Anticisco http://www.anticisco.ru/forum/ |
ISE 2.6 and WLC 8.3: guest portal does not work. http://www.anticisco.ru/forum/viewtopic.php?f=2&t=11142 |
Page 1 of 1 |
Author: | AlexNiko [ 13 Oct 2019, 13:00 ] |
Post subject: | ISE 2.6 and WLC 8.3: guest portal does not work. |
Hi! Here is a strange problem. I am setting up WebAuth.

On the WLC:
I configure 2 RADIUS servers (authorization and accounting)
I create an interface
I create a WLAN with MAC filtering, AAA override, DHCP REQ and ISE NAC enabled
I create 2 ACLs
1. Redirect - only DNS and ISE are not redirected
2. INETONLY - everything is allowed except the local networks.

On ISE:
1. Authorization policy for registration - I specify where to redirect and the REDIRECT ACL
2. Policy for those who have completed registration - the INETONLY ACL

Policies:
WiFi pre - I select only those coming from SID GUEST
Up to this point everything is fine: the redirect to account creation works, we create the user and receive the password by SMS
WiFi GUEST
We select SID Guest + GuestWorkFlow
But then comes the snag: the user stays in the PRE policy, just as before. The access list does not change to INETONLY.
Here is the RADIUS debug. The very first line already bothers me. And I don't really understand where to dig. And on the WLC itself the user is unknown and unauthorized.

Code:
*aaaQueueReader: Oct 13 09:55:23.332: Unable to find requested user entry for f8c39e2171d3
*aaaQueueReader: Oct 13 09:55:23.332: ReProcessAuthentication previous proto 8, next proto 40000001
*aaaQueueReader: Oct 13 09:55:23.332: AuthenticationRequest: 0x1bee2558
*aaaQueueReader: Oct 13 09:55:23.332: Callback.....................................0x106a38c0
*aaaQueueReader: Oct 13 09:55:23.332: protocolType.................................0x40000001
*aaaQueueReader: Oct 13 09:55:23.332: proxyState...................................F8:C3:9E:21:71:D3-00:00
*aaaQueueReader: Oct 13 09:55:23.332: Packet contains 16 AVPs (not shown)
*aaaQueueReader: Oct 13 09:55:23.332: f8:c3:9e:21:71:d3 NAI-Realm not enabled on Wlan, radius servers will be selected as usual
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 *** Counted VSA 9 AVP of length 205, code 1 atrlen 199)
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 *** Counted VSA 9 AVP of length 33, code 1 atrlen 27)
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 *** Counted VSA 9 AVP of length 196, code 1 atrlen 190)
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Counted 9 AVPs (processed 587 bytes, left 0)
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 AVP: VendorId: 9, vendorType: 1, vendorLen: 199
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Processed VSA 9, type 1, raw bytes 199, copied 184 bytes
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 AVP: VendorId: 9, vendorType: 1, vendorLen: 27
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Processed VSA 9, type 1, raw bytes 27, copied 8 bytes
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 AVP: VendorId: 9, vendorType: 1, vendorLen: 190
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Processed VSA 9, type 1, raw bytes 190, copied 175 bytes
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 AVP: VendorId: 9, vendorType: 1, vendorLen: 22
*radiusTransportThread: Oct 13 09:55:23.341: f8:c3:9e:21:71:d3 Processed VSA 9, type 1, raw bytes 22, copied 0 bytes
*radiusTransportThread: Oct 13 09:55:23.341: AuthorizationResponse: 0x166ab570
*radiusTransportThread: Oct 13 09:55:23.341: structureSize................................698
*radiusTransportThread: Oct 13 09:55:23.341: resultCode...................................0
*radiusTransportThread: Oct 13 09:55:23.341: protocolUsed.................................0x00000001
*radiusTransportThread: Oct 13 09:55:23.341: proxyState...................................F8:C3:9E:21:71:D3-00:00
*radiusTransportThread: Oct 13 09:55:23.341: AVP[01] User-Name................................nikoalex@yandex.ru (18 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[02] Class....................................CACS:ac12020a0000016c5da2e6fe:ise2-1/359655448/186789 (53 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[03] Session-Timeout..........................0x0001003b (65595) (4 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[04] Termination-Action.......................0x00000000 (0) (4 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[05] Message-Authenticator....................DATA (16 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[06] Cisco / Url-Redirect.....................DATA (184 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[07] Cisco / Url-Redirect-Acl.................REDIRECT (8 bytes)
*radiusTransportThread: Oct 13 09:55:23.341: AVP[08] Cisco / Url-Redirect.....................DATA (175 bytes)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Received SGT for this Client.
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Resetting web IPv4 acl from 1 to 255
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 override for default ap group, marking intgrp NULL
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Applying Interface(fccps-guest-wifi) policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 300
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Re-applying interface policy for client
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2922)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Changing Url ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2942)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 apfApplyWlanPolicy: Retaining (ACL [1] / Flexconnect ACL [65535]) recieved in AAA attributes on mobile
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type, Tunnel User - 0
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Inserting AAA Override struct for mobile MAC: f8:c3:9e:21:71:d3, source 2
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Applying override policy from source Override Summation: with value 100
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Setting session timeout 65595 on mobile f8:c3:9e:21:71:d3
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 Setting Session Timeout to 65595 sec - starting session timer for the mobile
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 apfMs1xStateDec
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Change state to START (0) last state WEBAUTH_REQD (8)
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Oct 13 09:55:23.342: f8:c3:9e:21:71:d3 172.26.0.6 START (0) Initializing policy
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 START (0) Change state to AUTHCHECK (2) last state START (0)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 apfVapSecurity=0x40040 L2=0 SkipWeb=0
*pemReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 Removed NPU entry.
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 AuthenticationRequired = 1
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 Not Using WMM Compliance code qosCap 00
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 Vlan while overriding the policy = -1
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 sending to spamAddMobile vlanId -1 flex aclName = , flexAclId 65535
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP dc:a5:f4:2a:ae:b0 vapId 10 apVapId 10 flex-acl-name:
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 L2AUTHCOMPLETE (4) Change state to WEBAUTH_REQD (8) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) pemApfAddMobileStation2 3848, Adding TMP rule
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 15 Local Bridging Vlan = 300, Local Bridging intf id = 15
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 1, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) pemApfAddMobileStation2 3957, Adding TMP rule
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Replacing Fast Path rule type = Airespace AP Client - ACL passthru on AP dc:a5:f4:2a:ae:b0, slot 1, interface = 13, QOS = 0 IPv4 ACL
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206, IntfId = 15 Local Bridging Vlan = 300, Local Bridging intf id = 15
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.343: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Fast Path rule (contd...) AVC Ratelimit: AppID = 0 ,AppAction = 0, AppToken = 15206 AverageRate = 0, BurstRate = 0
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 172.26.0.6 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 1, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255)
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 apfMsAssoStateInc
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 apfPemAddUser2 (apf_policy.c:416) Changing state for mobile f8:c3:9e:21:71:d3 on AP dc:a5:f4:2a:ae:b0 from AAA Pending to Associated
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 apfPemAddUser2:session timeout forstation f8:c3:9e:21:71:d3 - Session Tout 65595, apfMsTimeOut '1800' and sessionTimerRunning flag is 1
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Scheduling deletion of Mobile Station: (callerId: 49) in 65595 seconds
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 65595
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Sending assoc-resp with status 0 station:f8:c3:9e:21:71:d3 AP:dc:a5:f4:2a:ae:b0-01 on apVapId 10
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Sending Assoc Response (status: '0') to station on AP AP4c00.82bf.5b37 on BSSID dc:a5:f4:2a:ae:b6 ApVapId 10 Slot 1, mobility role 1
*apfReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 apfProcessRadiusAssocResp (apf_80211.c:4677) Changing state for mobile f8:c3:9e:21:71:d3 on AP dc:a5:f4:2a:ae:b0 from Associated to Associated
*pemReceiveTask: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 172.26.0.6 Added NPU entry of type 2, dtlFlags 0x0
*spamApTask0: Oct 13 09:55:23.344: f8:c3:9e:21:71:d3 Successful transmission of LWAPP Add-Mobile to AP dc:a5:f4:2a:ae:b0
*pemReceiveTask: Oct 13 09:55:23.345: f8:c3:9e:21:71:d3 Sent an XID frame
*pemReceiveTask: Oct 13 09:55:23.345: f8:c3:9e:21:71:d3 172.26.0.6 Added NPU entry of type 2, dtlFlags 0x0 |
Author: | AlexNiko [ 13 Oct 2019, 13:26 ] |
Post subject: | Re: ISE 2.6 and WLC 8.3: guest portal does not work. |
Meanwhile the whole flow on ISE completes normally, and the device gets registered in GuestEndpoints. It feels like the snag is in the WLC itself. |
Author: | AlexNiko [ 13 Oct 2019, 16:30 ] |
Post subject: | Re: ISE 2.6 and WLC 8.3: guest portal does not work. |
Issue closed! |
Author: | Praporwik [ 14 Oct 2019, 12:37 ] |
Post subject: | Re: ISE 2.6 and WLC 8.3: guest portal does not work. |
AlexNiko wrote: Issue closed! Then do write how you solved it - it might come in handy for someone. |
Author: | AlexNiko [ 14 Oct 2019, 15:19 ] |
Post subject: | Re: ISE 2.6 and WLC 8.3: guest portal does not work. |
As always, the error was down to my own stupidity. The authorization rules have to be placed in the correct order. But I haven't fully closed the issue yet: it doesn't work on Apple. |
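Added example, not part of the thread and not ISE's own syntax: a simplified model of a top-down, first-match authorization rule list, showing how the rule order described above keeps a registered guest on the REDIRECT result. First-match evaluation and the `ssid` / `guest_flow` condition keys are assumptions made for illustration; the rule and ACL names are taken from the first post.

```python
# Simplified model of a top-down, first-match authorization rule list.
# Condition keys ("ssid", "guest_flow") are hypothetical, not ISE attributes.

def first_match(rules, session):
    """Return the first rule whose conditions are all satisfied by session."""
    for rule in rules:
        if all(session.get(k) == v for k, v in rule["when"].items()):
            return rule
    return None

def shadowed(rules):
    """Find rules that can never fire: an earlier rule's conditions are a
    subset of theirs, so every session they match is caught earlier."""
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier["when"].items() <= later["when"].items():
                hits.append((later["name"], earlier["name"]))
                break
    return hits

PRE = {"name": "WiFi pre", "when": {"ssid": "GUEST"},
       "result": {"url_redirect_acl": "REDIRECT"}}
GUEST = {"name": "WiFi GUEST", "when": {"ssid": "GUEST", "guest_flow": True},
         "result": {"acl": "INETONLY"}}

# Constructed sessions: first association, then re-auth after portal login.
before_portal = {"ssid": "GUEST", "guest_flow": False}
after_portal = {"ssid": "GUEST", "guest_flow": True}

def outcome(rules):
    """Names of the rules hit before and after the portal login."""
    return (first_match(rules, before_portal)["name"],
            first_match(rules, after_portal)["name"])

if __name__ == "__main__":
    for label, order in (("pre first", [PRE, GUEST]),
                         ("guest first", [GUEST, PRE])):
        print(label, outcome(order), "shadowed:", shadowed(order))
```

With the broad redirect rule on top, the more specific rule is reported as shadowed and the post-login session still lands on "WiFi pre"; placing the specific rule first gives the expected INETONLY result after login.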
Page 1 of 1 | Time zone: UTC + 3 hours |