Not Working-central web-authentication with a switch and Identity Service Engine

Similar Messages

• Central Web Auth with Anchor Controller and ISE

  Hi All
  I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
  I also have an ISE sat on the corporate LAN.
  Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
  DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
  I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
  My questions are:
  1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
  2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
  3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
  4. Is ICMP still blocked by the WLC until the web authentication is complete?
  Thanks.
  Regards
  Roger

  Hi Roger,
  Thanks for your brief explanation here are the answers for your queries.
  1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
  The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
  2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
  Yes, you have to configure the ISE server address on the anchor WLC.
  3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
  Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
  4. Yes, ICMP will work only after the sucessful web auth is complete.
  Please do go through the link below to understand the Anchor-Foreigh Scenario.
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
  Regards
  Salma

• Suppress Missing Data not work in web form with formula column inside

  Dear All,
  I've a planning web form with formula column inside to calculate the variance and % variance. But missing cell can't be suppressed, although I've checked the 'Suppress Missing Blocks' and 'Suppress Missing Data' options.
  Anyone have face the same problem..?? and how to fixed it..??
  thanks.
  Regards,
  VieN

  There is a known issue that sounds like the problem you are experiencing
  10358200 - If a formula column exists in a data form, selecting the Suppress missing option does not hide rows that do not contain data.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• .jar not working when building project with netbeans plugin and log4j

  hey..
  subject tells everything..if i build my project referencing log4j, i get a .jar file with 280 kb which is executable
  if i add log4j and do some logging, code still works in netbeans, but buildung produces a .jar with 80 kb and an
  attached lib-folder with the log4j.jar in it..if i uncheck copy requested libraries, i just get the 80 kb .jar file which
  is not working
  any hints?

  Are you building the jar file using the fxdeploy ant task to build the Jar? That is required to have an executable jar file.
  Also there was a change to the netbeans project structure, which may be a contributing factor.
  Things to try: Upgrade to the latest netbeans 7.1 beta build, set up a new Java platform in nb that includes JavaFX, create a new JavaFX project and build it. This should produce an executable jar.

• Hello sir i purchased second hand iphone4s with ios 7 beta version after 2 month on 6 oct my iphone ask for a uers id that is unknown by me my new id and password also not work when i contavt with previous owner and use his id and password which he use on

  plz help me by mail me on   [email protected]

  the previos owner id and password also not work there what i do all do everything downdrade , upgrade but everytime ask for previous id and password...........i also erase find my phone from previous user id

• Ask the Expert: BYOD with Identity Services Engine

  with Cisco Expert Bernardo Gaspar
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Identity Services Engine (ISE) and its various usage scenarios and integrations such as BYOD, Active Directory, profiling, posture and radius authentication with Cisco subject matter expert Bernardo Gaspar.
  Bernardo Gaspar is Customer Support Engineer at the Technical Assistance Center at Cisco Europe especialized in wireless and authentication, authorization, and accounting (AAA). He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, NAC and Identity Services Engine as part of the escalation TAC team since 2007. He also focuses on filing technical and documentation bugs. Bernardo Gaspar holds a degree from the University of Porto.
  Remember to use the rating system to let Bernardo know if you have received an adequate response.
  Bernardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event.
  This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.

  My customer is limited in his VM space. Although he would like to have a active/standby for his administration node, he doesn't need this for his logging. Is it recommended to roll this in production. With a limited HDD space, what would be the recommended space (300 GB?)
  administration  
  monitoring  
  policy service  
  Machine VM     
  primary    
  Not enabled 
  enabled 
  Machine HW     
  secondary 
  primary    
  enabled 

• Ask the Expert: BYOD with Identity Services Engine with Cisco Expert Bern

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Identity Services Engine (ISE) and its various use scenarios and integrations such as BYOD, Active Directory, profiling, posture and radius authentication with Cisco subject matter expert Bernardo Gaspar.
  Bernardo Gaspar is Customer Support Engineer at the Technical Assistance Center at Cisco Europe especialized in wireless and authentication, authorization, and accounting (AAA). He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, NAC and Identity Services Engine as part of the escalation TAC team since 2007. He also focuses on filing technical and documentation bugs. Bernardo Gaspar holds a degree from the University of Porto.
  Remember to use the rating system to let Bernardo know if you have received an adequate response.
  Bernardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event.
  This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.
  Posted by WebUser Krishnakant Dixit from Cisco Support Community App

  Feedback will be highly appreciated
  Posted by WebUser Krishnakant Dixit from Cisco Support Community App

• OSX 10.10.1 with Cisco ISE guest portal using (CWA) central web authentication issue

  We have Cisco Wireless with ISE (Identity Service Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest trying to browse the internet it will be redirected to guest protal for authentication. So only corporate guest with valid password can pass the portal authentication. This is been working fine for windows machine, android, and apple devices with earlier OS version (working on OSX 10.8.5). For clients that's been upgraded to OSX 10.10.1 or IOS 8 they can no longer load the CWA redirection page.
  Please let us know if there's any setting under the OSX to solve the issue, or plan from apple to fix the issue on the next OSX/IOS release ?
  thanks - ciscosx

  Robert,
  Manual assignment has been made available in ISE 1.2 release.
  M.

