Central Web Authentication on Cisco Catalyst Switch (3560 or 3750-X - 12.2(55) SE.X) and Cisco ISE version 1.2
A guest is someone who needs temporary, restricted access to your network: usually a visitor or a contractor. Guests are normally limited to Internet access. A guest sponsor is an employee who has the right to create guest accounts; sponsors create and hand out guest usernames and passwords to their visitors. This is commonly a function of the front-desk receptionist, who already checks visitors in: as visitors arrive, the receptionist checks them in and, if required, provides guest access for the duration of their visit.
Guest services are provided via a web authentication (WebAuth) method that requires the guest to use a browser to connect. ISE supports two deployment modes: Central Web Authentication (CWA) and Local Web Authentication (LWA).
Local Web Authentication vs. Central Web Authentication
1. In Local Web Authentication (LWA) the web pages are served by the network access device (switch or WLC) itself, whereas in Central Web Authentication (CWA) the NAD redirects the browser to ISE and the pages are served centrally by ISE.
2. In LWA the NAD collects the credentials and drives the authentication exchange (locally or against its RADIUS server); in CWA the guest submits the credentials directly to the ISE portal, and ISE, the RADIUS server, performs the authentication and then updates the NAD through CoA.
3. LWA does not support Change of Authorization (CoA). CWA supports CoA, which is also what makes posture assessment and profiling possible for guest sessions.
4. With LWA, authorization enforcement uses ACLs only; VLAN assignment is not supported. CWA supports both ACLs and VLANs for authorization enforcement.
5. With LWA each NAD holds its own portal files and customization. With CWA the portal settings are maintained centrally within ISE.
Lab: Implement Wired Central Web Authentication for Guests
Activity Objective
In this activity, you will configure and deploy Central Web Authentication for enterprise guests. Central Web Authentication can provide access to users on devices that do not have an 802.1X supplicant. You will configure the MAB authentication policy to continue if the user is not found in the local user database, and you will modify the authorization policy to enable WebAuth for enterprise guests.
Lab objectives:
- Implement Central Web Authentication on a switch
- Configure ISE authentication and Authorization for Web Authentication
Task 1: Configure Switch for Central Web Authentication
In this task, you will prepare SW6 to support Central Web Authentication. You will enable CoA on the switch, configure an ACL that selects the traffic to be redirected to the web authentication portal, enable the HTTP and HTTPS services on the switch, and configure interface G1/0/20 (where the Guest-PC attaches) for dynamic authentication and authorization.
Activity Procedure
Complete the following steps:
Step 1 On the switch, enable Change of Authorization (CoA), specifying ISE (10.11.11.130) as the dynamic-authorization client. CoA lets ISE push an updated authorization to the switch when ISE recognizes a change in the session's state. In this lab the initial authorization redirects web traffic to the ISE Web Authentication portal; after the user authenticates successfully, ISE uses CoA to have the switch re-authenticate the session and apply the user-specific profile. Use the same shared secret as in the radius-server key configuration.
aaa server radius dynamic-author
 client 10.11.11.130 server-key 0 cisco123
 exit
!
! cisco123 is the same key used in the radius-server key command
Note: A CoA request (UDP 1700 by default on IOS) is authenticated only by this shared secret. Anyone who can reach the switch and knows it can terminate or re-authorize sessions, so use a strong secret that is specific to the ISE deployment rather than a lab value such as cisco123.
Step 2 Configure the ACL that classifies which traffic is redirected to Web Authentication. On Cisco IOS a permit entry in the redirect ACL means "intercept and redirect"; a deny entry means "leave alone". This ACL does not block anything by itself. The ACL below matches HTTP (TCP/80), HTTPS (TCP/443) and TCP/8443. It will be referenced by name from an authorization profile on Cisco ISE, so the name must match exactly.
ip access-list extended WEBAUTH-REDIRECT-ACL
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8443
 exit
Note: As written, this ACL also matches the guest's own traffic to the ISE portal on 8443 (the match counters at the end of this lab show it). Cisco's CWA configuration examples start the redirect ACL with a deny entry for the ISE policy service node (here, deny ip any host 10.11.11.130) so that portal traffic is never a redirect candidate.
Step 3 Generate an RSA key pair and enable the HTTP and HTTPS services. The RSA key pair is needed for the switch's HTTPS server; the switch must run both services to intercept web requests and redirect them to the Central Web Authentication portal on Cisco ISE.
ip domain-name ccieacademy.com
crypto key generate rsa general-keys modulus 1024
ip http server
ip http secure-server
Note: The lab uses a 1024-bit modulus, which is below today's minimum for RSA; use 2048 where the platform supports it (key generation on these switches takes noticeably longer). Enabling these services also exposes the switch's own web management interface on the same ports. On IOS releases that support it, ip http active-session-modules none and ip http secure-active-session-modules none disable the management pages while leaving the redirect function intact.
Step 4 This lab exercise uses the Guest-PC to demonstrate Web Authentication. The Guest-PC is connected to interface G1/0/20 on SW6. The port runs MAB first and falls back to 802.1X; if a method fails the next one is tried, the re-authentication interval is taken from the server, and a session is cleared after 1000 seconds of inactivity (the "Idle timeout: 1000s (local)" seen later in the switch output).
interface GigabitEthernet1/0/20
 switchport access vlan 50
 switchport mode access
 authentication event fail action next-method
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 1000
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
 exit
Task 2: Configure ISE Authentication for Web Authentication
In this task, you will make sure the MAB authentication policy continues when the user (MAC address) is not found in the identity store, and you will tune the default guest portal settings by disabling the self-provisioning flow.
Activity Procedure
Complete the following steps:
Step 1 Examine and tune the default guest portal settings:
a. Go to Administration > Web Portal Management > Settings > Guest > Multi-Portal Configurations > Default Guest Portal.
b. Click the Operation tab. Uncheck Enable Self-Provisioning Flow and Require Guest user to change password at Expiration and first login, then click Save.
Note: Disabling the forced password change is a lab convenience. Sponsor-created guest passwords are often handed over on paper or read out at a front desk, so in production keep the change-at-first-login requirement.
c. Click the Authentication tab. Examine which identity store sequence is used by default. You should see that Guest_Portal_Sequence is the default selection. When web traffic is later redirected to WebAuth, this source sequence defines the user databases to consult.
d. Go to Policy > Authentication and open the MAB rule. Confirm that its identity source is Internal Endpoints and that the If user not found option is set to Continue; set it if it is not. This is what lets a request for an unknown MAC address proceed into the authorization policy instead of being rejected outright, and the rest of this lab depends on it.
Step 2 In the previous task, you configured 802.1X and MAB on interface G1/0/20, and there has been some authentication activity since. Examine the failed access attempts through interface GigabitEthernet1/0/20:
a. Go to Operations > Authentications and view the access attempts.
b. Click the details button and examine the failure reason, then the steps listed on the right-hand side of the details report. The Guest-PC MAC address is not found in the internal endpoints database; because the MAB rule continues on an unknown user, the request reaches the authorization policy, where only the Default rule matches and returns the DenyAccess authorization profile. DenyAccess results in a RADIUS Access-Reject.
Task 3: Configure ISE Authorization to Enforce Traffic Redirection
You will start this task by creating a new dACL that controls what the endpoint may do before web authentication. You will then create an authorization profile, named Central-WEBAUTH, that references the dACL and enforces redirection of web traffic to the WebAuth portal. Authorization profiles have to be referenced by authorization policy rules, so you will configure a rule that pushes the Central-WEBAUTH profile when MAB finds no matching endpoint; this state is recognized with the condition Network Access:UseCase Equals Host Lookup. You will finish by verifying the behavior from the Guest-PC. As configured in the previous task, when the MAC address is not found the process continues: the result is passed to the authorization policy, which matches the web authentication rule, and the NAD is instructed to redirect HTTP and HTTPS traffic to the ISE web authentication portal.
Activity Procedure
Complete the following steps:
Step 1 Create a new dACL named Pre-WebAuth-ACL that permits basic networking services and communication with the policy service features in ISE.
a. In ISE, navigate to Policy > Policy Elements > Results, Authorization > Downloadable ACLs.
b. Click Add.
c. Enter Pre-WebAuth-ACL in the Name field.
d. Define the ACL entries so that basic networking services (DHCP, DNS) and communication with the ISE policy service node are permitted, together with the HTTP and HTTPS traffic that the redirect ACL will intercept. Traffic the dACL does not permit is dropped before the redirect ACL is ever consulted.
e. Expand the Check DACL Syntax option. If it does not report that the DACL syntax is valid, recheck your work.
f. Click Submit.
Step 2 Create a new authorization profile (Policy > Policy Elements > Results, Authorization > Authorization Profiles > Add). Configure these attributes:
a. Name: Central-WEBAUTH
b. Access Type: ACCESS_ACCEPT
c. dACL: Pre-WebAuth-ACL
Note: This ACL controls the traffic allowed before the user is authenticated by WebAuth.
d. Web Redirection: Centralized, ACL: WEBAUTH-REDIRECT-ACL, Redirect: Default
Note: This ACL does not block traffic. It specifies which of the allowed traffic is redirected to the web authentication portal.
Note: Make sure the redirect ACL name matches exactly the ACL configured on the switch. ISE sends only the name; the switch looks the ACL up locally, and a typo leaves the session authorized with no redirect.
Note: The goal is to push this authorization profile to the authenticating interface on the NAD when the endpoint has no supplicant (so 802.1X does not complete) and its MAC address is not in ISE's internal endpoint database (so MAB finds nothing). In the previous task, you confirmed that the MAB authentication rule continues when the user (MAC address) is not found. In the next step, you will configure an authorization policy rule that applies this authorization profile under those circumstances. With the profile pushed to the NAD, web traffic generated by the user on the endpoint is redirected to Web Authentication.
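The two notes above describe two ACLs doing two different jobs, and the order in which the switch applies them is easy to get backwards. The following Python model, added here as an illustration and not part of the original lab or of any Cisco code, walks a few constructed packets from the Guest-PC through the dACL first and the redirect ACL second. The WEBAUTH-REDIRECT-ACL entries are the ones configured on SW6 in Task 1; the Pre-WebAuth-ACL entries and the use of 10.11.11.130 as the portal address are assumptions, and the model deliberately ignores source addresses and which ports the switch's HTTP server listens on.

```python
"""Simplified model of what happens to a guest's packet once SW6 has the
Central-WEBAUTH profile applied to the port.  Added example written for
this page (not Cisco code).  The redirect ACL entries are the ones
configured on SW6; the Pre-WebAuth-ACL entries and the ISE address are
assumptions about the lab."""

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


def parse_ace(line):
    """Parse '<permit|deny> <proto> any <any|host A.B.C.D> [eq <port>]',
    the subset of IOS extended-ACL syntax used on this page."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    if tok[2] != "any":
        raise ValueError("model only handles 'any' as source: " + line)
    i = 3
    if tok[i] == "host":
        dst, i = tok[i + 1], i + 2
    else:
        dst, i = tok[i], i + 1
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return (action, proto, dst, dport)


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def ace_matches(ace, proto, dst, dport):
    _, a_proto, a_dst, a_dport = ace
    return ((a_proto == "ip" or a_proto == proto)
            and (a_dst == "any" or a_dst == dst)
            and (a_dport is None or a_dport == dport))


def evaluate(acl, proto, dst, dport):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, proto, dst, dport):
            return ace[0]
    return "deny"


def classify(dacl, redirect_acl, proto, dst, dport=None):
    """The dACL decides whether the packet is allowed at all; only an
    allowed packet is compared against the redirect ACL, where 'permit'
    means 'intercept and send the browser to the portal'."""
    if evaluate(dacl, proto, dst, dport) != "permit":
        return "drop"
    if evaluate(redirect_acl, proto, dst, dport) == "permit":
        return "redirect"
    return "forward"


ISE_PSN = "10.11.11.130"   # ISE address used as the CoA client on this page

# Assumed Pre-WebAuth-ACL: DHCP, DNS, ISE itself, and web traffic
# (web traffic must be permitted here, or there is nothing to redirect).
PRE_WEBAUTH_DACL = parse_acl("""
permit udp any any eq bootps
permit udp any any eq domain
permit ip any host 10.11.11.130
permit tcp any any eq www
permit tcp any any eq 443
""")

# WEBAUTH-REDIRECT-ACL exactly as configured on SW6 in Task 1.
REDIRECT_ACL_AS_CONFIGURED = parse_acl("""
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
""")

# Same ACL with the usual leading entry that exempts the portal itself.
REDIRECT_ACL_HARDENED = parse_acl("""
deny ip any host 10.11.11.130
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
""")


def walk(redirect_acl):
    """Classify a handful of constructed packets sent by the Guest-PC."""
    samples = [
        ("udp", "10.11.11.1", 53),       # DNS lookup
        ("tcp", "10.11.11.6", 80),       # http://10.11.11.6/ from the lab
        ("tcp", "93.184.216.34", 443),   # some HTTPS site
        ("tcp", "10.11.11.6", 22),       # SSH to the switch
        ("icmp", "10.11.11.6", None),    # ping
        ("tcp", ISE_PSN, 8443),          # the guest portal itself
    ]
    return {(p, d, port): classify(PRE_WEBAUTH_DACL, redirect_acl, p, d, port)
            for p, d, port in samples}


if __name__ == "__main__":
    for label, acl in (("as configured", REDIRECT_ACL_AS_CONFIGURED),
                       ("hardened", REDIRECT_ACL_HARDENED)):
        print(label)
        for pkt, verdict in walk(acl).items():
            print("  %-32s -> %s" % (pkt, verdict))
```

Run it as a script to print the verdict for each sample packet under both versions of the redirect ACL. The last sample is the point of the exercise: with the redirect ACL as configured, the guest's own connection to the portal on 8443 is itself a redirect candidate, and the leading deny for the ISE address is what removes it from consideration without blocking it.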
Step 3 In the authorization policy (Policy > Authorization), add a rule named GLOBAL-WEBAUTH directly above the last rule (Default). It will be used to enforce traffic redirection to Web Authentication.
a. Click the drop-down arrow near the Edit link of the Default rule and choose Insert New Rule Above.
b. Change the name from Standard Rule 1 to GLOBAL-WEBAUTH. In the Conditions field, select Create New Condition (Advanced Option).
c. Define the expression as follows: Attribute: Network Access: Use Case, Operator: Equals, Value: Host Lookup.
d. In the Permissions field, choose Standard > Central-WEBAUTH.
e. Click Save.
f. On the Guest-PC, open Network and Sharing Center and navigate to Change adapter settings.
g. Double-click the Guest NIC, click the Authentication tab, uncheck Enable IEEE 802.1X authentication, click OK and close all the windows. The Guest-PC now behaves like a device without a supplicant, so only MAB can succeed on the port.
Activity Verification
Step 1 View the access attempts in Cisco ISE (Operations > Authentications). You should see a successful authentication of the Guest-PC MAC address: authentication method MAB, authentication protocol Lookup, authorization profile Central-WEBAUTH. Right after it you should see the event documenting the download of the Pre-WebAuth-ACL dACL.
Step 2 Click the details link for the event in which the Central-WEBAUTH profile was applied and examine the steps listed on the right-hand side of the details report: the MAB lookup continues on the unknown MAC address, the GLOBAL-WEBAUTH rule matches, and the Central-WEBAUTH profile is returned.
Step 3 Examine the authentication and authorization of the client on the switch. ISE sent the switch the Pre-WebAuth-ACL dACL, the name of the URL redirect ACL, and the redirect URL; the redirect URL carries the common session ID. In the log below, the first session (AuditSessionID ending 100701997) ended in a MAB failure and a failover to 802.1X. The second session (ending 03007344DC), started after the Guest-PC's link bounced, is the one in which MAB succeeds because ISE continued on the unknown MAC address; the dACL is then downloaded and the URL Redirect and URL Match ACL policies are applied once the endpoint's IP address (172.50.10.1) is learned.
SW6#
*Mar 1 02:05:00.329: %AUTHMGR-5-START: Starting 'mab' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B060000000100701997
*Mar 1 02:05:00.338: %MAB-5-FAIL: Authentication failed for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B060000000100701997
*Mar 1 02:05:00.338: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B060000000100701997
*Mar 1 02:05:00.338: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B060000000100701997
*Mar 1 02:05:00.346: %AUTHMGR-5-START: Starting 'dot1x' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B060000000100701997
*Mar 1 02:05:48.966: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/20, changed state to down
*Mar 1 02:05:50.971: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/20, changed state to up
*Mar 1 02:05:52.154: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/20, changed state to down
*Mar 1 02:05:53.161: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/20, changed state to down
*Mar 1 02:05:54.369: %AUTHMGR-5-START: Starting 'mab' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000003007344DC
*Mar 1 02:05:54.419: %MAB-5-SUCCESS: Authentication successful for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000003007344DC
*Mar 1 02:05:54.419: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000003007344DC
*Mar 1 02:05:54.427: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| EVENT APPLY
*Mar 1 02:05:54.452: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT Auth-Default-ACL Attached Successfully
*Mar 1 02:05:54.461: %EPM-6-AAA: POLICY xACSACLx-IP-Pre-WebAuth-ACL-5614b4fe| EVENT DOWNLOAD-REQUEST
*Mar 1 02:05:54.754: %EPM-6-AAA: POLICY xACSACLx-IP-Pre-WebAuth-ACL-5614b4fe| EVENT DOWNLOAD-SUCCESS
*Mar 1 02:05:54.754: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| EVENT IP-WAIT
*Mar 1 02:05:55.459: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000003007344DC
*Mar 1 02:05:56.139: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/20, changed state to up
*Mar 1 02:05:57.145: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/20, changed state to up
*Mar 1 02:06:01.147: %EPM-6-IPEVENT: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
*Mar 1 02:06:01.155: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-Pre-WebAuth-ACL-5614b4fe| RESULT SUCCESS
*Mar 1 02:06:01.172: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ISE.ccieacademy.com:8443/guestportal/gateway?sessionId=0A0B0B0600000003007344DC&action=cwa| RESULT SUCCESS
*Mar 1 02:06:01.172: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME WEBAUTH-REDIRECT-ACL| RESULT SUCCESS
The session shown below is a later one (ending 05009082BE) than the one in the log above; the check is that the sessionId in the URL Redirect line equals the Common Session ID of the same output.
SW6#sh authentication sessions int g1/0/20
            Interface:  GigabitEthernet1/0/20
          MAC Address:  0022.4d6a.6fc2
           IP Address:  172.50.10.1
            User-Name:  00-22-4D-6A-6F-C2
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
              ACS ACL:  xACSACLx-IP-Pre-WebAuth-ACL-5614b4fe
     URL Redirect ACL:  WEBAUTH-REDIRECT-ACL
         URL Redirect:  https://ISE.ccieacademy.com:8443/guestportal/gateway?sessionId=0A0B0B0600000005009082BE&action=cwa
      Session timeout:  N/A
         Idle timeout:  1000s (local), Remaining: 986s
    Common Session ID:  0A0B0B0600000005009082BE
      Acct Session ID:  0x0000000A
               Handle:  0x06000005

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
Step 4 The Web Authentication policy is now in place on interface G1/0/20 for the Guest-PC. Submit a connection request from Internet Explorer on the Guest-PC.
a. Connect to the Guest-PC. If needed, log in as administrator with the password Cisc0123.
b. Open Internet Explorer and connect to the SW6 HTTP server (http://10.11.11.6/). You should be redirected to the guest portal.
Note: Any valid HTTP URL would do. With most browsers today, typing an arbitrary string into the address bar produces a search-engine query, and that query is intercepted and redirected to the portal in the same way. Be aware that when the intercepted request is HTTPS, the switch answers with its own self-signed certificate for a hostname the certificate does not cover, so the browser shows a certificate warning before the redirect; plain HTTP is the clean path into the portal.
c. Before authenticating, examine the redirection URL. Note that it carries the session ID.
Note: The common session ID is what keeps ISE and the switch in sync. The sessionId in the URL is identical to the Common Session ID shown on the switch for that session. Because it is carried in the URL, the portal can tie the credentials it receives to this particular switch session among all the WebAuth sessions running in parallel, and that is the session ISE's CoA will target after the login.
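The check a practitioner actually wants at this point is mechanical: does the sessionId in the redirect URL equal the session the switch is tracking, and is the redirect ACL name the one configured? The Python below, added here as an illustration and not part of the original lab, parses the show authentication sessions output and the %EPM-6-POLICY_APP_SUCCESS log lines shown above (copied from this page into string constants) and reports any mismatch. The expected ACL name and portal host are parameters; the field layouts it parses are the ones shown on this page.

```python
"""Consistency check over the switch's view of a CWA session.  Added
example written for this page; the sample text is copied from the SW6
output above.  It verifies that the session ID embedded in the redirect
URL is the session the switch tracks (Common Session ID / AuditSessionID)
and that the redirect ACL name is the configured one."""
import re
from urllib.parse import parse_qs, urlsplit

# Subset of 'show authentication sessions int g1/0/20' from this page.
SHOW_SESSION = """\
            Interface:  GigabitEthernet1/0/20
          MAC Address:  0022.4d6a.6fc2
           IP Address:  172.50.10.1
               Status:  Authz Success
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-Pre-WebAuth-ACL-5614b4fe
     URL Redirect ACL:  WEBAUTH-REDIRECT-ACL
         URL Redirect:  https://ISE.ccieacademy.com:8443/guestportal/gateway?sessionId=0A0B0B0600000005009082BE&action=cwa
    Common Session ID:  0A0B0B0600000005009082BE
"""

# Two %EPM-6-POLICY_APP_SUCCESS messages from the SW6 log on this page.
EPM_LOG = """\
*Mar 1 02:06:01.172: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ISE.ccieacademy.com:8443/guestportal/gateway?sessionId=0A0B0B0600000003007344DC&action=cwa| RESULT SUCCESS
*Mar 1 02:06:01.172: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000003007344DC| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME WEBAUTH-REDIRECT-ACL| RESULT SUCCESS
"""


def parse_show_session(text):
    """'Key:  value' lines -> dict; splitting on the first colon keeps URLs intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def parse_epm(line):
    """'%EPM-6-POLICY_APP_SUCCESS: K v| K v| ...' -> dict, or None for other lines."""
    m = re.search(r"%EPM-6-POLICY_APP_SUCCESS: (.*)$", line)
    if not m:
        return None
    fields = {}
    for seg in m.group(1).split("|"):
        key, _, val = seg.strip().partition(" ")
        if key:
            fields[key] = val.strip()
    return fields


def session_id_in_url(url):
    return parse_qs(urlsplit(url).query).get("sessionId", [None])[0]


def check_session(fields, redirect_acl, portal_host):
    """Return a list of findings; an empty list means the session is consistent."""
    findings = []
    url = fields.get("URL Redirect")
    if not url:
        return ["no URL Redirect on the session: the redirect profile was not applied"]
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("portal URL is not https: " + url)
    if (parts.hostname or "").lower() != portal_host.lower():
        findings.append("portal host %s is not the expected %s" % (parts.hostname, portal_host))
    sid, common = session_id_in_url(url), fields.get("Common Session ID")
    if sid != common:
        findings.append("sessionId in URL (%s) differs from Common Session ID (%s)" % (sid, common))
    if fields.get("URL Redirect ACL") != redirect_acl:
        findings.append("URL Redirect ACL %r is not the configured %r"
                        % (fields.get("URL Redirect ACL"), redirect_acl))
    return findings


def check_epm_log(text):
    """Same session-ID check on every URL Redirect policy event in a log."""
    findings = []
    for line in text.splitlines():
        f = parse_epm(line)
        if f and f.get("POLICY_TYPE") == "URL Redirect":
            sid = session_id_in_url(f["POLICY_NAME"])
            if sid != f.get("AuditSessionID"):
                findings.append("MAC %s: URL sessionId %s != AuditSessionID %s"
                                % (f.get("MAC"), sid, f.get("AuditSessionID")))
    return findings


if __name__ == "__main__":
    session = parse_show_session(SHOW_SESSION)
    print(check_session(session, "WEBAUTH-REDIRECT-ACL", "ISE.ccieacademy.com") or "session consistent")
    print(check_epm_log(EPM_LOG) or "log consistent")
```

Both checks return empty lists for the output on this page. Feeding the script a session whose URL carries a different sessionId, or a redirect ACL name that does not match what the switch holds, produces one finding per problem, which is exactly the symptom (guest lands on the portal but the login never unlocks the port, or no redirect at all) that is otherwise slow to diagnose.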
Step 5 Authenticate to the guest portal as test-guest1 with the password Cisc0123 and accept the AUP.
Step 6 You should be notified of success and instructed to retry the original request.
Step 7 Attempt to connect to http://10.11.11.6/ again. You are taken to the guest portal again, because you have not yet configured an authorization rule for guests authenticated via WebAuth. This is completed in the next task.
Step 8 Before configuring that rule, examine ISE's live authentications at Operations > Authentications. You should see that, after the Central-WEBAUTH profile was applied, the user test-guest1 did pass guest authentication. Authorization then failed: no authorization rule matched the guest-authenticated user, so the Default rule applied, and the Central-WEBAUTH profile was applied again.
Task 4: Configure ISE Authorization Rule for Guests Authenticated via WebAuth
In this task, you will add an authorization policy rule for guests who have authenticated via WebAuth. The rule requires that the user belongs to the Guest identity group in the internal identity store. That condition is met once the guest has logged in to the portal: ISE issues a CoA, the switch re-runs MAB on the port, and the new request is evaluated with the guest's identity attached to the session. ISE evaluates authorization rules top-down and applies the first match, so this rule must come before any rule that would re-apply the Central-WEBAUTH redirect profile to that re-authentication. In this lab it is inserted directly below GLOBAL-WEBAUTH; the switch output in the verification shows that the post-WebAuth re-authentication does not fall into the redirect rule again.
Activity Procedure
Complete the following steps:
Step 1 Create a new dACL named CWA-Guest-ACL that defines what an authenticated guest may do: it permits DNS and web access (TCP/80 and TCP/443), denies ICMP, and denies web access to the internal hosts 172.20.10.6 and 172.30.10.6.
a. In ISE, navigate to Policy > Policy Elements > Results, Authorization > Downloadable ACLs.
b. Click Add.
c. Enter CWA-Guest-ACL in the Name field.
d. Define the ACL entries as follows (they are also visible as the per-user ACL in the switch output at the end of this lab):
deny icmp any any
permit udp any any eq domain
deny tcp any host 172.20.10.6 eq www
deny tcp any host 172.30.10.6 eq www
permit tcp any any eq www
permit tcp any any eq 443
e. Expand the Check DACL Syntax option. If it does not report that the DACL syntax is valid, recheck your work.
f. Click Submit.
Note: Everything not permitted by CWA-Guest-ACL is dropped by the implicit deny at its end; the two deny entries for the internal web servers are what keeps a guest away from them even though TCP/80 is otherwise open, and they must stay above the permit tcp any any eq www line.
Step 2 Create a new authorization profile (Policy > Policy Elements > Results, Authorization > Authorization Profiles > Add). Configure these attributes:
a. Name: Global-CWA
b. Access Type: ACCESS_ACCEPT
c. dACL: CWA-Guest-ACL
d. VLAN Tag: 50
Step 3 Add a new rule, named CWA For Guests, to the authorization policy to define the access privileges for guests authenticating via WebAuth.
a. In ISE, navigate to Policy > Authorization.
b. Place the rule directly after the GLOBAL-WEBAUTH rule: click the arrow near the Edit button of the GLOBAL-WEBAUTH rule and choose Insert New Rule Below.
c. Change the name from Standard Rule 1 to CWA For Guests.
d. In the Conditions field, select Identity Group with the name Guest (the internal identity group that guest accounts belong to).
e. In the Permissions field of the new authorization rule, choose Standard > Global-CWA.
f. Click Done and Save the changes.
Activity Verification
Step 1 View the access attempts in Cisco ISE (Operations > Authentications). Before the guest logs in again, the Guest-PC MAC address still shows a successful MAB authentication (protocol Lookup) with the Central-WEBAUTH authorization profile, followed by the download of the Pre-WebAuth-ACL.
Step 2 Examine the session on the switch. As in the Task 3 verification, ISE sent the Pre-WebAuth-ACL dACL, the URL redirect ACL name and the redirect URL carrying the common session ID; the switch log and the show authentication sessions output are the same as shown there.
Step 3 The Web Authentication policy is in place on interface G1/0/20 for the Guest-PC. Submit a connection request from Internet Explorer on the Guest-PC.
a. Connect to the Guest-PC. If needed, log in as administrator with the password Cisc0123.
b. Open Internet Explorer and connect to the SW6 HTTP server (http://10.11.11.6/). You should be redirected to the guest portal.
Step 4 Authenticate to the guest portal as test-guest1 with the password Cisc0123 and accept the AUP.
Step 5 You should be notified of success and instructed to retry the original request. This time ISE sends a CoA to the switch, the switch re-authenticates the session, and the CWA For Guests rule matches.
Step 6 Verify the authentication report on Cisco ISE. After the guest login you should see a MAB authentication of the Guest-PC MAC address that matches the CWA For Guests rule and returns the Global-CWA profile, followed by the download of CWA-Guest-ACL.
Step 7 Verify the logs on the console of SW6. The session ID is unchanged (0A0B0B0600000005009082BE): CoA re-authorized the existing session rather than creating a new one. VLAN 50 is assigned, the CWA-Guest-ACL dACL is downloaded and applied, and no URL redirect is installed this time.
SW6#
*Mar 1 02:39:35.503: %MAB-5-SUCCESS: Authentication successful for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000005009082BE
*Mar 1 02:39:35.503: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000005009082BE
*Mar 1 02:39:35.503: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi1/0/20 AuditSessionID 0A0B0B0600000005009082BE
*Mar 1 02:39:35.503: %EPM-6-POLICY_REQ: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000005009082BE| AUTHTYPE DOT1X| EVENT APPLY
*Mar 1 02:39:35.528: %EPM-6-AAA: POLICY xACSACLx-IP-CWA-Guest-ACL-5614c353| EVENT DOWNLOAD-REQUEST
*Mar 1 02:39:35.671: %EPM-6-AAA: POLICY xACSACLx-IP-CWA-Guest-ACL-5614c353| EVENT DOWNLOAD-SUCCESS
*Mar 1 02:39:35.671: %EPM-6-POLICY_APP_SUCCESS: IP 172.50.10.1| MAC 0022.4d6a.6fc2| AuditSessionID 0A0B0B0600000005009082BE| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-CWA-Guest-ACL-5614c353| RESULT SUCCESS
*Mar 1 02:39:36.057: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.4d6a.6fc2) on Interface Gi1/0/20 AuditSessionID 0A0B0B0600000005009082BE
SW6#
The per-user ACL now applied to the port is the CWA-Guest-ACL dACL; the Pre-WebAuth-ACL is gone. The match counters on WEBAUTH-REDIRECT-ACL show that the guest's own portal traffic on 8443 was evaluated by the redirect ACL, which is why Cisco's CWA examples exempt the ISE address with a leading deny entry in that ACL.
SW6#show ip access-lists interface G1/0/20
     deny icmp any any
     permit udp any any eq domain
     deny tcp any host 172.20.10.6 eq www
     deny tcp any host 172.30.10.6 eq www
     permit tcp any any eq www
     permit tcp any any eq 443
SW6#sh ip access-lists
Extended IP access list Auth-Default-ACL
    10 permit udp any range bootps 65347 any range bootpc 65348 (150 matches)
    20 permit udp any any range bootps 65347 (2 matches)
    30 deny ip any any
Extended IP access list WEBAUTH-REDIRECT-ACL
    10 permit tcp any any eq www (78 matches)
    20 permit tcp any any eq 443
    30 permit tcp any any eq 8443 (406 matches)
Extended IP access list xACSACLx-IP-CWA-Guest-ACL-5614c353 (per-user)
    10 deny icmp any any
    20 permit udp any any eq domain
    30 deny tcp any host 172.20.10.6 eq www
    40 deny tcp any host 172.30.10.6 eq www
    50 permit tcp any any eq www
    60 permit tcp any any eq 443