Cisco ISE CWA issue

Good day,
I have Cisco ISE 1.2 with a Cisco 2960 NAD.
I configured the authorization for employees successfully, but my issue is with the guest users: the link is not redirected.
Please advise what I should put in the authentication policy default rule. Deny access?
And on the switch, should I connect the guests to specific ports, or do I have to configure a specific VLAN in the authorization profile?
Appreciate your support,

In your authorization policy you are giving your Wired-Guest rule the same result as Wired-Webauth.
First time through you don't know he's a guest, so he hits Wired-Webauth and gets redirected. Second time through you have him in the guest flow, so you know he's an authenticated guest; he hits Wired-Guest, but you send him the same permissions, "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed, for instance.

Similar Messages

  • Cisco ISE - CWA AD Authentication

    Hello,
    I'm using Cisco ISE 1.3 and have a CWA portal set up for AD auth. When a user connects to a particular SSID (from a WLC) that is set up for MAC filtering, it redirects to a CWA via the auth policy. The CWA is displayed, they log in, the device registers, etc., and all is well. The next policy checks to see if the device is registered and, if so, bypasses the auth. That also works. However, any AD account can authenticate against the CWA, not the particular AD account I want. I don't know where to put the auth policy or what it looks like. Any help would be appreciated. I've tried a few combinations to no avail.
    Below are my current auth policies, as I mention above. They work, but the CWA validates any AD credential, not the group I want. Should a NetworkAccess:UseCase=GuestFlow go between the 2 policies perhaps?

    Hi Marc, what I meant by "desired_permissions" is what your environment/situation calls for. With that being said, returning back only "access_accept" with your "authorization profile" would work, but at the same time it will give the authorized users/devices full access. So unless you have an ACL to firewall off the guest users, you would need to return some additional attributes when trying to restrict/limit guest users/devices.
    For instance, I like to use Policy Sets and dedicate a policy set per SSID and then either a general Policy Set for Wired or one Policy Set for Corporate Wired and one for Guest Wired. If you don't use policy sets, then you should create one authorization rule for Guest_Wired and one for Guest_Wireless.
    For the Guest_Wired, you will need to return "access_accept" and then a "DACL Name" that you can create locally in ISE.
    For the Guest_Wireless, you will need to return "access_accept" and then an "Airespace ACL Name". That ACL is not a DACL (WLCs do not support DACLs). Instead, that is an ACL that you configure locally on the WLC; thus, the name must match on both ends, and it is case sensitive!
    Both the DACL and the "Airespace ACL" would contain rules that fit your environment/security requirements. Typically though you would have:
    1. Permit DNS - needed for DNS resolution
    2. Permit access to ISE - needed for the guest pages to properly load
    3. Deny any private/RFC 1918 addresses - blocks guests from accessing internal hosts
    4. Permit everything else - needed for general internet browsing
    I hope this helps!
    Thank you for rating helpful posts!

  • Cisco ISE - CWA redirect in another way than cisco-av-pair?

    Hello.
    I'm trying to set up ISE as a CWA.
    I have made all the rules in both Authentication and Authorization, and I also see the clients hitting the right rules. The Authorization rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
    But here is the problem: we use Aerohive access points, and Aerohive does not support cisco-av-pair attributes, since they are Cisco proprietary.
    Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's being sent to it.
    So the big question: is there a way to make the same redirect using standard RADIUS attributes?
    Thank you.

    Unfortunately there isn't. I have done a project with ISE and Aerohive before, and outside of basic 802.1X authentication I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE, just a compatibility one:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
    I could be wrong here, so if someone else has done this before please chime in.
    Thank you for rating helpful posts!

  • Cisco ISE Deployment issue

    Hi dears,
    I deployed ISE in primary and secondary mode. Then I deregistered the secondary ISE at the primary ISE. Now I want to register the same second ISE as secondary on the primary ISE, but this error occurs:
    Unable to register SecondaryISE. Node is not a Standalone node.
    I connect to the secondary ISE and see the deployment personas:
    Administration: Secondary
    Monitoring: Secondary
    Then I ran the promote-to-primary command; after that ISE logged me out, but the problem is not solved.
    Version 1.20.8xx on both ISEs.
    How do I solve this issue?
    Thanks

    Try promoting the secondary ISE which you have deregistered to standalone, and then try registering it on the primary.

  • Cisco ISE - CWA Redirect

    Why do the ISE nodes need to be defined in the web authentication redirect ACL that is configured locally on the switch?
    All the documentation that I've found states this. I set up my 2-year-old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories, I don't understand why the ISE nodes need to be defined in the switch redirect ACL. I am now testing with a simple "redirect www & 443" ACL and it is working as expected.
    The client connects to the network and, for our environment, is requested to do dot1x until that times out and then it shifts to MAB. At which point I do not have an authz rule defined for my test machine, and therefore it matches my catch-all authz rule of CWA, which sends a CWA DACL. The switch lays the ACLs on the interface in this order: 1. Redirect 2. DACL 3. PACL. In my DACL I have access to the ISE nodes allowed (just to be safe) and the redirection still works, because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is 8443).
    Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore need to be defined in the CWA redirect ACL local to the switch?

    Poonam,
    I appreciate the response. I understand the process and flow of CWA, but I still don't see why the ISE nodes need to be defined (as deny statements or at all) in the redirect ACL that is locally configured on the switch. Let me try to explain it better (sorry for the novel):
    1. A default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any", which allows an open fallback in case communication to ISE fails.
    2. A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY ACL that is applied to the interface/client.
    3. The client does not run dot1x and therefore the switch eventually fails over to MAB. At this time the CWA authz rule comes into effect and ISE sends the DACL to the switch via RADIUS and also references which RACL (redirect ACL) to use.
    4. Not many people seem to understand this part... The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL, with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch); then the DACL from ISE is the next portion of this new ACL, and the very last portion is the original static PACL that is configured on the port.
    Again, I've tested this out over and over again on several different platforms (6500, 3700, 3800), and because, during the stage where the interface is in the CWA state, the ACL that is applied to the interface is ALL THREE ACLs in the order RACL > DACL > PACL, it doesn't seem to make sense that you need to define the ISE nodes in the RACL, because all you need to define is what traffic you want to redirect. You define what traffic you want allowed in the DACL, which is where you state access to the ISE nodes (either complete access or only 8443 access).
    Let me give you this example. Say I have the following configured:
    CONFIGURED SWITCH INTERFACE ACL (PACL)
      ip access-list extended ACL-ALLOW
       permit ip any any
    CONFIGURED SWITCH REDIRECT ACL (RACL)
      ip access-list extended ACL-WEBAUTH-REDIRECT
       permit tcp any any eq www 443
    CONFIGURED ISE DOWNLOADABLE ACL (DACL)
      permit tcp any host <psn01> eq 8443
      permit udp any host <dns01> eq 53
      deny ip any any
    Then the process would look like this:
    1. During dot1x negotiation the ACL that is used is this:
    permit ip any any     <<<<< PACL
    2. Once CWA is in effect, the ACL looks like this:
    redirect tcp host <host ip> any eq www 443             <<<<< RACL
    permit tcp host <host ip> host <psn01 ip> eq 8443       <<<<< DACL
    permit udp host <host ip> host <dns01 ip> eq 53       <<<<< DACL
    deny ip any any      <<<<< DACL
    permit ip any any      <<<<< PACL
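The merge order the reply above lays out (redirect ACL, then the ISE DACL, then the static port ACL) and the guest DACL pattern from the AD-authentication reply further up (permit DNS, permit ISE, deny RFC 1918, permit the rest) are both easy to reason about wrongly by hand, so here is an added Python example, not code from the thread or from Cisco, that evaluates sample flows against those ACLs in that order. The addresses standing in for <psn01>/<dns01>, the client flows and the ACE parser are this example's own assumptions. It models a redirect-ACL deny as "not redirected, then subject to the DACL and port ACL", which is the usual reading of those deny entries; confirm what your platform actually installs with show ip access-lists interface <intf> before relying on it.

```python
# Added example, not code from the thread: evaluate a flow in the order the post above
# describes (redirect ACL, then ISE DACL, then port ACL). Addresses and flows are constructed.
import ipaddress

PSN01, DNS01 = "10.1.1.10", "10.1.1.53"          # constructed stand-ins for <psn01>/<dns01>
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


def _parse_addr(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wild = int(ipaddress.IPv4Address(t[i + 1]))            # IOS wildcard mask ...
    mask = str(ipaddress.IPv4Address(~wild & 0xFFFFFFFF))  # ... inverted to a netmask
    return ipaddress.ip_network((t[i], mask), strict=False), i + 2


def parse_acl(text):
    """Parse 'action proto any <dst> [eq port...]' ACEs; every ACE on this page has source 'any'."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        dst, i = _parse_addr(t, 3)
        ports = {PORT_NAMES.get(p, p) for p in t[i + 1:]} if i < len(t) and t[i] == "eq" else set()
        acl.append({"action": t[0], "proto": t[1], "dst": dst, "ports": {int(p) for p in ports}})
    return acl


def first_match(acl, flow):
    """Action of the first ACE matching a (proto, dst_ip, dst_port) flow, or None."""
    proto, dst, dport = flow
    for a in acl:
        if a["proto"] in ("ip", proto) and ipaddress.ip_address(dst) in a["dst"] \
                and (not a["ports"] or dport in a["ports"]):
            return a["action"]
    return None


def evaluate(flow, racl, dacl, pacl):
    """'redirect' | 'permit' | 'deny': a RACL permit redirects; a RACL deny or no match only
    exempts the flow from redirection, then the DACL, the PACL and the implicit deny decide."""
    if racl and first_match(racl, flow) == "permit":
        return "redirect"
    for acl in (dacl, pacl):
        verdict = first_match(acl, flow)
        if verdict:
            return verdict
    return "deny"


PACL = parse_acl("permit ip any any")                    # ACL-ALLOW from the post
RACL_BARE = parse_acl("permit tcp any any eq www 443")   # the poster's minimal redirect ACL
# The commonly documented variant: exempt the PSN before redirecting web traffic.
RACL_EXEMPT_PSN = parse_acl(f"""
deny   ip any host {PSN01}
permit tcp any any eq www 443
""")
DACL_CWA = parse_acl(f"""
permit tcp any host {PSN01} eq 8443
permit udp any host {DNS01} eq 53
deny   ip any any
""")
# Post-login guest DACL: DNS, ISE, deny RFC 1918, permit the rest (pattern from the AD-auth reply).
DACL_GUEST = parse_acl(f"""
permit udp any any eq domain
permit ip any host {PSN01}
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip any any
""")


def cwa_state_verdicts(racl=RACL_BARE):
    """Verdicts while the port is in the CWA state (racl + DACL_CWA + PACL)."""
    flows = {"web to internet": ("tcp", "203.0.113.10", 80), "portal on 8443": ("tcp", PSN01, 8443),
             "psn on 443": ("tcp", PSN01, 443), "dns": ("udp", DNS01, 53),
             "ssh to internal host": ("tcp", "10.9.9.9", 22)}
    return {k: evaluate(f, racl, DACL_CWA, PACL) for k, f in flows.items()}


def guest_state_verdicts():
    """Verdicts after login, when ISE has pushed DACL_GUEST via CoA and no redirect ACL applies."""
    flows = {"https to internet": ("tcp", "203.0.113.10", 443), "dns": ("udp", "198.51.100.53", 53),
             "internal 10/8": ("tcp", "10.9.9.9", 445), "internal 172.16/12": ("tcp", "172.20.1.1", 80),
             "psn": ("tcp", PSN01, 8443)}
    return {k: evaluate(f, None, DACL_GUEST, PACL) for k, f in flows.items()}


if __name__ == "__main__":
    print("bare RACL   :", cwa_state_verdicts())
    print("PSN exempted:", cwa_state_verdicts(RACL_EXEMPT_PSN))
    print("guest DACL  :", guest_state_verdicts())
```

Compare the two CWA rows it prints: with the bare redirect ACL, anything the client sends to the PSN on 443 is redirected, which is the case the deny entries exist to prevent; with the PSN exempted, that traffic falls through to the DACL, which still decides whether it is permitted (here it is not, because the DACL only opens 8443). The guest row shows why ACE order matters in the post-login DACL: the PSN sits inside 10.0.0.0/8, so its permit has to precede the RFC 1918 deny.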

  • CWA using Cisco ISE issue

    Good morning everyone,
    I am having some trouble using my Cisco ISE to do Central Web Authentication. I followed this configuration example: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    But for the moment, clients can't see the web portal. My WLC and my Cisco ISE are configured as presented in the document; when clients connect to the AP, they are listed in Cisco ISE with the right authorization profile, but the URL redirection doesn't work as I want: clients have to enter the IP address manually in the web browser to log in through Cisco ISE.
    If anyone has already had this problem, maybe you could tell me more about it.
    Thanks in advance!

    Good news!
    I resolved my problem 15 minutes ago. For people who have the same problem: I just changed the static route on my WLC. The issue was that I was broadcasting the same VLAN as used for the management interface, and by adding the network allowing admins to reach the service port, all traffic of my broadcast VLAN was sent to the service port. A simple netmask modification resolved the problem.
    I still have a problem with CoA, which doesn't work properly; I have to disconnect/reconnect to the SSID to get complete access, but I'm going to continue my research on that.
    Thanks all for your help!

  • Cisco ISE Guest Portal - DNS Issue - External Zone

    Hello,
    I have a customer with the following scenario:
    In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redirect URL from ISE (the URL to access the ISE Guest Portal), this URL is based on the ISE DNS name, not on its IP address; so the PC can't resolve this DNS name, since there is no DNS in the external zone (for guests) or via the ISP DNS server addresses provided by the DHCP server, and so it can't access the Guest Portal at all.
    I know that trying to hard-code the IP address does not work (i.e. in the CWA authorization profile, the equivalent URL redirect via the cisco-av-pair as follows:
    cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa )
    since the sessionIdValue variable is not replaced by its real value when sent to the wireless client.
    My question is: has this issue been addressed in Cisco ISE 1.2? Has anyone tried it, if it has been addressed? If not in ISE 1.2, does anyone know if this feature will become available?
    Thank you in advance for your replies.
    Robert C.

    Robert,
    Manual assignment has been made available in ISE 1.2 release.
    M.

  • Cisco ISE 1.2.1 deployment issue with AnyConnect and Profiling

    Hi All,
    We are running the Cisco ISE box on version 1.2.1, where I am facing the issue below during deployment. We have two ISE boxes: one box acts as Primary Admin, Secondary MnT and Policy Service, and the second box acts as Secondary Admin, Primary MnT and Policy Service.
    1) Profiling of endpoints - HP LaserJet printer 55XX series and scanner profiling are not happening in Cisco ISE 1.2.1, although I have enabled the probes below in ISE for profiling:
    RADIUS Probe
    SNMP Probe
    SNMP Trap
    HTTP Probe and DNS
    2) AnyConnect issue - we are using the AnyConnect supplicant 3.0.11042 for the wired and wireless user profile on Windows 7 Enterprise 32-bit machines
    - Yellow mark issue - once authentication and posturing are completed, we get a yellow mark on the network drive, but we are still able to connect to the network
    - Network map drive issue - once authentication and posturing are completed, we get a red cross mark on the mapped network drive, and if we double-click on that drive then it becomes accessible and the red mark turns green.
    For that we have already allowed IP-level access to all domain in the before-logon DACL (machine authentication).
    It would be really great if anyone can help me on the same.
    Thanks & Regards
    Pranav

    Hi Pablo,
    Please find the solutions below.
    Yellow mark issue - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This service is by default disabled on the Windows XP and Windows 8.x operating systems. It is only enabled by default on the Windows 7 and Windows Vista operating systems.
    Network map drive issue - create a logon script and deploy it using Group Policy. The script will check full network connectivity and then map the network drives.
    Regards
    Pranav

  • CoA issue with Cisco ISE 1.2

    Hi, I am currently implementing web auth with Cisco ISE for self-registration, but I am having an issue with CoA. I was able to get non-Windows machines to work, but with Windows I can't push out the URL redirection through CoA. I have enabled debug and I can see ISE trying to push the URL redirection to the port; however, the URL was not shown when I issued a show authentication session interface gi 1/0/x command. The only issue I can see from the debugging is that the interface failed authorization first and then succeeded authorization right after. Again, the URL redirection works on non-Windows machines; I have even gone as far as disabling the dot1x supplicant on Windows, and it still didn't fix the issue.
    Please see the attachment for the debugging I mentioned above. If anyone knows or has had this issue before, please let me know how I can resolve it.

    Finally figured it out. The redirection ACL was messed up.

  • Cisco ISE 1.3 Active Directory issue

    Hi Folks
    I am having an issue with our Cisco ISE and would love some feedback or a solution. I have ISE configured to use our Active Directory setup, and so far it appears to be functional. I can connect to AD, retrieve groups and use AD for authentication. The issue I am experiencing is that when I try to go to the Administration > Identity Management > External Sources page and select our AD instance from the left-hand window, the screen locks up and refuses to load. Any advice?

    Hi
    I also had this issue (and one of my colleagues also) when using Firefox (versions 34 and 35).
    I managed to create the AD server using IE 10, for example, and afterwards it appears correctly with Firefox.
    It was before ISE 1.3 patch 1, but I have seen no corrected issue in the patch 1 release notes for this problem.
    guillaume

  • Cisco ISE issue 24206 User Disabled

    Hi there,
    We have an issue here with Cisco ISE. When I create a guest account with the sponsor portal, we can't access the WLAN. In Cisco ISE, Operations > Authentications returns the error message: Event "Authentication", Failure Reason "24206 User Disabled", Auth Method "PAP_ASCII", Authentication Protocol "PAP_ASCII".
    In order to fix this issue, what can I do? I don't understand why, because I can create the user without an error message.
    At the sponsor portal the user that I have created doesn't show in the list...
    Any help??
    Regards
    Adriano

    Select the affected account and click Reinstate.
    It is possible, that your sponsor account does not have the permission to Reinstate/Suspend accounts. Check/change this in your ISE admin page:
    - Go to Administration > Guest Management > Sponsor Groups.
    - Click the Sponsor Group your sponsor account is a member of to edit.
    - Select tab Authorization Levels: view/modify the permission listed for the option Suspend/reinstate Accounts.
    ref: https://supportforums.cisco.com/discussion/11431386/ise-guest-user-problem

  • Facing an issue integrating with Cisco ISE

    We are trying to integrate our product (Cisco Prime Infrastructure) with Cisco ISE for authentication and authorization. We already support PAP/CHAP, and are now trying to add support for EAP-TLS.
    Currently during our integration we are facing TLS payload errors. We are using the jradius library to talk to Cisco ISE for authentication and are facing the TLS error below in the ISE logs. Tried with Cisco ISE 1.2 and 1.3 versions.
    Event: 5400 Authentication failed
    Failure Reason: 11500 Invalid or unexpected EAP payload received
    DetailedInfo: TLS packet parsing failed: total accumulated size plus this last fragment size is greater than expected total TLS message size
    Any pointers to resolve this problem, or any other free Java-based client library instead of jradius which has been tried out successfully with Cisco ISE, would also be great.
    Regards
    Chandrakumar

  • Cisco ISE some Radius issues

    Dear guys,
    I deployed Cisco ISE for Network Access Control. My topology is described in the attached image. I configured Cisco ISE as the RADIUS server for client access control. But I have some problems such as:
    No Accounting Start. (I have configured accounting on the 2960 switch.)
    RADIUS Request Dropped (attached image). These NAS IP addresses are servers on the same subnet as Cisco ISE.
    I would greatly appreciate any help you can give me in working this problem.
    Have a nice day,
    Thanks and Regards,

    Sorry for late reply.
    Here is my switch config.
    Current configuration : 8630 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Switch
    boot-start-marker
    boot-end-marker
    no logging console
    enable password ******************
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting delay-start all
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa server radius dynamic-author
     client A.B.C.D server-key keystrings
    aaa session-id common
    system mtu routing 1500
    vtp mode transparent
    ip dhcp snooping
    ip device tracking
    crypto pki trustpoint TP-self-signed-447922560
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-447922560
     revocation-check none
     rsakeypair TP-self-signed-447922560
    crypto pki certificate chain TP-self-signed-447922560
     certificate self-signed 01
      xxxxx
    dot1x system-auth-control
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 139,153,401-402,999,1501-1502
    interface FastEthernet0/11
     switchport access vlan 139
     switchport mode access
     authentication host-mode multi-auth
     authentication open
     authentication port-control auto
     authentication periodic
     authentication timer inactivity 180
     authentication violation restrict
     mab
    interface FastEthernet0/12
     switchport access vlan 139
     switchport mode access
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action authorize vlan 139
     authentication event server alive action reinitialize
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     authentication timer inactivity 180
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
    interface GigabitEthernet0/1
     switchport mode trunk
    interface GigabitEthernet0/2
    interface Vlan1
     no ip address
    interface Vlan139
     ip address E.F.G.H 255.255.255.0
    ip default-gateway I.J.K.L
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-DEFAULT
     remark Allow DHCP
     permit udp any eq bootpc any eq bootps
     remark Allow DNS
     permit udp any any eq domain
     permit icmp any any
     permit tcp any host A.B.C.D eq 8443
     permit tcp any host A.B.C.D eq 443
     permit tcp any host A.B.C.D eq www
     permit tcp any host A.B.C.D eq 8905
     permit tcp any host A.B.C.D eq 8909
     permit udp any host A.B.C.D eq 8905
     permit udp any host A.B.C.D eq 8909
     deny   ip any any
    ip access-list extended ACL-WEBAUTH-REDIRECT
     permit tcp any any eq www
     permit tcp any any eq 443
     deny   ip any any
    ip radius source-interface Vlan139
    snmp-server community keystrings RW
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host A.B.C.D version 2c keystrings  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
    radius-server vsa send accounting
    radius-server vsa send authentication
    line con 0
    line vty 5 15
    end
    My switch version is
    WS-2960   12.2(55)SE5 C2960-LANBASEK9-M
    I would greatly appreciate any help you can give me in working this problem.

  • ISE - CWA Redirection

    Hi
    I am trying to implement the guest portal, and I have configured ISE and the switch to redirect guests, and I see the whole process goes well when I issue
    show authentication session interface GigabitEthernet1/0/11
                Interface:  GigabitEthernet1/0/11
              MAC Address:  1078.d2fc.698c
               IP Address:  192.168.0.59
                User-Name:  10-78-D2-FC-69-8C
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  81
                  ACS ACL:  xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A6518000000010006F2B5
          Acct Session ID:  0x00000003
                   Handle:  0x0D000001
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    My problem is that the web browser does NOT redirect automatically to the portal, but it does work manually when I copy the URL from the switch. Any idea?
    Switch configuration:
    boot-start-marker
    boot-end-marker
    logging monitor informational
    enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
    username cisco privilege 15 password 0 cisco
    username ise-rad-alive password 0 CICSOISEalive123
    aaa new-model
    aaa authentication login local local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    client 10.10.20.13 server-key myshared
    client 10.10.20.14 server-key myshared
    aaa session-id common
    switch 1 provision ws-c2960s-24ps-l
    ip dhcp snooping vlan 1-2000
    no ip dhcp snooping information option
    ip dhcp snooping
    ip domain-name mycompany.com
    ip name-server 192.168.10.40
    ip device tracking probe use-svi
    ip device tracking
    ip admission name Webauth proxy http inactivity-time 60
    vtp mode transparent
    epm logging
    dot1x system-auth-control
    fallback profile Webauth
    ip access-group ACL-WEBAUTH-REDIRECT in
    ip admission Webauth
    spanning-tree mode pvst
    spanning-tree extend system-id
    interface GigabitEthernet1/0/11
    switchport mode access
    switchport voice vlan 93
    ip access-group ACL-ALLOW in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 777
    authentication event server dead action authorize voice
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    spanning-tree portfast
    interface Vlan1
    no ip address
    shutdown
    interface Vlan80
    ip address 10.10.101.24 255.255.255.0
    ip default-gateway 10.10.101.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-AGENT-REDIRECT
    remark explicitly prevent DNS from being redirected to address a bug
    deny   udp any any eq domain
    remark redirect HTTP traffic only
    permit tcp any any eq www
    remark all other traffic will be implicitly denied from the redirection
    ip access-list extended ACL-ALLOW
    permit ip any any
    ip access-list extended ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Drop all the rest
    deny   ip any any log
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny   ip any host 10.10.20.13
    deny   ip any host 10.10.20.14
    deny   ip any host 192.168.10.43
    deny   ip any host 192.168.10.40
    deny   ip any host 192.168.10.41
    deny   ip any host 192.168.10.42
    remark explicitly prevent DNS from being redirected to accommodate certain switches
    deny   udp any any eq domain
    remark redirect all applicable traffic to the ISE Server
    permit tcp any any eq www
    permit tcp any any eq 443
    ip radius source-interface Vlan80
    logging origin-id ip
    logging source-interface Vlan80
    logging host 10.10.20.11 transport udp port 20514
    logging host 10.10.20.12 transport udp port 20514
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
    radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
    radius-server vsa send accounting
    radius-server vsa send authentication

    Verify that the redirection URL specified in Cisco ISE via the cisco-av-pair "URL Redirect" is correct:
    CWA redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    802.1X redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp
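One way to apply that advice against the switch side is to parse the show authentication sessions output and check the URL the switch actually holds. The following is an added Python example, not code from the thread or from Cisco: the sample output is constructed from the fields quoted in the post above, and the checks it makes (the sessionId placeholder substituted and equal to the Common Session ID, a redirect ACL referenced, and a portal hostname the client must be able to resolve) are this example's own, chosen from the failure modes discussed in this and the ISE 1.1.3 DNS thread above.

```python
# Added example, not from the thread: parse 'show authentication sessions interface' output
# and confirm the url-redirect the switch holds carries the real session ID. The sample
# output below is constructed from the fields quoted in the post above.
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_SESSION = """\
            Interface:  GigabitEthernet1/0/11
          MAC Address:  1078.d2fc.698c
           IP Address:  192.168.0.59
            User-Name:  10-78-D2-FC-69-8C
               Status:  Authz Success
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
    Common Session ID:  0A0A6518000000010006F2B5
Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
"""

# Same session, but with the av-pair's SessionIdValue placeholder left unsubstituted
# (constructed to reproduce the symptom described in the ISE 1.1.3 thread above).
SAMPLE_UNSUBSTITUTED = SAMPLE_SESSION.replace(
    "sessionId=0A0A6518000000010006F2B5", "sessionId=SessionIdValue")

_FIELD = re.compile(r"^\s*([A-Za-z][^:]*?):\s+(\S.*)$")


def parse_session(text):
    """Turn the 'Key:  value' lines of the show output into a dict; the method table is skipped."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def check_redirect(fields):
    """Report whether the switch-side state is consistent with a working CWA redirect."""
    url = fields.get("URL Redirect", "")
    query = parse_qs(urlsplit(url).query) if url else {}
    session_id = query.get("sessionId", [""])[0]
    report = {
        "has_url": bool(url),
        "has_redirect_acl": bool(fields.get("URL Redirect ACL")),
        "portal_host": urlsplit(url).hostname or "",
        "action": query.get("action", [""])[0],
        "placeholder_left": session_id == "SessionIdValue",
        "session_id_matches": bool(session_id) and session_id == fields.get("Common Session ID"),
    }
    report["ok"] = all([report["has_url"], report["has_redirect_acl"], report["session_id_matches"]])
    return report


def problems(fields):
    """Human-readable list of what to fix; empty when nothing on the switch side looks wrong."""
    r = check_redirect(fields)
    out = []
    if not r["has_url"]:
        out.append("no URL Redirect: the authorization profile did not return a url-redirect av-pair")
    if not r["has_redirect_acl"]:
        out.append("no URL Redirect ACL: the profile must name a redirect ACL that exists on the switch")
    if r["placeholder_left"]:
        out.append("sessionId is still the literal SessionIdValue: the NAD did not substitute it")
    elif r["has_url"] and not r["session_id_matches"]:
        out.append("sessionId in the URL differs from Common Session ID")
    if r["portal_host"] and not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", r["portal_host"]):
        out.append(f"portal host {r['portal_host']} is a name: the client must be able to resolve it")
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_SESSION, SAMPLE_UNSUBSTITUTED):
        fields = parse_session(sample)
        print(check_redirect(fields), problems(fields))
```

The first sample passes every check but still yields one note: the switch redirects to a hostname, so a client that cannot resolve it (the guest DNS situation from the 1.1.3 thread) will never reach the portal even though ISE and the switch both report success. The second sample shows what an unsubstituted placeholder looks like once parsed, so the condition is caught by a comparison rather than by eye.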

  • Cisco ISE Guest Sponsor Portal Issue

    Dear all,
    We have installed 5 ISE 3315 boxes running 1.0.4 in our network, where two of them are admin nodes, two are policy service nodes and one is an MnT node. We are using the guest sponsor portal for wireless guest users, where we have integrated a WLC 5508 with ISE and are using web login for guest users.
    We have created an open SSID on the WLC and are using the external redirect URL of ISE for the guest login page.
    But when we create any guest user in the sponsor login for guest users, we face the following issues:
    1) When a guest user gets connected to wireless and logs in to the guest portal with credentials, after entering the credentials it redirects again to the same login page
    without a successful login prompt.
    Can we prompt a successful login after the guest logs in to the guest portal, or redirect to any other link like google.com, so the guest user knows he is able to access the internet now?
    2) We have created a time profile of 8 hours from first login for guest users, which starts when the guest user gets connected and enters credentials into the guest portal.
    But we face an issue where after approximately every 20 mins the guest gets disconnected from the internet and again gets the login page of the guest portal; if we enter the same credentials then it works, but after an approx. 20 min interval the user gets disconnected from the internet.
    Can anyone help me to resolve the above issue regarding the Cisco ISE guest sponsor portal?
    Thanks & Regards
    Pranav Gade

    Pranav, your answers are inline.
    1) When a guest user gets connected to wireless and logs in to the guest portal with credentials, after entering the credentials it redirects again to the same login page
    without a successful login prompt. When you are using CWA (central web authentication) there is no way we can redirect users using the redirect-url, because this will always redirect users every time they initiate a web request. There is no other CoA feature that will remove this condition, since they have already been authenticated. Here is a guide that explains the user experience when using central web auth -
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1296954
    Can we prompt a successful login after the guest logs in to the guest portal, or redirect to any other link like google.com, so the guest user knows he is able to access the internet now? No, this is not possible; you can change the verbiage and force the AUP to be displayed, informing users that they can retry their web request after hitting the accept button.
    Here is the documented experience once users go through the guest process -
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
    2) We have created a time profile of 8 hours from first login for guest users, which starts when the guest user gets connected and enters credentials into the guest portal.
    But we face an issue where after approximately every 20 mins the guest gets disconnected from the internet and again gets the login page of the guest portal; if we enter the same credentials then it works, but after an approx. 20 min interval the user gets disconnected from the internet. Check the advanced timer on your SSID, as you may be hitting the session timeout on the WLC. Please disable this option and let the CoA feature in ISE expire user sessions on the controller.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
