Authorization denial messages to clients or URL redirection once denied?

Our client would like to set up an Internet access solution for a limited number of employees belonging to a certain AD group. I have Central Web Auth working and can easily grant or deny access/authorization by AD group membership, but I want a more friendly "not authorized" message or URL sent to the users who are not in the permitted AD group. Currently, a user not in the group (not permitted) can get the portal login page, followed by the AUP page, then they get the "login successful" just as the permitted users do. This seems inappropriate when they then have no access to anything.
Note, we would like to do this without any advanced license needs on ISE.  We are using ISE solely for hosting our guest portals and then both local and external (AD) user authentication/authorization.
David


Similar Messages

  • ACE port redirection message to client

    Hi,
    I need to configure a new VIP so that if the requests come in on port 80 it sends a redirection message to clients telling them to try HTTPS://*:9443; is the configuration below correct?
    rserver host server1
      description host1
      ip address 1.1.1.1
      probe probe-http
      inservice
    rserver host server2
      description host2
      ip address 1.1.1.2
      probe probe-http
      inservice
    serverfarm host sfarm1
      rserver server1
        inservice
      rserver server2
        inservice
    rserver redirect sfarm1_redirect_9443
      webhost-redirection https://%h:9443%p 301
      inservice
    serverfarm redirect sfarm_redirect_9443
      rserver sfarm1_redirect_9443
        inservice
    class-map match-all VIP_HTTP
      description Match HTTP
      2 match virtual-address 2.2.2.2 tcp eq www
    class-map match-all VIP_HTTPS
      description Match HTTPS
      2 match virtual-address 2.2.2.2 tcp eq 9443
    policy-map type loadbalance first-match http_Redirect_Policy
      class class-default
        serverfarm sfarm_redirect_9443
    policy-map type loadbalance first-match https_9443
      class class-default
        serverfarm sfarm1
    policy-map multi-match VIPS
      class VIP_HTTP
        loadbalance vip inservice
        loadbalance policy http_Redirect_Policy
        loadbalance vip icmp-reply active
      class VIP_HTTPS
        loadbalance vip inservice
        loadbalance policy https_9443
        loadbalance vip icmp-reply active

    Hi,
    %h and %p are usually used when the host and path remain the same, as is the case in a redirection from http to https.
    You can also use the actual hostname and path if the above doesn't work. I think it should work, but I haven't tested it before.
    You can try something like below:
    webhost-redirection https://test.com:9443 301
    Let me know how it goes.
    Regards,
    Kanwal
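
To see what the VIP actually answers, here is an added example that is not ACE code and not from either poster. A small local server stands in for the redirect serverfarm and replies the way a `webhost-redirection https://%h:9443%p 301` rserver should, and `check_redirect()` is the same probe you would run against the real VIP with `curl -sI http://2.2.2.2/app/login -H 'Host: test.com'`, reading the status and the Location header without following it. How ACE expands %h when the client's Host header carries a `:port` is not stated on the page; this example strips the port, which is an assumption.

```python
"""Emulate and probe an HTTP -> https://host:9443/path redirect.

Added example, not ACE code: RedirectHandler stands in for the redirect
serverfarm and answers the way a 'webhost-redirection https://%h:9443%p 301'
rserver should, and check_redirect() is the probe you would run against the
real VIP with `curl -sI http://2.2.2.2/app/login -H 'Host: test.com'`.
Stripping a ':port' from the Host header when expanding %h is an assumption.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REDIRECT_TEMPLATE = "https://%h:9443%p"  # same template as in the ACE rserver


def expand_template(template, host_header, path):
    """Fill %h with the Host header (port stripped) and %p with the request path."""
    host = host_header.split(":", 1)[0]
    return template.replace("%h", host).replace("%p", path)


class RedirectHandler(BaseHTTPRequestHandler):
    """Answer every GET with the 301 the redirect serverfarm should send."""

    def do_GET(self):
        location = expand_template(REDIRECT_TEMPLATE, self.headers.get("Host", ""), self.path)
        self.send_response(301)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server():
    """Start the stand-in on 127.0.0.1 on a free port; the caller shuts it down."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_redirect(host, port, path, host_header):
    """Like curl -I: return (status, Location) without following the redirect."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    srv = start_server()
    try:
        print(check_redirect("127.0.0.1", srv.server_address[1], "/app/login?x=1", "test.com"))
    finally:
        srv.shutdown()
```

Against the real VIP you would point `check_redirect()` at 2.2.2.2 port 80 instead of the local stand-in; the Location you expect back is `https://<Host header>:9443<original path>` with status 301.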

  • SSL VPN message "This (client) machine does not have the web access privilege."

    Hello!
    I am trying to configure the SSL VPN (WebVPN) and I am almost done, but when clicking on the URLs I configured in the bookmarks I get the message "This (client) machine does not have the web access privilege. Please contact your SSLVPN provider for assistance." I looked through the many tutorials and guides in existence and none talks about such an error and the fix for it. In fact, if I search the net for this error message I get only one match, on the Cisco website, where it says that "The client computer does not meet the security criteria of having web access functionality through the SSL VPN gateway." and as a fix it gives this tip: "Check the URL to the gateway or contact the administrator if it persists." So, nothing on the website about what this issue is and how to fix it. I will provide my IOS configuration and hopefully someone will spot the issue. Here it goes:
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    no logging buffered
    enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0
    enable password xxxxxxxx
    aaa new-model
    aaa authentication login userAuthen local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization network groupauthor local
    aaa session-id common
    crypto pki trustpoint TP-self-signed-1279712955
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1279712955
    revocation-check none
    rsakeypair TP-self-signed-1279712955
    crypto pki certificate chain TP-self-signed-1279712955
    certificate self-signed 01
      3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31323739 37313239 3535301E 170D3130 30333233 31313030
      33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32373937
      31323935 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100A8EF 34E3E792 36660498 9801F934 E8A41865 3599EA35 B073AC91 D7A53AF4
      A4390D2F CB3DB2DE 936B28F0 A25F3CE1 6F40FD9E E79096F2 F89620E0 B31A7B34
      649BBA22 AE44CB55 9F38BF0C 2F2770CF 8380C167 C17D760C 380E28E4 FF7D6874
      9EFC310A 2AA60835 F1AA384F CD1A0173 19C98192 EBFBD531 24CB9203 EA9E7D54
      B2C30203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
      551D1104 06300482 02523130 1F060355 1D230418 30168014 0D9D62EC DA77EAF3
      11ABF64D 933633F9 2BA362DC 301D0603 551D0E04 1604140D 9D62ECDA 77EAF311
      ABF64D93 3633F92B A362DC30 0D06092A 864886F7 0D010104 05000381 81006853
      48ED4E3E 5721C653 D9A2547C 36E4F0CB A6764B29 9AFFD30A 1B382C8C C6FDAA55
      265BCF6C 51023F5D 4AF6E177 C76C4560 57DE5259 40DE4254 E79B3E13 ABD0A78D
      7E0B623A 0F2D9C01 E72EF37D 5BAB72FF 65A176A1 E3709758 0229A66B 510F9AA2
      495CBB4B 2CD721A7 D6F6EB43 65538BE6 B45550D7 A80A4504 E529D092 73CD
       quit
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.0.1 192.168.0.10
    ip dhcp pool myPOOL
       network 192.168.0.0 255.255.255.0
       default-router 192.168.0.1
       dns-server 87.216.1.65 87.216.1.66
    ip cef
    ip name-server 87.216.1.65
    ip name-server 87.216.1.66
    ip ddns update method mydyndnsupdate
    HTTP
      add http://username:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
    interval maximum 1 0 0 0
    no ipv6 cef
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group pppoe
    request-dialin
      protocol pppoe
    username cisco privilege 15 password 0 xxxxxxxx
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp fragmentation
    crypto isakmp client configuration group vpnclient
    key cisco123
    domain selfip.net
    pool ippool
    acl 110
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    reverse-route
    crypto map clientmap client authentication list userAuthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    archive
    log config
      hidekeys
    interface Loopback0
    ip address 10.11.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Loopback2
    description SSL VPN Website IP address
    ip address 10.10.10.1 255.255.255.0
    interface Loopback1
    description SSL DHCP Pool Gateway Address
    ip address 192.168.250.1 255.255.255.0
    interface FastEthernet0
    description $ES_LAN$
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    interface FastEthernet1
    interface FastEthernet2
    switchport access vlan 2
    interface FastEthernet3
    interface FastEthernet4
    interface FastEthernet5
    interface FastEthernet6
    interface FastEthernet7
    interface FastEthernet8
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    bundle-enable
    dsl operating-mode auto
    interface Vlan1
    no ip address
    interface Dialer1
    ip ddns update hostname myserver.selfip.net
    ip ddns update mydyndnsupdate host members.dyndns.org
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip policy route-map VPN-Client
    dialer pool 1
    ppp chap hostname xxx
    ppp chap password 0 xxxx
    ppp pap sent-username xxx password 0 xxxx
    crypto map clientmap
    ip local pool ippool 192.168.50.100 192.168.50.200
    ip local pool sslvpnpool 192.168.250.2 192.168.250.100
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790
    ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 10.10.10.1 443 interface Dialer1 443
    ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
    access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
    access-list 144 permit ip 192.168.50.0 0.0.0.255 any
    route-map VPN-Client permit 10
    match ip address 144
    set ip next-hop 10.11.0.2
    control-plane
    banner motd ^C
    ================================================================
                    UNAUTHORISED ACCESS IS PROHIBITED!!!
    =================================================================
    ^C
    line con 0
    line aux 0
    line vty 0 4
    password mypassword
    transport input telnet ssh
    webvpn gateway MyGateway
    ip address 10.10.10.1 port 443 
    http-redirect port 80
    ssl trustpoint TP-self-signed-1279712955
    inservice
    webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context SecureMeContext
    title "My SSL VPN Service"
    secondary-color #C0C0C0
    title-color #808080
    ssl authenticate verify all
    url-list "MyServers"
       heading "My Intranet"
       url-text "Cisco" url-value "http://192.168.0.2"
       url-text "NetGear" url-value "http://192.168.0.3"
    login-message "Welcome to My VPN"
    policy group MyDefaultPolicy
       url-list "MyServers"
       functions svc-enabled
       svc address-pool "sslvpnpool"
       svc keep-client-installed
    default-group-policy MyDefaultPolicy
    aaa authentication list userAuthen
    gateway MyGateway domain testvpn
    max-users 100
    csd enable
    inservice
    end
    Thank you!

    Hi,
    Please check SAP note:
    2004579 - You cannot create a FR company from a Package
    Thanks & Regards,
    Nagarajan

  • ISE Wired Central Web Authentication no url redirect

    We are setting up ISE for wired guest access but are having trouble with the client being redirected. The switch gets the download from ISE and shows that it should use the URL redirect with the correct ACL.
    ISEtest3560#show authentication sessions interface fastEthernet 0/2
                Interface:  FastEthernet0/2
              MAC Address:  001d.09cb.78bd
               IP Address:  Unknown
                User-Name:  00-1D-09-CB-78-BD
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
                  ACS ACL:  xACSACLx-IP-ISE-Only-52434fbe
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0003E600000039064485B1
          Acct Session ID:  0x00000293
                   Handle:  0x95000039
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    From the client PC I can get name resolution for anything I ping. I can also ping the ISE server by name. The ACL that is downloaded is as follows:
    Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit ip any host 10.4.37.91
        40 deny ip any any log
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny udp any eq bootpc any eq bootps
        20 deny udp any any eq domain
        30 deny ip any host 10.4.37.91
        40 permit tcp any any eq www (13 matches)
        50 permit tcp any any eq 443
        51 permit tcp any any eq 8443
        60 deny ip any any
    The machine passes the authentication with MAB and hits the CWA authorization profile; ISE shows the client as "Pending", then the next entry above that in the log is the dACL getting pushed to the switch. Could part of the issue be that the device shows Unknown for the IP address? The command ip device tracking is in the switch:
    ISEtest3560#show running-config | include tracking
    ip device tracking
    ISEtest3560#
    We have 802.1x clients working and the IP addresses for those do show up.
    Please advise,
    Thanks,
    Joe

    ISEtest3560#show ip access-lists interface fastEthernet 0/2       
    ISEtest3560#
    It doesn't appear the dACL is being applied.
    interface FastEthernet0/2
    switchport access vlan 11
    switchport mode access
    ip access-group ACL-DEFAULT in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 999
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab webauth
    authentication priority dot1x mab webauth
    authentication port-control auto
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    spanning-tree guard root
    Extended IP access list ACL-DEFAULT
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit icmp any any
        40 permit udp any any eq tftp
        41 permit ip any host 10.4.37.91
        50 deny ip any any log (1059 matches)
    Could the dACL be causing the issue with the Unknown, or is the Unknown causing the issue with the dACL?
    Thanks,
    Joe
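
A way to read the session output above systematically, as an added example that is not Cisco tooling and not part of the original post: parse the `show authentication sessions interface` block and report the conditions that keep a wired CWA redirect from working. The sample is Joe's output copied from the post; the check list (host IP known, redirect ACL and URL present, sessionId matching the session, dACL present, MAB success) is this example's own reading of the requirements discussed in these threads, including the EPM IP-WAIT / IP-ASSIGNMENT sequence visible in the logs further down, and should be treated as an assumption to adapt rather than an official list.

```python
"""Parse `show authentication sessions interface ...` output and flag what
keeps a wired CWA session from redirecting.

Added example, not a Cisco tool. SAMPLE is the output posted above. The
checks encode this example's assumptions: the switch must learn the host IP
(ip device tracking) before EPM leaves IP-WAIT and applies the dACL and the
redirect; the session must carry a URL Redirect ACL and URL whose sessionId
matches; a dACL must be present; MAB must have succeeded.
"""
import re

# Constructed from the post above (the real FQDN was removed by the poster).
SAMPLE = """\
                Interface:  FastEthernet0/2
              MAC Address:  001d.09cb.78bd
               IP Address:  Unknown
                User-Name:  00-1D-09-CB-78-BD
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
                  ACS ACL:  xACSACLx-IP-ISE-Only-52434fbe
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0003E600000039064485B1
          Acct Session ID:  0x00000293
                   Handle:  0x95000039
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""


def parse_session(text):
    """Return ({field: value}, {method: state}) for one session block."""
    fields, methods = {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z -]*?):\s+(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
            continue
        m = re.match(r"\s*(dot1x|mab|webauth)\s+(\S.*?)\s*$", line)
        if m:
            methods[m.group(1)] = m.group(2)
    return fields, methods


def check_cwa_session(fields, methods):
    """Findings that explain a missing redirect; an empty list looks healthy."""
    findings = []
    url = fields.get("URL Redirect", "")
    sid = fields.get("Common Session ID", "")
    if fields.get("IP Address", "Unknown") == "Unknown":
        findings.append("IP Address Unknown: EPM stays in IP-WAIT until ip device "
                        "tracking learns the host, so neither dACL nor redirect is applied")
    if not fields.get("URL Redirect ACL") or not url:
        findings.append("no URL Redirect ACL/URL on the session: the authorization "
                        "profile did not return the url-redirect cisco-av-pairs")
    elif sid and f"sessionId={sid}" not in url:
        findings.append("sessionId in URL Redirect does not match Common Session ID")
    if not fields.get("ACS ACL", "").startswith("xACSACLx-"):
        findings.append("no dACL (ACS ACL) on the session")
    if methods.get("mab") != "Authc Success":
        findings.append("MAB did not succeed, so no CWA authorization was returned")
    return findings


def redirect_host(fields):
    """(host, port) of the URL Redirect: what the client must resolve and reach."""
    m = re.match(r"https?://([^/:]+)(?::(\d+))?", fields.get("URL Redirect", ""))
    return (m.group(1), int(m.group(2) or 443)) if m else None


if __name__ == "__main__":
    fields, methods = parse_session(SAMPLE)
    for finding in check_cwa_session(fields, methods) or ["no findings"]:
        print("-", finding)
    print("client must reach:", redirect_host(fields))
```

On Joe's output the only finding is the unknown IP, which is consistent with the empty `show ip access-lists interface` he posted next: the per-user ACLs and the redirect are bound to the host IP, and until device tracking learns it there is nothing for the switch to apply.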

  • Cisco ISE guest portal redirect not working after successful authentication and URL redirect.

    Hi to all,
    I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom why this isn't working.
    I have an ISE 3315 doing a captive web portal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
    Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
    Error: Resource not found.
    Resource: /guestportal/
    Does anyone have any ideas why the portal is doing this?
    Thanks
    Paul

    Hello,
    As you are not able to get the guest portal, you need to ensure the following:
    1) Ensure that the two Cisco av-pairs configured on the authorization profile exactly match the example below. (Note: do not replace the "IP" with the actual Cisco ISE IP address.)
    –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
    –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
    2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command on the switch (where the session IP is the IP address that is passed to the client machine by the DHCP server).
    Admission feature : DOT1X
    AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
    URL Redirect ACL : ACL-WEBAUTH-REDIRECT
    URL Redirect :
    https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
    0000A45A2444BFC2&action=cpp
    3) Ensure that the preposture assessment dACL that is enforced from the Cisco ISE authorization profile contains the following lines:
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    remark ping
    permit icmp any any
    permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
    permit tcp any host 80.0.80.2 eq www --> Provides access to internet
    permit tcp any host 80.0.80.2 eq 8443 --> This is for the guest portal port
    permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    deny ip any any
    Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
    4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny ip any host 80.0.80.2
    permit ip any any
    5) Ensure that the HTTP and HTTPS servers are running on the switch:
    ip http server
    ip http secure-server
    6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
    7) Ensure that the client machine browser is not configured to use any proxies.
    8) Verify connectivity between the client machine and the Cisco ISE IP address.
    9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
    10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
    11) Or you need to re-image again.
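
How the two ACLs of a CWA session interact, as an added example (not switch or ISE code) that serves both the wired-CWA thread above and the troubleshooting list just given. The model encodes an assumption that the threads rely on: a TCP packet to a port the switch's web server listens on (80 with ip http server, 443 with ip http secure-server) that hits a permit in the URL Redirect ACL is intercepted by the switch and answered with the redirect, and every other packet is forwarded or dropped by the dACL, with the implicit deny at the end. Only the ACL syntax that appears on this page is parsed, and the two ACLs embedded below are the ones posted in the wired-CWA thread (ISE PSN at 10.4.37.91).

```python
"""Model of how a Catalyst switch applies the two ACLs of a wired CWA session.

Added example, not IOS or ISE code. Assumptions: a TCP packet to a port the
switch web server listens on (INTERCEPT_PORTS) that matches a *permit* in the
URL Redirect ACL is intercepted and redirected; anything else is forwarded or
dropped by the dACL, which ends in an implicit deny. Only the ACL forms seen
on this page are parsed: any / host A.B.C.D / A.B.C.D wildcard, 'eq port'.
"""
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
Rule = namedtuple("Rule", "action proto src sport dst dport")

PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67, "tftp": 69}
INTERCEPT_PORTS = {80, 443}  # ip http server / ip http secure-server defaults


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _addr(toks, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' starting at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # dotted address followed by an IOS wildcard (inverse) mask
    return ipaddress.ip_network((toks[i], toks[i + 1]), strict=False), i + 2


def _eqport(toks, i):
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse the lines of one IOS extended ACL, in show or config form."""
    rules = []
    for raw in text.splitlines():
        line = re.sub(r"\(\d+ match(es)?\)", "", raw).strip()  # drop hit counters
        toks = line.split()
        if not toks or toks[0] in ("remark", "Extended", "ip"):
            continue  # remarks and the 'Extended IP access list' / 'ip access-list' headers
        if toks[0].isdigit():
            toks = toks[1:]  # sequence number
        action, proto = toks[0], toks[1]
        src, i = _addr(toks, 2)
        sport, i = _eqport(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _eqport(toks, i)
        rules.append(Rule(action, proto, src, sport, dst, dport))  # trailing 'log' ignored
    return rules


def _matches(rule, pkt):
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))


def lookup(rules, pkt):
    """First-match ACL evaluation with the implicit deny at the end."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "deny"


def classify(pkt, redirect_acl, dacl):
    """'redirect' (intercepted by the switch web server), 'forward' or 'drop'."""
    if pkt.proto == "tcp" and pkt.dport in INTERCEPT_PORTS and lookup(redirect_acl, pkt) == "permit":
        return "redirect"
    return "forward" if lookup(dacl, pkt) == "permit" else "drop"


# The two ACLs posted in the wired-CWA thread (ISE PSN at 10.4.37.91).
DACL = parse_acl("""
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit ip any host 10.4.37.91
    40 deny ip any any log
""")
REDIRECT_ACL = parse_acl("""
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host 10.4.37.91
    40 permit tcp any any eq www (13 matches)
    50 permit tcp any any eq 443
    51 permit tcp any any eq 8443
    60 deny ip any any
""")

if __name__ == "__main__":
    client = "10.4.50.25"
    for pkt in (Packet("udp", client, 68, "255.255.255.255", 67),
                Packet("udp", client, 51000, "8.8.8.8", 53),
                Packet("tcp", client, 51001, "93.184.216.34", 80),
                Packet("tcp", client, 51002, "10.4.37.91", 8443),
                Packet("tcp", client, 51003, "10.4.37.91", 80),
                Packet("tcp", client, 51004, "10.1.1.1", 22)):
        print(pkt.proto, pkt.dst, pkt.dport, "->", classify(pkt, REDIRECT_ACL, DACL))
```

Running it shows why the redirect ACL has to deny the ISE address (otherwise the portal's own traffic on 443 would be intercepted and the browser would loop) and why `permit tcp any any eq 8443` in a redirect ACL changes nothing: the switch web server is not listening there, so that traffic falls through to the dACL, which only permits it towards the PSN.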

  • Cisco ISE - Not use FQDN in url-redirect parameter

    Hi,
    I am using Cisco ISE Central Web Authentication for Guest Wireless. Clients are redirected for web authentication to: https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa as it is specified by the url-redirect parameter in the Authorization Profile.
    The “ip” field in the url is now replaced by the FQDN of the Cisco ISE, but I want to use the IP address instead of the FQDN. Is there any way to do that?
    As far as I know in version 1.2 you can use the “ip host/no ip host” command to indicate what you want to use in the URL. However my Cisco ISE is running version 1.1.1.268.
    Thank you very much.
    Joana.

    Available in 1.2, and available as a "bit of a bodge" in 1.1.x  (read "a lot of a bodge")
    If you only have one PSN then you may be able to get it to work, but after that you lose the ability to get the session to be pointed automatically at whichever PSN they hit initially so it would break.
    Copy the settings that are applied when you use CWA, then create your own based on the same settings but using the ip address pasted in there instead.

  • ISE doesn't remove URL redirect

    We have an ISE problem, in that the URL redirect sent to the access switch for guest auth is not removed even after successful authentication.
    Debug shows RADIUS activity as normal, 802.1X failover to MAB, then redirect to webauth:
    003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
    003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
    003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
    003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY
    003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa| RESULT SUCCESS
    NWS-TSL-HATB3F3-DistSW1#
    003069: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS          
    Then after successful authentication, the VLAN is moved and xACSACLx-IP-PERMIT_ALL_TRAFFIC is sent, but the redirect is sent again from ISE. We've been over the configs several times but can't get to the bottom of this. Can anyone shed any light?
    003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245
    000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
    003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
    NWS-TSL-HATB3F3-DistSW1#
    003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa| RESULT SUCCESS
    003142: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS                                                                                                           

    Fixed it!
    Great info from Tarik above, which led me to the issue. My authz policy for redirect didn't include Network Access:Usecase=Host Lookup, so this policy still (incorrectly) remained =true after valid guest authentication. As this policy remained =true, ISE was correctly applying the URL redirect. Once I sorted the policy, by adding ...AND Network Access:Usecase=Host Lookup, all worked as expected.
    After valid guest auth we now see DACL 'PERMIT_GUEST' and a move to VLAN 1040 as expected, without the URL redirect.
    003543: Aug 22 19:03:15.169: %EPM-6-POLICY_REQ: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT APPLY
    003544: Aug 22 19:03:15.186: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-REQUEST
    003545: Aug 22 19:03:15.354: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-SUCCESS
    003546: Aug 22 19:03:15.354: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-WAIT
    NWS-TSL-HATB3F3-DistSW1#  
    003547: Aug 22 19:03:15.849: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767
    000069: Aug 22 19:03:15.241: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767 (NWS-TSL-HATB3F3-DistSW1-2)
    NWS-TSL-HATB3F3-DistSW1#  
    003548: Aug 22 19:03:17.560: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    003549: Aug 22 19:03:17.560: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_GUEST-50350e3a| RESULT SUCCESS

  • Ise: Url redirection not working

    Everything should be OK on ISE and the switch.
    The switch is configured with its own IP on VLAN 22.
    The PSN is on VLAN 44,
    and ISE is configured for the web authentication policy to occur on the logon VLAN (33).
    The service is reachable by entering the Policy Service IP address on port 8443; authentication is successful, the ACL is downloaded and the redirect URL is pushed properly to the switch, but the redirect never occurs;
    instead a blank page (host not reachable) is displayed.
    The clients on VLAN 33 can resolve DNS without problems.
    The firewall has been set to let VLANs 44 and 33 talk to each other on ports 80, 443 and 8443.
    It looks like the switch's HTTP/S server is not making any difference, maybe because it is on another VLAN, though it is routed.
    Can someone help me?
    I would really appreciate a flow chart of how web redirect works in ISE and the role of the HTTP server.
    PS: the switch does not support the ip route command.

    However, not everything is working as it should: sometimes the ACLs are not pushed properly and the redirect ACL does not show any hits (often), sometimes the CentralWebAuth ACL is not pushed properly and show ip access-list interface results in blank output.
    interface GigabitEthernet1/0/10
    description Porte dot1x - voip ISE
    switchport access vlan 300
    switchport mode access
    switchport voice vlan 818
    ip access-group ACL-ALLOW in
    srr-queue bandwidth share 1 30 35 5
    queue-set 2
    priority-queue out
    authentication event fail action next-method
    authentication event server dead action authorize vlan 300
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    mls qos trust cos
    dot1x pae authenticator
    dot1x timeout tx-period 10
    auto qos trust
    spanning-tree portfast
    spanning-tree bpduguard enable
    end
    The show authentication sessions output for the interface is:
                Interface:  GigabitEthernet1/0/10
              MAC Address:  20cf.3017.645b
               IP Address:  172.31.105.132
                User-Name:  20-CF-30-17-64-5B
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  300
                  ACS ACL:  xACSACLx-IP-CentralWebAuth-5062f332
         URL Redirect ACL:  redirect
             URL Redirect:  https://ISEC3395.omitted.omitted:8443/guestportal/gateway?sessionId=AC1F552F0000000A001A6FD2&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1F552F0000000A001A6FD2
          Acct Session ID:  0x0000000D
                   Handle:  0x7C00000A

  • ISE url-redirect CWA to Gig1

    Hello,
    Say I want to have five ISE 1.3 nodes behind a load balancer; I want only G0 behind the LB, and the G1 interfaces will be dedicated to certain things. Specifically, I want to use the G1 interface for redirected web portal access (could be CWA, device registration, NSP, etc.). RADIUS auth will happen through the LB on G0 of some specific PSN, and that PSN will url-redirect the user to the CWA URL.
    How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check the result authorization profile, there is no option there; it's just ip:port. Obviously, that's not the right place, because which PSN is used to process the policy is unpredictable.
    So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
    But then, why does it let me choose multiple interfaces, what happens if I select all of them?
    Am I missing another spot in ISE admin where I can control this?
    Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
    Thanks!

    Take a look at the following document:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
    Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
    • Cisco ISE management is restricted to Gigabit Ethernet 0.
    • RADIUS listens on all network interface cards (NICs).
    • All NICs can be configured with IP addresses.
    So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with. 
    I hope this helps!
    Thank you for rating helpful posts!

  • Report field substitution on URL Redirect

    I am using ApEx 2.0
    I have a page with two report regions based on SQL queries, joined by a common column. The master region is read only and in detail region, I changed the attribute of one field to display as text.
    So, for example, the Master region has two columns:
    M_COL1, M_COL2
    The detail region has 3 columns:
    M_COL1, D_COL1, D_COL2
    The regions are joined on M_COL1, and D_COL2 is the text field.
    Next, I added a button to this detail region. When clicked, I want this button to launch a URL whose parameters are sourced from some of the existing report columns/fields on this page.
    I cannot seem to get the substitution to work in the URL Redirect field of the button definition.
    I want something to the effect of :
    http://someserver:port/some_path/something?param1=&M_COL1&param2=&D_COL2
    I tried putting #M_COL1#, :M_COL1 etc. but it doesn't work.
    Any ideas/pointers?
    Thanks,
    Manish

    Hi,
    5. Pop-up reports:
    - Go to any report with link column to a form. It is a very common situation.
    - Go to the link column Column Attributes/Column Link/Target and change it to URL.
    - javascript: popupURL('f?p=&APP_ID.:205:&SESSION.::&DEBUG.::::YES','Help','scrollbars=yes,resizable=yes,width=625,height=350,left=25,top=150');
    - Replace 205 (It is my page number) with the number of the page which you are working on.
    - Apply/Apply/Run the page.
    - One would see the printer-friendly version of one's page in a separate window without losing the original one.
    This is a very simple, easy to use and understand example.
    One can replace “205” with any report showing Address … for the client.
    6. One Master and many Detail tables:
    Suppose that there are relations One to Many between one master and two or more details tables.
    One can use two regions on a page. One should be a form region for the master table and second one should be a report region with several links.
    6.1. Create a view of those two or more details tables. That is one master and one details view.
    6.2. Create a Master Details form. The details form should be one of details tables.
    6.3. Go to Edit Region (Details Region) and change SQL Query (updatable query) to SQL Query.
    The Details form became Details Report.
    6.4. Change Report Region Source from details table query to the view query.
    6.5. Duplicate columns which are links and reorder them. Replace their header names with “ ” for instance.
    6.6. Into Column Attributes/Column Link/Link Text pick an icon.
    6.7. Select for Attributes/Column Link/Target “URL”.
    6.8. Into URL field type
    javascript: popupURL('f?p=&APP_ID.:205:&SESSION.::&DEBUG.::::NO','Link','scrollbars=yes,resizable=yes,width=625,height=350,left=25,top=150');
    and replace 205 with the appropriate page number.
    Now the page has one form with Next and Previous buttons for the master table and one report for the details view with two or more links. A pop-up window with an edit detail table form appears when one clicks on a link (icon).
    Konstantin Gudjev
    [email protected]

  • ISE CWA FLEXCONNECT - No url redirect

    Hi,
    I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.
    Unfortunately I'm running into problems.
    The AP, WLC and ISE are all running in VLAN 1, which terminates on the 5505 as an inside interface.
    VLAN 2 is a guest network terminating on a separate interface on the ASA.
    The problem that I'm facing is that the URL redirect from ISE doesn't work. If I check the client summary on the vWLC I can see that the client gets the redirect FlexConnect ACL applied and that the URL is present. I've verified that it's not a DNS issue, and I'm able to manually connect to ISE, so there is no ACL blocking me. The client just doesn't get the redirect. I've tried with multiple devices (Windows, iOS, Android) and it's all the same.
    I've followed the following guides:
    http://www.drchaos.com/flexconnect-local-switching-guestbyod/
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11
    Currently I'm at work but I can provide some debug output later. 
    Has anyone seen this behavior before?

    It is possible that you are hitting the following bug:
    https://tools.cisco.com/bugsearch/bug/CSCue68065
    One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:
    1. Create a standard ACL on the controller that is named exactly like the FlexConnect ACL
    2. The standard ACL does not have to have any ACEs in it
    I have run into this issue before and the above workaround has worked for me. The issue was supposed to be addressed in version 8.x of the WLC, but I think it is still worth giving it a try.
    Thank you for rating helpful posts!

  • Issues getting url-redirect working with Cisco ISE

    Hi,
    I am currently doing a Proof of Concept using Cisco's new ISE product. I am having issues getting the url-redirect RADIUS attribute working. I have read the troubleshooting document and everything in it points to it should be working. By debugging the RADIUS information on the switch I can see that it is passing the url-redirect to the switch, which in my case was https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa. Now, to remove DNS issues etc. from the equation, if I copy and paste this URL into the client browser it takes me to the correct place, and I can log in and it changes VLANs accordingly. Now, as far as I know, the client should automatically be redirected to this URL, which is not working. Below I have included one of the debugs to show that the EPM is in place.
    DEVLABSW01#show epm session ip 10.0.1.104
        Admission feature:  DOT1X
                  ACS ACL:  xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa
    I have also attached my switch config. Any help would be greatly appreciated.
    Dan
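    Both the "show authentication sessions" output earlier in this thread and the "show epm session ip" output above carry the same two fields that CWA depends on: the redirect ACL name and the redirect URL, whose sessionId must agree with the switch's session ID. The script below is an added example (not code from any post or from Cisco): it parses that key/value output, flags a missing url-redirect or url-redirect-acl, a non-HTTPS URL, a non-"Authz Success" status, or a sessionId mismatch, and returns the findings. The sample inputs are constructed copies of the two outputs quoted in the thread.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample input: the "show authentication sessions interface" output
# quoted earlier in the thread, reproduced here so the script runs offline.
SHOW_AUTH_SESSION = """\
            Interface:  GigabitEthernet1/0/10
          MAC Address:  20cf.3017.645b
           IP Address:  172.31.105.132
            User-Name:  20-CF-30-17-64-5B
               Status:  Authz Success
               Domain:  DATA
          Vlan Policy:  300
              ACS ACL:  xACSACLx-IP-CentralWebAuth-5062f332
     URL Redirect ACL:  redirect
         URL Redirect:  https://ISEC3395.omitted.omitted:8443/guestportal/gateway?sessionId=AC1F552F0000000A001A6FD2&action=cwa
    Common Session ID:  AC1F552F0000000A001A6FD2
"""

# Constructed sample input: the "show epm session ip" output from the post above.
SHOW_EPM_SESSION = """\
DEVLABSW01#show epm session ip 10.0.1.104
    Admission feature:  DOT1X
              ACS ACL:  xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa
"""

# "Key:  value" lines; the first colon ends the key, so URLs in the value are safe.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?):\s+(\S.*)$")


def parse_session(text):
    """Turn IOS session output into a dict; lines that are not key/value pairs
    (such as the echoed command prompt) are skipped."""
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def check_cwa_session(text):
    """Sanity-check one session for the pieces CWA needs. Returns a dict with
    'ok', a list of 'problems', the redirect 'url_host' and the 'session_id'."""
    fields = parse_session(text)
    problems = []
    url = fields.get("URL Redirect")
    acl = fields.get("URL Redirect ACL")
    if not url:
        problems.append("no URL Redirect: ISE did not return the url-redirect av-pair")
    if not acl:
        problems.append("no URL Redirect ACL: url-redirect-acl av-pair missing, nothing is intercepted")
    status = fields.get("Status")
    if status and status != "Authz Success":
        problems.append(f"session status is {status!r}, not 'Authz Success'")
    url_host = sid = None
    if url:
        parsed = urlparse(url)
        url_host = parsed.hostname          # urlparse lowercases the host
        sid = parse_qs(parsed.query).get("sessionId", [None])[0]
        common = fields.get("Common Session ID")
        if parsed.scheme != "https":
            problems.append("redirect URL is not https")
        if sid and common and sid.upper() != common.upper():
            problems.append(f"sessionId {sid} in the URL does not match Common Session ID {common}")
    return {
        "ok": not problems,
        "problems": problems,
        "url_host": url_host,
        "session_id": sid or fields.get("Common Session ID"),
    }


if __name__ == "__main__":
    for name, sample in (("auth session", SHOW_AUTH_SESSION), ("epm session", SHOW_EPM_SESSION)):
        result = check_cwa_session(sample)
        print(name, "OK" if result["ok"] else "PROBLEMS", result["problems"])
```

    Paste the output of either command into the constants (or read it from a file) and the problems list tells you which half of the redirect is missing before you start debugging RADIUS.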

    So I'm also doing ISE for the first time and I knew it may have been a bit tough; however, I didn't foresee my following issue.
    Everything is working as expected other than every now and then (intermittently) the ISE Central Portal does not display on any device (Android, Windows, etc.). I checked and checked the configs, had probably about 10 TAC cases open. This weekend I ripped out the main components, set up in the office and tried to replicate the issue. I could. What I noticed is that without Internet the ISE portal didn't actually display. It sounds weird but that's what I'm seeing. As soon as I plug an Internet link into the equation, the portal page comes up. I'm able to replicate it every time. Currently, I placed it back into the customer network and I'm now looking down at the routing/firewall.
    My issue is that I can't really explain why the Internet affects the central auth page. In any event, I'm working backwards; tomorrow I'm bringing in a second link and doing NAT on a Cisco router to bypass the Checkpoint firewall. I'll know if it's Checkpoint or if I'm barking up the wrong tree.
    If anyone can explain why, it would help out a great deal.
    My setup BTW is
    1. WLC 5760 - Not the latest code but the latest stable (recommended by the TAC engineer)
    2. ISE 1.2 - Doing simple Wireless only implementation
    3. 3650 - Just acting like a switch - no ACLs etc - just a switch
    4. Integrated into AD
    I'll post back with any findings if I make any headway. BTW, I didn't like this at all as other solutions are so much simpler, but I can now see how powerful this could potentially be for the right type of customer...
    Thanks again, and I hope I can get some feedback.

  • How does ISE choose which IP to put in URL redirect response?

    Hello,
    does anyone know how ISE chooses which IP to put in the URL redirect response if it has more than one interface with an IP address and all interfaces are enabled in the portal configuration?
    I have a single ISE 1.3 PSN with all four interfaces configured, enabled, each on unique VLAN, and each with unique IP address.
    In the CWA portal configuration, all four interfaces are enabled.
    Wired clients connect to NAD, NAD sends RADIUS request to ISE, ISE responds with a RADIUS response including the URL-Redirect parameter which specifies the web redirect URL. ISE configuration uses "ip:port" in the URL. 
    My question is how does ISE choose which of its four interfaces to put in this URL? Is it always the same interface that RADIUS packets were received on? Or does it always choose the first portal enabled interface? Or is there another logic? Configurable or unconfigurable?
    Thanks!

    ISE uses the first interface enabled for that portal, so if you want to use a specific interface, then only enable that interface. If the interface is GE0, then the default behavior is to redirect with the ip value set to the node's FQDN. If the interface is other than GE0, then the default behavior is to return the IP address of the associated interface.
    Aliases can be configured for each interface using the CLI 'ip host' command to associate a hostname/FQDN with the IP address of a given interface. When configured, ISE will return that value rather than the IP address in the redirect. This is critical if you want to avoid certificate trust warnings on connecting clients.
    Be sure that the certificate assigned to the interface includes the correct FQDN or optionally a wildcard value in the CN or SAN fields to avoid cert warnings.
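    The answer above comes down to one check a defender can automate: whatever host ISE places in the redirect URL (the node FQDN for GE0, the interface IP for other interfaces, or the 'ip host' alias) must be covered by the portal certificate's CN/SAN, otherwise every client sees a trust warning and learns to click through it. The code below is an added example, not ISE code or any post's code: it models the interface-selection rule exactly as the answer states it, then applies RFC 6125-style name matching (case-insensitive, wildcard only as the whole leftmost label, matching exactly one label; IP literals match only IP SAN entries). The SAN list, interface names, IPs and aliases are constructed values for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed SAN entries in OpenSSL's "DNS:..." / "IP:..." notation.
SAMPLE_SAN = ["DNS:ise-psn1.example.com", "DNS:*.guest.example.com"]


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, a '*' only as the entire
    leftmost label, and that label matches exactly one label of the host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(host, san_entries):
    """True if any SAN entry covers the host. An IP literal in the URL is only
    covered by an IP SAN, never by a DNS entry, which is why a redirect to a
    bare interface IP produces a warning even with a valid server certificate."""
    pairs = [entry.split(":", 1) for entry in san_entries]
    if _is_ip(host):
        ip = ipaddress.ip_address(host)
        return any(kind == "IP" and ipaddress.ip_address(val) == ip for kind, val in pairs)
    return any(kind == "DNS" and dns_name_matches(val, host) for kind, val in pairs)


def redirect_host(enabled_ifaces, node_fqdn, iface_ips, ip_host_aliases):
    """Host ISE puts in the url-redirect value, modelled on the answer above:
    the first portal-enabled interface wins; GE0 yields the node FQDN, any
    other interface yields its IP unless an 'ip host' alias names that IP."""
    iface = enabled_ifaces[0]
    if iface == "GigabitEthernet 0":
        return node_fqdn
    ip = iface_ips[iface]
    return ip_host_aliases.get(ip, ip)


def check_redirect_url(redirect_url, san_entries):
    """Extract the host from a redirect URL and report whether the cert covers it."""
    host = urlparse(redirect_url).hostname
    return {"host": host, "covered": cert_covers_host(host, san_entries)}


if __name__ == "__main__":
    # Constructed deployment: portal enabled only on GE1, no 'ip host' alias yet.
    ifaces = {"GigabitEthernet 0": "192.0.2.1", "GigabitEthernet 1": "198.51.100.10"}
    without_alias = redirect_host(["GigabitEthernet 1"], "ise-psn1.example.com", ifaces, {})
    with_alias = redirect_host(["GigabitEthernet 1"], "ise-psn1.example.com", ifaces,
                               {"198.51.100.10": "portal.guest.example.com"})
    for host in (without_alias, with_alias):
        url = f"https://{host}:8443/guestportal/gateway?sessionId=constructed&action=cwa"
        print(url, "->", check_redirect_url(url, SAMPLE_SAN))
```

    Note that a wildcard entry such as *.guest.example.com does not cover guest.example.com itself, so the 'ip host' alias must be one label deeper than the wildcard, or the certificate needs an explicit entry for it.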

  • NAC L2-IP on 6500 . URL Redirection Not working

    Hi,
    We are testing NAC L2-IP on a Cat 6506 running 12.2(18)SXF9.
    When configuring for NAC L2-IP, the switch is able to download the required ACL entries. The HTTP server is enabled on the switch; however, the HTTP redirection is still not working.
    From the client side, I can see the SYN packets going to port 80 but no response (redirect etc.) comes back from the switch.
    This is the Port-ACL
    10 permit udp any eq 21862 any
    11 permit icmp any any echo-reply
    20 permit udp any any eq bootps
    30 permit udp any any eq domain
    40 permit tcp any eq 3389 any
    50 deny ip any any
    This is the ACL as specified in the "url-redirect-acl" attribute
    70 deny tcp any host 10.140.4.116 eq www
    80 deny tcp any host 10.140.4.202 eq www
    90 deny tcp any host 10.1.194.15 eq www
    100 deny tcp any host 172.25.1.15 eq www
    110 permit tcp any any eq www
    Any ideas ?
    +++++++++++++++++
    show eou ip 10.192.99.27
    Address : 10.192.99.27
    MAC Address : 0006.5ba0.5705
    Interface : FastEthernet2/47
    AuthType : CLIENTLESS
    Audit Session ID : 0000002C1387D1FB0000000D0AC0631B
    PostureToken : -------
    Age(min) : 15
    URL Redirect : http://x.x.x/y
    URL Redirect ACL : redirect-policy
    ACL Name : #ACSACL#-IP-NAC_NoCTA_ACL-464b3186
    User Name : UNKNOWN USER
    Revalidation Period : 36000 Seconds
    Status Query Period : 300 Seconds
    Current State : CLIENTLESS
    ++++++++++++++++++++++++++++++++
    Exactly the Same configuration and Secure ACS configuration works for a 3560 Switch.
    Thanks,
    Naman
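    The two ACLs in the post above have opposite meanings, which is a frequent source of "redirect not working" reports: the port ACL is an ordinary filter (permit = forward), while in an IOS url-redirect ACL permit means "intercept and redirect this flow" and deny means "leave it alone", so the four deny entries exempt specific web servers from redirection and line 110 redirects everything else on port 80. The evaluator below is an added example, not the poster's configuration or Cisco code: it parses the quoted ACL lines (first match wins, implicit deny at the end) and reports, for a given flow, what each ACL decides. It models only the ACL matching itself, not the platform's ordering of the two ACLs or the 6500 bug referenced in the reply; the flow addresses other than the client's 10.192.99.27 are constructed.

```python
import ipaddress

# Constructed copies of the two ACLs quoted in the post above.
PORT_ACL_TEXT = """
10 permit udp any eq 21862 any
11 permit icmp any any echo-reply
20 permit udp any any eq bootps
30 permit udp any any eq domain
40 permit tcp any eq 3389 any
50 deny ip any any
"""

REDIRECT_ACL_TEXT = """
70 deny tcp any host 10.140.4.116 eq www
80 deny tcp any host 10.140.4.202 eq www
90 deny tcp any host 10.1.194.15 eq www
100 deny tcp any host 172.25.1.15 eq www
110 permit tcp any any eq www
"""

# IOS port keywords that appear in ACLs like the ones above.
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "ftp": 21, "telnet": 23, "ssh": 22}


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))          # IOS inverse mask
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' qualifier; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        return PORT_NAMES.get(port, None) or int(port), i + 2
    return None, i


def parse_acl(text):
    """Parse numbered IOS extended ACEs into dicts, keeping their order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0].isdigit():
            tokens = tokens[1:]                 # drop the sequence number
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)       # trailing words such as echo-reply are ignored
        aces.append({"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport})
    return aces


def _matches(ace, flow):
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    if ipaddress.ip_address(flow["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != flow.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != flow.get("dport"):
        return False
    return True


def acl_verdict(aces, flow):
    """First matching entry decides; no match is the implicit deny."""
    for ace in aces:
        if _matches(ace, flow):
            return ace["action"]
    return "deny"


def is_redirected(redirect_aces, flow):
    """url-redirect ACL semantics: permit = intercept and redirect, deny = pass through untouched."""
    return acl_verdict(redirect_aces, flow) == "permit"


def explain(flow, port_aces=None, redirect_aces=None):
    port_aces = port_aces if port_aces is not None else parse_acl(PORT_ACL_TEXT)
    redirect_aces = redirect_aces if redirect_aces is not None else parse_acl(REDIRECT_ACL_TEXT)
    return {"port_acl": acl_verdict(port_aces, flow), "redirected": is_redirected(redirect_aces, flow)}


if __name__ == "__main__":
    client = "10.192.99.27"    # the client in the show eou output above
    for dst, dport in (("203.0.113.5", 80), ("10.140.4.116", 80), ("203.0.113.5", 443)):
        flow = {"proto": "tcp", "src": client, "dst": dst, "dport": dport}
        print(f"{client} -> {dst}:{dport}", explain(flow))
```

    Running it shows that a web request to an arbitrary host is selected for redirection while a request to 10.140.4.116 is exempted, and that HTTPS is never redirected by this ACL at all, since line 110 only names port 80.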

    Check this bug-id: CSCse02269.

  • Web dispatcher URL redirect

    Hi ,
    We have a Web Dispatcher which is used for accessing Portal and Fiori using the public URLs below.
    https://fiori.xyzcorp.com
    https://portal.xyzcorp.com
    But when they try to access the portal URL via the internet it goes to https://portal.xyzcorp.com/startPage; by default it should route to irj/portal.
    Same for Fiori; I'm using the ICM redirect parameter but still can't access it:
    icm/HTTP/redirect_0 = PREFIX=/, FOR=portal.xyzcorp.com:*, TO=/irj/portal,
    icm/HTTP/redirect_1 = PREFIX=/, FOR=Fiori.xyzcorp.com:*, TO=/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html?sap-client=800&sap-language=EN,
    Could you please share your thoughts?

    Hi Krishna,
    Please go through below doc
    SAP webdispatcher and URL redirect?
    icm/HTTP/redirect_<xx> (SAP Library - SAP Web Dispatcher)
    BR
    Atul
