Cisco ISE - CWA Redirect

Similar Messages

• Cisco ISE - CWA redirect in another way than cisco-av-pair?

  Hello.
  I'm trying to set up ISE as a CWA.
  I have made all the rules in both Authenticatin and Authorization, and I also see the clients hitting the right rules. The Authorizaton rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
  But here is the problem: We use Aerohive as Accesspoints. And Aerohive does not support cisco-av-pair attributtes, since it's Cisco proprietary.
  Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.
  So the big question: Is there way to make the same redirect using standard radius attributes?
  Thank you.

  Unfortunately there isn't. I have done a project with ISE and Aerohive before and outside of basic 802.1x authentications, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE but just a compatibility one:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
  If could be wrong here so if someone else has done this before pls chime in.
  Thank you for rating helpful posts! 

• ISE - CWA Redirection

  HI
  i am trying to implement guest portal and i have configure the ISE and switch to redirect guests and i see the whole process goes will when i issue
  show authentication session interface GigabitEthernet1/0/11
              Interface:  GigabitEthernet1/0/11
            MAC Address:  1078.d2fc.698c
             IP Address:  192.168.0.59
              User-Name:  10-78-D2-FC-69-8C
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-domain
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  81
                ACS ACL:  xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A0A6518000000010006F2B5
        Acct Session ID:  0x00000003
                 Handle:  0x0D000001
  Runnable methods list:
         Method   State
         mab      Authc Success
         dot1x    Not run
  my problem that the web browser does NOT direct automtically to the portal but it does manually when i copy the URL from the switch, any idea ?
  switch configuration
  boot-start-marker
  boot-end-marker
  logging monitor informational
  enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
  username cisco privilege 15 password 0 cisco
  username ise-rad-alive password 0 CICSOISEalive123
  aaa new-model
  aaa authentication login local local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
  client 10.10.20.13 server-key myshared
  client 10.10.20.14 server-key myshared
  aaa session-id common
  switch 1 provision ws-c2960s-24ps-l
  ip dhcp snooping vlan 1-2000
  no ip dhcp snooping information option
  ip dhcp snooping
  ip domain-name mycompany.com
  ip name-server 192.168.10.40
  ip device tracking probe use-svi
  ip device tracking
  ip admission name Webauth proxy http inactivity-time 60
  vtp mode transparent
  epm logging
  dot1x system-auth-control
  fallback profile Webauth
  ip access-group ACL-WEBAUTH-REDIRECT in
  ip admission Webauth
  spanning-tree mode pvst
  spanning-tree extend system-id
  interface GigabitEthernet1/0/11
  switchport mode access
  switchport voice vlan 93
  ip access-group ACL-ALLOW in
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 777
  authentication event server dead action authorize voice
  authentication host-mode multi-domain
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  mab
  dot1x pae authenticator
  spanning-tree portfast
  interface Vlan1
  no ip address
  shutdown
  interface Vlan80
  ip address 10.10.101.24 255.255.255.0
  ip default-gateway 10.10.101.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-AGENT-REDIRECT
  remark explicitly prevent DNS from being redirected to address a bug
  deny   udp any any eq domain
  remark redirect HTTP traffic only
  permit tcp any any eq www
  remark all other traffic will be implicitly denied from the redirection
  ip access-list extended ACL-ALLOW
  permit ip any any
  ip access-list extended ACL-DEFAULT
  remark DHCP
  permit udp any eq bootpc any eq bootps
  remark DNS
  permit udp any any eq domain
  remark Ping
  permit icmp any any
  remark PXE / TFTP
  permit udp any any eq tftp
  remark Drop all the rest
  deny   ip any any log
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny   ip any host 10.10.20.13
  deny   ip any host 10.10.20.14
  deny   ip any host 192.168.10.43
  deny   ip any host 192.168.10.40
  deny   ip any host 192.168.10.41
  deny   ip any host 192.168.10.42
  remark explicitly prevent DNS from being redirected to accommodate certain switches
  deny   udp any any eq domain
  remark redirect all applicable traffic to the ISE Server
  permit tcp any any eq www
  permit tcp any any eq 443
  ip radius source-interface Vlan80
  logging origin-id ip
  logging source-interface Vlan80
  logging host 10.10.20.11 transport udp port 20514
  logging host 10.10.20.12 transport udp port 20514
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
  radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
  radius-server vsa send accounting
  radius-server vsa send authentication

  Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct
  CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

• Cisco ISE - CWA AD Authentication

  Hello,
  I'm using a Cisco ISE on 1.3 and have a CWA portal setup for AD Auth. When a user connects to a particular SSID (from a WLC) that is setup for mac filtering, it redirects to a CWA via the Auth Policy. the CWA is disabled, they login, the device registers, etc.. and all is well. The next policy checks to see if the device is registered, and if so, bypasses the Auth. Which also works. However, any AD account can authenticate against the CWA, not the particular AD account I want. I don't know where to put the Auth Policy or what it looks like. Any help would be appreciated. I've tried a few combinations to no avail.
  Below are my current Auth Policies, as I mention above. They work, but the CWA validates any AD credential, not the group I want. Should a NetworkAccess:UseCase=GuestFlow go between the 2 policies perhaps?

  Hi Marc, what I meant by "desired_permissions" is what your environment/situation calls for. With that being said, returning back only "access_accept" with your "authorization profile" would work but at the same time it will give the authorized users/devices full access. So unless you have an ACL to Firewall off the guest users, you would need to return some additional attributes when trying to restrict/limit guest users/devices. 
  For instance, I like to use Policy Sets and dedicate a policy set per SSID and then either a general Policy Set for Wired or one Policy Set for Corporate Wired and one for Guest Wired. If  you don't use policy sets, then you should create one "authorization rule for Guest_Wired and one for Guest_Wireless. 
  For the Guest_Wired, you will need to return "access_accept" and then a "DACL Name" that you can create locally in ISE.
  For the Guest_Wireless, you will need to return "access_accept" and then a "Airspace ACL Name" That ACL is not a DACL (WLCs do not support DACLs). Instead, that is an ACL that you configure locally on the WLC, thus, the name must match on both ends and it is case sensitive! 
  Both the DACL and the "Airspace ACL" would contain rules that fit your environment/security requirements. Typically though you would have:
  1. Permit DNS- Needed for DNS resolution
  2. Permit access to ISE - Needed for the guest pages to properly load) 
  3. Deny any private/RFC 1918 addresses - Blocks guests from accessing internal hosts
  4. Permit everything else - Needed for general internet browsing
  I hope this helps!
  Thank you for rating helpful posts!

• Cisco ISE CWA issue

  Good Day,
  I have Cisco ISE 1.2 with Cisco 2960 NAD.
  I configured the authorization for the employee successfully, but my issue is with the guest users the link is not redirected.
  Please advise what I have put in the authentication policy default rule?? deny access ?
  And on the switch I should put the guest connect to a specific ports or I have to configure specific VLAN in the authorization profile?
  Appreciate your support,

  In your authorization policy you are giving your Wired-Guest the same result as Wired-Webauth.
  First time through you don't know he's a guest so he hits Wired-Webauth and gets redirected. Second time through, you have him in guest flow, so you know he's an authenticated guest, he hits Wired-Guest, but you send him the same permissions "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed for instance.

• ISE CWA redirect redundancy

  Hi
  If in a CWA authorization profile the IP address option is used for the redirection, how will this impact on redundancy ? For instance in my implementation with 2 ISE appliances, on the Primary Admin Node the CWA profile is configured with an IP address of x.x.x.110 which is the address of the Primary ISE appliance. When the primary appliance fails how will the secondary appliance handle the above cause the x.x.x.110 ip address will then be unavailable and the new ip should be x.x.x.109....? 

  If you check that box and set an IP address manually then all CWA requests will go to that IP/Host Name. If you want to have redundancy then you should leave that box unchecked. Doing that will allow ISE to use the FQDN of the Radius server that is currently serving that SSID. 
  I hope this helps!
  Thank you for rating helpful posts!

• ISE CWA Redirect URL customization

  Hi,
  Just wanted to know if we can change the redirect url. By default it starts with the hostname of ISE. I will have four PSN nodes and want that url is actually the Load Balancer Url rather than ISE node. Since ISE isintegrated with AD  domain.local so public certificate would not be possible. We are planning to install publecrt cert with differnt domain name likke domain.com. If some one has done it before please let me know
  Thanks
  Aijaz

  Hello,
  I went through your query and have found a link which I think would surely help you to solve your query:-
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• ISE CWA redirection problem for Apple devices

  Hi,
  I'm testing some guest scenarios (CWA) in my lab using ISE1.3 and WLC2504 (7.6.130).
  I have noticed that redirection to ISE portal doesn't work for apple devices (iOS 7 and later).All other devices like laptops,androids etc work fine.
  Seems that the workaround on WLC that bypasses the CNA on iDevices doesn't work in my case.The device tries to open the ISE portal and shows just a blank page (attached photo)
  The problem doesn't appear for devices with iOS 6 but only for newer versions.
  I've also tried with version 8.0 on WLC without success.
  Any advise?
  Regards. 

  Captive portal/wispr support for apple ios7
  CSCuj18674
  Description
  Symptom:
  When attempting to access the Guest Portal with an Apple iOS 7 device while the WLC "Captive Portal Bypass" feature is enabled, the web sheet on the device still appears, preventing the user from continuing the flow.
  Conditions:
  The Apple device is running Apple iOS 7.
  Workaround:
  In the ACL on the WLC used for captive portal redirection and exemption of special traffic for the Guest Portal, add exemptions for the IP resources that resolve from "www.appleiphonecell.com" and "captive.apple.com" FQDNs.
  IMPORTANT NOTE: These IP addresses are associated with the FQDNs of "www.appleiphonecell.com" and "captive.apple.com" and are subject to change by the entities hosting those domains. If the IP addresses do change, the ACL would need to reflect that.

• Cisco ISE URL Redirect Update

  I made a mistake configuring the domain-name on my ISE appliance.  I issued to the no ip domain-name and then added the domain-name I'd like to show up.  It seems to have partially worked, as the FQDN on the appliance is now correct but the redirect URL on my wireless LAN controller is still redirecting to the old domain. 
  EX: WLC redirect: ise1.xyz.net
       ISE FQDN: ise1.abc.net
  Any ideas on how to change that?

  Although you have changed the  domain-name on the ISE appliance but still the output on WLC shows the  older domain for url redirect.The reason behind is that the domain  name(FQDN) which is present as the common name(CN) on the certificate of  the server is still the old-domain name.

• CWA redirect failure

  I have a situation where DNS cannot be used for redirecting on CWA, so I have had to create a auth profile that has manual entries in it that redirects the guest to the IP address of the guest portal, rather than the DNS name.
  The attribute is configured with the following:
  cisco-av-pair = url-redirect=https://x.x.x.x:8443/guestportal/Login.action
  cisco-av-pair = url-redirect-acl=cwa
  The redirection works, and the guest is prompted with a login screen, but as soon as they are authenticated they receive a error page stating that the resource is not found, with the resource being /guestportal.
  The URL that it is trying to reach is https://x.x.x.x:8443/guestportal/guest/redir.html
  Has anyone managed to configure CWA to use the IP address rather than the DNS name, and go around this issue?

  Hi
  You can configure custom portal to perform Client Provisioning and Posture. If you select this option, the guest login flow performs a CWA and the guest portal will be redirected to Client Provisioning after performing AUP and change password checks. In this case, the posture subsystem performs a CoA to the NAD to re-authenticate the client connection once the posture has been assessed.
  If Vlan Dhcp Release is selected under Multi-Portal Configurations, posture will perform the client side IP release and renew operation. Check the Vlan Dhcp Release option to refresh Windows clients IP address after VLAN change in both wired or wireless environments for Guest with posture.
  This affects the CWA user login flow when the network access during the final authorization switches the guest VLAN to a new VLAN. In this case, the old IP of the guest needs to be released before the VLAN change and a new guest IP needs to be requested through DHCP once the new VLAN access is in place. The Cisco ISE server redirects the guest browser to download an applet to perform the IP release renew operation.

• Dual Node CWA Redirect

  Hi,
  we are using two ISE nodes for guest authentication (CWA) in our wireless network. We have an inside interface (eth0) on the ISE and a public interface (eth1), accessable for the wireless clients.
  At the moment i make a redirect to the ip address of the primary ISE: 
  For backup purposes, this is not a good idea. So I tried to configure an ip host 10.x.x.x FQDN with the ip address of eth1 and the FQDN of eth1 and removed the static host parameter in the common tasks of the CWA configuration page.
  But then the wireless guests will be redirected to the FQDN of eth0, which is the wrong IP and not reachable for him.
  What am i doing wrong?
  ISE Version is 1.2.1 and i restarted the services after configuring the ip host part.

  Hi
  You can configure custom portal to perform Client Provisioning and Posture. If you select this option, the guest login flow performs a CWA and the guest portal will be redirected to Client Provisioning after performing AUP and change password checks. In this case, the posture subsystem performs a CoA to the NAD to re-authenticate the client connection once the posture has been assessed.
  If Vlan Dhcp Release is selected under Multi-Portal Configurations, posture will perform the client side IP release and renew operation. Check the Vlan Dhcp Release option to refresh Windows clients IP address after VLAN change in both wired or wireless environments for Guest with posture.
  This affects the CWA user login flow when the network access during the final authorization switches the guest VLAN to a new VLAN. In this case, the old IP of the guest needs to be released before the VLAN change and a new guest IP needs to be requested through DHCP once the new VLAN access is in place. The Cisco ISE server redirects the guest browser to download an applet to perform the IP release renew operation.

• ISE url-redirect CWA to Gig1

  Hello,
  say I want to have five ISE 1.3 nodes behind load balancer, I want only only G0 behind LB, and G1 interfaces will be dedicated for certain things. Specifically I want to use G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc). RADIUS auth will happen through LB on G0 of some specific PSN, and that PSN will url-redirect user to the CWA URL.
  How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check result authorization profile, there is no option there, it's just ip:port. Obviously, that's not the right place, because which PSN is used to processed the policy is unpredictable.
  So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
  But then, why does it let me choose multiple interfaces, what happens if I select all of them?
  Am I missing another spot in ISE admin where I can control this?
  Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
  Thanks!

  Take a look at the following document:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
  Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
  • Cisco ISE management is restricted to Gigabit Ethernet 0.
  • RADIUS listens on all network interface cards (NICs).
  • All NICs can be configured with IP addresses.
  So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with. 
  I hope this helps!
  Thank you for rating helpful posts!

• ISE 1.2 CWA Redirect URL

  Hi,
  Just wondered was there anyway to manipulate what webauth URL is sent to a client in the redirect string. Currently my ISE sends clients the internal machine name, I was wondering if there was anyway I can change this.
  I know on local webauth on the WLC you can set external URL's, does this feature exist in the ISE?
  TIA
  -G
  Sent from Cisco Technical Support iPad App

  Users Are Not Appropriately Redirected to URL
  Symptoms or Issue
  Administrator   receives one or more "Bad URL" error messages from Cisco ISE.
  Conditions
  This   scenario applies to 802.1X authentication as well as guest access sessions.
  Click   the magnifying glass icon in Authentications to launch the Authentication   Details. The authentication report should have the redirect URL in the RADIUS   response section as well as the session event section (which displays the   switch syslog messages).
  Possible   Causes
  Redirection   URL is entered incorrectly with invalid syntax or a missing path component.
  Resolution
  Verify   that the redirection URL specified in Cisco ISE via Cisco-av pair "URL   Redirect" is correct per the following options:
  •CWA   Redirection URL:   https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  •802.1X   Redirection URL:   url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

• CWA using Cisco ISE issue

  Good morning everyone,
  I have some trouble to use my Cisco ISE to do Central Web Authentication. I followed this following configuration example : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
  But for the moment, clients can't seee the web portal. My WLC and my Cisco ISE are well configured as presented in the document, when clients connect to the AP, they are listed into the Cisco ISE with the good authorization profile but, the URL redirection doesn't work as well as I want, clients have to enter manually the IP address in the web browser to log-in trough the Cisco ISE.
  If anyone already had this problem, maybe could tell me more about that.
  Thanks in advance!

  Good news!
  I have resolved my problem 15 minutes ago. For people who have the same problem, I have just changed my static route in my WLC. The issue was that I broadcast the same VLAN used for the management interface and in adding the network allowing admin to reach service-port, all traffic of my broadcasted VLAN was sent to the service-port. A simple netmask modification resolved the problem.
  I have still a problem with CoA which doesn't work properly and I have to disconnect/reconnect to the SSID to have a complete access but I'm going to continue my research for that.
  Thanks all for your help !!!!

• Cisco ISE - Not use FQDN in url-redirect parameter

  Hi,
  I am using Cisco ISE Central Web Authentication for Guest Wireless. Clients are redirected for web authentication to: https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa as it is specified by the url-redirect parameter in the Authorization Profile.
  The “ip” field in the url is now replaced by the FQDN of the Cisco ISE, but I want to use the IP address instead of the FQDN. Is there any way to do that?
  As far as I know in version 1.2 you can use the “ip host/no ip host” command to indicate what you want to use in the URL. However my Cisco ISE is running version 1.1.1.268.
  Thank you very much.
  Joana.

  Available in 1.2, and available as a "bit of a bodge" in 1.1.x  (read "a lot of a bodge")
  If you only have one PSN then you may be able to get it to work, but after that you lose the ability to get the session to be pointed automatically at whichever PSN they hit initially so it would break.
  Copy the settings that are applied when you use CWA, then create your own based on the same settings but using the ip address pasted in there instead.