Hi Jeremy,
So the authentication session display of authentication manager on the
switches does not actually display the exact status of the WebAuth
authentication. You need to issue a 'show ip admission cache' to see this.
Please see below for guidance:
After dot1x and MAB have timed out and WebAuth succeeds as fallback (please
note, this does not indicate a successful WebAuth user authentication just
yet), you should see the INIT state in the output below.
2KI2R28#sh ip ad ca
Authentication Proxy Cache
Total Sessions: 1 Init Sessions: 1
Client IP 172.16.21.253 Port 0, timeout 60, state *INIT*
After a successful user authentication, then you should see the ESTAB state.
2KI2R28#sh ip ad ca
Authentication Proxy Cache
Total Sessions: 1 Init Sessions: 0
Client IP 172.16.21.253 Port 1402, timeout 60, state *ESTAB*
If you issue a 'debug radius', you should see a RADIUS Access-Request for a
PAP authentication go towards the ISE for the WebAuth user authentication.
Can you confirm what you are actually seeing on your setup?
HTH,
Sadiq
On Mon, Nov 18, 2013 at 1:32 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
> Hi,
>
> Please help.
>
> I try to set up a local webauth on a switch and can't get it to work
>
> Nov 18 05:24:39.200: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Dynamic rule
> WEBAUTH found on FastEthernet1/0/5
> Nov 18 05:24:39.200: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3
> Hash=741
> Nov 18 05:24:39.200: ip_admission_fb:HostCacheGetEntry: MAC=48f8.b32b.24a3
> IP=7.7.99.6 Success
> Nov 18 05:24:39.200: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host
> detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH
>
> According to the link below I should get "activate session creation", which I
> never did
>
> http://blog.ipexpert.com/2012/07/17/fallback-802-1x-%E2%80%93-web-authentication/
>
> This setup is with ISE and a pc behind a phone.
>
> Here are some debugs
>
> SW6(config-if)#
> Nov 18 05:17:57.545: %LINK-3-UPDOWN: Interface FastEthernet1/0/5, changed
> state to up
> Nov 18 05:17:58.552: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> FastEthernet1/0/5, changed state to up
> SW6(config-if)#
> Nov 18 05:18:01.236: %AUTHMGR-5-START: Starting 'mab' for client
> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> 07070702000000110087DEF8
> Nov 18 05:18:01.253: %MAB-5-FAIL: Authentication failed for client
> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> 07070702000000110087DEF8
> Nov 18 05:18:01.253: %AUTHMGR-7-RESULT: Authentication result 'no-response'
> from 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> 07070702000000110087DEF8
> Nov 18 05:18:01.253: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for
> client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> 07070702000000110087DEF8
> Nov 18 05:18:01.253: %AUTHMGR-5-START: Starting 'dot1x' for client
> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> 07070702000000110087DEF8
> Nov 18 05:18:02.008: %AUTHMGR-5-START: Starting 'mab' for client
> (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
> 07070702000000120087F811
> Nov 18 05:18:02.041: %MAB-5-SUCCESS: Authentication successful for client
> (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
> 07070702000000120087F811
> Nov 18 05:18:02.041: %AUTHMGR-7-RESULT: Authentication result 'success'
> from 'mab' for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
> 07070702000000120087F811
> Nov 18 05:18:02.041: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 000f.2340.71cb|
> AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT APPLY
> Nov 18 05:18:02.041: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT
> Auth-Default-ACL Attached Successfully
> Nov 18 05:18:02.041: %EPM-6-AAA: POLICY
> xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-REQUEST
> Nov 18 05:18:02.083: %EPM-6-AAA: POLICY
> xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-SUCCESS
> Nov 18 05:18:02.083: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 000f.2340.71cb|
> AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-WAIT
> Nov 18 05:18:03.073: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
> (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
> 07070702000000120087F811
> SW6(config-if)#
> Nov 18 05:18:10.514: %DOT1X-5-FAIL: Authentication failed for client
> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> Nov 18 05:18:10.514: %AUTHMGR-7-RESULT: Authentication result 'no-response'
> from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5
> AuditSessionID 07070702000000110087DEF8
> Nov 18 05:18:10.514: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for
> client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> 07070702000000110087DEF8
> Nov 18 05:18:10.514: %AUTHMGR-5-START: Starting 'webauth' for client
> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> 07070702000000110087DEF8
> Nov 18 05:18:10.514: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3
> Hash=741
> Nov 18 05:18:10.522: ip_admission_fb:HostCacheEntryAdd success for
> MAC=48f8.b32b.24a3 IP=0.0.0.0 idb=FastEthernet1/0/5
> Nov 18 05:18:10.522: ip_admission_fb:IP admission initiate for
> [idb=FastEthernet1/0/5 mac=48f8.b32b.24a3 ip=7.7.99.6 profile=WEBAUTH
> rule=WEBAUTH] success
> Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Dynamic rule
> WEBAUTH found on FastEthernet1/0/5
> Nov 18 05:18:10.522: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3
> Hash=741
> Nov 18 05:18:10.522: ip_admission_fb:HostCacheGetEntry: MAC=48f8.b32b.24a3
> IP=7.7.99.6 Success
> Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host
> detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH
> Nov 18 05:18:10.522: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 48f8.b32b.24a3|
> AuditSessionID 07070702000000110087DEF8| AUTHTYPE AUTHPROXY| EVENT APPLY
> Nov 18 05:18:10.522: %EPM-6-AAA: POLICY
> xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-REQUEST
> Nov 18 05:18:10.522: %EPM-6-POLICY_APP_SUCCESS: IP 7.7.99.6| MAC
> 48f8.b32b.24a3| AuditSessionID 07070702000000110087DEF8| AUTHTYPE
> AUTHPROXY| POLICY_TYPE Named ACL| POLICY_NAME 190| RESULT SUCCESS
> Nov 18 05:18:10.539: %AUTHMGR-7-RESULT: Authentication result 'success'
> from 'webauth' for client (48f8.b32b.24a3) on Interface Fa1/0/5
> AuditSessionID 07070702000000110087DEF8
> Nov 18 05:18:10.573: %EPM-6-AAA: POLICY
> xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-SUCCESS
> Nov 18 05:18:10.573: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 000f.2340.71cb|
> AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-WAIT
> Nov 18 05:18:11.311: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
> 07070702000000110087DEF8
> SW6(config-if)#
> Nov 18 05:18:19.398: ip_admission_fb:000f.2340.71cb(7.7.9.6): Dynamic rule
> WEBAUTH found on FastEthernet1/0/5
> Nov 18 05:18:19.398: ip_admission_host_gen_hash: MAC=000f.2340.71cb
> Hash=430
> Nov 18 05:18:19.398: ip_admission_fb:HostCacheGetEntry: MAC=000f.2340.71cb
> IP=7.7.9.6 Fails
> Nov 18 05:18:19.398: ip_admission_fb:000f.2340.71cb(7.7.9.6): Dynamic rule
> WEBAUTH found on FastEthernet1/0/5
> Nov 18 05:18:19.398: ip_admission_host_gen_hash: MAC=000f.2340.71cb
> Hash=430
> Nov 18 05:18:19.398: ip_admission_fb:HostCacheGetEntry: MAC=000f.2340.71cb
> IP=7.7.9.6 Fails
> Nov 18 05:18:19.398: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb|
> AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT
> IP-ASSIGNMENT
> Nov 18 05:18:19.398: %EPM-6-POLICY_APP_SUCCESS: IP 7.7.9.6| MAC
> 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X|
> POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2|
> RESULT SUCCESS
> Nov 18 05:18:19.406: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb|
> AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-RELEASE
> Nov 18 05:18:19.414: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb|
> AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT
>
>
> SW6#sh authentication sessions int fa1/0/5
> Interface: FastEthernet1/0/5
> MAC Address: 48f8.b32b.24a3
> IP Address: 7.7.99.6
> User-Name: 48f8b32b24a3
> Status: Authz Success
> Domain: DATA
> Security Policy: Should Secure
> Security Status: Unsecure
> Oper host mode: multi-auth
> Oper control dir: both
> Authorized By: Authentication Server
> Vlan Group: N/A
> Session timeout: N/A
> Idle timeout: N/A
> Common Session ID: 07070702000000110087DEF8
> Acct Session ID: 0x00000013
> Handle: 0xD3000011
>
> Runnable methods list:
> Method State
> mab Failed over
> dot1x Failed over
> webauth Authc Success
>
>
> ----------------------------------------
> Interface: FastEthernet1/0/5
> MAC Address: 000f.2340.71cb
> IP Address: 7.7.9.6
> User-Name: 00-0F-23-40-71-CB
> Status: Authz Success
> Domain: VOICE
> Security Policy: Should Secure
> Security Status: Unsecure
> Oper host mode: multi-auth
> Oper control dir: both
> Authorized By: Authentication Server
> ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
> Session timeout: 3600s (local), Remaining: 2807s
> Timeout action: Reauthenticate
> Idle timeout: N/A
> Common Session ID: 07070702000000120087F811
> Acct Session ID: 0x00000014
> Handle: 0x77000012
>
> Runnable methods list:
> Method State
>
> mab Authc Success
> dot1x Not run
> webauth Not run
>
>
> ---------------------------------------------------------------------------------------------------------------------
>
> interface FastEthernet1/0/5
> switchport access vlan 99
> switchport mode access
> switchport voice vlan 9
> authentication event fail action next-method
> authentication host-mode multi-auth
> authentication order mab dot1x webauth
> authentication priority mab dot1x webauth
> authentication port-control auto
> authentication periodic
> authentication fallback WEBAUTH
> mab
> dot1x pae authenticator
> dot1x timeout tx-period 3
> spanning-tree portfast
> end
>
>
> !
> !
> fallback profile WEBAUTH
> ip access-group 190 in
> ip admission WEBAUTH
>
> ip access-list extended WEB
> permit icmp any any
> permit udp any any eq domain
> permit tcp any any eq www
> permit tcp any any eq 443
>
> access-list 190 permit udp any any eq bootps
> access-list 190 permit udp any any eq domain
>
> On ISE, I have a filter with the WEB ACL on the authorization policy and webauth
> enabled. Allow for any device with this auth profile.
>
>
> Blogs and organic groups at http://www.ccie.net
--
CCIEx2 (R&S|Sec) #19963

Received on Mon Nov 18 2013 - 13:52:25 ART
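Sadiq's point above, that 'webauth Authc Success' in the authentication manager only means the fallback profile was applied and that a real user login shows up as an ESTAB entry in 'show ip admission cache', can be turned into a check. This is an added example, not code from either message in the thread: it parses condensed, constructed copies of the two outputs quoted above and flags clients whose webauth session is still pending.

```python
import re

# Constructed sample input, condensed from the outputs quoted in the thread.
AUTH_SESSIONS = """\
Interface: FastEthernet1/0/5
IP Address: 7.7.99.6
Status: Authz Success
mab Failed over
dot1x Failed over
webauth Authc Success
----------------------------------------
Interface: FastEthernet1/0/5
IP Address: 7.7.9.6
Status: Authz Success
mab Authc Success
dot1x Not run
webauth Not run
"""
ADMISSION_CACHE = """\
Authentication Proxy Cache
Total Sessions: 1 Init Sessions: 1
Client IP 7.7.99.6 Port 0, timeout 60, state INIT
"""

def parse_sessions(text):
    """Map client IP -> method that produced 'Authc Success' (None if none)."""
    sessions = {}
    for block in re.split(r"^-{5,}$", text, flags=re.M):
        ip = re.search(r"^IP Address:\s*(\S+)", block, re.M)
        if not ip:
            continue
        method = re.search(r"^(mab|dot1x|webauth)\s+Authc Success", block, re.M)
        sessions[ip.group(1)] = method.group(1) if method else None
    return sessions

def parse_admission_cache(text):
    """Map client IP -> admission-proxy state; accepts INIT or *INIT* as printed."""
    pat = re.compile(r"^Client IP (\S+) Port \d+, timeout \d+, state \*?(\w+)\*?", re.M)
    return {ip: state for ip, state in pat.findall(text)}

def pending_webauth(sessions_text, cache_text):
    """IPs authorized via the webauth method whose user has not logged in yet.
    Only an ESTAB admission-cache entry proves the portal (RADIUS/ISE) login;
    a missing entry is treated like INIT, i.e. still pending."""
    sessions = parse_sessions(sessions_text)
    cache = parse_admission_cache(cache_text)
    return sorted(ip for ip, m in sessions.items()
                  if m == "webauth" and cache.get(ip, "INIT") != "ESTAB")
```

Run against the two sample outputs the PC (7.7.99.6) is reported as pending, while the phone, authorized by MAB, is not.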