Hi,

Please help.

I am trying to set up local webauth on a switch and can't get it to work.

Nov 18 05:24:39.200: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Dynamic rule
WEBAUTH found on FastEthernet1/0/5
Nov 18 05:24:39.200: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3 Hash=741
Nov 18 05:24:39.200: ip_admission_fb:HostCacheGetEntry: MAC=48f8.b32b.24a3
IP=7.7.99.6 Success
Nov 18 05:24:39.200: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host
detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH



According to the link below, I should get "activate session creation", which I
never did.

http://blog.ipexpert.com/2012/07/17/fallback-802-1x-%E2%80%93-web-authentication/


This setup is with ISE and a PC behind a phone.

Here are some debugs:

SW6(config-if)#
Nov 18 05:17:57.545: %LINK-3-UPDOWN: Interface FastEthernet1/0/5, changed
state to up
Nov 18 05:17:58.552: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet1/0/5, changed state to up
SW6(config-if)#
Nov 18 05:18:01.236: %AUTHMGR-5-START: Starting 'mab' for client
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:01.253: %MAB-5-FAIL: Authentication failed for client
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:01.253: %AUTHMGR-7-RESULT: Authentication result 'no-response'
from 'mab' for client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:01.253: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for
client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:01.253: %AUTHMGR-5-START: Starting 'dot1x' for client
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:02.008: %AUTHMGR-5-START: Starting 'mab' for client
(000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
07070702000000120087F811
Nov 18 05:18:02.041: %MAB-5-SUCCESS: Authentication successful for client
(000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
07070702000000120087F811
Nov 18 05:18:02.041: %AUTHMGR-7-RESULT: Authentication result 'success'
from 'mab' for client (000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
07070702000000120087F811
Nov 18 05:18:02.041: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 000f.2340.71cb|
AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT APPLY
Nov 18 05:18:02.041: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL| EVENT
Auth-Default-ACL Attached Successfully
Nov 18 05:18:02.041: %EPM-6-AAA: POLICY
xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-REQUEST
Nov 18 05:18:02.083: %EPM-6-AAA: POLICY
xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-SUCCESS
Nov 18 05:18:02.083: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 000f.2340.71cb|
AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-WAIT
Nov 18 05:18:03.073: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
(000f.2340.71cb) on Interface Fa1/0/5 AuditSessionID
07070702000000120087F811
SW6(config-if)#
Nov 18 05:18:10.514: %DOT1X-5-FAIL: Authentication failed for client
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
Nov 18 05:18:10.514: %AUTHMGR-7-RESULT: Authentication result 'no-response'
from 'dot1x' for client (48f8.b32b.24a3) on Interface Fa1/0/5
AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:10.514: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for
client (48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:10.514: %AUTHMGR-5-START: Starting 'webauth' for client
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
Nov 18 05:18:10.514: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3 Hash=741
Nov 18 05:18:10.522: ip_admission_fb:HostCacheEntryAdd success for
MAC=48f8.b32b.24a3 IP=0.0.0.0 idb=FastEthernet1/0/5
Nov 18 05:18:10.522: ip_admission_fb:IP admission initiate for
[idb=FastEthernet1/0/5 mac=48f8.b32b.24a3 ip=7.7.99.6 profile=WEBAUTH
rule=WEBAUTH] success
Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Dynamic rule
WEBAUTH found on FastEthernet1/0/5
Nov 18 05:18:10.522: ip_admission_host_gen_hash: MAC=48f8.b32b.24a3 Hash=741
Nov 18 05:18:10.522: ip_admission_fb:HostCacheGetEntry: MAC=48f8.b32b.24a3
IP=7.7.99.6 Success
Nov 18 05:18:10.522: ip_admission_fb:48f8.b32b.24a3(7.7.99.6): Host
detected. Enabling host on FastEthernet1/0/5 for dynamic rule WEBAUTH
Nov 18 05:18:10.522: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 48f8.b32b.24a3|
AuditSessionID 07070702000000110087DEF8| AUTHTYPE AUTHPROXY| EVENT APPLY
Nov 18 05:18:10.522: %EPM-6-AAA: POLICY
xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-REQUEST
Nov 18 05:18:10.522: %EPM-6-POLICY_APP_SUCCESS: IP 7.7.99.6| MAC
48f8.b32b.24a3| AuditSessionID 07070702000000110087DEF8| AUTHTYPE
AUTHPROXY| POLICY_TYPE Named ACL| POLICY_NAME 190| RESULT SUCCESS
Nov 18 05:18:10.539: %AUTHMGR-7-RESULT: Authentication result 'success'
from 'webauth' for client (48f8.b32b.24a3) on Interface Fa1/0/5
AuditSessionID 07070702000000110087DEF8
Nov 18 05:18:10.573: %EPM-6-AAA: POLICY
xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2| EVENT DOWNLOAD-SUCCESS
Nov 18 05:18:10.573: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 000f.2340.71cb|
AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-WAIT
Nov 18 05:18:11.311: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
(48f8.b32b.24a3) on Interface Fa1/0/5 AuditSessionID
07070702000000110087DEF8
SW6(config-if)#
Nov 18 05:18:19.398: ip_admission_fb:000f.2340.71cb(7.7.9.6): Dynamic rule
WEBAUTH found on FastEthernet1/0/5
Nov 18 05:18:19.398: ip_admission_host_gen_hash: MAC=000f.2340.71cb Hash=430
Nov 18 05:18:19.398: ip_admission_fb:HostCacheGetEntry: MAC=000f.2340.71cb
IP=7.7.9.6 Fails
Nov 18 05:18:19.398: ip_admission_fb:000f.2340.71cb(7.7.9.6): Dynamic rule
WEBAUTH found on FastEthernet1/0/5
Nov 18 05:18:19.398: ip_admission_host_gen_hash: MAC=000f.2340.71cb Hash=430
Nov 18 05:18:19.398: ip_admission_fb:HostCacheGetEntry: MAC=000f.2340.71cb
IP=7.7.9.6 Fails
Nov 18 05:18:19.398: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb|
AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Nov 18 05:18:19.398: %EPM-6-POLICY_APP_SUCCESS: IP 7.7.9.6| MAC
000f.2340.71cb| AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X|
POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2|
RESULT SUCCESS
Nov 18 05:18:19.406: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb|
AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT IP-RELEASE
Nov 18 05:18:19.414: %EPM-6-IPEVENT: IP 7.7.9.6| MAC 000f.2340.71cb|
AuditSessionID 07070702000000120087F811| AUTHTYPE DOT1X| EVENT


SW6#sh authentication sessions int fa1/0/5
            Interface:  FastEthernet1/0/5
          MAC Address:  48f8.b32b.24a3
           IP Address:  7.7.99.6
            User-Name:  48f8b32b24a3
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  07070702000000110087DEF8
      Acct Session ID:  0x00000013
               Handle:  0xD3000011

Runnable methods list:
       Method   State
       mab      Failed over
       dot1x    Failed over
       webauth  Authc Success


----------------------------------------
            Interface:  FastEthernet1/0/5
          MAC Address:  000f.2340.71cb
           IP Address:  7.7.9.6
            User-Name:  00-0F-23-40-71-CB
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-51134bb2
      Session timeout:  3600s (local), Remaining: 2807s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  07070702000000120087F811
      Acct Session ID:  0x00000014
               Handle:  0x77000012

Runnable methods list:
       Method   State

       mab      Authc Success
       dot1x    Not run
       webauth  Not run

---------------------------------------------------------------------------------------------------------------------

interface FastEthernet1/0/5
 switchport access vlan 99
 switchport mode access
 switchport voice vlan 9
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab dot1x webauth
 authentication priority mab dot1x webauth
 authentication port-control auto
 authentication periodic
 authentication fallback WEBAUTH
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 spanning-tree portfast
end


!
!
fallback profile WEBAUTH
 ip access-group 190 in
 ip admission WEBAUTH

ip access-list extended WEB
 permit icmp any any
 permit udp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443

access-list 190 permit udp any any eq bootps
access-list 190 permit udp any any eq domain





On ISE, I have a filter with the WEB ACL on the authorization policy and webauth
enabled. Allow for any device with this auth profile.