3850 with ISE Guestportal no redirect in V 3.3.4

Similar Messages

• 3850 controller ACL working with ISE

  Hi all
  I was wondering if anyone can point me to the right direction. I was setting up BYOD access with ISE and Legacy controllers as follows:
  - create rule on ISE with Redirect / Airspace ACL
  - once that rule is hit ISE would send ACL name that needs to be applied on the controller (i.e. NSP-IOS )
  - controller would need to have the same ACL created locally with matching name
  - there are certain rules on old controllers allowing inbound / outbound traffic + denying traffic to be redirected
  now I want to use the same principle with 3850 controller.
  question is -> where do I configure this ACL, globally or under WLAN.... Also, what about direction - inbound / outbound that used to be the case with legacy controllers?

  The ACl should be under the WLAN

• URL is not change after successful authenticate with ISE 1.1.1

  Hi,
  I have setup Cisco Identity Service Engine (1.1.1) with Wireless LAN Controller (7.2.110)
  Everything is complete unless the URL redirect. My guest client can join the Guest SSID and also can authenticate to ISE.
  But after they success to authenticate with ISE, the URL in the browser doesn't change to the pre-configure. It still be something like https://ise-ip:8443/guestportal/redir.html . Anyway the content in the browser is changed to the URL that being configured such as http://www.google.com/
  How can I do with this situation cause everything is working fine but only the browser URL that is not change to the preconfigure one.
  Thanks,
  Pongsatorn

  Hi,
  This is the user experience when using central web authentication:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
  Here is the process when you use local web authentication:
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_guest_pol.html#wp1295223
  Hope this helps,
  Tarik Admani
  *Please rate helpful posts*

• ISE & Switch URL redirect not working

  Dear team,
  I'm setting up Guest portal for Wired user. Everything seems to be okay, the PC is get MAB authz success, ISE push URL redirect to switch. The only problem is when I open browser, it is not redirected.
  Here is some output from my 3560C:
  Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3
  SW3560C-LAB#sh auth sess int f0/3
              Interface:  FastEthernet0/3
            MAC Address:  f0de.f180.13b8
             IP Address:  10.0.93.202
              User-Name:  F0-DE-F1-80-13-B8
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  multi-domain
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
       URL Redirect ACL:  redirect
           URL Redirect:  https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A005DF40000000D0010E23A
        Acct Session ID:  0x00000011
                 Handle:  0xD700000D
  Runnable methods list:
         Method   State
         mab      Authc Success
  SW3560C-LAB#sh epm sess summary
  EPM Session Information
  Total sessions seen so far : 10
  Total active sessions      : 1
  Interface            IP Address   MAC Address       Audit Session Id:
  FastEthernet0/3       10.0.93.202  f0de.f180.13b8    0A005DF40000000D0010E23A
  Could you please help to explore the problem? Thank you very much.

  With switch IOS version later than 15.0 the default interface ACL is not required. For url redirection the dACL is not required as this ACL is part of traffic restrict for "guest" users.
  In my experiece some users can not get the redirect correctly because anti-spoof ACL on management Vlan or stateful firewall blocks the TCP syn ack.
  It is rare in campus network access layer switches have user SVI configured so the redirect traffic has to be sent from the netman SVI, but trickly the TCP SYN ACK from the HTTP server will be sent back from the netman Vlan without source IP changed. (The switch is spoofing the source IP in my understanding with changing only the MAC address of the packet). In most of the cases there should be a basic ACL resides on the netman SVI on the first hop router, where the TCP SYN ACK may be dropped by the ACL.
  tips:
  1. "debug epm redirect" can make sure your traffic matches the redirect url and will get intercepted by the switch
  2. It will be an ACL or firewall issue if you can see epm is redirecting your http request but can not see the SYN ACK from the requested server.
  Which can win the race: increasing bandwidth with new technologies VS QoS?

• Cannot Open the URL of CWA with ISE

  Hi Folks,
  I have a problem when doing the CWA with ISE so that I can Provide the access of the network for the guests.
  Everything goes fine except the URL of the CWA: When the guests open the explorer and enter a domain after connecting the SSID, they will be redirected to the URL like "https://hostname.demo.com:8443/guestportal/..................." which starts with the hostname of the ISE and the domain-name of the ISE, but for us, we don't have any AD and LAN DNS for our network so that we cannot translate the hostname.demo.com into the IP of the ISE, so can I just change the URL into IP type like "https://10.10.10.70:8443/guestportal"?

  Screenshot of a screenshot (sorry) attached.
  Basically it's in authorization policy, allows you to use a static DNS or IP address

• LWA Guest Access with ISE and WLC

  Hi guys,
  Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :
  1. Guests try to connect wifi with SSID Guest
  2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
  3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :
  https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
  4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
  5. After that the Guest Login Page will appear, and guests input their username and password.
  6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
  The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.
  I know it happened when guests didn't have the WLC Login Page Certificate...
  My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?
  Thx 4 your answer and sorry for my bad English....

  Thx for your reply Peter, your solution is right,
  i don't choose CWA, because their DNS is not stable...
  i've found the problem...
  the third-party CA is revoked, so there is no way it will success until it fixed...
  and there is no guarantee, they will fix it soon..
  so solution that we choose is by disable "HTTPS" on WLC...
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable"
  thank you all...

• CWA with ISE and 5760

  Hi,
  we have an ISE 1.2 (Patch 5), two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
  I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
  aaa authentication login Webauth_ISE group ISE
  aaa authorization network cwa_macfilter group ISE
  aaa authorization network Webauth_ISE group ISE
  aaa accounting network ISE start-stop group ISE
  aaa server radius dynamic-author
  client 10.232.127.13 server-key 0 blabla
  auth-type any
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 31 send nas-port-detail mac-only
  wlan test4guests 18 test4guests
  aaa-override
  accounting-list ISE
  client vlan 1605
  no exclusionlist
  mac-filtering cwa_macfilter
  mobility anchor
  nac
  no security wpa
  no security wpa akm dot1x
  no security wpa wpa2
  no security wpa wpa2 ciphers aes
  security dot1x authentication-list Webauth_ISE
  no shutdown
  wc5# debug aaa coa
  Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
  Feb 27 12:19:08.444: RADIUS:  authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
  Feb 27 12:19:08.444: RADIUS:  NAS-IP-Address      [4]   6   10.232.127.11
  Feb 27 12:19:08.444: RADIUS:  Calling-Station-Id  [31]  14  "40f308c3c53d"
  Feb 27 12:19:08.444: RADIUS:  Event-Timestamp     [55]  6   1393503547
  Feb 27 12:19:08.444: RADIUS:  Message-Authenticato[80]  18
  Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
  Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  41
  Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35  "subscriber:command=reauthenticate"
  Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  43
  Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37  "subscriber:reauthenticate-type=last"
  Feb 27 12:19:08.444: RADIUS:  Vendor, Cisco       [26]  49
  Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0aea2001530f2e1e000003c6"
  Feb 27 12:19:08.444: COA: Message Authenticator decode passed
  Feb 27 12:19:08.444:  ++++++ CoA Attribute List ++++++
  Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
  Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
  Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
  Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
  Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
  Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
  Feb 27 12:19:08.444:
  Feb 27 12:19:08.444:  ++++++ Received CoA response Attribute List ++++++
  Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
  Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
  Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
  Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
  Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
  Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
  Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
  Feb 27 12:19:08.444:
  wc5#

  Reason for this are two bugs which prevent this from working:
  https://tools.cisco.com/bugsearch/bug/CSCul83594
  https://tools.cisco.com/bugsearch/bug/CSCun38344
  This is embarrassing because this is a really common scenario. QA anyone?
  So, with ISE and 5760 CWA is not working at this time. 

• Issues with using the output redirection character with newer NXOS versions?

  Has anyone seen any issues with using the output redirection character with newer NXOS versions?
  Am receiving "Error 0x40870004 while copying."
  Simply copying a file from bootflash to tftp is ok.
  This occurs for both 3CDaemon and Tftpd32 softwares.
  Have tried it on multiple switches - same issue.
  Any known bugs?
  thanks!
  The following is an example of bad (NXOS4.1.1b) and good (SANOS3.2.1a)
  MDS2# sho ver | inc system
    system:    version 4.1(1b)
    system image file is:    bootflash:///m9200-s2ek9-mz.4.1.1b.bin
    system compile time:     10/7/2008 13:00:00 [10/11/2008 09:52:55]
  MDS2# sh int br > tftp://10.73.54.194
  Trying to connect to tftp server......
  Connection to server Established. Copying Started.....
  TFTP put operation failed:Access violation
  Error 0x40870004 while copying tftp://10.73.54.194/
  MDS2# copy bootflash:cpu_logfile tftp://10.73.54.194
  Trying to connect to tftp server......
  Connection to server Established. Copying Started.....
  |
  TFTP put operation was successful
  MDS2#
  ck-ci9216-001# sho ver | inc system
    system:    version 3.2(1a)
    system image file is:    bootflash:/m9200-ek9-mz.3.2.1a.bin
    system compile time:     9/25/2007 18:00:00 [10/06/2007 06:46:51]
  ck-ci9216-001# sh int br > tftp://10.73.54.194
  Trying to connect to tftp server......
  |
  TFTP put operation was successful

  Please check with new version of TFTPD 32 server. The error may be due to older version of TFPT server, the new version available solved this error. Files are getting uploaded with no issues.
  1. Download tftpd32b.zip from:
  http://tftpd32.jounin.net/tftpd32_download.html
  2. Copy the tftpd32b.zip file into an empty directory and extract it.
  3. Copy the file you want to transver into the directory containing tftpd32.exe.
  4. Run tftpd32.exe from that directory. The "Base Directory" field should show the path to the directory containing the file you want to transfer.
  At this point, the tftpserver is ready to begin serving files. As devices request files, the main tftpd32 window will log the requests.
  Best Regards...

