Hi, please help.

I am trying to set up local webauth on a switch and can't get it to work.

Nov 18 05:24:39.200: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Dynamic rule WEBAUTH found on FastEthernet1/0/5
Nov 18 05:24:39.200: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3 Hash=741
Nov 18 05:24:39.200: ip_admission_fb:HostCacheGetEntry: MAC=48f8.b32b.24a3 IP=7.7.99.6 Success
Nov 18 05:24:39.200: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH

According to the link below I should get "activate session creation", which I never did.

http://blog.ipexpert.com/2012/07/17/fallback-802-1x-%E2%80%93-web-authentication/

This setup is with ISE and a PC behind a phone. Here are some debugs:

SW6(config-if)#
Nov 18 05:17:57.545: %LINK-3-UPDOWN: Interface FastEthernet1/0/5, changed state to up
Nov 18 05:17:58.552: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/5, changed state to up
SW6(config-if)#
Nov 18 05:18:01.236: %AUTHMGR-5-START: Starting 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:01.253: %MAB-5-FAIL: Authentication failed for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:01.253: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:01.253: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:01.253: %AUTHMGR-5-START: Starting 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:02.008: %AUTHMGR-5-START: Starting 'mab' for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID 07070702000000120087F811
Nov 18 05:18:02.041: %MAB-5-SUCCESS: Authentication successful for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID 07070702000000120087F811
Nov 18 05:18:02.041: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID 07070702000000120087F811
Nov 18 05:18:02.041: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT APPLY
Nov 18 05:18:02.041: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT Auth-Default-ACL Attached Successfully
Nov 18 05:18:02.041: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-REQUEST
Nov 18 05:18:02.083: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-SUCCESS
Nov 18 05:18:02.083: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-WAIT
Nov 18 05:18:03.073: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID 07070702000000120087F811
SW6(config-if)#
Nov 18 05:18:10.514: %DOT1X-5-FAIL: Authentication failed for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
Nov 18 05:18:10.514: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:10.514: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:10.514: %AUTHMGR-5-START: Starting 'webauth' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:10.514: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3 Hash=741
Nov 18 05:18:10.522: ip_admission_fb:HostCacheEntryAdd success for MAC=48f8.b32b.24a3 IP=0.0.0.0 idb=FastEthernet1/0/5
Nov 18 05:18:10.522: ip_admission_fb:IP admission initiate for [idb=FastEthernet1/0/5 mac=48f8.b32b.24a3 ip=7.7.99.6 profile=WEBAUTH rule=WEBAUTH] success
Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Dynamic rule WEBAUTH found on FastEthernet1/0/5
Nov 18 05:18:10.522: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3 Hash=741
Nov 18 05:18:10.522: ip_admission_fb:HostCacheGetEntry: MAC=48f8.b32b.24a3 IP=7.7.99.6 Success
Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH
Nov 18 05:18:10.522: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 48f8.b32b.24a3| AuditSessionID 07070702000000110087DEF8| AUTHTYPE AUTHPROXY| EVENT APPLY
Nov 18 05:18:10.522: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-REQUEST
Nov 18 05:18:10.522: %EPM-6-POLICY_APP_SUCCESS: IP 7.7.99.6| MAC 48f8.b32b.24a3| AuditSessionID 07070702000000110087DEF8| AUTHTYPE AUTHPROXY| POLICY_TYPE Named ACL| POLICY_NAME 190| RESULT SUCCESS
Nov 18 05:18:10.539: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:10.573: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-SUCCESS
Nov 18 05:18:10.573: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-WAIT
Nov 18 05:18:11.311: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID 07070702000000110087DEF8
SW6(config-if)#
Nov 18 05:18:19.398: ip_admission_fb:000f.2340.71cb(7.7.9.6): Dynamic rule WEBAUTH found on FastEthernet1/0/5
Nov 18 05:18:19.398: ip_admission_host_gen_hash: MAC=000f.2340.71cb Hash=430
Nov 18 05:18:19.398: ip_admission_fb:HostCacheGetEntry: MAC=000f.2340.71cb IP=7.7.9.6 Fails
Nov 18 05:18:19.398: ip_admission_fb:000f.2340.71cb(7.7.9.6): Dynamic rule WEBAUTH found on FastEthernet1/0/5
Nov 18 05:18:19.398: ip_admission_host_gen_hash: MAC=000f.2340.71cb Hash=430
Nov 18 05:18:19.398: ip_admission_fb:HostCacheGetEntry: MAC=000f.2340.71cb IP=7.7.9.6 Fails
Nov 18 05:18:19.398: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Nov 18 05:18:19.398: %EPM-6-POLICY_APP_SUCCESS: IP 7.7.9.6| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| RESULT SUCCESS
Nov 18 05:18:19.406: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-RELEASE
Nov 18 05:18:19.414: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT

SW6#sh authentication sessions int fa1/0/5
            Interface:  FastEthernet1/0/5
          MAC Address:  48f8.b32b.24a3
           IP Address:  7.7.99.6
            User-Name:  48f8b32b24a3
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  07070702000000110087DEF8
      Acct Session ID:  0x00000013
               Handle:  0xD3000011

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Failed over
       webauth  Authc Success

----------------------------------------
            Interface:  FastEthernet1/0/5
          MAC Address:  000f.2340.71cb
           IP Address:  7.7.9.6
            User-Name:  00-0F-23-40-71-CB
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
      Session timeout:  3600s (local), Remaining: 2807s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  07070702000000120087F811
      Acct Session ID:  0x00000014
               Handle:  0x77000012

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
       webauth  Not run

---------------------------------------------------------------------------------------------------------------------

interface FastEthernet1/0/5
 switchport access vlan 99
 switchport mode access
 switchport voice vlan 9
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab dot1x webauth
 authentication priority mab dot1x webauth
 authentication port-control auto
 authentication periodic
 authentication fallback WEBAUTH
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
end
!
!
fallback profile WEBAUTH
 ip access-group 190 in
 ip admission WEBAUTH

ip access-list extended WEB
 permit icmp any any
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443

access-list 190 permit udp any any eq bootps
access-list 190 permit udp any any eq domain

On ISE, I have a filter with the WEB ACL on the authorization policy and webauth enabled. Allow for any device with this auth profile.