Re: Stuck on: Local WEBAUTH successful but login page doesn't

From: jeremy co <jeremy.cool14_at_gmail.com>
Date: Tue, 19 Nov 2013 01:44:07 -0800

Sadiq,

Thanks for your reply.

You are correct, I couldn't see anything under sh ip ad ca. Restarted
everything and now it works!

Do you have any comment on how to pass the user to ISE for dot1x authentication?

if I do computer login --> host/Test-pc
if I do user login ----> test-pc/user1

I can't make this user in ISE. How can I make it work? It's not integrated
with AD.

On Mon, Nov 18, 2013 at 5:52 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> Hi Jeremy,
>
> So the authentication session display of authentication manager on the
> switches does not actually display the exact status of the WebAuth
> authentication. You need to issue a 'show ip admission cache' to see this.
> Please see below for guidance:
>
> After dot1x and MAB have timedout and WebAuth succeeds as fallback (please
> note, this does not indicate a successful WebAuth user authentication just
> yet), you should see the INIT state in the output below.
>
> 2KI2R28#sh ip ad ca
> Authentication Proxy Cache
> Total Sessions: 1 Init Sessions: 1
> Client IP 172.16.21.253 Port 0, timeout 60, state *INIT*
>
> After a successful user authentication, then you should see the ESTAB
> state.
>
> 2KI2R28#sh ip ad ca
> Authentication Proxy Cache
> Total Sessions: 1 Init Sessions: 0
> Client IP 172.16.21.253 Port 1402, timeout 60, state *ESTAB*
>
> If you issue a 'debug radius', you should see a RADIUS Access-Request for a
> PAP authentication go towards the ISE for the WebAuth user authentication.
>
> Can you confirm what you are actually seeing on your setup?
>
> HTH,
> Sadiq
>
>
> On Mon, Nov 18, 2013 at 1:32 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>
>> Hi,
>>
>> Please help.
>>
>> I am trying to set up local webauth on a switch and can't get it to work.
>>
>> Nov 18 05:24:39.200: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Dynamic
>> rule
>> WEBAUTH found on FastEthernet1/0/5
>> Nov 18 05:24:39.200: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3
>> Hash=741
>> Nov 18 05:24:39.200: ip_admission_fb:HostCacheGetEntry: MAC=48f8.b32b.24a3
>> IP=7.7.99.6 Success
>> Nov 18 05:24:39.200: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host
>> detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH
>>
>>
>>
>> According to the link below I should get "activate session creation", which I
>> never did.
>>
>>
>> http://blog.ipexpert.com/2012/07/17/fallback-802-1x-%E2%80%93-web-authentication/
>>
>>
>> This setup is with ISE and a pc behind a phone.
>>
>> Here are some debugs:
>>
>> SW6(config-if)#
>> Nov 18 05:17:57.545: %LINK-3-UPDOWN: Interface FastEthernet1/0/5, changed
>> state to up
>> Nov 18 05:17:58.552: %LINEPROTO-5-UPDOWN: Line protocol on Interface
>> FastEthernet1/0/5, changed state to up
>> SW6(config-if)#
>> Nov 18 05:18:01.236: %AUTHMGR-5-START: Starting 'mab' for client
>> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
>> 07070702000000110087DEF8
>> Nov 18 05:18:01.253: %MAB-5-FAIL: Authentication failed for client
>> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
>> 07070702000000110087DEF8
>> Nov 18 05:18:01.253: %AUTHMGR-7-RESULT: Authentication result
>> 'no-response'
>> from 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
>> 07070702000000110087DEF8
>> Nov 18 05:18:01.253: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for
>> client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
>> 07070702000000110087DEF8
>> Nov 18 05:18:01.253: %AUTHMGR-5-START: Starting 'dot1x' for client
>> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
>> 07070702000000110087DEF8
>> Nov 18 05:18:02.008: %AUTHMGR-5-START: Starting 'mab' for client
>> (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
>> 07070702000000120087F811
>> Nov 18 05:18:02.041: %MAB-5-SUCCESS: Authentication successful for client
>> (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
>> 07070702000000120087F811
>> Nov 18 05:18:02.041: %AUTHMGR-7-RESULT: Authentication result 'success'
>> from 'mab' for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
>> 07070702000000120087F811
>> Nov 18 05:18:02.041: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 000f.2340.71cb|
>> AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT APPLY
>> Nov 18 05:18:02.041: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT
>> Auth-Default-ACL Attached Successfully
>> Nov 18 05:18:02.041: %EPM-6-AAA: POLICY
>> xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-REQUEST
>> Nov 18 05:18:02.083: %EPM-6-AAA: POLICY
>> xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-SUCCESS
>> Nov 18 05:18:02.083: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 000f.2340.71cb|
>> AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-WAIT
>> Nov 18 05:18:03.073: %AUTHMGR-5-SUCCESS: Authorization succeeded for
>> client
>> (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
>> 07070702000000120087F811
>> SW6(config-if)#
>> Nov 18 05:18:10.514: %DOT1X-5-FAIL: Authentication failed for client
>> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
>> Nov 18 05:18:10.514: %AUTHMGR-7-RESULT: Authentication result
>> 'no-response'
>> from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5
>> AuditSessionID 07070702000000110087DEF8
>> Nov 18 05:18:10.514: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for
>> client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
>> 07070702000000110087DEF8
>> Nov 18 05:18:10.514: %AUTHMGR-5-START: Starting 'webauth' for client
>> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
>> 07070702000000110087DEF8
>> Nov 18 05:18:10.514: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3
>> Hash=741
>> Nov 18 05:18:10.522: ip_admission_fb:HostCacheEntryAdd success for
>> MAC=48f8.b32b.24a3 IP=0.0.0.0 idb=FastEthernet1/0/5
>> Nov 18 05:18:10.522: ip_admission_fb:IP admission initiate for
>> [idb=FastEthernet1/0/5 mac=48f8.b32b.24a3 ip=7.7.99.6 profile=WEBAUTH
>> rule=WEBAUTH] success
>> Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Dynamic
>> rule
>> WEBAUTH found on FastEthernet1/0/5
>> Nov 18 05:18:10.522: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3
>> Hash=741
>> Nov 18 05:18:10.522: ip_admission_fb:HostCacheGetEntry: MAC=48f8.b32b.24a3
>> IP=7.7.99.6 Success
>> Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host
>> detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH
>> Nov 18 05:18:10.522: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 48f8.b32b.24a3|
>> AuditSessionID 07070702000000110087DEF8| AUTHTYPE AUTHPROXY| EVENT APPLY
>> Nov 18 05:18:10.522: %EPM-6-AAA: POLICY
>> xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-REQUEST
>> Nov 18 05:18:10.522: %EPM-6-POLICY_APP_SUCCESS: IP 7.7.99.6| MAC
>> 48f8.b32b.24a3| AuditSessionID 07070702000000110087DEF8| AUTHTYPE
>> AUTHPROXY| POLICY_TYPE Named ACL| POLICY_NAME 190| RESULT SUCCESS
>> Nov 18 05:18:10.539: %AUTHMGR-7-RESULT: Authentication result 'success'
>> from 'webauth' for client (48f8.b32b.24a3) on Interface Fa1/0/5
>> AuditSessionID 07070702000000110087DEF8
>> Nov 18 05:18:10.573: %EPM-6-AAA: POLICY
>> xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-SUCCESS
>> Nov 18 05:18:10.573: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 000f.2340.71cb|
>> AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-WAIT
>> Nov 18 05:18:11.311: %AUTHMGR-5-SUCCESS: Authorization succeeded for
>> client
>> (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
>> 07070702000000110087DEF8
>> SW6(config-if)#
>> Nov 18 05:18:19.398: ip_admission_fb:000f.2340.71cb(7.7.9.6): Dynamic rule
>> WEBAUTH found on FastEthernet1/0/5
>> Nov 18 05:18:19.398: ip_admission_host_gen_hash: MAC=000f.2340.71cb
>> Hash=430
>> Nov 18 05:18:19.398: ip_admission_fb:HostCacheGetEntry: MAC=000f.2340.71cb
>> IP=7.7.9.6 Fails
>> Nov 18 05:18:19.398: ip_admission_fb:000f.2340.71cb(7.7.9.6): Dynamic rule
>> WEBAUTH found on FastEthernet1/0/5
>> Nov 18 05:18:19.398: ip_admission_host_gen_hash: MAC=000f.2340.71cb
>> Hash=430
>> Nov 18 05:18:19.398: ip_admission_fb:HostCacheGetEntry: MAC=000f.2340.71cb
>> IP=7.7.9.6 Fails
>> Nov 18 05:18:19.398: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb|
>> AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT
>> IP-ASSIGNMENT
>> Nov 18 05:18:19.398: %EPM-6-POLICY_APP_SUCCESS: IP 7.7.9.6| MAC
>> 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X|
>> POLICY_TYPE Named ACL| POLICY_NAME
>> xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2|
>> RESULT SUCCESS
>> Nov 18 05:18:19.406: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb|
>> AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-RELEASE
>> Nov 18 05:18:19.414: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb|
>> AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT
>>
>>
>> SW6#sh authentication sessions int fa1/0/5
>> Interface: FastEthernet1/0/5
>> MAC Address: 48f8.b32b.24a3
>> IP Address: 7.7.99.6
>> User-Name: 48f8b32b24a3
>> Status: Authz Success
>> Domain: DATA
>> Security Policy: Should Secure
>> Security Status: Unsecure
>> Oper host mode: multi-auth
>> Oper control dir: both
>> Authorized By: Authentication Server
>> Vlan Group: N/A
>> Session timeout: N/A
>> Idle timeout: N/A
>> Common Session ID: 07070702000000110087DEF8
>> Acct Session ID: 0x00000013
>> Handle: 0xD3000011
>>
>> Runnable methods list:
>> Method State
>> mab Failed over
>> dot1x Failed over
>> webauth Authc Success
>>
>>
>> ----------------------------------------
>> Interface: FastEthernet1/0/5
>> MAC Address: 000f.2340.71cb
>> IP Address: 7.7.9.6
>> User-Name: 00-0F-23-40-71-CB
>> Status: Authz Success
>> Domain: VOICE
>> Security Policy: Should Secure
>> Security Status: Unsecure
>> Oper host mode: multi-auth
>> Oper control dir: both
>> Authorized By: Authentication Server
>> ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
>> Session timeout: 3600s (local), Remaining: 2807s
>> Timeout action: Reauthenticate
>> Idle timeout: N/A
>> Common Session ID: 07070702000000120087F811
>> Acct Session ID: 0x00000014
>> Handle: 0x77000012
>>
>> Runnable methods list:
>> Method State
>>
>> mab Authc Success
>> dot1x Not run
>> webauth Not run
>>
>>
>> ---------------------------------------------------------------------------------------------------------------------
>>
>> interface FastEthernet1/0/5
>> switchport access vlan 99
>> switchport mode access
>> switchport voice vlan 9
>> authentication event fail action next-method
>> authentication host-mode multi-auth
>> authentication order mab dot1x webauth
>> authentication priority mab dot1x webauth
>> authentication port-control auto
>> authentication periodic
>> authentication fallback WEBAUTH
>> mab
>> dot1x pae authenticator
>> dot1x timeout tx-period 3
>> spanning-tree portfast
>> end
>>
>>
>> !
>> !
>> fallback profile WEBAUTH
>> ip access-group 190 in
>> ip admission WEBAUTH
>>
>> ip access-list extended WEB
>> permit icmp any any
>> permit udp any any eq domain
>> permit tcp any any eq www
>> permit tcp any any eq 443
>>
>> access-list 190 permit udp any any eq bootps
>> access-list 190 permit udp any any eq domain
>>
>> On ISE, I have a filter with the WEB ACL on the authorization policy and webauth
>> enabled, allowing any device with this auth profile.
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>
> --
> CCIEx2 (R&S|Sec) #19963
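A worked example, added here and not part of the thread or of any Cisco tooling, that automates the two checks Sadiq describes: the %AUTHMGR-7-FAILOVER / %AUTHMGR-7-RESULT syslog lines tell you which method finally won for a client, and only the 'show ip admission cache' state (INIT vs ESTAB) tells you whether a WebAuth user has actually logged in. The sample syslog lines and cache output below are constructed from the outputs quoted above (the MAC addresses and IP 7.7.99.6 are the thread's); the function names and the verdict strings are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the debug and 'sh ip ad ca' output quoted in the thread.
SAMPLE_SYSLOG = """\
Nov 18 05:18:01.253: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:02.041: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID 07070702000000120087F811
Nov 18 05:18:10.514: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH
Nov 18 05:18:10.539: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
"""

SAMPLE_ADMISSION_CACHE = """\
Authentication Proxy Cache
Total Sessions: 1 Init Sessions: 1
Client IP 7.7.99.6 Port 0, timeout 60, state INIT
"""

FAILOVER_RE = re.compile(r"%AUTHMGR-7-FAILOVER: Failing over from '(\w+)' for client \(([0-9a-f.]+)\)")
RESULT_RE = re.compile(r"%AUTHMGR-7-RESULT: Authentication result '([\w-]+)' from '(\w+)' for client \(([0-9a-f.]+)\)")
ADMISSION_RE = re.compile(r"ip_admission_fb:([0-9a-f.]+)\(([\d.]+)\)")
# Sadiq's paste shows the state as *INIT* / *ESTAB*; the asterisks are optional here.
CACHE_RE = re.compile(r"Client IP ([\d.]+) Port \d+, timeout \d+, state \*?(\w+)\*?")


def parse_syslog(text):
    """Per-MAC view: methods that failed over, the last method/result, and the IP seen by ip admission."""
    sessions = defaultdict(lambda: {"failed_over": [], "method": None, "result": None, "ip": None})
    for line in text.splitlines():
        if m := FAILOVER_RE.search(line):
            sessions[m.group(2)]["failed_over"].append(m.group(1))
        elif m := RESULT_RE.search(line):
            result, method, mac = m.groups()
            sessions[mac]["method"] = method
            sessions[mac]["result"] = result
        elif m := ADMISSION_RE.search(line):
            sessions[m.group(1)]["ip"] = m.group(2)
    return dict(sessions)


def parse_admission_cache(text):
    """Map client IP -> admission state (INIT or ESTAB) from 'show ip admission cache' output."""
    return {m.group(1): m.group(2) for line in text.splitlines() if (m := CACHE_RE.search(line))}


def classify(sessions, cache):
    """Decide per client whether a user is really authenticated.

    A 'success' from webauth in the authentication manager only means the
    fallback has been activated; the user is logged in only once the admission
    cache entry for that client's IP is in ESTAB.
    """
    verdict = {}
    for mac, s in sessions.items():
        if s["method"] == "webauth" and s["result"] == "success":
            state = cache.get(s["ip"])
            if state == "ESTAB":
                verdict[mac] = "webauth: user authenticated"
            elif state == "INIT":
                verdict[mac] = "webauth: fallback active, user not yet logged in"
            else:
                verdict[mac] = "webauth: no admission cache entry"
        elif s["result"] == "success":
            verdict[mac] = f"{s['method']}: authenticated"
        else:
            verdict[mac] = f"{s['method']}: {s['result']}"
    return verdict


if __name__ == "__main__":
    sessions = parse_syslog(SAMPLE_SYSLOG)
    cache = parse_admission_cache(SAMPLE_ADMISSION_CACHE)
    for mac, verdict in classify(sessions, cache).items():
        print(mac, sessions[mac]["failed_over"], verdict)
```

Feed it the live 'debug' output and the current 'show ip admission cache' and the PC's MAC will report "fallback active, user not yet logged in" until the user submits the portal form, which is exactly the gap between Jeremy's 'Authz Success' line and a working login that Sadiq points out.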

Received on Tue Nov 19 2013 - 01:44:07 ART

This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART