Hi!
Here's a strange problem.
I'm setting up WebAuth.
On the WLC:
I configure 2 RADIUS servers (authorization and accounting)
Create an interface
Create a WLAN with MAC filtering enabled, AAA override, DHCP REQ and ISE NAC
Create 2 ACLs
1. Redirect - only DNS and ISE are not redirected
2. INETONLY - allow everything except the local networks.
On ISE:
1. Authorization policy for registration - I specify where to redirect and the ACL REDIRECT
2. Policy for those who have completed registration - ACL INETONLY
Policies:
WiFi pre - I select only those coming from SSID GUEST
Up to this point everything is fine: redirect to registration, we create a user, get the password by SMS
WiFi GUEST
Select SSID Guest + GuestWorkFlow
But then comes the catch: the user stays in the PRE policy just as before. The access list does not change to INETONLY.
Here is the RADIUS debug. The very first line already bothers me. And I don't really understand where to dig. And on the WLC itself the user is unknown and not authorized.
Code:
*aaaQueueReader: Oct 13 09:55:23.332: Unable to find requested user entry for f8c39e2171d3
*aaaQueueReader: Oct 13 09:55:23.332: ReProcessAuthentication previous proto 8, next proto 40000001
*aaaQueueReader: Oct 13 09:55:23.332: AuthenticationRequest: 0x1bee2558
*aaaQueueReader: Oct 13 09:55:23.332: Callback.....................................0x106a38c0
*aaaQueueReader: Oct 13 09:55:23.332: protocolType.................................0x40000001
*aaaQueueReader: Oct 13 09:55:23.332: proxyState...................................F8:C3:9E:21:71:D3-00:00
*aaaQueueReader: Oct 13 09:55:23.332: Packet contains 16 AVPs (not shown)
*aaaQueueReader: Oct 13 09:55:23.332: f8:c3:9e:21:71:d3 NAI-Realm not enabled on Wlan, radius servers will be selected as usual
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 *** Counted VSA 9 AVP of length 205, code 1 atrlen 199)
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 *** Counted VSA 9 AVP of length 33, code 1 atrlen 27)
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 *** Counted VSA 9 AVP of length 196, code 1 atrlen 190)
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Counted 9 AVPs (processed 587 bytes, left 0)
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 AVP: VendorId: 9, vendorType: 1, vendorLen: 199
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Processed VSA 9, type 1, raw bytes 199, copied 184 bytes
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 AVP: VendorId: 9, vendorType: 1, vendorLen: 27
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Processed VSA 9, type 1, raw bytes 27, copied 8 bytes
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 AVP: VendorId: 9, vendorType: 1, vendorLen: 190
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Processed VSA 9, type 1, raw bytes 190, copied 175 bytes
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 AVP: VendorId: 9, vendorType: 1, vendorLen: 22
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Processed VSA 9, type 1, raw bytes 22, copied 0 bytes
*radiusTransportThread: Oct 13 09:55:23.341: AuthorizationResponse: 0x166ab570
*radiusTransportThread: Oct 13 09:55:23.341: structureSize................................698
*radiusTransportThread: Oct 13 09:55:23.341: resultCode...................................0
*radiusTransportThread: Oct 13 09:55:23.341: protocolUsed.................................0x00000001
*radiusTransportThread: Oct 13 09:55:23.341: proxyState...................................F8:C3:9E:21:71:D3-00:00
*radiusTransportThread: Oct 13 09:55:23.341: AVP[01] User-Name................................nikoalex@yandex.ru (18 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[02] Class....................................CACS:ac12020a0000016c5da2e6fe:ise2-1/359655448/186789 (53 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[03] Session-Timeout..........................0x0001003b (65595) (4 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[04] Termination-Action.......................0x00000000 (0) (4 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[05] Message-Authenticator....................DATA (16 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[06] Cisco / Url-Redirect.....................DATA (184 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[07] Cisco / Url-Redirect-Acl.................REDIRECT (8 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[08] Cisco / Url-Redirect.....................DATA (175 bytes)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Received SGT for this Client.
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Resetting web IPv4 acl from 1 to 255
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 override for default ap group, marking intgrp NULL
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Applying Interface(fccps-guest-wifi) policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 300
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Re-applying interface policy for client
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2922)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2942)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 apfApplyWlanPolicy: Retaining (ACL [1] / Flexconnect ACL [65535]) recieved in AAA attributes on mobile
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Inserting AAA Override struct for mobile
MAC: f8:c3:9e:21:71:d3, source 2
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Applying override policy from source Override Summation: with value 100
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Setting session timeout 65595 on mobile f8:c3:9e:21:71:d3
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Setting Session Timeout to 65595 sec - starting session timer for the mobile
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 apfMs1xStateDec
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Change state to START (0) last state WEBAUTH_REQD (8)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 START (0) Initializing policy
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 apfVapSecurity=0x40040 L2=0 SkipWeb=0
*pemReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 Removed NPU entry.
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 AuthenticationRequired = 1
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 Not Using WMM Compliance code qosCap 00
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 Vlan while overriding the policy = -1
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 sending to spamAddMobile vlanId -1 flex aclName = , flexAclId 65535
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP dc:a5:f4:2a:ae:b0 vapId 10 apVapId 10 flex-acl-name:
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 L2AUTHCOMPLETE (4) Change state to WEBAUTH_REQD (8) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) pemApfAddMobileStation2 3848, Adding TMP rule
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 15 Local Bridging Vlan = 300, Local Bridging intf id = 15
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 1, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) pemApfAddMobileStation2 3957, Adding TMP rule
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Replacing Fast Path rule
type = Airespace AP Client - ACL passthru
on AP dc:a5:f4:2a:ae:b0, slot 1, interface = 13, QOS = 0
IPv4 ACL
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 15 Local Bridging Vlan = 300, Local Bridging intf id = 15
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 1, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 apfMsAssoStateInc
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 apfPemAddUser2 (apf_policy.c:416) Changing state for mobile f8:c3:9e:21:71:d3 on AP dc:a5:f4:2a:ae:b0 from AAA Pending to Associated
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 apfPemAddUser2:session timeout forstation f8:c3:9e:21:71:d3 - Session Tout 65595, apfMsTimeOut '1800' and sessionTimerRunning flag is 1
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Scheduling deletion of Mobile Station: (callerId: 49) in 65595 seconds
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 65595
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Sending assoc-resp with status 0 station:f8:c3:9e:21:71:d3 AP:dc:a5:f4:2a:ae:b0-01 on apVapId 10
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Sending Assoc Response (status: '0') to station on AP AP4c00.82bf.5b37 on BSSID dc:a5:f4:2a:ae:b6 ApVapId 10 Slot 1, mobility role 1
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 apfProcessRadiusAssocResp (apf_80211.c:4677) Changing state for mobile f8:c3:9e:21:71:d3 on AP dc:a5:f4:2a:ae:b0 from Associated to Associated
*pemReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 172.26.0.6 Added NPU entry of type 2, dtlFlags 0x0
*spamApTask0: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Successful transmission of LWAPP Add-Mobile to AP dc:a5:f4:2a:ae:b0
*pemReceiveTask: Oct 13 09:55:23.345: f8:c3:9e:21:71:d3 Sent an XID frame
*pemReceiveTask: Oct 13 09:55:23.345: f8:c3:9e:21:71:d3 172.26.0.6 Added NPU entry of type 2, dtlFlags 0x0
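To pin down which stage of the CWA flow a client actually ended in, the debug output above can be parsed mechanically: pull the RADIUS AVPs the WLC received (in particular whether Url-Redirect-Acl came back again) and the client's state transitions, then compare them. This is an added example, not part of the original post and not Cisco tooling; the sample log is constructed in the same shape as the debug above, and the "RUN" final state and the exact AVP label text are assumptions about the WLC's debug format.

```python
import re

# Constructed sample in the shape of the WLC "debug client" output above.
SAMPLE_LOG = """\
*aaaQueueReader: Oct 13 09:55:23.332: Unable to find requested user entry for f8c39e2171d3
*radiusTransportThread: Oct 13 09:55:23.341: AVP[01] User-Name................................guest@example.com (17 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[03] Session-Timeout..........................0x0001003b (65595) (4 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[07] Cisco / Url-Redirect-Acl.................REDIRECT (8 bytes)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Change state to START (0) last state WEBAUTH_REQD (8)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 L2AUTHCOMPLETE (4) Change state to WEBAUTH_REQD (8) last state L2AUTHCOMPLETE (4)
"""

# "AVP[07] Cisco / Url-Redirect-Acl.................REDIRECT (8 bytes)"
AVP_RE = re.compile(r"AVP\[\d+\]\s+(?P<name>[^.]+?)\.{2,}(?P<value>.*?)\s*\(\d+ bytes\)")
# "... WEBAUTH_REQD (8) Change state to START (0) last state ..."
STATE_RE = re.compile(r"Change state to (?P<new>[A-Z0-9_]+) \(\d+\)")


def parse_debug(text):
    """Collect RADIUS AVPs and the ordered list of client state changes."""
    avps, states, unknown_user = {}, [], False
    for line in text.splitlines():
        if "Unable to find requested user entry" in line:
            unknown_user = True  # WLC had no existing entry for this MAC
        m = AVP_RE.search(line)
        if m:
            avps[m.group("name").strip()] = m.group("value").strip()
        m = STATE_RE.search(line)
        if m:
            states.append(m.group("new"))
    return {"avps": avps, "states": states, "unknown_user": unknown_user}


def diagnose(parsed):
    """Decide which authorization stage the client ended in."""
    redirect_acl = parsed["avps"].get("Cisco / Url-Redirect-Acl")
    final_state = parsed["states"][-1] if parsed["states"] else None
    if redirect_acl is not None and final_state == "WEBAUTH_REQD":
        verdict = "pre-auth policy still applied"   # ISE re-sent the redirect ACL
    elif redirect_acl is None and final_state == "RUN":  # RUN assumed as the WLC's final state
        verdict = "post-auth policy applied"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "redirect_acl": redirect_acl,
            "final_state": final_state, "unknown_user": parsed["unknown_user"]}


if __name__ == "__main__":
    print(diagnose(parse_debug(SAMPLE_LOG)))
```

Run it on a full `debug client <mac>` capture; a verdict of "pre-auth policy still applied" together with an Url-Redirect-Acl value means ISE matched the registration rule again, so the next place to look is the ISE authorization rule conditions rather than the WLC.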