Sadiq,

Thanks for your reply.

You are correct, I couldn't see anything under sh ip ad ca. Restarted
everything and now it works!

Do you have any comment on how to pass the user to ISE for dot1x authentication?

if I do computer login --> host/Test-pc
if I do user login     --> test-pc/user1

I can't make this user in ISE. How can I make it work? It's not integrated
with AD.

On Mon, Nov 18, 2013 at 5:52 AM, Sadiq Yakasai <sadiqta...@gmail.com> wrote:

> Hi Jeremy,
>
> So the authentication session display of authentication manager on the
> switches does not actually display the exact status of the WebAuth
> authentication. You need to issue a 'show ip admission cache' to see this.
> Please see below for guidance:
>
> After dot1x and MAB have timed out and WebAuth succeeds as fallback (please
> note, this does not indicate a successful WebAuth user authentication just
> yet), you should see the INIT state in the output below.
>
> 2KI2R28#sh ip ad ca
> Authentication Proxy Cache
> Total Sessions: 1 Init Sessions: 1
>  Client IP 172.16.21.253 Port 0, timeout 60, state *INIT*
>
> After a successful user authentication, then you should see the ESTAB
> state.
>
> 2KI2R28#sh ip ad ca
> Authentication Proxy Cache
> Total Sessions: 1 Init Sessions: 0
>  Client IP 172.16.21.253 Port 1402, timeout 60, state *ESTAB*
>
> If you issue a 'debug radius', you should see a RADIUS Access-Request for a
> PAP authentication go towards the ISE for the WebAuth user authentication.
>
> Can you confirm what you are actually seeing on your setup?
>
> HTH,
> Sadiq
>
>
> On Mon, Nov 18, 2013 at 1:32 PM, jeremy co <jeremy.coo...@gmail.com> wrote:
>
>> Hi,
>>
>> Please help.
>>
>> I am trying to set up a local webauth on a switch and can't get it to work.
>>
>> Nov 18 05:24:39.200: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Dynamic rule WEBAUTH found on FastEthernet1/0/5
>> Nov 18 05:24:39.200: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3 Hash=741
>> Nov 18 05:24:39.200: ip_admission_fb:HostCacheGetEntry: MAC=48f8.b32b.24a3 IP=7.7.99.6 Success
>> Nov 18 05:24:39.200: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH
>>
>>
>>
>> According to the link below I should get "activate session creation", which I
>> never did.
>>
>>
>> http://blog.ipexpert.com/2012/07/17/fallback-802-1x-%E2%80%93-web-authentication/
>>
>>
>> This setup is with ISE and a pc behind a phone.
>>
>> Here are some debugs:
>>
>> SW6(config-if)#
>> Nov 18 05:17:57.545: %LINK-3-UPDOWN: Interface FastEthernet1/0/5, changed state to up
>> Nov 18 05:17:58.552: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/5, changed state to up
>> SW6(config-if)#
>> Nov 18 05:18:01.236: %AUTHMGR-5-START: Starting 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
>> Nov 18 05:18:01.253: %MAB-5-FAIL: Authentication failed for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
>> Nov 18 05:18:01.253: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
>> Nov 18 05:18:01.253: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
>> Nov 18 05:18:01.253: %AUTHMGR-5-START: Starting 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
>> Nov 18 05:18:02.008: %AUTHMGR-5-START: Starting 'mab' for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID 07070702000000120087F811
>> Nov 18 05:18:02.041: %MAB-5-SUCCESS: Authentication successful for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID 07070702000000120087F811
>> Nov 18 05:18:02.041: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID 07070702000000120087F811
>> Nov 18 05:18:02.041: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT APPLY
>> Nov 18 05:18:02.041: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT Auth-Default-ACL Attached Successfully
>> Nov 18 05:18:02.041: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-REQUEST
>> Nov 18 05:18:02.083: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-SUCCESS
>> Nov 18 05:18:02.083: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-WAIT
>> Nov 18 05:18:03.073: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID 07070702000000120087F811
>> SW6(config-if)#
>> Nov 18 05:18:10.514: %DOT1X-5-FAIL: Authentication failed for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
>> Nov 18 05:18:10.514: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
>> Nov 18 05:18:10.514: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
>> Nov 18 05:18:10.514: %AUTHMGR-5-START: Starting 'webauth' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
>> Nov 18 05:18:10.514: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3 Hash=741
>> Nov 18 05:18:10.522: ip_admission_fb:HostCacheEntryAdd success for MAC=48f8.b32b.24a3 IP=0.0.0.0 idb=FastEthernet1/0/5
>> Nov 18 05:18:10.522: ip_admission_fb:IP admission initiate for [idb=FastEthernet1/0/5 mac=48f8.b32b.24a3 ip=7.7.99.6 profile=WEBAUTH rule=WEBAUTH] success
>> Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Dynamic rule WEBAUTH found on FastEthernet1/0/5
>> Nov 18 05:18:10.522: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3 Hash=741
>> Nov 18 05:18:10.522: ip_admission_fb:HostCacheGetEntry: MAC=48f8.b32b.24a3 IP=7.7.99.6 Success
>> Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH
>> Nov 18 05:18:10.522: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 48f8.b32b.24a3| AuditSessionID 07070702000000110087DEF8| AUTHTYPE AUTHPROXY| EVENT APPLY
>> Nov 18 05:18:10.522: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-REQUEST
>> Nov 18 05:18:10.522: %EPM-6-POLICY_APP_SUCCESS: IP 7.7.99.6| MAC 48f8.b32b.24a3| AuditSessionID 07070702000000110087DEF8| AUTHTYPE AUTHPROXY| POLICY_TYPE Named ACL| POLICY_NAME 190| RESULT SUCCESS
>> Nov 18 05:18:10.539: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
>> Nov 18 05:18:10.573: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-SUCCESS
>> Nov 18 05:18:10.573: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-WAIT
>> Nov 18 05:18:11.311: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
>> SW6(config-if)#
>> Nov 18 05:18:19.398: ip_admission_fb:000f.2340.71cb(7.7.9.6): Dynamic rule WEBAUTH found on FastEthernet1/0/5
>> Nov 18 05:18:19.398: ip_admission_host_gen_hash: MAC=000f.2340.71cb Hash=430
>> Nov 18 05:18:19.398: ip_admission_fb:HostCacheGetEntry: MAC=000f.2340.71cb IP=7.7.9.6 Fails
>> Nov 18 05:18:19.398: ip_admission_fb:000f.2340.71cb(7.7.9.6): Dynamic rule WEBAUTH found on FastEthernet1/0/5
>> Nov 18 05:18:19.398: ip_admission_host_gen_hash: MAC=000f.2340.71cb Hash=430
>> Nov 18 05:18:19.398: ip_admission_fb:HostCacheGetEntry: MAC=000f.2340.71cb IP=7.7.9.6 Fails
>> Nov 18 05:18:19.398: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
>> Nov 18 05:18:19.398: %EPM-6-POLICY_APP_SUCCESS: IP 7.7.9.6| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| RESULT SUCCESS
>> Nov 18 05:18:19.406: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-RELEASE
>> Nov 18 05:18:19.414: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT
>>
>>
>> SW6#sh authentication sessions int fa1/0/5
>>             Interface:  FastEthernet1/0/5
>>           MAC Address:  48f8.b32b.24a3
>>            IP Address:  7.7.99.6
>>             User-Name:  48f8b32b24a3
>>                Status:  Authz Success
>>                Domain:  DATA
>>       Security Policy:  Should Secure
>>       Security Status:  Unsecure
>>        Oper host mode:  multi-auth
>>      Oper control dir:  both
>>         Authorized By:  Authentication Server
>>            Vlan Group:  N/A
>>       Session timeout:  N/A
>>          Idle timeout:  N/A
>>     Common Session ID:  07070702000000110087DEF8
>>       Acct Session ID:  0x00000013
>>                Handle:  0xD3000011
>>
>> Runnable methods list:
>>        Method   State
>>        mab      Failed over
>>        dot1x    Failed over
>>        webauth  Authc Success
>>
>>
>> ----------------------------------------
>>             Interface:  FastEthernet1/0/5
>>           MAC Address:  000f.2340.71cb
>>            IP Address:  7.7.9.6
>>             User-Name:  00-0F-23-40-71-CB
>>                Status:  Authz Success
>>                Domain:  VOICE
>>       Security Policy:  Should Secure
>>       Security Status:  Unsecure
>>        Oper host mode:  multi-auth
>>      Oper control dir:  both
>>         Authorized By:  Authentication Server
>>               ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
>>       Session timeout:  3600s (local), Remaining: 2807s
>>        Timeout action:  Reauthenticate
>>          Idle timeout:  N/A
>>     Common Session ID:  07070702000000120087F811
>>       Acct Session ID:  0x00000014
>>                Handle:  0x77000012
>>
>> Runnable methods list:
>>        Method   State
>>        mab      Authc Success
>>        dot1x    Not run
>>        webauth  Not run
>>
>>
>> ---------------------------------------------------------------------------------------------------------------------
>>
>> interface FastEthernet1/0/5
>>  switchport access vlan 99
>>  switchport mode access
>>  switchport voice vlan 9
>>  authentication event fail action next-method
>>  authentication host-mode multi-auth
>>  authentication order mab dot1x webauth
>>  authentication priority mab dot1x webauth
>>  authentication port-control auto
>>  authentication periodic
>>  authentication fallback WEBAUTH
>>  mab
>>  dot1x pae authenticator
>>  dot1x timeout tx-period 3
>>  spanning-tree portfast
>> end
>>
>>
>> !
>> !
>> fallback profile WEBAUTH
>>  ip access-group 190 in
>>  ip admission WEBAUTH
>>
>> ip access-list extended WEB
>>  permit icmp any any
>>  permit udp any any eq domain
>>  permit tcp any any eq www
>>  permit tcp any any eq 443
>>
>> access-list 190 permit udp any any eq bootps
>> access-list 190 permit udp any any eq domain
>>
>>
>>
>>
>>
>> On ISE, I have a filter with the WEB ACL on the authorization policy and webauth
>> enabled. Allow for any device with this auth profile.
>>
>>
>
>
> --
> CCIEx2 (R&S|Sec) #19963
>
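Added example, not part of this thread: a small parser that follows each AuditSessionID through the mab/dot1x/webauth %AUTHMGR-7-RESULT lines and, for sessions that reached webauth by fallback, looks the client IP up in the 'show ip admission cache' output, so a 'webauth success' from the authentication manager is not mistaken for a completed user login (INIT means the user has not authenticated yet, ESTAB means they have). The sample lines are constructed from values quoted in the thread; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the syslog and 'sh ip ad ca' output in the thread.
SYSLOG = """\
Nov 18 05:18:01.253: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:02.041: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID 07070702000000120087F811
Nov 18 05:18:10.514: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH
Nov 18 05:18:10.539: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
"""
ADMISSION_CACHE = """\
Authentication Proxy Cache
Total Sessions: 1 Init Sessions: 1
 Client IP 7.7.99.6 Port 0, timeout 60, state INIT
"""

RESULT_RE = re.compile(r"result '(?P<res>[^']+)' from '(?P<method>\w+)' for client "
                       r"\((?P<mac>[0-9a-f.]+)\).*AuditSessionID (?P<sid>[0-9A-F]+)")
HOST_RE = re.compile(r"ip_admission_fb:(?P<mac>[0-9a-f.]+)\((?P<ip>[\d.]+)\)")
CACHE_RE = re.compile(r"Client IP (?P<ip>[\d.]+) Port \d+, timeout \d+, state \*?(?P<state>\w+)\*?")

def parse_syslog(syslog):
    """Return ({(sid, mac): [(method, result), ...]}, {mac: ip}), in log order."""
    sessions, mac_ip = defaultdict(list), {}
    for line in syslog.splitlines():
        if m := RESULT_RE.search(line):
            sessions[(m["sid"], m["mac"])].append((m["method"], m["res"]))
        elif m := HOST_RE.search(line):   # ip_admission_fb lines carry the MAC->IP binding
            mac_ip[m["mac"]] = m["ip"]
    return dict(sessions), mac_ip

def parse_admission_cache(output):
    """Return {client_ip: state} from 'show ip admission cache' (INIT or ESTAB)."""
    return {m["ip"]: m["state"] for m in CACHE_RE.finditer(output)}

def webauth_user_status(syslog, cache_output):
    """For each session whose last result is webauth 'success', report whether the
    user has really authenticated (cache state ESTAB) or only reached INIT."""
    sessions, mac_ip = parse_syslog(syslog)
    states = parse_admission_cache(cache_output)
    report = {}
    for (sid, mac), results in sessions.items():
        if results[-1] != ("webauth", "success"):
            continue  # mab/dot1x succeeded, or webauth never became the active method
        state = states.get(mac_ip.get(mac), "NO-CACHE-ENTRY")
        report[sid] = {"mac": mac, "fell_back_from": [meth for meth, _ in results[:-1]],
                       "cache_state": state, "user_authenticated": state == "ESTAB"}
    return report
```

Run it against a real 'debug' capture and 'sh ip ad ca' output; a session listed with cache_state INIT is the case Sadiq describes, where the fallback has engaged but no user has logged in yet.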