• Central web authentication

  I have downloaded the new Cisco ISE, I've managed to configure 802.1x and MAB succesfully but I want to configure wired centralized web authentication, but I cannot find any documentation how to configure ISE and Cisco Catalyst (IOS) switches to use this feature (I only find (limited) documentation about local web auth on the switch).
  I want to achieve the following authentication order on a switchport:
  802.1x
  MAB
  central web authentication
  So if a guest user comes with his laptop, 802.1x is not configured on his laptop and he's not in the Mac Bypass DB, he should "failover" to web auth and get the ISE guest portal webpage with his web browser. There he enters a guest username and password (which is of course already in the ISE DB) and he should get web access.
  I've configured the switchport with the following commands
  switchport access vlan 99
  switchport mode access
  switchport voice vlan 50
  authentication event no-response action authorize vlan 32
  authentication host-mode multi-domain
  authentication order dot1x mab webauth
  authentication port-control auto
  authentication violation protect
  authentication fallback webprofile
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 2
  dot1x timeout tx-period 2
  spanning-tree portfast
  spanning-tree bpduguard enable
  the web-profile with access-list to permit DHCP traffic between the attached device and any DHCP server in the vlan 99, and communications with ISE (also in vlan 99) at the moment "fallback webprofile" is triggered (I don't know if this should be configured with central webauth?)
  SW01T#sh fallback profile webprofile
  Profile Name: webprofile
  Description : webauth profile
  IP Admission Rule : NONE
  IP Access-Group IN: 133
  FYI, the access list:
  Extended IP access list 133
  10 permit ip any host 10.175.0.29
  30 permit udp any any eq bootps
  40 permit udp any eq bootpc any
  In the ISE, I configured DOT1x and MAB. In the MAB profile, I configured "continue" if user is unknown, and then an authorization profile for the web authentication:
  (attributes of the profile):
  Access Type = ACCESS_ACCEPT
  cisco-av-pair = url-redirect-acl=webauth
  cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&portal=https://10.175.0.29:8443/guestportal/gateway?sessionId=SessionIdValue&portal=http&action=cwa&action=cwa
  But it doesn't work. If I attach a device, it tries 802.1x, it tries MAB, then it fails over to "web authentication" but immediately fails with "no-response" message:
  001420: Jul 1 12:09:19: %AUTHMGR-5-START: Starting 'webauth' for client (0011.2
  5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
  5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
  from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0
  AAF003E000000582E866B69
  001422: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'webauth' for cl
  ient (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B
  69
  001423: Jul 1 12:09:19: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication
  methods for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003 001420:
  Is there some configuration guide or steps available in order to make this work please?
  kind regards

  Hi Tarik,
  thank you for the fast reply.
  I've configuried the extra settings you told me (although I thought the ip admission configuration was only for local web authentication (where the switch acts as a http server).
  But it still doesn't work. The pc is getting the ip address from the dhcp server but if I open a browser session, I do not get redirected to the ISE portal in order to log me in with a Guest account.
  If I look at the authentication session of the port, it looks like the ISE has correctly sent the redirect acl and redirect url to the switchport:
  Switch# show auth sessions int fa 1/0/3
             Interface:  FastEthernet1/0/3
           MAC Address:  0011.25d7.6c6c
            IP Address:  10.175.0.229
             User-Name:  001125d76c6c
                Status:  Authz Success
                Domain:  DATA
       Security Policy:  Should Secure
       Security Status:  Unsecure
        Oper host mode:  multi-domain
      Oper control dir:  both
         Authorized By:  Authentication Server
            Vlan Group:  N/A
      URL Redirect ACL:  webauth
          URL Redirect:  https://ISE.onemrva.priv:8443/guestportal/gateway?session
  Id=0AAF003E0000175A43004FE3&action=cwa
       Session timeout:  N/A
          Idle timeout:  N/A
     Common Session ID:  0AAF003E0000175A43004FE3
       Acct Session ID:  0x000018CF
                Handle:  0xEF00075B
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
         webauth  Not run
  As you can see, the "web authentication" is the result of a "succesful MAB". This is because I had to configure ISE to continue on MAB if the user was not found (I found that somewhere in documentation). Then I have configured a default authorization profile where the "web authentication" is triggered. This is where I've configured the redirect-url and so on and this is of course sent to the switch as a succesfull MAB:
  authorization profile "webauthentication" with the "centralized web authentication" settings configured (see attributes output):
  Access Type = ACCESS_ACCEPT
  cisco-av-pair = url-redirect-acl=webauth
  cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  Actually, I really have no idea if I have correctly configured ISE to handle central web authentication...
  If I check the "show ip admission cache", nothing is seen in there.

