prepared EAP-Success
    11003 Returned RADIUS Access-Reject

    salodh,
    Thank you for your response. Below is the authorization policy it should hit. The trouble is the workstation wants to use PEAP for some reason but we don't want PEAP because we're certificate-based. I understand what you're saying, and it's because I didn't word my question correctly. 
    12500 Prepared EAP-Request proposing EAP-TLS with challenge
    12625 Valid EAP-Key-Name attribute received
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12301 Extracted EAP-Response/NAK requesting to use PEAP instead
    If the NAK would not request PEAP, it would continue on to the following Authorization Policy (and succeed):
    Name: Wired-******-PC
    Conditions:
    Radius:Service-Type EQUALS Framed
    AND Radius:NAS-Port-Type EQUALS Ethernet
    AND *******:ExternalGroups EQUALS **********/Users/Domain Computers
    AND Network Access:EapAuthentication EQUALS EAP-TLS
    Again, this PEAP request only happens occasionally. This same workstation will work on other days/times. If I could figure out why some workstations randomly request PEAP (or find a way to force EAP-TLS only), I think that would take care of it.
    Thanks again, sir.
    Andrew
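An added example (mine, not the poster's or Cisco's) that parses a copied ISE Steps listing like the ones in this thread and reports which outer EAP method ISE offered, what the supplicant NAK'd to, and why the session ended in a reject; the sample is a trimmed copy of the trace in this post.

```python
"""Summarise an ISE authentication 'Steps' listing (the Live Log detail)
to see what EAP method was offered, what the supplicant answered, and
which authorization profile ended the session."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Trimmed from the listing above, in "code description" form.
SAMPLE_STEPS = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12816 TLS handshake succeeded
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
24470 Machine authentication against Active Directory is successful
22037 Authentication Passed
15036 Evaluating Authorization Policy
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
"""

CODE_ONLY = re.compile(r"^\d{5}$")
CODE_TEXT = re.compile(r"^(?P<code>\d{5})\s+(?P<text>\S.*)$")


@dataclass
class Summary:
    offered: list = field(default_factory=list)  # outer methods ISE proposed, in order
    nak_to: Optional[str] = None                 # method the supplicant asked for instead
    negotiated: Optional[str] = None             # outer method actually used
    auth_result: Optional[str] = None            # 'passed' / 'failed'
    authz_profile: Optional[str] = None
    radius_result: Optional[str] = None          # last Access-* packet returned


def parse_steps(text: str) -> list:
    """Return (code, description) pairs. Accepts both 'code description'
    lines and the two-line form (code on one line, text on the next) that
    copying from the ISE UI produces, as in the post above."""
    steps, pending = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if CODE_ONLY.match(line):
            pending = line
        elif (m := CODE_TEXT.match(line)):
            steps.append((m.group("code"), m.group("text")))
        elif pending:
            steps.append((pending, line))
            pending = None
    return steps


def summarize(steps: list) -> Summary:
    s = Summary()
    for code, text in steps:
        inner = "inner" in text  # PEAP inner-method lines are not the outer negotiation
        if (m := re.search(r"proposing (\S+) with challenge", text)) and not inner:
            s.offered.append(m.group(1))
        elif (m := re.search(r"NAK requesting to use (\S+) instead", text)):
            s.nak_to = m.group(1)
        elif (m := re.search(r"accepting (\S+) as negotiated", text)) and not inner:
            s.negotiated = m.group(1)
        elif code == "22037":
            s.auth_result = "passed"
        elif text.startswith("Authentication failed"):
            s.auth_result = "failed"
        elif (m := re.match(r"Selected Authorization Profile - (.+)", text)):
            s.authz_profile = m.group(1).strip()
        elif (m := re.match(r"Returned RADIUS (Access-\S+)", text)):
            s.radius_result = m.group(1)
    return s


def diagnose(s: Summary) -> str:
    """Explain an Access-Reject: when the supplicant NAKs the offered method,
    a rule conditioned on EapAuthentication EQUALS EAP-TLS cannot match and
    the session falls through to the default profile."""
    if s.radius_result != "Access-Reject":
        return "no Access-Reject in this trace"
    if s.nak_to and s.offered and s.nak_to != s.offered[0]:
        return (f"supplicant refused {s.offered[0]} and negotiated "
                f"{s.negotiated or s.nak_to}; authz fell through to {s.authz_profile}")
    return f"rejected by authorization profile {s.authz_profile}"


if __name__ == "__main__":
    summary = summarize(parse_steps(SAMPLE_STEPS))
    print(summary)
    print(diagnose(summary))
```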

  • WLC, FlexConnect, ISE: Dynamic VLAN not working

    Hi,
    Not sure if this is a WLC or ISE problem, but since I am unsure of the WLC config I will try here first.
    Equipment:
    WiSM2 7.2.111.3
    ISE 1.1.1.268
    AP 3502 in FlexConnect
    What I want to achieve:
    One SSID, multiple VLANs
    Devices get profiled in ISE and, based on the type of device, each gets assigned to a VLAN
    Problem:
    When the device connects the first time it ends up in the native VLAN and is not switched to the right VLAN, but when I reconnect it is added to the right VLAN.
    WLC config (I know you like images so here you go):
    I must be missing something but I can't figure out what. I will be attaching a debug aaa event enable for when the client connects the first time.
    In ISE I have an Authorization Profile that just says VLAN ID/Tag 158 (the VLAN that the device should go to) and it is added to the Authorization rule of the profiled device. CoA is set to Reauth.
    When the client connects I get three events in ISE:
    1.
    Authentication failed :
    22056 Subject not found in the applicable identity store(s)
    2. Authentication Success. With the results:
    UserName=00:18:DE:A2:BC:3A
    User-Name=00-18-DE-A2-BC-3A
    State=ReauthSession:c20e8b2f0000027e50ed27f8
    Class=CACS:c20e8b2f0000027e50ed27f8:ISE01/144259326/671335
    Termination-Action=RADIUS-Request
    Tunnel-Type=(tag=1) VLAN
    Tunnel-Medium-Type=(tag=1) 802
    Tunnel-Private-Group-ID=(tag=1) 158
    cisco-av-pair=profile-name=AX-Intel-Device
    3.
    Dynamic Authorization failed :
    11213 No response received from Network Access Device
    Has anyone got this to work? Do I need to add FlexConnect groups? If so then why?
    Regards,
    Philip

    I think you're hitting CSCua58554
    The bug toolkit description is horrible... From what I recall when I ran into it, I believe that FlexConnect has a problem with MAC-filtering-based AAA override on open WLANs (and/or CWA-based). In general, AAA override works fine when it comes from something like an EAP authentication.
    We had to use a 7.3 ES to resolve it.
    Looks like it is implemented in 7.4 though. If you don't want to join the 7.4 bandwagon quite yet, you could ask TAC for an ES of 7.3; I don't think they have a 7.2 build.

  • ISE doesn't remove URL redirect

    We have an ISE problem, in that the URL redirect sent to the access switch for guest auth is not removed even after successful authentication.
    Debug shows RADIUS activity as normal, 802.1X failover to MAB, then redirect to webauth:
    003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
    003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
    003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
    003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY
    003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa| RESULT SUCCESS
    NWS-TSL-HATB3F3-DistSW1#
    003069: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS          
    Then after successful authentication, the VLAN is moved and xACSACLx-IP-PERMIT_ALL_TRAFFIC is sent, but the redirect is sent again from ISE. We've been over the configs several times, but can't get to the bottom of this. Can anyone shed any light?
    003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245
    000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
    003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
    NWS-TSL-HATB3F3-DistSW1#
    003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa| RESULT SUCCESS
    003142: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS

    Fixed it!
    Great info from Tarik above, which led me to the issue. My authz policy for redirect didn't include Network Access:Usecase=Host Lookup, so this policy still (incorrectly) remained =true after valid guest authentication. As this policy remained =true, ISE was correctly applying the URL redirect. Once I sorted the policy, by adding ...AND Network Access:Usecase=Host Lookup, all worked as expected.
    After valid guest auth we now see DACL 'PERMIT_GUEST' and move to VL1040 as expected, without the URL redirect.
    003543: Aug 22 19:03:15.169: %EPM-6-POLICY_REQ: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT APPLY
    003544: Aug 22 19:03:15.186: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-REQUEST
    003545: Aug 22 19:03:15.354: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-SUCCESS
    003546: Aug 22 19:03:15.354: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-WAIT
    NWS-TSL-HATB3F3-DistSW1#  
    003547: Aug 22 19:03:15.849: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767
    000069: Aug 22 19:03:15.241: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767 (NWS-TSL-HATB3F3-DistSW1-2)
    NWS-TSL-HATB3F3-DistSW1#  
    003548: Aug 22 19:03:17.560: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    003549: Aug 22 19:03:17.560: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_GUEST-50350e3a| RESULT SUCCESS

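    As an added example (not part of the original thread), the following Python script parses %EPM-6-POLICY_APP_SUCCESS and %AUTHMGR-5-VLANASSIGN lines of the kind quoted above, groups them by AuditSessionID, and flags any session that received a full-access DACL together with a CWA URL redirect, which is exactly the symptom the policy fix removed. The sample lines are abbreviated copies of the switch output quoted in this post; the PERMIT_ALL name pattern used to recognise a full-access DACL is an assumption taken from those lines.

```python
import re
from collections import defaultdict

# Constructed sample: one-line abbreviations of the switch log excerpts quoted in the
# post above (session ...7201857889 = initial redirect, ...7401914245 = the broken
# post-login session, ...8501C99767 = the session after the policy fix).
SAMPLE_LOG = """\
003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa| RESULT SUCCESS
003069: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa| RESULT SUCCESS
000069: Aug 22 19:03:15.241: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767 (NWS-TSL-HATB3F3-DistSW1-2)
003549: Aug 22 19:03:17.560: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_GUEST-50350e3a| RESULT SUCCESS
"""

# Field layout of the two IOS messages as they appear in the quoted logs.
EPM_RE = re.compile(
    r"%EPM-6-POLICY_APP_SUCCESS: IP (?P<ip>\S+)\| MAC (?P<mac>\S+)\| "
    r"AuditSessionID (?P<sid>\w+)\| AUTHTYPE \S+\| POLICY_TYPE (?P<ptype>[^|]+)\| "
    r"POLICY_NAME (?P<pname>[^|]+)\| RESULT (?P<result>\w+)"
)
VLAN_RE = re.compile(
    r"%AUTHMGR-5-VLANASSIGN: VLAN (?P<vlan>\d+) assigned to Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<sid>\w+)"
)


def parse_sessions(log_text):
    """Group successful EPM policy applications and VLAN assignments by AuditSessionID."""
    sessions = defaultdict(lambda: {"mac": None, "intf": None, "vlan": None, "policies": []})
    for line in log_text.splitlines():
        m = EPM_RE.search(line)
        if m:
            if m.group("result") != "SUCCESS":
                continue
            s = sessions[m.group("sid")]
            s["mac"] = m.group("mac")
            s["policies"].append((m.group("ptype").strip(), m.group("pname").strip()))
            continue
        m = VLAN_RE.search(line)
        if m:
            s = sessions[m.group("sid")]
            s["intf"] = m.group("intf")
            s["vlan"] = m.group("vlan")
    return dict(sessions)


def find_redirect_after_full_access(sessions, full_access_dacl=re.compile(r"PERMIT_ALL")):
    """Return IDs of sessions that got a full-access DACL *and* a CWA URL redirect.

    A session handed a permit-all DACL should no longer be redirected to the guest
    portal; seeing both means the redirect rule in the ISE authorization policy still
    matched after guest login, which the post above traced to a missing
    "Network Access:UseCase = Host Lookup" condition.  The DACL name pattern is an
    assumption taken from the quoted logs; adapt it to your own DACL naming.
    """
    flagged = []
    for sid, s in sessions.items():
        got_full_access = any(ptype == "Named ACL" and full_access_dacl.search(pname)
                              for ptype, pname in s["policies"])
        got_redirect = any(ptype == "URL Redirect" for ptype, _ in s["policies"])
        if got_full_access and got_redirect:
            flagged.append(sid)
    return sorted(flagged)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for sid in find_redirect_after_full_access(sessions):
        s = sessions[sid]
        print(f"{sid}: MAC {s['mac']} on {s['intf']} VLAN {s['vlan']} was redirected "
              f"despite a full-access DACL -> check the redirect rule's conditions")
```

    Feed it `show logging` output (or the syslog feed) from the access switch; a session that appears in the output after the policy change is a sign the authorization rule ordering or conditions still need work.
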
  • ISE 1.3 Guest account Activate

    Hi,
    Has anyone worked with ISE 1.3 on creating guest accounts using the sponsor portal?
    Our issue is that whenever we create a new guest account using the sponsor portal the account is shown as "Created" and not as "Active". When we try to use the same account in the guest portal it gives authentication failed and shows "account is not yet active" in the ISE report. (please see the attached file)
    Can anyone tell how to make a new account active, or why it is shown as "created" and not as "active"?
    thanks in advance.

    Hi there,
    I am having the exact same problem with my ISE 1.3 deployment after upgrading from 1.2 to 1.3.
    The issue seems to relate to timezones (as a lot of ISE problems do!).
    The issue relates to settings under Guest Access -> Settings -> Guest Locations and SSID. You should have defined a location local to you; for me it is 'Southampton, Europe/London', and the San Jose entry cannot be removed.
    There should be an option to select the timezone in the Sponsor Portal but it is missing, so it defaults to 'San Jose'. This causes a time-zone mismatch between the account itself and the SSID location.
    However if you create a guest account using the admin GUI: Guest Access -> Manage Accounts, although you still cannot select the timezone it will choose the correct one for the SSID and you will then be able to use the account via the Guest Portal. I don't know what would happen if you had a second SSID and alternative location, it would probably be totally broken!
    I raised this issue with TAC three weeks ago, and had a WebEx with the Business Unit last week. They saw the issue and took some debug logs, all very helpful people, but the problem is still unresolved.
    cheers,
    Seb.

  • Native Supplicant "NAK requesting to use PEAP instead"

    Hello,
    We have a Cisco ISE infrastructure in place and we're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the native Windows supplicant to use EAP only?
    "Microsoft: Smart Card or other certificate" is selected under network authentication method, by group policy, and I thought that wouldn't allow PEAP, but our ISE logs show "NAK requesting to use PEAP instead", after which authorization fails because we're not using PEAP.
    For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
    Thanks,
    Andrew

    Hi,
    About this issue, please contact Cisco Tech Support for help.
    Karen Hu
    TechNet Community Support
    I've already been in contact with them and they've verified our configuration. All that can be done on the Cisco side is to "propose" the client to go through EAP-TLS as the first option, which we are doing. This will not block any clients trying to connect using other protocols, and, though this will propose EAP-TLS, there is no way to enforce it at the supplicant level. This will be a client decision always. From Cisco:
    Please monitor this after the change we applied, but if the issue persists, since we are dealing with windows supplicant, it would be a good idea to involve the native supplicant support.

  • ISE 1.2 web authentication problem with wired clients

    Hello,
    I am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
    Redirecting the client works fine, but as soon as the client opens a web browser and the ISE website opens to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a "session expired" message appears on the client and I get an 86017 Session Missing message in ISE.
    Here is the output from the debug aaa coa log.
    Any ideas?
    Thanks in advance,
    Alex
    ! CLIENT CONNECT TO SWITCHPORT
    ISE-TEST-SWITCH#show authentication sessions interface gi0/3
                Interface:  GigabitEthernet0/3
              MAC Address:  001f.297b.bd82
               IP Address:  10.2.12.45
                User-Name:  00-1F-29-7B-BD-82
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1484640000026B28C02CDC
          Acct Session ID:  0x0000029C
                   Handle:  0x8C00026C
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    ! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE 
    ! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
    ISE-TEST-SWITCH#
    191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
    191527: .Jun 24 10:42:24.340 UTC: RADIUS:  authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
    191528: .Jun 24 10:42:24.340 UTC: RADIUS:  NAS-IP-Address      [4]   6   172.20.132.100
    191529: .Jun 24 10:42:24.340 UTC: RADIUS:  Calling-Station-Id  [31]  19  "00:1F:29:7B:BD:82"
    191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
    191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529
    191532: .Jun 24 10:42:24.340 UTC: RADIUS:  Message-Authenticato[80]  18
    191533: .Jun 24 10:42:24.340 UTC: RADIUS:   E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E          [ <Ggi=aSn]
    191534: .Jun 24 10:42:24.340 UTC: RADIUS:  Vendor, Cisco       [26]  43
    191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
    191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
    191537: .Jun 24 10:42:24.340 UTC:  ++++++ CoA Attribute List ++++++
    191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
    191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
    191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
    191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
    191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
    191543: .Jun 24 10:42:24.349 UTC:
    191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
    191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
    191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
    191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
    191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
    191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
    ISE-TEST-SWITCH#
    191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
    191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
    191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
    191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
    191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
    ! SESSION ID CHANGES, USER ENTERS CREDENTIALS 
    ! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
    ! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
    ISE-TEST-SWITCH#show authentication sessions interface gi0/3
                Interface:  GigabitEthernet0/3
              MAC Address:  001f.297b.bd82
               IP Address:  10.2.12.45
                   Status:  Running
                   Domain:  UNKNOWN
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1484640000026C28C2FA05
          Acct Session ID:  0x0000029D
                   Handle:  0x2C00026D
    Runnable methods list:
           Method   State
           dot1x    Running
           mab      Not run

    Guest authentication failed: 86017: Session cache entry missing
    Try adjusting the UTC timezone during the guest creation in the sponsor portal.
    86017
    Guest
    Session Missing
    Session ID missing. Please contact your System Administrator.
    Info

  • Web Redirection Problem on Cisco ISE 1.2 and WLC 7.5

    Hello,
    We are at initial phase of deploying ISE 1.2 in our environment for Wireless Guest Users.
    I have configured ISE and the WLC to talk to each other, which is working fine. An SSID with MAC-Filtering is also configured on the WLC, and an ACL only allowing ISE and DNS traffic.
    I have configured proper authentication and authorization policies on ISE. Now, when I try to connect my device (laptop and android mobile), I see my device gets associated with the SSID (Demo) and gets the right IP Address from DHCP and right VLAN from WLC. The log process on ISE is as follows.
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
    15049  Evaluating Policy Group
    15008  Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    15041  Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Source - Internal Endpoints
    24210  Looking up User in Internal Users IDStore - B8:B4:2E:A6:7D:75
    24216  The user is not found in the internal users identity store
    24209  Looking up Endpoint in Internal Endpoints IDStore - B8:B4:2E:A6:7D:75
    24211  Found Endpoint in Internal Endpoints IDStore
    22037  Authentication Passed
    15036  Evaluating Authorization Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule - Guest Redirection
    15016  Selected Authorization Profile - Test_Profile
    11002  Returned RADIUS Access-Accept
    I also see a redirect url in the detailed authentication logs. But the problem is that when I open my browser on my device, it doesn't get redirected to the guest portal url. Now since I can't get there, I can't continue with the rest of the process of authentication, COA and final ACL for internet access.
    Can someone please either guide me through the correct steps that I need to follow, if I have misconfigured something, or advise if this is a bug.
    Thanks in advance.
    Jay

    The ACL is definitely used to define what traffic is re-directed to ISE and what traffic is not redirected. Having the permit-all statement at the end will break redirection. If you are using flex-connect then you will need to use flex-connect ACLs and apply those to the flex-connect APs. The links below should give you an idea of what needs to be done:
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    Thank you for rating helpful posts! 

  • [Cisco ISE 1.2 with 3850 - Trunk AP] Problem with MAB

    Hi everyone,
    After reading some documentation about using MAB on a trunk port with the 3850, I would like to know if someone has implemented ISE policies with a 3850 interface in trunk mode. My problem is that when I try using MAB on a trunk port, the MAC address of the AP is not visible in "show mac address interface" and because of that the AP is not authenticated in ISE. The thing is that if I use a 2960 everything goes smoothly with no problems!
    Let me show you what I have,
    interface GigabitEthernet1/0/3
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     trust device cisco-phone
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
     service-policy output AutoQos-4.0-Output-Policy
    ############################################# switch model - 3850 ##################################################
    SW1#sh mac address-table interface GigabitEthernet1/0/3
              Mac Address Table
    Vlan    Mac Address       Type        Ports
    SW1#sh dot1x interface Gi1/0/3
    Dot1x Info for GigabitEthernet1/0/3
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Switch Ports Model              SW Version        SW Image              Mode
    *    1 56    WS-C3850-48P       03.03.03SE        cat3k_caa-universalk9 INSTALL
    ############################################# Different switch model - 2960 ##################################################
    interface GigabitEthernet1/0/1
     description AP
     switchport trunk native vlan 999
     switchport mode trunk
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     authentication event fail action next-method
     authentication host-mode multi-host
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x max-req 4
     auto qos voip cisco-phone
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
     SW1#$cation sessions interface GigabitEthernet1/0/1
                Interface:  GigabitEthernet1/0/1
              MAC Address:  xxxx.xxxx.4a38
               IP Address:  172.18.1.170
                User-Name:  xx-xx-xx-xx-4A-38
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A18129D000060E39DAE8A8A
          Acct Session ID:  0x0000725D
                   Handle:  0x0F00028C
    Runnable methods list:
           Method   State
           mab      Authc Success
    Switch Ports Model              SW Version            SW Image
         1 28    WS-C2960X-24PS-L   15.0(2)EX5            C2960X-UNIVERSALK9-M
    SW2#sh dot1x interface Gi1/0/1
    Dot1x Info for GigabitEthernet1/0/1
    PAE                       = AUTHENTICATOR
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 4
    TxPeriod                  = 30
    Am I doing something wrong?
    BR,

    I know what you mean and I agree with what you are saying :) Nonetheless, at the moment, the official stance from Cisco on this is that 802.1x is not supported on trunk ports. Now one can argue that MAB is different but I think we are just splitting hairs here :) 
    Like I said, I have gotten stuff to work before but always had some goofy things happening so in general I have stayed away from doing it. 
    Now in your situation, if your configuration is working fine on the 2960 but not on the 3850, then most likely the issue is with the XE code running on the 3850s. The XE code has been very problematic until recently so you are probably hitting some sort of a defect. As a result, I recommend that you upgrade the switch(es) to 3.3.5 or 3.6.1. Version 3.7.x is also out but it just came out 8 days ago so I would not recommend going to it. 
    Thank you for rating helpful posts!
