Hi,
Please help.
I am trying to set up a local webauth on a switch and can't get it to work.
Nov 18 05:24:39.200: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Dynamic rule
WEBAUTH found on FastEthernet1/0/5
Nov 18 05:24:39.200: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3 Hash=741
Nov 18 05:24:39.200: ip_admission_fb:HostCacheGetEntry: MAC=48f8.b32b.24a3
IP=7.7.99.6 Success
Nov 18 05:24:39.200: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host
detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH
According to the link below, I should get "activate session creation",
which I never did.
http://blog.ipexpert.com/2012/07/17/fallback-802-1x-%E2%80%93-web-authentication/
This setup is with ISE and a PC behind a phone.
Here are some debugs:
SW6(config-if)#
Nov 18 05:17:57.545: %LINK-3-UPDOWN: Interface FastEthernet1/0/5, changed
state to up
Nov 18 05:17:58.552: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet1/0/5, changed state to up
SW6(config-if)#
Nov 18 05:18:01.236: %AUTHMGR-5-START: Starting 'mab' for client
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:01.253: %MAB-5-FAIL: Authentication failed for client
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:01.253: %AUTHMGR-7-RESULT: Authentication result 'no-response'
from 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:01.253: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for
client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:01.253: %AUTHMGR-5-START: Starting 'dot1x' for client
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:02.008: %AUTHMGR-5-START: Starting 'mab' for client
(000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
07070702000000120087F811
Nov 18 05:18:02.041: %MAB-5-SUCCESS: Authentication successful for client
(000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
07070702000000120087F811
Nov 18 05:18:02.041: %AUTHMGR-7-RESULT: Authentication result 'success'
from 'mab' for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
07070702000000120087F811
Nov 18 05:18:02.041: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 000f.2340.71cb|
AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT APPLY
Nov 18 05:18:02.041: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT
Auth-Default-ACL Attached Successfully
Nov 18 05:18:02.041: %EPM-6-AAA: POLICY
xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-REQUEST
Nov 18 05:18:02.083: %EPM-6-AAA: POLICY
xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-SUCCESS
Nov 18 05:18:02.083: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 000f.2340.71cb|
AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-WAIT
Nov 18 05:18:03.073: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
(000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
07070702000000120087F811
SW6(config-if)#
Nov 18 05:18:10.514: %DOT1X-5-FAIL: Authentication failed for client
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
Nov 18 05:18:10.514: %AUTHMGR-7-RESULT: Authentication result 'no-response'
from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5
AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:10.514: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for
client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:10.514: %AUTHMGR-5-START: Starting 'webauth' for client
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:10.514: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3 Hash=741
Nov 18 05:18:10.522: ip_admission_fb:HostCacheEntryAdd success for
MAC=48f8.b32b.24a3 IP=0.0.0.0 idb=FastEthernet1/0/5
Nov 18 05:18:10.522: ip_admission_fb:IP admission initiate for
[idb=FastEthernet1/0/5 mac=48f8.b32b.24a3 ip=7.7.99.6 profile=WEBAUTH
rule=WEBAUTH] success
Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Dynamic rule
WEBAUTH found on FastEthernet1/0/5
Nov 18 05:18:10.522: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3 Hash=741
Nov 18 05:18:10.522: ip_admission_fb:HostCacheGetEntry: MAC=48f8.b32b.24a3
IP=7.7.99.6 Success
Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host
detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH
Nov 18 05:18:10.522: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 48f8.b32b.24a3|
AuditSessionID 07070702000000110087DEF8| AUTHTYPE AUTHPROXY| EVENT APPLY
Nov 18 05:18:10.522: %EPM-6-AAA: POLICY
xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-REQUEST
Nov 18 05:18:10.522: %EPM-6-POLICY_APP_SUCCESS: IP 7.7.99.6| MAC
48f8.b32b.24a3| AuditSessionID 07070702000000110087DEF8| AUTHTYPE
AUTHPROXY| POLICY_TYPE Named ACL| POLICY_NAME 190| RESULT SUCCESS
Nov 18 05:18:10.539: %AUTHMGR-7-RESULT: Authentication result 'success'
from 'webauth' for client (48f8.b32b.24a3) on Interface Fa1/0/5
AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:10.573: %EPM-6-AAA: POLICY
xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-SUCCESS
Nov 18 05:18:10.573: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 000f.2340.71cb|
AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-WAIT
Nov 18 05:18:11.311: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
SW6(config-if)#
Nov 18 05:18:19.398: ip_admission_fb:000f.2340.71cb(7.7.9.6): Dynamic rule
WEBAUTH found on FastEthernet1/0/5
Nov 18 05:18:19.398: ip_admission_host_gen_hash: MAC=000f.2340.71cb Hash=430
Nov 18 05:18:19.398: ip_admission_fb:HostCacheGetEntry: MAC=000f.2340.71cb
IP=7.7.9.6 Fails
Nov 18 05:18:19.398: ip_admission_fb:000f.2340.71cb(7.7.9.6): Dynamic rule
WEBAUTH found on FastEthernet1/0/5
Nov 18 05:18:19.398: ip_admission_host_gen_hash: MAC=000f.2340.71cb Hash=430
Nov 18 05:18:19.398: ip_admission_fb:HostCacheGetEntry: MAC=000f.2340.71cb
IP=7.7.9.6 Fails
Nov 18 05:18:19.398: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb|
AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Nov 18 05:18:19.398: %EPM-6-POLICY_APP_SUCCESS: IP 7.7.9.6| MAC
000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X|
POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2|
RESULT SUCCESS
Nov 18 05:18:19.406: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb|
AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-RELEASE
Nov 18 05:18:19.414: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb|
AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT
SW6#sh authentication sessions int fa1/0/5
Interface: FastEthernet1/0/5
MAC Address: 48f8.b32b.24a3
IP Address: 7.7.99.6
User-Name: 48f8b32b24a3
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 07070702000000110087DEF8
Acct Session ID: 0x00000013
Handle: 0xD3000011
Runnable methods list:
Method State
mab Failed over
dot1x Failed over
webauth Authc Success
----------------------------------------
Interface: FastEthernet1/0/5
MAC Address: 000f.2340.71cb
IP Address: 7.7.9.6
User-Name: 00-0F-23-40-71-CB
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
Session timeout: 3600s (local), Remaining: 2807s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 07070702000000120087F811
Acct Session ID: 0x00000014
Handle: 0x77000012
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
webauth Not run
---------------------------------------------------------------------------------------------------------------------
interface FastEthernet1/0/5
 switchport access vlan 99
 switchport mode access
 switchport voice vlan 9
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab dot1x webauth
 authentication priority mab dot1x webauth
 authentication port-control auto
 authentication periodic
 authentication fallback WEBAUTH
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
end
!
!
fallback profile WEBAUTH
 ip access-group 190 in
 ip admission WEBAUTH
ip access-list extended WEB
 permit icmp any any
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
access-list 190 permit udp any any eq bootps
access-list 190 permit udp any any eq domain
On ISE, I have a filter with the WEB ACL on the authorization policy and
webauth enabled. Allow for any device with this auth profile.
Received on Mon Nov 18 2013 - 05:32:17 ART
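
Added example, not part of the original post: a small Python parser that re-joins the wrapped syslog records shown in the message and rebuilds, per client MAC, the order in which the authentication methods ran and what each one returned. The names `unwrap` and `method_timeline` are made up for this illustration; the sample is an excerpt of the posted log.

```python
import re
from collections import defaultdict

# Excerpt of the debug output posted above: e-mail line wraps kept,
# trailing AuditSessionID fields dropped to save space.
SAMPLE = """\
Nov 18 05:18:01.236: %AUTHMGR-5-START: Starting 'mab' for client
(48f8.b32b.24a3) on Interface Fa1/0/5
Nov 18 05:18:01.253: %AUTHMGR-7-RESULT: Authentication result 'no-response'
from 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5
Nov 18 05:18:01.253: %AUTHMGR-5-START: Starting 'dot1x' for client
(48f8.b32b.24a3) on Interface Fa1/0/5
Nov 18 05:18:02.008: %AUTHMGR-5-START: Starting 'mab' for client
(000f.2340.71cb) on Interface Fa1/0/5
Nov 18 05:18:02.041: %AUTHMGR-7-RESULT: Authentication result 'success'
from 'mab' for client (000f.2340.71cb) on Interface Fa1/0/5
Nov 18 05:18:10.514: %AUTHMGR-7-RESULT: Authentication result 'no-response'
from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5
Nov 18 05:18:10.514: %AUTHMGR-5-START: Starting 'webauth' for client
(48f8.b32b.24a3) on Interface Fa1/0/5
Nov 18 05:18:10.539: %AUTHMGR-7-RESULT: Authentication result 'success'
from 'webauth' for client (48f8.b32b.24a3) on Interface Fa1/0/5
"""

TS = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:.]+: ")
EVENT = re.compile(r"%AUTHMGR-\d-(START|RESULT): (?:Starting|Authentication result "
                   r"'([\w-]+)' from) '(\w+)' for client \(([0-9a-f.]+)\)")

def unwrap(text):
    """Re-join wrapped records: a line with no leading timestamp continues the last one."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def method_timeline(text):
    """Return {mac: [(method, result), ...]} in the order each method first started."""
    runs = defaultdict(dict)
    for rec in unwrap(text):
        m = EVENT.search(rec)
        if m:
            kind, result, method, mac = m.groups()
            # START opens the method as pending; RESULT records its outcome
            runs[mac][method] = "pending" if kind == "START" else result
    return {mac: list(v.items()) for mac, v in runs.items()}
```

For the PC this yields mab and dot1x ending in 'no-response' and webauth in 'success', which matches the "Runnable methods list" in the `sh authentication sessions` output and the configured `authentication order mab dot1x webauth`.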