• Wlc flexconnect wlan local authentication and central web authentication maximum rtt

  Hi
  From the below link below it mentioned that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148.
  Is this limitation refer to web authentication also?
  Thanks
  Anyone???

  Central Web Auth (CWA) works different on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have similar setup. 
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
  If so, please post screen shots with your configs (Redirect ACLs, policies in ISE and the WLC SSD settings). 
  Also, the version of code that you are running in ISE and your controller. 
  Thank you for rating helpful posts!

• ISE Web Authentication with Profile

     Hi,
     I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
     The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication
     But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use
     the Web Authentication cause the endpoint is already in the internal endpoint store.
     What's the better way to solve this problem ?
     Thanks in Advanced
     Andre Gustavo Lomonaco

      Hi Neno, let me clarify my question
      I'm already using my internal endpoints to permit authenticate via MAB my IP Phones, Access Points and Printers.  I'm using Profile to be able to populate this ISE internet database.
      Now imagine that I wanna use the Web Authentication to permit authenticate guest workstations without 802.1x.If the profile put the guest workstation mac in the endpoints database, those workstation always will be authenticate using the MAC authentication and not the Web Authentication. Remember that for the Web authentication works we need to configure the continue options if the mac are not found in the endpoints database. But when the profile is on, the news (guest workstations) macs are inserted in endpoints database before I have chance to use the Web Authentication.

• Web Authentication with MS IAS Server

  I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
  I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
  Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
  I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?

  I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
  I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
  The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
  Event Type: Warning
  Event Source: IAS
  Event Category: None
  Event ID: 2
  Date: 9/3/2008
  Time: 11:00:55 PM
  User: N/A
  Computer: DC1
  Description:
  User SCOTRNCPQ003.scdl.local was denied access.
  Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
  NAS-IP-Address = 10.10.10.10
  NAS-Identifier = scohc0ciswlc
  Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
  Calling-Station-Identifier = 00-90-4B-4C-92-B7
  Client-Friendly-Name = WLAN Controller
  Client-IP-Address = 10.10.10.10
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 29
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server =
  Policy-Name =
  Authentication-Type = EAP
  EAP-Type =
  Reason-Code = 8
  Reason = The specified user account does not exist.
  The policy is the default connection policy created when installing IAS.
  In ADUC, I've tried setting both the machine and users Dial-In properties to Allow Access or Control through policy, with the same result.
  I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
  In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
  It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished.

• LOVs not working in Webi Report for SAP BO 4.1 SP 2 Patch 3

  Hello ,
  I have developed reports and universes in SAP BO 4.0 SP 5 and i have migrated those reports to higher version of BO which is 4.1 SP2 Patch 3.
  My universe is working fine with LOVs but when i run the webi report , the LOVs arent working.
  have anyone facing the same issue. any idea why the LOVs arent working on higher version.?

  Hi Victor,
  The List of values we will assign in universe in order to get filtered data works on universe query panel
  but the same objects when i am using in report(webi report) , the List of values are not working .i.e
  they are not getting displayed in webi report.
  for ex: i have country object having country names as LOVs and state objects having state names as LOVs . Now when i select Country value , the LOVs of state objects should get filtered and shows only states which belongs to country .
  the above logic is not working in webi report , i am only able to select country and when i go for state, the state names do not get filtered.
  please let me know why this is happening in the SP2 patch 3 version and its working fine for SP2  , but the chrome issue gets solved after applying patch 3 and not if we only upgrade to SP2.
  the webi reports are not working in chrome browser if we using SAP B04.1 SP2 and lower version
  but the LOVs are not working in SAP BO 4.1 SP 2 patch 1, 2,3.
  kindly help me with the issue

• Safari will not open certain web sites with https or http

  safari will not open certain web sites with https or http,any help will be welcome,it must be a security setting,but i have not changed any settings.

  From your Safari menu bar click Safari > Preferences then select the Exensions tab.
  If there are any installed, switch the button to off, quit and relaunch Safari to test.
  If there is more than one extension insalled, uninstall one a time, quit and relaunch Safari and test.

• Javascript does not work in web browser

  Hello friends.
  I have a problem with javascript in my Captivate project.
  This script only works in preview in Captivate, but does not work in web browser (IE 9, Mozilla, Chrome).
  Anybody knows why?
  Thank you for your answers.

  Common JS interface
  That is the official documentation for JS in Captivate 8. For more information, have a look at Jim Leichliter's website: CaptivateDev.com - eLearning Development with Adobe Captivate