Wired Guest Using ISE Interface
I've scoured the forums for a solution but struck out looking for design tips. I have a centralized guest wireless using ISE with CWA on an anchor controller and it works great. Now I need to create a wired guest network for my remote sites. Is this possible using an interface on my 3415 running ISE, or can the anchor controller be used somehow?
The 3415 sits in my Pennsylvania data center. It has a new dedicated interface going to the internet for guest traffic. Can this interface be used as a redirect for a guest at a remote site? If so, is there documentation detailing the basic steps to implement this?
Thanks in advance!
If you are already authenticating your wireless users and anchoring them to a DMZ you can do the same with wired users as long as you have a foreign controller layer 2 adjacent to the wired guests.
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html
You would just need to set the VLAN on the port for the guest users, or if you want you can use ISE wired AuthZ policy to place the guest users into the correct VLAN, or FlexAuth using guest VLANs.
Similar Messages
-
Hi
I have set up wireless guest access for a customer with a single 5508 and web authentication, no problem at all. He then wanted to test wired guest access. The 5508 is currently connected to a single 3560 switch. The wired clients get a DHCP address OK but cannot resolve DNS and thus don't get redirected to the guest login portal. I have even tried turning off all L3 security to no avail. The setup is as follows:
VLAN 101 access points and 5508 management interface
VLAN 102 wired guest access dynamic ingress (L2 config only, no SVI on 3560)
VLAN 103 wireless guest dynamic egress interface, L3 network with SVI on switch
VLAN 104 wired guest dynamic egress interface L3 network with SVI on switch
There are two DHCP pools setup on the WLC one for the VLAN 103 and one for the VLAN 104 subnets.
The internet router is also connected to the 3560 on a separate VLAN with an SVI. The 3560 has a default route to the internet router and the DHCP pools give the DHCP clients a default gateway of the IP address of dynamic interface 103 or 104. The internet router can ping the WLC on both these addresses.
LAG is enabled on the WLC and VLANs 101-104 are trunked to it from the 3560.
I even tried making the wired guest egress interface the same one as for wireless. The wired clients now got an IP address on the wireless range but still couldn't pass any traffic. It's like the internal bridging on the WLC between VLAN 102 and 104 (or 103) is broken. Tried both the latest 6.x and 7.x software on the WLC. Any ideas? All the problems I can find with this seem to relate to not getting as far as a DHCP address, but that works fine.
Thanks
Pat
Hi
Yes, got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is, the switch that the wired guest access port and the WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on, for some reason this breaks it. Didn't have a chance to work out the exact limitations of this as we simply made the switch L2 only and configured an 802.1Q trunk to the Internet router and made subinterfaces on the router for the wired and wireless egress ports, and it worked then. No config change was needed on the WLC at all.
The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAN and egress VLAN. The WLC isn't a real router; it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAN, not routed, and this is what screws it up (remember, with a router the source and destination MAC addresses would be changed; with a bridge they aren't). Got to be something along those lines. If you have a bigger network with a guest anchor WLC handling this function you don't run into this, as the traffic is coming over an EoIP tunnel from the remote WLC so the switch with the guest anchor WLC doesn't see the MAC address of the wired guest PC. -
How to use ISE Guest Portal for AD users
Hi there,
As the subject explains, I want to use the ISE Guest Portal for my domain users. I have tried many different ways to authenticate users and finally I came to the conclusion that ISE CWA works pretty well and is very stable. WLC Webauth sucks a lot; it does not always redirect to the login page.
Can you please share what other stable ways there are to authenticate AD users? I know about WPA 802.1x authentication but that requires a CA in the network which is not available at the moment. So can you please suggest?
Otherwise, I want to use the ISE Guest Portal for my AD users as well. AD is already integrated to ISE; the issue happens when I attempt to authenticate using an AD user account: the user gets authenticated but the Guest Portal redirects me to the Device Provisioning page and there it shows an error saying "there is not policy to register the device, contact system admin"
Am I missing something??
I am running WLC 5760 with ISE 1.2
Thanks in advance..
Hi,
Can you post a screenshot of your current policies? Also, for 802.1x authentication, although it is best practice, you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the EAP interface.
In most cases 802.1x is the method to go with because it provides dynamic authentication without forcing users to be redirected to a web page multiple times throughout the day; in scenarios such as computers that sleep or users that are mobile, they will not have connectivity until they redirect to the portal. You also gain WPA encryption on your WLAN; if you are using strictly Layer 3 web auth you run into issues where encryption is not used and you rely on encryption from the application as your method of data integrity and security.
Thanks,
Tarik Admani
*Please rate helpful posts* -
ISE with CWA and wired guest access via WLC Anchor
Can an Anchor WLC (WLCa) provide a wired guest LAN service if the WLAN guest access is using CWA?
We are deploying a WLAN-only ISE solution (it is a full license ISE though) but they just want a few wired guest ports. I was hoping to add an L2 switch to the DMZ where the WLCa is and that the L2 switch wouldn't need any other config as the WLCa just bridges the wired to the WLAN VLAN. This I'm sure I have done before.
So now I have set wired guest the same as I have done before ISE and my wired clients get an IP address, but when they redirect, the URL they get is different, and the redirect just doesn't work.
It comes out as:
https://my_ise_ip:8443/guestportal/Login.action?switch_url=https://my_ise_host/login.html&wlan=my_wired_guest_lan&redirect=www.google.co.uk
So does my simple L2-only switch need an ISE config on it, or should the WLCa be handling the redirection just as it would for a WLAN device? The ISE never receives an auth entry, so I don't believe the redirect is working for the wired client. So even though the client's browser gets a redirect URL which fails connection, the client info in the WLCa doesn't have a redirect ACL listed like a WLAN client would.
-
Having a heck of a time getting this to work.
First option is for the device to try and authenticate using Dot1X/EAP-TLS - for domain-connected devices only.
If that fails, they want the option to pop a CWA portal where they can enter either AD creds, or internal Guest user creds.
My challenge is the Policies and where to insert.
I'm using Policy Sets in ISE 1.2
Currently, I have these statements in the Default Policy Set:
Rule Name | Conditions | Permissions
Wired Guest Portal Auth | if Net Access:UseCase EQUALS Guest Flow | Permit Access
Wired Guest Redirect | if Wired_MAB | Wired CWA
What I figured is if they fail the .1X, they'll drop down here to Wired MAB, and that will initiate a redirect and Guest Flow.
Couple problems:
First, it does seem to try; a show auth sess shows the proper redirect URL getting sent to the switchport.
Unfortunately, my browser pop-up gives me a certificate not recognized error, and if I try to continue anyway, it doesn't do anything. Wireless Guest, which I copied, works fine.
Second challenge is that it forces the redirect whether I have the switch (NAD) in Monitor Mode or Low Impact Mode. This is a problem because there are multiple sites, and we're cutting each over to Low Impact progressively.
Does anyone have any insight, or a document laying out in step by step terms implementing this?
thanks in advance.
Hi Andrew! Yes, good job on fixing the portal issue!
And yes, the authorization rules are considered even in an open mode! And you are also correct that you will need to create different rules to account for NADs that are in production and for NADs that are in monitor mode. I have always liked using a separate Policy Set for Monitor Mode and a separate Policy Set for Production Mode. Then I used device location to match against these conditions. For each location I have two sub-groups: One for Monitor and one for Production. That way I can move a NAD from monitor mode to full production by simply changing its group.
Lastly, yes, your CWA rules should be at the bottom of your production authorization rules.
Thank you for rating helpful posts! -
ISE Wired Guest + user without supplicant and dynamic vlan change
Hi All,
I have two issues:
Is it still an issue that a wired user who is directed to the ISE CWA is able to stay authenticated as a guest for as long as they stay connected?
This is happening on our test pilot - a guest with 2 hour access on a wired connection can maintain the guest access for as long as they desire.
I hear that this isn't an issue for wireless, but I have yet to try this out. Is there a workaround for this?
Secondly my testing confirms that only users with a supplicant eg anyconnect NAM can be dynamically changed into a vlan (only tested on wired).
What I'd hope to do is create a policy that, when wired guests connect, dynamically changes their VLAN to the guest VLAN (same one guest WLAN users will use).
Is this possible if the guest doesn't have a supplicant?
One of my tasks was to rebuild the multiportal config, and it looks like there was an option there to do a VLAN DHCP release and renew. I won't know if this will work until next week but it sounds promising. It was tucked down on the screen so I had to scroll down to find it...
Still don't have an answer about the guest being able to stay authenticated, or does this feature solve this issue as well? Only time will tell.. -
Guest Anchor with web auth using ISE guest portal
Hello All,
Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how-to guides to build the parts I am not strong on, so if anyone has actually completed this setup, I'd love to go through it with you.
massive thanks to anyone that can assist.
JS.
Thanks for the reply RikJonAtk.
So to start with, based on the TrustSec documents, on the guest WLAN on the anchor I need to configure MAC filtering at the Layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that MAC filtering and RADIUS NAC cannot be enabled at the same time.
Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for RADIUS, so I go to the AAA server tab and send local and LDAP to the not-used column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again. So I initially thought it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
Thanks in advance,
JS -
Guest Portal Using ISE with Flexconnect Mode
Folks,
I have configured my guest web authentication using ISE with flexconnect mode like this:
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bcb905.shtml
After that is done, I connect to the SSID but cannot log in. I cannot get an IP address, and in ISE I can see that my device has already hit my authorization profile and the status is pending. Can anyone help me with this?
As Richard says, check to see if you have an IP address. If not, check the AP settings for FlexConnect. Is the mode on the AP set right? Please confirm that you are using FC local switching and not centralised switching?
Is the VLAN tagging enabled on the AP, and/or the VLANs on the AP switchport set right? -
Wired Guest in 5.x 4402 - Does it Work???
Anyone get Wired Guest access working using the latest code 5.148 (or any code for that matter)? In particular, has anyone been successful using 1 WLC with ingress and egress on the same controller? I have been trying for a week and it does not work no matter what.
Thanks for all responses....
Armonk -
See next post with attached .doc
This post was trimmed.
4402 config
-Ingress int
Create a new interface <myguests-ingress>, assign it a VLAN ID <44>
Check the box that says Guest LAN
This interface has no IP, it is Layer2 only!
If there is an IP associated with this VLAN (anywhere), create another VLAN.
-Egress int (if you are already using one for wireless guest access, you can skip this step and reuse that one, I did!) It will not be called "Egress" on the wireless, just interface. If you don't have one already, you need to create it
Create a new interface, assign it a different VLAN <55> than your ingress interface
Assign IP, netmask, and gateway info < 192.168.100.10, 255.255.255.0, 192.168.100.1 > (see Router section below)
I used addresses that were NOT on my business network, so guest IPs are easily distinguished from employees
Also since this traffic is within a VLAN, I need to route this traffic at some point to access my gateway
If you want to give guests DHCP addresses, assign a Primary DHCP Server to this interface (see DHCP section below)
Since I was using the WLC for DHCP, I put the IP of my management interface (or another of your choice)
-Internal DHCP (if you are using your WLC for DHCP this needs to be configured)
Start <192.168.100.100> (same subnet as "egress")
End <192.168.100.200>
Network <192.168.100.0>
Mask <255.255.255.0>
Lease <86400>
Default router <192.168.100.1> (same as your gateway above)
This is really just an IP to route between VLANs, it may not exist yet
Don't worry if this is on another subnet as your real gateway (it should be), this is just a gateway IP for this subnet
You can route between VLANs (that's what I did) on your router
DNS server <10.10.10.50> (this a local DNS, but you could use anything I guess, even your ISPs DNS server)
Status = Enabled
-WLAN
Create a new WLAN, select Guest LAN as the type
Ingress is a L2 VLAN
Egress is a L3 VLAN or previously configured VLAN
Security Tab, select Web Auth/Pass
Advanced Tab, specify your DHCP
Check override (required for external DHCP)
Was not able to check DHCP Addr. Assignment = Required (bug?)
General Tab, check status = Enabled
Ignore the error; this is a bug!
Core Switch configuration (these commands are in CatOS)
Since wired guest access uses the same interface (in my config,) I did not have to do this step as it was done previously.
You need to configure your core switch to allow VLAN traffic from your WLC interfaces
VTP and VTP domain were previously configured; you may need to do this if you have never done VLANs on this switch
# set vlan 44 name MYGUESTS-INBOUND - - - IOS will be different
# set vlan 55 name MYGUESTS-OUTBOUND - - - IOS will be different
If you already have a vlan for wireless guests this step is already done
Setup trunking on the port coming from the WLC to your switch (I chose mod/port =3/5, yours will be different)
# set trunk 3/5 on dot1q - - - IOS will be different
This allows VLANs to traverse from the WLC to the switch, (you could specify which VLANs only)
I have created VLAN ACLs that restrict the access of guests, but that can be done after this is up and working
Now this next step was required for my environment, but I am not sure that all setups can be done like this. I have another DHCP server on my network, so I wanted to make sure that there was not a conflict. To do this I specified a port on my core switch to accept VLAN traffic for my ingress interface
Configure a port on my core switch to accept wired guest traffic (I chose mod/port =3/6, yours will be different)
# set vlan 44 3/6 - - - IOS will be different
It's possible you may also need to allow your egress VLAN depending on your setup
Dumb switch
Plug switch into the port specified -
Cisco wired guest with one wlc
Hello my name is Ivan
I have a question:
Can you configure wired guest for wired network users so that the Cisco WLC web portal appears for guest user authentication, having the following:
Only one (1) Cisco WLC 5508, no settings for auto anchor or foreign controller, a Cisco ACS v5.4, Cisco switches, and access points.
I'm using 802.1x, and when the user, because of authentication policies, falls into the guest VLAN, the user receives full IP routing in the guest VLAN and reaches the internet through the router for guest users, but is not redirected to the web site of the WLC.
I would like to redirect HTTP traffic from the Cisco switch to the Cisco WLC for the WLC web portal.
My deployment is FlexConnect with central wireless authentication and local switching.
How I can do this?
Thanks for your answers.
Hi Scott, thanks for your answer:
My scenario is:
Site A Corporate
WLC 5508 Flex Connect Central Auth + Local Switching
1. int management: vlan 10 - 10.1.1.2/24
2. int virtual: 1.1.1.1
3. wired-guest: vlan 30
wlans:
1. corporate - mapped to interface management, 802.1x WPA/WPA2
2. guest - mapped to interface management web auth
3. wired-guest: web auth, ingress wired, egress management
Cisco ACS v5.4
Site B: Branch
Lightweight AP in VLAN 10, VLANs mapped 100 and 30, 100 for WLAN corporate and 30 for WLAN guest.
Cisco switches.
The branch has an internet router for guest users.
The Cisco switch has an 802.1x configuration, and the method to authenticate users that cannot have an 802.1x supplicant is web auth.
Currently I cannot redirect the traffic from the switch in the branch to the Cisco WLC 5508 in the corporate site. The users bypass the interception of the Cisco WLC and they can go to the internet without the authentication portal.
Please could you give me advice to resolve it?
Regards for your answers. -
Respected members of this community... :) I need help.
The last couple of days I spent implementing unified wireless at a customer's site.
We used the latest versions of the controller and WCS software.
This new software offers a new feature, wired guest.
Since we already implemented 802.1x with a guest VLAN on the wired network last year, we wanted to offer the guest access functionality on the wired LAN as well.
So first we implemented wireless guest access, which worked fairly quickly.
Then we added another interface on the controllers, which matched the already existing wired guest VLAN. First we wanted to use that VLAN for wireless guests as well as wired, but we found out that is not possible (so we created a new wireless guest VLAN). Then we added a new WLAN which we marked for wired guest.
Anyway, we followed the documentation and...could not get it to work.
The network is a layer 3 routed network with 40 or so VLANs. The controllers are connected to the core switch (with nicely configured trunks), which does all the routing.
DHCP is the first thing that didn't work. The interfaces we created on the controllers have the guest lan checkbox checked, ingress interface is the guest VLAN, egress interface is the mngt interface.
The DHCP relay function did not work.
DHCP will work with IP helper configured on the VLAN interface on the core router, but this all goes outside of the controllers.
This is by the way the major thing I do not understand. With wireless, all traffic goes via the controller through the LWAPP tunnel. But with wired, my layer 2 VLAN ends on the core switch, not on the controller.
So what should the default gateway be for that VLAN? The interface VLAN of the core switch or one of the controller IP addresses?
Traffic should be directed to the controllers (I guess?) to enable them to catch HTTP and send the redirect to the webauth page.
But if you set the default gateway to the controllers, DNS does not work because the controllers do not forward traffic until after authentication, but for this to work, you need DNS for the client to start the HTTP session.
Is there anyone out there who has this working, including DHCP?
The customer's network is flexible, we can build almost anything we want there, so if we need to change something, we can.
Wireless guest was no problem at all, and the data WLAN, including 802.1x, auth on AD and dynamic VLAN assignment worked perfectly. So we did get something to work actually... :)
Does this help?
<http://www.cisco.com/warp/public/102/wired_guest_access.pdf>
Also keep in mind that the clients and the controller needs L2 adjacency (i.e. the Guest-VLANs would need to be trunked directly to the controller where you define the Guest-WLAN).
I assume you have already deployed an anchor controller for wireless Guest traffic. So, the idea is to leverage the same EoIP tunnel infrastructure also for wired guest traffic. DHCP/DNS traffic should be blindly tunneled across this infrastructure, so your network services should be deployed in the anchor controller location (i.e. DMZ). Keep in mind again, that this design implements a logical L2 connection from the endpoints to the anchor controller.
Hope this helps, -
Wired guest access on WLC 4400 with SW 7.0.240.0
Hello,
after we upgraded our WLAN controller 4400 from software 7.0.116.0 to 7.0.240.0,
wired guest access doesn't work anymore.
All other things work fine, incl. WLAN guest access!
When we try wired guest access, we get the web-authentication page and can log in.
On the controller we can see that the Policy Manager State changes from WEBAUTH_REQD
to RUN.
But then there is no access to the internet.
We tried also SW 7.0.250.0, same problem!
Log Analysis on the WCS:
Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :The WLAN to which client is connecting does not require 802 1x authentication.
Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client does not have an IP address yet.
Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L3 authentication is required
Time :03/12/2014 14:21:23 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role update request. from Unassociated to Local Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.101.200.11
Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Mobility role changed. State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :DHCP successful.
Time :03/12/2014 14:21:26 MEZ Severity :ERROR Controller IP :10.101.200.11 Message :Client got an IP address successfully and the WLAN requires Web Auth or Web Auth pass through.
Time :03/12/2014 14:21:26 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client IP address is assigned.
Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Webauth user logged in to the network. manni
Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :AAA response message sent.
Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
Time :03/12/2014 14:22:01 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client has completed Web Auth successfully.
Trying http://www.google.de .... doesn't work. No log entries. Next entries while logging out.
Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Web auth is being triggered again.
Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client L2 authentication has been completed successfully.
Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :Client Moved to DHCP Required State.
Time :03/12/2014 14:36:20 MEZ Severity :INFO Controller IP :10.101.200.11 Message :WebAuth user Logged out from network.
Does someone have an idea how to solve this problem?
Regards
Manfred -
To the forum,
I am trying to create a guest wired network using my WLC 4402 (5.2.193.0). I have attached a diagram of the basic layout. I am using this document - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml - as a guide. The problem is I have a single WLC and no anchor in the DMZ. When I try to configure an ingress interface for the "WLAN" my only option is none.
My plan is trunk the layer 2 link that terminates on my perimeter firewall with both VLAN 199 (Guest wireless) and VLAN 198 (Guest Wired).
I would greatly appreciate any input or suggestions.
Doug
Doug,
You must create a "guest LAN" layer 2 interface on the WLC. This will be the ingress interface on the L2 vlan the wired guest will be in. Then the egress interface is going to be the L3 network those clients will actually have their IPs in.
Lee -
Wired guest lan authentication through NGS
Hello Guys,
We have a 5508 controller running ver 7.2.110.0. We have configured wireless guest and wired guest WLAN profiles and associated the necessary dynamic interfaces to them. The authentication for both wireless and wired guest is through Cisco NGS [NAC]. I have configured Webauth and added the server in the security tab for authentication. I have guest user accounts created in NGS; if I use wireless guest the auth works perfectly. But the same credentials are not working with wired guest. Any advice on this issue would be really helpful.
Regards
Krishna
Hey Scott,
Yes, NGS is working as RADIUS. However I haven't checked the WLC or NGS logs to see if there is anything, but let me look into that. No other names work either. I did run a debug on the WLC while the user was authenticating; below is the output
Output of debug for wireless user where I am getting Accept message for auth at the end
User IP ADDR - 172.22.207.157
*aaaQueueReader: Aug 20 09:44:29.940: 00:23:14:ec:3d:38 Successful transmission of Authentication Packet (id 190) to 194.156.169.111:1812, proxy state 00:23:14:ec:3d:38-00:01
*aaaQueueReader: Aug 20 09:44:29.940: 00000000: 01 be 00 a2 cd 8f 91 44 a2 4f 85 f1 04 f7 14 9a .......D.O......
*aaaQueueReader: Aug 20 09:44:29.940: 00000010: d0 3e 42 94 01 1b 6d 61 68 65 62 6f 6f 62 2e 6b .>B...maheboob.k
*aaaQueueReader: Aug 20 09:44:29.940: 00000020: 68 61 6e 40 61 6d 61 64 65 75 73 2e 63 6f 6d 02 [email protected].
*aaaQueueReader: Aug 20 09:44:29.940: 00000030: 12 34 fc 96 01 47 ed 5e d3 8d 08 4e 72 ce 1d b5 .4...G.^...Nr...
*aaaQueueReader: Aug 20 09:44:29.940: 00000040: da 06 06 00 00 00 01 04 06 ac 16 cf 83 05 06 00 ................
*aaaQueueReader: Aug 20 09:44:29.940: 00000050: 00 00 0d 20 0b 42 4c 52 57 4c 43 4f 30 31 3d 06 .....BLRWLCO01=.
*aaaQueueReader: Aug 20 09:44:29.940: 00000060: 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 00 01 ........7c......
*aaaQueueReader: Aug 20 09:44:29.940: 00000070: 1f 10 31 37 32 2e 32 32 2e 32 30 37 2e 31 35 37 ..172.22.207.157
*aaaQueueReader: Aug 20 09:44:29.940: 00000080: 1e 10 31 37 32 2e 32 32 2e 32 30 37 2e 31 33 31 ..172.22.207.131
*aaaQueueReader: Aug 20 09:44:29.940: 00000090: 50 12 ef 00 53 8b 39 31 14 93 b3 82 1c f5 b5 51 P...S.91.......Q
*aaaQueueReader: Aug 20 09:44:29.940: 000000a0: 82 45 .E
*radiusTransportThread: Aug 20 09:44:30.516: 00000000: 02 be 00 1a 0c 8e d4 54 91 55 d6 ae b2 91 05 6e .......T.U.....n
*radiusTransportThread: Aug 20 09:44:30.516: 00000010: 93 f9 4b 7e 1b 06 00 21 70 70 ..K~...!pp
*radiusTransportThread: Aug 20 09:44:30.517: ****Enter processIncomingMessages: response code=2
*radiusTransportThread: Aug 20 09:44:30.517: ****Enter processRadiusResponse: response code=2
*radiusTransportThread: Aug 20 09:44:30.517: 00:23:14:ec:3d:38 Access-Accept received from RADIUS server 194.156.169.111 for mobile 00:23:14:ec:3d:38 receiveId = 0
But for wired user below is the output
User IP ADDR - 172.22.207.151
5.338: 00:26:b9:e0:36:a6 Successful transmission of Authentication Packet (id 188) to 194.156.169.111:1812, proxy state 00:26:b9:e0:36:a6-00:01
*aaaQueueReader: Aug 20 09:35:15.338: 00000000: 01 bc 00 a2 2c fe c1 97 a7 d1 25 a0 59 34 89 38 ....,.....%.Y4.8
*aaaQueueReader: Aug 20 09:35:15.338: 00000010: c1 be 59 f3 01 1b 6d 61 68 65 62 6f 6f 62 2e 6b ..Y...maheboob.k
*aaaQueueReader: Aug 20 09:35:15.338: 00000020: 68 61 6e 40 61 6d 61 64 65 75 73 2e 63 6f 6d 02 [email protected].
*aaaQueueReader: Aug 20 09:35:15.338: 00000030: 12 37 c7 5c 52 27 41 5b 0d 60 98 70 76 3b b3 ba .7.\R'A[.`.pv;..
*aaaQueueReader: Aug 20 09:35:15.338: 00000040: f5 06 06 00 00 00 01 04 06 ac 16 cd 74 05 06 00 ............t...
*aaaQueueReader: Aug 20 09:35:15.338: 00000050: 00 00 0d 20 0b 42 4c 52 57 4c 43 4f 30 31 3d 06 .....BLRWLCO01=.
*aaaQueueReader: Aug 20 09:35:15.338: 00000060: 00 00 00 0f 1a 0c 00 00 37 63 01 06 00 00 02 02 ........7c......
*aaaQueueReader: Aug 20 09:35:15.338: 00000070: 1f 10 31 37 32 2e 32 32 2e 32 30 37 2e 31 35 31 ..172.22.207.151
*aaaQueueReader: Aug 20 09:35:15.338: 00000080: 1e 10 31 37 32 2e 32 32 2e 32 30 35 2e 31 31 36 ..172.22.205.116
*aaaQueueReader: Aug 20 09:35:15.338: 00000090: 50 12 36 60 54 47 0b 84 02 5c 0b da 19 a1 05 eb P.6`TG...\......
*aaaQueueReader: Aug 20 09:35:15.338: 000000a0: af 2b .+
*aaaQueueReader: Aug 20 09:35:17.053: AuthenticationRequest: 0x2ab12b50 -
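As an added example (this is not code from the original post), the following Python reassembles the two hex dumps above, the wired client's Access-Request (id 188) and the Access-Accept (id 190) logged for the wireless client, and decodes them as RADIUS packets. The dump lines are copied from the debug output on this page; the parser, the attribute tables and the helper names are the example's own, following RFC 2865 and the Airespace (Cisco WLC, vendor id 14179) vendor dictionary.

```python
import re
import struct
from ipaddress import IPv4Address

# Added example (not from the original post): decode the RADIUS packets in the WLC
# "debug aaa" hex dumps above. Attribute names follow RFC 2865; the vendor table covers
# the Airespace (Cisco WLC, vendor id 14179) VSA that appears in the wired request.

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 26: "Vendor-Specific", 27: "Session-Timeout",
              30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
              61: "NAS-Port-Type", 80: "Message-Authenticator"}
STRING_ATTRS, IPADDR_ATTRS, INTEGER_ATTRS = {1, 30, 31, 32}, {4}, {5, 6, 27, 61}
ENUMS = {6: {1: "Login", 2: "Framed"}, 61: {15: "Ethernet", 19: "Wireless-802.11"}}
VENDORS = {14179: ("Airespace", {1: "Airespace-Wlan-Id"})}
# One dump line: "<8-hex-digit offset>: <up to 16 hex bytes> <ASCII column>"
HEXLINE = re.compile(r"\b([0-9a-fA-F]{8}):\s+((?:[0-9a-fA-F]{2}(?:\s+|$)){1,16})")


def hexdump_to_bytes(dump: str) -> bytes:
    """Reassemble a WLC debug hex dump into the raw packet, requiring contiguous offsets."""
    buf = bytearray()
    for m in HEXLINE.finditer(dump):
        if int(m.group(1), 16) != len(buf):
            raise ValueError(f"hex dump not contiguous at offset {m.group(1)}")
        buf += bytes.fromhex(m.group(2))  # fromhex ignores the separating whitespace
    return bytes(buf)


def decode_attr(atype: int, value: bytes):
    """Return (attribute name, decoded value); passwords and authenticators stay as hex."""
    name = ATTR_NAMES.get(atype, f"Attr-{atype}")
    if atype in STRING_ATTRS:
        return name, value.decode("utf-8", "replace")
    if atype in IPADDR_ATTRS and len(value) == 4:
        return name, str(IPv4Address(value))
    if atype in INTEGER_ATTRS and len(value) == 4:
        n = int.from_bytes(value, "big")
        return name, ENUMS.get(atype, {}).get(n, n)
    if atype == 26 and len(value) >= 6:  # Vendor-Specific: vendor id(4) type(1) len(1) data
        vendor_id, vtype, vlen = int.from_bytes(value[:4], "big"), value[4], value[5]
        if vlen < 2 or 4 + vlen > len(value):
            raise ValueError("malformed Vendor-Specific attribute")
        vendor, vsa_names = VENDORS.get(vendor_id, (f"Vendor-{vendor_id}", {}))
        data = value[6:4 + vlen]
        vval = int.from_bytes(data, "big") if len(data) == 4 else data.hex()
        return f"{vendor}/{vsa_names.get(vtype, f'VSA-{vtype}')}", vval
    return name, value.hex()


def parse_radius(pkt: bytes) -> dict:
    """Parse header and attribute list; every length is checked against the packet length."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError(f"length field {length} does not fit {len(pkt)} received bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs.append(decode_attr(atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident, "length": length,
            "authenticator": pkt[4:20].hex(), "attrs": attrs}


def attr(parsed: dict, name: str):
    """First value of the named attribute, or None if absent."""
    return next((v for n, v in parsed["attrs"] if n == name), None)


def is_well_formed(pkt: bytes) -> bool:
    try:
        parse_radius(pkt)
        return True
    except ValueError:
        return False


# Dump lines copied from the debug output above: the wired-client Access-Request (id 188)...
WIRED_REQUEST_DUMP = r"""
*aaaQueueReader: Aug 20 09:35:15.338: 00000000: 01 bc 00 a2 2c fe c1 97 a7 d1 25 a0 59 34 89 38 ....,.....%.Y4.8
*aaaQueueReader: Aug 20 09:35:15.338: 00000010: c1 be 59 f3 01 1b 6d 61 68 65 62 6f 6f 62 2e 6b ..Y...maheboob.k
*aaaQueueReader: Aug 20 09:35:15.338: 00000020: 68 61 6e 40 61 6d 61 64 65 75 73 2e 63 6f 6d 02 [email protected].
*aaaQueueReader: Aug 20 09:35:15.338: 00000030: 12 37 c7 5c 52 27 41 5b 0d 60 98 70 76 3b b3 ba .7.\R'A[.`.pv;..
*aaaQueueReader: Aug 20 09:35:15.338: 00000040: f5 06 06 00 00 00 01 04 06 ac 16 cd 74 05 06 00 ............t...
*aaaQueueReader: Aug 20 09:35:15.338: 00000050: 00 00 0d 20 0b 42 4c 52 57 4c 43 4f 30 31 3d 06 .....BLRWLCO01=.
*aaaQueueReader: Aug 20 09:35:15.338: 00000060: 00 00 00 0f 1a 0c 00 00 37 63 01 06 00 00 02 02 ........7c......
*aaaQueueReader: Aug 20 09:35:15.338: 00000070: 1f 10 31 37 32 2e 32 32 2e 32 30 37 2e 31 35 31 ..172.22.207.151
*aaaQueueReader: Aug 20 09:35:15.338: 00000080: 1e 10 31 37 32 2e 32 32 2e 32 30 35 2e 31 31 36 ..172.22.205.116
*aaaQueueReader: Aug 20 09:35:15.338: 00000090: 50 12 36 60 54 47 0b 84 02 5c 0b da 19 a1 05 eb P.6`TG...\......
*aaaQueueReader: Aug 20 09:35:15.338: 000000a0: af 2b .+
"""
# ...and the Access-Accept (id 190) logged for the wireless client.
ACCEPT_DUMP = r"""
*radiusTransportThread: Aug 20 09:44:30.516: 00000000: 02 be 00 1a 0c 8e d4 54 91 55 d6 ae b2 91 05 6e .......T.U.....n
*radiusTransportThread: Aug 20 09:44:30.516: 00000010: 93 f9 4b 7e 1b 06 00 21 70 70 ..K~...!pp
"""

if __name__ == "__main__":
    for parsed in (parse_radius(hexdump_to_bytes(d)) for d in (WIRED_REQUEST_DUMP, ACCEPT_DUMP)):
        print(f"{parsed['code']} id={parsed['id']} length={parsed['length']}")
        for n, v in parsed["attrs"]:
            print(f"  {n} = {v}")
```

Decoding the wired request shows Service-Type = Login, NAS-IP-Address 172.22.205.116, NAS-Port-Type = Ethernet, NAS-Identifier BLRWLCO01, the Airespace-Wlan-Id VSA (value 514) and Calling-Station-Id 172.22.207.151, the client IP rather than a MAC address as in the wireless case. These are the attributes an authorization rule on the RADIUS server can match, so they are the first thing to compare between the wired and the wireless request when only one of them gets an Access-Accept. The Access-Accept decodes to a single Session-Timeout of 2191472 seconds. The parser refuses packets whose length field disagrees with the bytes received and bounds every attribute length against the packet length, so a malformed length cannot make it read outside the buffer.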
Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
-My customer does not want to push the NAC Agent installation to BYOD-type computers (computers not managed by the company).
-The requirement is to check posture only on company-owned wired, wireless and VPN-connected Windows computers. The rest of the endpoints should be considered posture non-compliant, and limited access to the network should be allowed.
-No certificates are used.
-I've configured the required posture check, and it all works fine if a PC has the NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without the NAC Agent, it is redirected to the Client Provisioning Portal and is stuck there, as Client Provisioning is deliberately not configured in ISE.
-If I remove the Posture Remediation Authorization Profile that does the URL redirect, posture does not work.
-For now I'm testing it on wired endpoints.
Is there a way to configure ISE to fulfill the requirements listed above?
Any ideas would be appreciated.
Thanks,
Val Rodionov

Everyone who reads this article,
I'm answering my own question "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
The answer is Yes.
After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
ISE configuration:
Posture General Settings - Default Posture Status = NonCompliant
Client Provisioning Policy - no rules defined
Posture Policy - configured per requirements
Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
Authorization Policies configured as regular posture policies
The result:
After successful dot1x authentication, the posture redirect happens. If the PC does not have the NAC Agent preinstalled, the browser is redirected to the Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply an access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned the NonCompliant posture status and the proper authorization policy is applied. This is what I wanted to achieve.
If the NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs the posture check. If posture is successful, the posture-compliant authorization policy is applied. If the posture check fails, the NonCompliant posture status is assigned and the posture non-compliant authorization policy is applied, which is the expected and needed result.
The only part that is not perfect is the message displayed to the end user when posture is about to fail. I did not find a place to change the text of that message. I might need to open a TAC case so that this file can be manually found and edited from the CLI (root access).
Best,
Val Rodionov