• TS1702 I purchased 2 packages of gems for skylanders and only received 1 package. Got email receipts and tried to report problem on ipad2 and it keeps coming up with to many https redirects. Can anyone help? Just want my gems :).

  I purchased 2 packages of gems for skylanders and only received 1 package. Got email receipts and tried to report problem with link in email on my ipad2 and it keeps coming up with to many https redirects. Can anyone help? Just want my gems :).

  Contact iTunes Customer Service and request assistance
  Use this Link  >  Apple  Support  iTunes Store  Contact

• Limit the number of session per user in the Wired dot1x environment with ISE 1.2

  Hello,
  I need to check if there is any configuration/workaround to limit the number of sessions/access per user in the Wired dot1x configuration.
  I need to check if this feature is available or not to solve the following scenario:
  I have 2 SW ports configured to use dot1x authentication with ISE 1.2 server.
  If user A connects to the 1st port and authenticated then he will placed on a VLAN based on the authorization profile.
  The case, that I need to deny the same user to connect on a different machine with the same credentials.
  The ISE itself does not have this feature currently,  the only feature available is to limit the number of sessions for the guest user.
  Is there any workaround on the Cisco switches to solve this? Cisco WLC has this feature and for the VPN we can limit the number of sessions also from the ASA itself.
  Thanks.

  limit number of session per user using wired dot1x is not available in 1.3

• SNMP integration with ISE 1.2

  Hi Guys,
  Did anyone have a hard time integrating ISE 1.2 with SNMP server for polling system parameters? I'm trying to add ISE 1.2.1 to solarwinds SNMP server but when adding the required parameters like IP address and community string and doing an SNMP test connection it returns a failure message. SNMP configuration on ISE is quit simple. Only two commands are needed which are the SNMP server IP and community string values. Searching on the web, i saw a bug CSCun42967  that documents SNMP problems with ISE 1.2. Could that be the problem? or if there is any limitations for this integration?
  Thanks,
  Mohammad

  Here is the helpful link :
  https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.pdf

• Unsupported Browser on iPhone / iPad with ISE 1.3

  I'm playing around with ISE 1.3 and the self provisioning flow.  I'm able to provision a Windows client, but an iPhone or iPad with IOS 7.1.2 gives me an "unsupported browser" error when I try to sign on.  I have an IOS client provisioning profile set up.  Is IOS 7 no longer supported with ISE 1.3?
  Thanks!

  After issuing the command:
  config network web-auth captive-bypass enable
  The iOS devices can on board. The registration page does not pop up now. It requires you to open a web browser and it appears that chrome for IOS will not work as it still gives an unsupported error but if you open in safari, which I never use, it does work. 

• Does Cisco ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 support command accouting like ACS

  Hi
  Can Anybody can update whether   ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 , supports the command level accounting
  Bascially , we have integrated Cisco Switches with Cisco ISE for Device Authentication using Radius , we are able get the authentication logs on to the devices , but for any command changes or update done on Cisco devices we are not able to get the command accounting ..
  has succeed in  command level accounting on  Cisco ISE ..
  Please update
  Cisco ISE doesn't have TACACS feature ...

  Command Accounting is a TACACS+ feature so not for ISE....yet.
  However, you can do the following to send commands to syslog and not including passwords (hidekeys). I just picked 200 commands/lines to store in the local command buffer/log. increase or decrease as you have memory.  The notify syslog is what sends it via syslog.
  conf t
  archive
  log config
  logging enable
  logging size 200
  hidekeys
  notify syslog
  end
  wr mem
  Remember, syslog is clear text  :-)  log away from user traffic when possible.  Or use TLS based syslog when possible.
  I hope you find this answer useful, if it was satisfactory  for you, please mark the question as Answered.
  Please rate post you consider useful.
  -James

• Apple macosx machine authentication with ISE using EAP-TLS

  Hello,
  On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
  With windows machines all is working well. We are using computer authentication only.
  Now the problem is that we wish to do the same with MAC OSX machines.
  We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
  in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
  When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
  The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
  Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
  Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
  Thanks
  Gustavo Novais

  Additional information from the above question.
  I have the following setup;
  ACS 3.2(3) built 11 appliance
  -Cisco AP1200 wireless access point
  -Novell NDS to be used as an external database
  -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
  -Windows XP SP2 Client
  My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
  Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
  When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
  Please help...
  Thanks

• Flexconnect with ISE Issue

  Hi Everyone,
  I have a issue trying to deploy Flexconnect in WLC integrated with ISE.
  In the scenario, the users are working properly through the wireless network and they are able to authenticate, the NAC agent is invoked and everyone can get authorization access to the network using Radius NAC as NAC State. But when we tick the feature ""FlexConnect Local Switching"" and change the users cannot get IP Address from DHCP and the client status in WLC show POSTURE_REQD.
  We can see this in ISE that the user is able to authenticate but never get authorization and the NAC state is not showing in the PC.
  Any idea about this issue?? This is maybe any limitation or configuration error?
  Regards

  There are some documents for this type of deployment:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080c090eb.shtml
  http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bcb905.shtml#anc13
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni