ISE 2.6 and WLC 8.3: guest portal not working.
Hi!

Here is a strange problem.

I'm setting up WebAuth.

On the WLC:
I configure 2 RADIUS servers (authorization and accounting)
I create an interface
I create a WLAN with MAC filtering enabled, AAA override, DHCP Req and ISE NAC
I create 2 ACLs
1. REDIRECT: everything is redirected except DNS and ISE
2. INETONLY: allow everything except the local networks.

On ISE:
1. Authorization policy for registration: I specify where to redirect and the ACL REDIRECT
2. Policy for those who have completed registration: ACL INETONLY

Policies:
WiFi pre: select only those who come from SSID GUEST
Up to this point everything is fine: we get to the registration page, create a user, receive the password by SMS

WiFi GUEST
Select SSID Guest + GuestWorkFlow

And here is the catch: the user stays in the PRE policy exactly as before. The access list does not change to INETONLY.

Here is the RADIUS debug. The very first line already bothers me. And I don't really understand where to dig. And on the WLC itself the user is unknown and not authorized.

Code:
*aaaQueueReader: Oct 13 09:55:23.332: Unable to find requested user entry for f8c39e2171d3
*aaaQueueReader: Oct 13 09:55:23.332: ReProcessAuthentication previous proto 8, next proto 40000001
*aaaQueueReader: Oct 13 09:55:23.332: AuthenticationRequest: 0x1bee2558
*aaaQueueReader: Oct 13 09:55:23.332:   Callback.....................................0x106a38c0
*aaaQueueReader: Oct 13 09:55:23.332:   protocolType.................................0x40000001
*aaaQueueReader: Oct 13 09:55:23.332:   proxyState...................................F8:C3:9E:21:71:D3-00:00
*aaaQueueReader: Oct 13 09:55:23.332:   Packet contains 16 AVPs (not shown)
*aaaQueueReader: Oct 13 09:55:23.332: f8:c3:9e:21:71:d3 NAI-Realm not enabled on Wlan, radius servers will be selected as usual
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 *** Counted VSA 9 AVP of length 205, code 1 atrlen 199)
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 *** Counted VSA 9 AVP of length 33, code 1 atrlen 27)
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 *** Counted VSA 9 AVP of length 196, code 1 atrlen 190)
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Counted 9 AVPs (processed 587 bytes, left 0)
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 AVP: VendorId: 9, vendorType: 1, vendorLen:  199
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Processed VSA 9, type 1, raw bytes 199, copied 184 bytes
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 AVP: VendorId: 9, vendorType: 1, vendorLen:  27
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Processed VSA 9, type 1, raw bytes 27, copied 8 bytes
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 AVP: VendorId: 9, vendorType: 1, vendorLen:  190
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Processed VSA 9, type 1, raw bytes 190, copied 175 bytes
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 AVP: VendorId: 9, vendorType: 1, vendorLen:  22
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Processed VSA 9, type 1, raw bytes 22, copied 0 bytes
*radiusTransportThread: Oct 13 09:55:23.341: AuthorizationResponse: 0x166ab570
*radiusTransportThread: Oct 13 09:55:23.341:    structureSize................................698
*radiusTransportThread: Oct 13 09:55:23.341:    resultCode...................................0
*radiusTransportThread: Oct 13 09:55:23.341:    protocolUsed.................................0x00000001
*radiusTransportThread: Oct 13 09:55:23.341:    proxyState...................................F8:C3:9E:21:71:D3-00:00
*radiusTransportThread: Oct 13 09:55:23.341:        AVP[01] User-Name................................nikoalex@yandex.ru (18 bytes)
*radiusTransportThread: Oct 13 09:55:23.341:        AVP[02] Class....................................CACS:ac12020a0000016c5da2e6fe:ise2-1/359655448/186789 (53 bytes)
*radiusTransportThread: Oct 13 09:55:23.341:        AVP[03] Session-Timeout..........................0x0001003b (65595) (4 bytes)
*radiusTransportThread: Oct 13 09:55:23.341:        AVP[04] Termination-Action.......................0x00000000 (0) (4 bytes)
*radiusTransportThread: Oct 13 09:55:23.341:        AVP[05] Message-Authenticator....................DATA (16 bytes)
*radiusTransportThread: Oct 13 09:55:23.341:        AVP[06] Cisco / Url-Redirect.....................DATA (184 bytes)
*radiusTransportThread: Oct 13 09:55:23.341:        AVP[07] Cisco / Url-Redirect-Acl.................REDIRECT (8 bytes)
*radiusTransportThread: Oct 13 09:55:23.341:        AVP[08] Cisco / Url-Redirect.....................DATA (175 bytes)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Received SGT for this Client.
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Resetting web IPv4 acl from 1 to 255
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 override for default ap group, marking intgrp NULL
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Applying Interface(fccps-guest-wifi) policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 300
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Re-applying interface policy for client
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2922)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2942)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 apfApplyWlanPolicy: Retaining (ACL [1] / Flexconnect ACL [65535]) recieved in AAA attributes on mobile
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Inserting AAA Override struct for mobile
        MAC: f8:c3:9e:21:71:d3, source 2
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Applying override policy from source Override Summation: with value 100
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Setting session timeout 65595 on mobile f8:c3:9e:21:71:d3
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Setting Session Timeout to 65595 sec - starting session timer for the mobile
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 apfMs1xStateDec
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Change state to START (0) last state WEBAUTH_REQD (8)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 START (0) Initializing policy
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3  apfVapSecurity=0x40040 L2=0 SkipWeb=0
*pemReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 Removed NPU entry.
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3  AuthenticationRequired = 1
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 Not Using WMM Compliance code qosCap 00
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 Vlan while overriding the policy = -1
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 sending to spamAddMobile vlanId -1 flex aclName = , flexAclId 65535
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP dc:a5:f4:2a:ae:b0 vapId 10 apVapId 10 flex-acl-name:
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 L2AUTHCOMPLETE (4) Change state to WEBAUTH_REQD (8) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) pemApfAddMobileStation2 3848, Adding TMP rule
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 15  Local Bridging Vlan = 300, Local Bridging intf id = 15
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 1, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) pemApfAddMobileStation2 3957, Adding TMP rule
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Replacing Fast Path rule
  type = Airespace AP Client - ACL passthru
  on AP dc:a5:f4:2a:ae:b0, slot 1, interface = 13, QOS = 0
  IPv4 ACL
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 15  Local Bridging Vlan = 300, Local Bridging intf id = 15
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit:  AppID = 0 ,AppAction = 0, AppToken = 15206  AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 1, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 apfMsAssoStateInc
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 apfPemAddUser2 (apf_policy.c:416) Changing state for mobile f8:c3:9e:21:71:d3 on AP dc:a5:f4:2a:ae:b0 from AAA Pending to Associated
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 apfPemAddUser2:session timeout forstation f8:c3:9e:21:71:d3 - Session Tout 65595, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Scheduling deletion of Mobile Station:  (callerId: 49) in 65595 seconds
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 65595
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Sending assoc-resp with status 0 station:f8:c3:9e:21:71:d3 AP:dc:a5:f4:2a:ae:b0-01 on apVapId 10
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Sending Assoc Response (status: '0') to station on AP AP4c00.82bf.5b37 on BSSID dc:a5:f4:2a:ae:b6 ApVapId 10 Slot 1, mobility role 1
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 apfProcessRadiusAssocResp (apf_80211.c:4677) Changing state for mobile f8:c3:9e:21:71:d3 on AP dc:a5:f4:2a:ae:b0 from Associated to Associated
*pemReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 172.26.0.6 Added NPU entry of type 2, dtlFlags 0x0
*spamApTask0: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Successful transmission of LWAPP Add-Mobile to AP dc:a5:f4:2a:ae:b0
*pemReceiveTask: Oct 13 09:55:23.345: f8:c3:9e:21:71:d3 Sent an XID frame
*pemReceiveTask: Oct 13 09:55:23.345: f8:c3:9e:21:71:d3 172.26.0.6 Added NPU entry of type 2, dtlFlags 0x0




13 Oct 2019, 13:00
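The debug above is long, and the facts that matter for this problem are spread across it: the RADIUS resultCode, the AVPs ISE returned (in particular Cisco / Url-Redirect-Acl and Session-Timeout) and the chain of client state changes ending in WEBAUTH_REQD. The following is an added example, not from the thread and not a Cisco tool, that pulls those out of lines in the shape of this WLC debug output and flags when the returned ACL is not the one the client should have reached. The sample lines and the placeholder username are constructed; the function and field names are my own.

```python
import re

# Constructed sample lines in the shape of the WLC debug output quoted in the
# thread (placeholder username; one Access-Accept, one client).
SAMPLE_DEBUG = """\
*aaaQueueReader: Oct 13 09:55:23.332: Unable to find requested user entry for f8c39e2171d3
*radiusTransportThread: Oct 13 09:55:23.341:    resultCode...................................0
*radiusTransportThread: Oct 13 09:55:23.341:        AVP[01] User-Name................................guest@example.com (17 bytes)
*radiusTransportThread: Oct 13 09:55:23.341:        AVP[03] Session-Timeout..........................0x0001003b (65595) (4 bytes)
*radiusTransportThread: Oct 13 09:55:23.341:        AVP[06] Cisco / Url-Redirect.....................DATA (184 bytes)
*radiusTransportThread: Oct 13 09:55:23.341:        AVP[07] Cisco / Url-Redirect-Acl.................REDIRECT (8 bytes)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Change state to START (0) last state WEBAUTH_REQD (8)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 L2AUTHCOMPLETE (4) Change state to WEBAUTH_REQD (8) last state L2AUTHCOMPLETE (4)
"""

# "AVP[07] Cisco / Url-Redirect-Acl.................REDIRECT (8 bytes)"
AVP_RE = re.compile(r"AVP\[\d+\]\s+(?P<name>.+?)\.{2,}(?P<value>.*?) \(\d+ bytes\)\s*$")
# "resultCode...................................0"
RESULT_RE = re.compile(r"resultCode\.{2,}(?P<code>\d+)\s*$")
# "<mac> <ip> WEBAUTH_REQD (8) Change state to START (0) ..."
STATE_RE = re.compile(
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \S+ (?P<src>[A-Z0-9_]+) \(\d+\) "
    r"Change state to (?P<dst>[A-Z0-9_]+) \(\d+\)"
)


def summarize_wlc_debug(text):
    """Collect the RADIUS result, returned AVPs and client state transitions."""
    summary = {"result_code": None, "avps": {}, "transitions": [],
               "final_state": None, "unknown_user": False}
    for line in text.splitlines():
        if "Unable to find requested user entry" in line:
            summary["unknown_user"] = True   # flagged separately; judge it with the rest
        m = RESULT_RE.search(line)
        if m:
            summary["result_code"] = int(m.group("code"))
            continue
        m = AVP_RE.search(line)
        if m:
            summary["avps"][m.group("name")] = m.group("value")
            continue
        m = STATE_RE.search(line)
        if m:
            summary["transitions"].append((m.group("src"), m.group("dst")))
            summary["final_state"] = m.group("dst")
    return summary


def session_timeout_seconds(summary):
    """Session-Timeout is printed as '0x0001003b (65595)'; return the decimal part."""
    m = re.search(r"\((\d+)\)", summary["avps"].get("Session-Timeout", ""))
    return int(m.group(1)) if m else None


def diagnose(summary, expected_acl):
    """Findings a troubleshooter would want: wrong ACL returned, client still held in WebAuth."""
    findings = []
    if summary["result_code"] not in (None, 0):
        findings.append(f"RADIUS resultCode {summary['result_code']}: request was not accepted")
    acl = summary["avps"].get("Cisco / Url-Redirect-Acl")
    if acl is not None and acl != expected_acl:
        findings.append(f"ISE returned Url-Redirect-Acl={acl}, not {expected_acl}: "
                        "a redirect rule matched, so check authorization rule order on ISE")
    if summary["final_state"] == "WEBAUTH_REQD":
        findings.append("client ended in WEBAUTH_REQD: the WLC is holding it behind the redirect ACL")
    return findings


if __name__ == "__main__":
    s = summarize_wlc_debug(SAMPLE_DEBUG)
    print("AVPs:", s["avps"])
    print("state path:", " -> ".join([s["transitions"][0][0]] + [d for _, d in s["transitions"]]))
    for finding in diagnose(s, expected_acl="INETONLY"):
        print("-", finding)
```

Run against the full debug from the post with `expected_acl="INETONLY"` it reports that ISE still returned the REDIRECT ACL and that the client was put back into WEBAUTH_REQD, which is the same conclusion the thread reaches by hand.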
At the same time, the web flow on ISE completes fine and the device gets registered in GuestEndpoints. It feels like the catch is in the WLC itself.


13 Oct 2019, 13:26
Question closed!


13 Oct 2019, 16:30
AlexNiko wrote:
Question closed!


Then write how you solved it; it might come in handy for someone.


14 Oct 2019, 12:37
As always, the mistake was my own stupidity. The authorization rules have to be placed in the correct order. But I haven't fully closed the question yet: it doesn't work on Apple.


14 Oct 2019, 15:19
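The fix in the last post is rule order on ISE. ISE evaluates the authorization policy top-down and, in its default mode, applies the first matching rule, so a broad rule like "SSID = GUEST" placed above "SSID = GUEST and guest flow completed" matches every guest, registered or not, and the narrower rule below it is never reached; the WLC then keeps receiving the REDIRECT ACL after registration, exactly as the debug above shows. The following is an added example (mine, not from the thread and not ISE's own policy engine) that models that first-match evaluation with the two rule names from the thread and detects which rules are shadowed. The condition functions and the `Endpoint` attributes are my reading of the thread's rules, not ISE's condition syntax.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Endpoint:
    ssid: str
    guest_flow: bool   # True once the guest portal registration has completed


@dataclass(frozen=True)
class AuthzRule:
    name: str
    condition: Callable[[Endpoint], bool]
    result: str        # ACL named in the authorization profile pushed to the WLC


def first_match(rules: List[AuthzRule], ep: Endpoint) -> Optional[AuthzRule]:
    """Top-down, first matched rule applies (ISE's default evaluation mode)."""
    for rule in rules:
        if rule.condition(ep):
            return rule
    return None


def authorize(rules: List[AuthzRule], ep: Endpoint) -> str:
    rule = first_match(rules, ep)
    return rule.result if rule else "DENY"   # implicit default deny, assumed here


def shadowed_rules(rules: List[AuthzRule], universe: List[Endpoint]) -> List[str]:
    """Rules that match some endpoint in `universe` but are never the first match,
    because a rule above them always matches first."""
    reached = {r.name for ep in universe if (r := first_match(rules, ep)) is not None}
    return [r.name for r in rules
            if r.name not in reached and any(r.condition(ep) for ep in universe)]


# Rules mirroring the two in the thread; the conditions are my reading of them.
WIFI_PRE = AuthzRule("WiFi pre", lambda ep: ep.ssid == "GUEST", "REDIRECT")
WIFI_GUEST = AuthzRule("WiFi GUEST", lambda ep: ep.ssid == "GUEST" and ep.guest_flow, "INETONLY")

AS_POSTED = [WIFI_PRE, WIFI_GUEST]   # broad rule first: registered guests never reach INETONLY
CORRECTED = [WIFI_GUEST, WIFI_PRE]   # narrower rule first

# Constructed endpoint universe: every combination of the attributes the rules test.
UNIVERSE = [Endpoint(s, g) for s, g in product(("GUEST", "CORP"), (False, True))]

REGISTERED_GUEST = Endpoint("GUEST", True)
NEW_GUEST = Endpoint("GUEST", False)


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{label}: new guest -> {authorize(rules, NEW_GUEST)}, "
              f"registered guest -> {authorize(rules, REGISTERED_GUEST)}, "
              f"shadowed: {shadowed_rules(rules, UNIVERSE)}")
```

The shadowing check is the part worth keeping: enumerating the attribute combinations a rule set tests and listing rules that can never be the first match catches this class of mistake before a client does, and the same idea applies to any first-match policy (firewall rule bases, NAC, WAF allow/deny lists).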