WLC FlexConnect WLAN local authentication and central web authentication maximum RTT
Hi
The link below mentions that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148.
Does this limitation also apply to web authentication?
Thanks
Anyone???
Central Web Auth (CWA) works differently on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have a similar setup.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
If so, please post screenshots of your configs (redirect ACLs, policies in ISE and the WLC SSID settings).
Also, the version of code that you are running in ISE and your controller.
Thank you for rating helpful posts!
Similar Messages
-
ISE and central web authentication
Hello all,
I have followed the steps in this document in detail:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
however, my central authentication does not work. I get to the guest portal, I get authenticated through the guest portal,
but then the "second" MAB authentication doesn't happen.
In the last screencapture of the document, you get a green "Dynamic Authorization" line (third line from below). On my system
this is a red line with the error message "11213 No response received from Network Access Device".
(I have a successful guest authentication in my ISE logs, but it seems ISE is unable to bounce or initiate the second MAB....)
Any ideas ?
regards,
Geert
By the way, I feel the document example is a bit too general. For example, if you implement the document, ISE will do web authentication and redirection even when you are using an 802.1X client and are authenticated (and you have no other rules in your Authorization sequence table).
I managed to prevent this by adding an additional condition to the first rule "MAC not known" that has the CentralWebAuth policy. Only do web authentication if MAC not known AND Wired_MAB is being used. -
Local Web Authentication Started after Central Web Authentication
Hi everyone,
We have a DMZ based anchor WLC for a guest WLAN. I have this WLAN configured for central web authentication using ISE 1.2, this works correctly and can login using the guest portal.
However, after logging when browsing to a website everything is redirected to the local web authentication page and the policy manager state for the client goes in to a WEBAUTH_REQD state. I currently don't have any layer 3 security configured for this WLAN, so from my understanding it should just be using the central authentication provided by ISE.
Thanks for your help.
Mark
Hi Mark,
Thanks - that looks very similar to ours, though I'm doing the 3850 via the CLI as the web UI keeps dying when I click into things.
I've realised that I unticked the Authentication servers box instead of the Accounting one as I misread the WLC page; however, while the LWA no longer kicks in, I'm unable to pass anything except DNS traffic. The Anchor says that the client is in "Webauth" state so it looks like it's expecting something, but ISE says it's all OK and I can see the 3850 traffic going through the process flow.
If I attach an AP to the WLC directly and have the accounting box ticked, then it all works exactly as I'd expect - this is just, well, odd....
Warmest
Kev -
Not Working-central web-authentication with a switch and Identity Service Engine
Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, I'm asking for your help...
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
spanning-tree portfast
end
The ACLs:
Extended IP access list webauth
10 permit ip any any
Extended IP access list redirect
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443
The ISE side configuration I followed step by step...
When I connect the XP client, I see the following authentication session...
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.184
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000490AC1A9E2
Acct Session ID: 0x00000077
Handle: 0xB7000049
Runnable methods list:
Method State
mab Authc Success
But there is no redirection, and I get the following message on the switch console:
756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
I have to mention I'm using an http proxy on port 8080...
Any Ideas on what is going wrong?
Regards
Nuno
OK, so I upgraded the IOS to version
SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
I tweaked the ACLs to the following:
Extended IP access list redirect
10 permit ip any any (13 matches)
and created a DACL that is downloaded along with the authentication
Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
10 permit ip any any
I can see the epm session
swlx0x0x#show epm session ip 172.22.3.74
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
And authentication
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.74
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000160042BD98
Acct Session ID: 0x0000001B
Handle: 0x90000016
Runnable methods list:
Method State
mab Authc Success
on the logging, I get the following messages...
017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
What am I missing? -
Cisco vWLC and Central Web Authetication ISE Issue
Hello!
I have an issue with Wireless Central Web Authentication. Wired CWA is working fine.
My APs are working in FlexConnect mode with local switching. When I connect to the WLAN with CWA, the web page with the guest portal is not opening, but I see that the redirect is working...
When I try to ping ISE, I get a strange result:
y@5733Z:~$ ping 10.10.2.47
PING 10.10.2.47 (10.10.2.47) 56(84) bytes of data.
64 bytes from 10.10.2.47: icmp_seq=5 ttl=63 time=1.45 ms
64 bytes from 10.10.2.47: icmp_seq=8 ttl=63 time=2.22 ms
64 bytes from 10.10.2.47: icmp_seq=10 ttl=63 time=1.43 ms
^C
--- 10.10.2.47 ping statistics ---
21 packets transmitted, 3 received, 85% packet loss, time 20106ms
rtt min/avg/max/mdev = 1.430/1.703/2.223/0.367 ms
When I change the security method on the WLAN to open or any other, ping to ISE works fine. Please help!
Central Web Auth (CWA) works differently on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have a similar setup.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
If so, please post screenshots of your configs (redirect ACLs, policies in ISE and the WLC SSID settings).
Also, the version of code that you are running in ISE and your controller.
Thank you for rating helpful posts! -
I have downloaded the new Cisco ISE, and I've managed to configure 802.1x and MAB successfully, but I want to configure wired centralized web authentication, and I cannot find any documentation on how to configure ISE and Cisco Catalyst (IOS) switches to use this feature (I only find (limited) documentation about local web auth on the switch).
I want to achieve the following authentication order on a switchport:
802.1x
MAB
central web authentication
So if a guest user comes with his laptop, 802.1x is not configured on his laptop and he's not in the Mac Bypass DB, he should "failover" to web auth and get the ISE guest portal webpage with his web browser. There he enters a guest username and password (which is of course already in the ISE DB) and he should get web access.
I've configured the switchport with the following commands
switchport access vlan 99
switchport mode access
switchport voice vlan 50
authentication event no-response action authorize vlan 32
authentication host-mode multi-domain
authentication order dot1x mab webauth
authentication port-control auto
authentication violation protect
authentication fallback webprofile
mab
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 2
spanning-tree portfast
spanning-tree bpduguard enable
The web profile has an access list that permits DHCP traffic between the attached device and any DHCP server in VLAN 99, and communication with ISE (also in VLAN 99), at the moment "fallback webprofile" is triggered (I don't know if this should be configured with central web auth?).
SW01T#sh fallback profile webprofile
Profile Name: webprofile
Description : webauth profile
IP Admission Rule : NONE
IP Access-Group IN: 133
FYI, the access list:
Extended IP access list 133
10 permit ip any host 10.175.0.29
30 permit udp any any eq bootps
40 permit udp any eq bootpc any
In the ISE, I configured DOT1x and MAB. In the MAB profile, I configured "continue" if user is unknown, and then an authorization profile for the web authentication:
(attributes of the profile):
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=webauth
cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&portal=https://10.175.0.29:8443/guestportal/gateway?sessionId=SessionIdValue&portal=http&action=cwa&action=cwa
But it doesn't work. If I attach a device, it tries 802.1x, it tries MAB, then it fails over to "web authentication" but immediately fails with "no-response" message:
001420: Jul 1 12:09:19: %AUTHMGR-5-START: Starting 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001422: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001423: Jul 1 12:09:19: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003
Is there some configuration guide or steps available in order to make this work please?
kind regards
Hi Tarik,
thank you for the fast reply.
I've configured the extra settings you told me (although I thought the IP admission configuration was only for local web authentication, where the switch acts as an HTTP server).
But it still doesn't work. The pc is getting the ip address from the dhcp server but if I open a browser session, I do not get redirected to the ISE portal in order to log me in with a Guest account.
If I look at the authentication session of the port, it looks like the ISE has correctly sent the redirect acl and redirect url to the switchport:
Switch# show auth sessions int fa 1/0/3
Interface: FastEthernet1/0/3
MAC Address: 0011.25d7.6c6c
IP Address: 10.175.0.229
User-Name: 001125d76c6c
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: webauth
URL Redirect: https://ISE.onemrva.priv:8443/guestportal/gateway?session
Id=0AAF003E0000175A43004FE3&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AAF003E0000175A43004FE3
Acct Session ID: 0x000018CF
Handle: 0xEF00075B
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
webauth Not run
As you can see, the "web authentication" is the result of a "successful MAB". This is because I had to configure ISE to continue on MAB if the user was not found (I found that somewhere in the documentation). Then I have configured a default authorization profile where the "web authentication" is triggered. This is where I've configured the redirect-url and so on, and this is of course sent to the switch as a successful MAB:
authorization profile "webauthentication" with the "centralized web authentication" settings configured (see attributes output):
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=webauth
cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
Actually, I really have no idea if I have correctly configured ISE to handle central web authentication...
If I check the "show ip admission cache", nothing is seen in there. -
We have Cisco Wireless with ISE (Identity Service Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest tries to browse the internet, they are redirected to the guest portal for authentication. So only corporate guests with a valid password can pass the portal authentication. This has been working fine for Windows machines, Android, and Apple devices with earlier OS versions (working on OSX 10.8.5). For clients that have been upgraded to OSX 10.10.1 or iOS 8, they can no longer load the CWA redirection page.
Please let us know if there's any setting under the OSX to solve the issue, or plan from apple to fix the issue on the next OSX/IOS release ?
thanks - ciscosx
Robert,
Manual assignment has been made available in ISE 1.2 release.
M. -
Same wlan both locally switched and centrally switched
Scenario:
1 virtual wireless controller
50 access points, some of them local to the controller (same site), others on remote sites, all in FlexConnect mode.
Is there a way for a WLAN to be locally switched for a group of APs, essentially those local to the controller, and centrally switched for other groups of APs, in fact those placed on remote sites?
I've tried configuring FlexConnect groups and AP groups, but no luck; I've found no way to override the globally configured flag "FlexConnect local switching".
I've also tried to create two identical WLANs, one locally switched and the second centrally switched, but the WLC refuses to activate the second one since it has the same SSID as the first one.
Regards,
Massimo.
Since you have a vWLC, all APs need to be in FlexConnect mode (if you had a normal WLC you could keep the HQ APs in local mode and the remote APs in Flex mode to achieve this).
I think in your case you have to either choose "Central Switching" or "local switching" for your APs.
Regards
Rasika
**** Pls rate all useful responses **** -
WiSM and GUEST web authentication
I have a WiSM and we use Cisco open web authentication with a user email address.
When performing this command via CLI:
>config network secureweb disable
>save config
> reset system
Will this make the web authentication come up HTTP instead of HTTPS?
That command relates to how you manage the unit.
However, there used to be a workaround: when you disable HTTPS and SSH and reboot the WLC, the web authentication will be shown as HTTP and not HTTPS.
Let me know if it works for you -
ISE Wired Central Web Authentication no url redirect
We are setting up ISE for wired guest access but are having trouble with the client being redirected. The switch gets the download from ISE and shows that it should use the URL redirect with the correct ACL.
ISEtest3560#show authentication sessions interface fastEthernet 0/2
Interface: FastEthernet0/2
MAC Address: 001d.09cb.78bd
IP Address: Unknown
User-Name: 00-1D-09-CB-78-BD
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-ISE-Only-52434fbe
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0003E600000039064485B1
Acct Session ID: 0x00000293
Handle: 0x95000039
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
From the client pc I can get name resolution for anything I ping. I also can ping the ise server by name. The ACL that is downloaded it as follows:
Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit ip any host 10.4.37.91
40 deny ip any any log
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.4.37.91
40 permit tcp any any eq www (13 matches)
50 permit tcp any any eq 443
51 permit tcp any any eq 8443
60 deny ip any any
The machine passes the authentication with MAB and hits the CWA authorization profile; ISE shows the client as "Pending", then the next entry above that in the log is the dACL getting pushed to the switch. Could part of the issue be that the device shows Unknown for IP address? The command ip device tracking is in the switch:
ISEtest3560#show running-config | include tracking
ip device tracking
ISEtest3560#
We have 802.1x clients working and the IP address for those do show up..
Please advise,
Thanks,
Joe
ISEtest3560#show ip access-lists interface fastEthernet 0/2
ISEtest3560#
Doesn't appear the dacl is being applied.
interface FastEthernet0/2
switchport access vlan 11
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 999
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree guard root
Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
41 permit ip any host 10.4.37.91
50 deny ip any any log (1059 matches)
Could the dACL be causing the issue with the Unknown, or is the Unknown causing the issue with the dACL?
Thanks,
Joe -
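An added example (my own code, not from any post in this thread) that models how a Cisco IOS port treats a packet under the redirect ACL and dACL Joe posted, and also covers the "matched with [acl=redirect]" followed by "Not an HTTP(s) packet" case from Nuno's log above. It assumes the documented CWA semantics: a permit in the URL-redirect ACL marks traffic for interception and a deny exempts it, only TCP 80/443 is actually intercepted, and both ACLs are first-match with an implicit deny; the packets and the 10.4.11.20 client address are constructed.

```python
"""Added example: model a Cisco IOS CWA port. The URL-redirect ACL selects traffic to
intercept (permit = redirect, deny = exempt); the dACL decides what is forwarded."""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport")
Ace = namedtuple("Ace", "seq action proto src sport dst dport")
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
HTTP_PORTS = {80, 443}  # assumption: only plain HTTP/HTTPS is intercepted ("Not an HTTP(s) packet")
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(ip|tcp|udp|icmp)\s+(.+?)"
                    r"(?:\s+log)?(?:\s+\(\d+ matches\))?\s*$")


def _endpoint(toks, i):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq <port>'; return (addr, port, next_i)."""
    addr = toks[i + 1] if toks[i] == "host" else toks[i]
    i += 2 if toks[i] == "host" else 1
    port = None
    if i < len(toks) and toks[i] == "eq":
        port = int(toks[i + 1]) if toks[i + 1].isdigit() else PORT_NAMES[toks[i + 1]]
        i += 2
    return addr, port, i


def parse_acl(text):
    """Parse `show ip access-lists` output into Ace tuples; the header line is skipped."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, proto, rest = m.groups()
            toks = rest.split()
            src, sport, i = _endpoint(toks, 0)
            dst, dport, _ = _endpoint(toks, i)
            aces.append(Ace(int(seq), action, proto, src, sport, dst, dport))
    return aces


def matches(ace, p):
    """'ip' matches any protocol; 'any' matches any address; no 'eq' matches any port."""
    if ace.proto not in ("ip", p.proto):
        return False
    ok_src = ace.src in ("any", p.src) and ace.sport in (None, p.sport)
    ok_dst = ace.dst in ("any", p.dst) and ace.dport in (None, p.dport)
    return ok_src and ok_dst


def lookup(acl, p):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, p):
            return ace.action, ace.seq
    return "deny", None


def classify(redirect_acl, dacl, p):
    """Return whether the packet is redirected to the portal and whether the dACL forwards it."""
    r_action, r_seq = lookup(redirect_acl, p)
    d_action, d_seq = lookup(dacl, p)
    redirected = r_action == "permit" and p.proto == "tcp" and p.dport in HTTP_PORTS
    note = "matched redirect ACL but not an HTTP(s) packet" if r_action == "permit" and not redirected else ""
    return {"redirect": redirected, "redirect_ace": r_seq,
            "forward": d_action == "permit", "dacl_ace": d_seq, "note": note}


# ACLs copied from Joe's post above; the client address used below is constructed.
REDIRECT_ACL = parse_acl("""Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.4.37.91
40 permit tcp any any eq www (13 matches)
50 permit tcp any any eq 443
51 permit tcp any any eq 8443
60 deny ip any any""")
DACL = parse_acl("""Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit ip any host 10.4.37.91
40 deny ip any any log""")
# Constructed client opening an HTTP page on the internet: redirected, but the dACL alone would drop it.
EXAMPLE = classify(REDIRECT_ACL, DACL, Packet("tcp", "10.4.11.20", "93.184.216.34", 51001, 80))
```

The portal case (TCP 8443 to 10.4.37.91) is exempted by entry 30 of the redirect ACL and permitted by entry 30 of the dACL, which is what lets the guest reach the login page once redirected.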
Hi,
Can we still change Local SLD to Central SLD after the installation has been done?
Rgds,
Hapizorr Rozi Alias
Hello Rozi/Naveen,
Yes, you can change the SLD configuration from central to local or vice versa...
Please check the following SAP Note for your ready reference
Note 720717 - Reduce the number of System Landscape Directories (SLD)
If useful then give reward points..
Thanks -
WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)
Hi there,
Is it possible to use sleeping clients when using ISE and CWA?
I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
Or is the only solution to use LWA?
Controller-> General-> User Idle Timeout (seconds) = 50 000 sec.
And your users will be connected all this time even if they go into sleep mode.
Be careful with CPU loading -
Central Web Authentication Fail - This device has not been registered.
Dear All,
I have a problem when applying CWA. I have a WLC and ISE.
I want all users (all types of device) that want to access my network by Wi-Fi to be authenticated by AD,
but the user can't connect to the network, only authenticate.
My ISE Authorization rule:
if
(Wireless_MAB AND AD1:ExternalGroups EQUALS example.com/Users/Domain Users)
Anyone, have experience like this before, please share..
nb: my ISE license is Base Package
Thanks!!
I followed the configuration guide from here:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
but, my authentication always fail with redirect to device registration,
when user connect the ssid and input the username and password based on active directory,
then browser will show up like this :
1. Access with Windows :
Device Registration
This device has not been registered.
You need to manually configure your device. Contact your system administrator for assistance.
Your device configuration is not supported by the setup wizard.
Device ID : my-workstation-mac-address-
Description :
2. Access with Android
Device Registration
This device has not been registered.
You need to manually configure your device. Contact your system administrator for assistance.
Unsopported operating system type encountered.
Device ID : my-android-mac-address-
Description :
Thanks, -
Difference Between Local IE And Central IE
Hi All,
What is the difference between the local Integration Engine And the Central Integration Engine ???
Please Explain me
Regards
Vamsi
The systems on which SAP WAS is installed have Integration Engine as one of their components. Now for PI/XI also WAS is a must. Therefore PI/XI also has an Integration Engine, called the Integration Server.
Now talking in terms of PI/XI, Integration Server has Adapter Engine, Integration engine (for pipeline steps) and Business Process Engine. This Integration Server is the central Integration Engine.
The Integration Engine of other systems is termed as local Integration Engine
Regards,
Prateek -
Cisco ISE Central Web authentication not working
Hello Guys,
CWA is not working. It says that authentication succeeded but posture status is pending. No error in my Monitor--authentication. Checking it in my Windows 7, it does not show the CWA portal.
What might be the possible cause of this?
thanks
Kindly review the below links:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml