CWA ISE Apple redirection

What can be the reason that Apple devices 8.0 cant be redirected to ISE web portal, WLC image 7.4.121.0, Apple device just stucks in redirection process and nothing happens, i used config network web-auth captive-bypass enable command, it doesnt help, all other non-apple devices redirected fine, thank you

Problem resolved by adding 
dhcp domain-name xxx.local to dhcp server configurations
using config network web-auth redirect bypass enable command on wlc
after that Apple device are able to be redirected 

Similar Messages

  • ISE url-redirect CWA to Gig1

    Hello,
    say I want to have five ISE 1.3 nodes behind load balancer, I want only only G0 behind LB, and G1 interfaces will be dedicated for certain things. Specifically I want to use G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc). RADIUS auth will happen through LB on G0 of some specific PSN, and that PSN will url-redirect user to the CWA URL.
    How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check result authorization profile, there is no option there, it's just ip:port. Obviously, that's not the right place, because which PSN is used to processed the policy is unpredictable.
    So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
    But then, why does it let me choose multiple interfaces, what happens if I select all of them?
    Am I missing another spot in ISE admin where I can control this?
    Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
    Thanks!

    Take a look at the following document:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
    Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
    • Cisco ISE management is restricted to Gigabit Ethernet 0.
    • RADIUS listens on all network interface cards (NICs).
    • All NICs can be configured with IP addresses.
    So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with. 
    I hope this helps!
    Thank you for rating helpful posts!

  • Apple Devices ISE GUEST REDIRECT

    Dears,
    All our devices connecting to corporate SSID and Guest SSID
    when connecting to Guest SSID all devices connect and  been redirected to  ISE Guert portal
    BUT APPLE devices just stays on loading page to Ise server page for guest portal and nothing happens
    i used 
    config network captive bypass command and reboot it doesnt help

    You need to do a bit more testing. What I would do is create a new WLAN for testing using the internal auth portal and define the WLAN the same as your guest with the exception of radius, aaa override and radius nac. Have user use that and your self use that on your phone and see if you have to login every so often. Right now, every hour the users device goes to sleep (iOS especially), they would need to login again.  Maybe your aaa is overwriting the timer or something else, that's why testing with a different wlan will help you understand if it's a radius, WLC, or maybe device issues.  You only have one WLC so roaming shouldn't break this  
    -Scott

  • CWA/ISE/WLC - client timeout when redirected to portal.

    Problem: When connecting to the CWA ssid, the client gets redirected to: https://lab-ise01.lab.local:8443/guestportal/gateway?sessionId=3c02a8c00000000878430a51&action=cwa
    but the link times out.
    I'm currently following this guide: https://supportforums.cisco.com/docs/DOC-26442
    Any thoughts or suggestions are appreciated.
    Info: ISE 1.1.1 and vWLC 7.3.101.0 is installed on vmware. Identity Source: Internal Users. AP is in FlexConnect mode. MAC filtering enable, no layer 3 security. Allow AAA Override enabled. Radius NAC enabled.
    Topology:
    Win7/iPad -  -  - AP----labswitch-----switch-----switch-----VMware
    (Traffic does not pass through FW and there are no ACL on the switches.)
    ACL on WLC:
    Client on WLC

    Hi all.
    Accoding with this behaviour, I have a similar problem with the renew of the IP address. In a similar scenario (ISE1.1.2 + vWLC 7.3.101. + CWA + DVLAN assigment); for test purposses I need to use the AP in flexconnect mode with central control and traffic data due to vWLC does not support APs in a local mode.
    Applying WCA in a SSID with a "non-routed" interface and two interfaces for both different profiles. Client passes CWA profile in "non route" subnet when redirected;  after a successful web authetication ISE sends to WLC the new attributes including the new VLAN, new ACL and the access-accept, but the client is not trying to change the IP address through DHCP.
    I use two rules for authentication
    First: Guest Redirection; condition "Wireless MAB" then "WLC-CWA" (central authentication - ACL-POSTURE-REDIRECT)
    Second (This rule above the first) Guest Traffic; Condition "Network access: UseCase EQUALS GuestFlow) then "Guest Permit Access"(with includes new vlan assigment in function of the role based - new ACL asigment - Termination-Action=0)
    WLC shows me the data correctly, it changes the interface, the ACL and changes the client status to RUN but maintains the IP address belonging to the old VLAN (non-routed vlan)
    Could be possible that this bug will be hitting me?
    Are there any Radius Attribute to force a DHCP IP procces for this devices?
    Thanks in advanced.
    Best Regards.

  • Https redirection issue for Wireless Guest CWA - ISE 1.3

    Our Setup is
    ISE 1.3 (Patch level 2) running on ACS 1121
    2 nodes clustered with Admin, monitoring, policy service enabled ( Primary and Secondary ).
    Configured SSID Guest for Centralized web authentication with ISE.
    We have issues in web redirection with chrome . It is not redirecting to the ISE page but rather showing " Page cannot be displayed".
    By default chrome is pointing to https. For example if we type https://google.com it is not redirecting to ISE page. But when I specify the same as http://google.com it works.
    There is no issue with IE, Firefox as it is redirecting to ISE page with default https and i can see it is hitting our rule.
    Please advice.

    Hi Neno
    They are using a third party certificate (digi cert) for client auth. They have confirmed even if they use a self-signed-cert the result is same.
    So basically none of the https page is not loading. If we manually browse some https site from Firefox, IE the result is same showing " page cannot be displayed".
    Redirection to https is the problem which i have never faced with my other customer. This is the upgraded version of ISE from 1.2 to 1.3.

  • Ise: Url redirection not working

    everything should be ok on ise and switch
    the switch is configured with its own ip on the vlan (22)
    PS is on vlan (44)
    and ise is configured for web authentication policy to occurr on the logon vlan (33)
    the service is reachable by inputting the policy service ip address on port 8443, authentication is successful, acl downloaded and redirect url pushed properly to the switch but redirect never occurrs,
    instead a blank page (host not reachable) is displayed
    the clients on vlan 33 can resolve dns without problems
    the firewall has been set to make the vlan 44 and 33 talk each other on port 80,443,8443
    it looks like the switch's http/s-server is not making any difference maybe because it is on another vlan though it is routed
    can someone help me?
    i would really appreciate a flow chart on how web redirect works in ise and tge role of the http server
    ps the switch does not support the ip route command

    however not everithing is working as it should, sometimes the acl are not pushed properly and the redirect acl does not show any hit (often), sometimes the centralwebauth acl is not pushed properly and the show ip access list interface results in blank output
    interface GigabitEthernet1/0/10
    description Porte dot1x - voip ISE
    switchport access vlan 300
    switchport mode access
    switchport voice vlan 818
    ip access-group ACL-ALLOW in
    srr-queue bandwidth share 1 30 35 5
    queue-set 2
    priority-queue out
    authentication event fail action next-method
    authentication event server dead action authorize vlan 300
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    mls qos trust cos
    dot1x pae authenticator
    dot1x timeout tx-period 10
    auto qos trust
    spanning-tree portfast
    spanning-tree bpduguard enable
    end
    the show auth sessiond for the interface is
                Interface:  GigabitEthernet1/0/10
              MAC Address:  20cf.3017.645b
               IP Address:  172.31.105.132
                User-Name:  20-CF-30-17-64-5B
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  300
                  ACS ACL:  xACSACLx-IP-CentralWebAuth-5062f332
         URL Redirect ACL:  redirect
             URL Redirect:  https://ISEC3395.omitted.omitted:8443/guestportal/gateway?sessionId=AC1F552F0000000A001A6FD2&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1F552F0000000A001A6FD2
          Acct Session ID:  0x0000000D
                   Handle:  0x7C00000A

  • ISE posture redirect not working

    ISE v1.1.0.665, 3395 h/w.
    Single Admin/Monitor/Policy node.
    WS-C3560-48TS      12.2(55)SE5           C3560-IPBASEK9-M
    For Client Provisioning I created an authorisation policy as follows:
    download acl "ACL-POSTURE-REMEDIATION"
    apply url redirect "ACL-POSTURE-REDIRECT".
    "Debug radius" shows all this is downloaded to the switch but:
    - Redirect does not work.
    - dACL is not applied if the URL redirect is also configured.
    Wireshark on the client shows no direct.
    Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.
    I've also attached screen shots of these policies and wireshark.

    Grant,
    It looks like you are changing the vlan after your client gets an ip address, it seems like the client gets an ip address of
    192.168.16.164 and you are changing the vlan over to 516. I wanted to know if that is there isnt an ip to vlan mismatch before you move forward. If 516 is quarantine vlan you may want to start all clients on that vlan and use dynamic vlan assignment through change of authorization once a client becomes compliant. The reason is is that you can use the web portal, or the nac agent to change the ip address once the vlan is changed.
    Thanks,
    Tarik Admani

  • ISE Url Redirecting

    HI,
    I have a layer 3 ISE policy node configuration with my asa for remote access vpn configuration.
    my user gets authenticated but when i open the web-browser the the url redirect doesnt happen. i have to manually do this.
    is there something which i am missing? please let me know?
    any help or ideas will be helpful.
    thanks
    Nitesh

    Nitesh,
    In the WLC make sure you have it set to "Redirect to External Server", also, almost always, its a problem with how you have your ACLs configured, because you want to "Force redirection to ISE Guest Server" by using the ACLs, therefore, you must have a redirect ACL in place.

  • ISE no redirect to origin URL after guest login

    Hi, is there a possibility to redirect a guest user to the origin URL after he logged in successfully?
    Right now the attached file is what the user sees after login.
    Thanks!

    The first method is local web authentication. In this case, the WLC  redirects the HTTP traffic to an internal or external server where the  user is prompted to authenticate. The WLC then fetches the credentials  (sent back via an HTTP GET request in the case of an external server)  and makes a RADIUS authentication. In the case of a guest user, an  external server (such as Identity Services Engine (ISE) or NAC Guest  Server (NGS)) is required because the portal provides features such as  device registering and self-provisioning. The flow includes these steps:
    The user associates to the web authentication Service Set Identifier (SSID).
    The user opens the browser.
    The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
    The user authenticates on the portal.
    The guest portal redirects back to the WLC with the credentials entered.
    The WLC authenticates the guest user via RADIUS.
    The WLC redirects back to the original URL.
    This  flow includes several redirections. The new approach is to use central  web authentication. This method works with ISE (versions later than 1.1)  and WLC (versions later than 7.2). The flow includes these steps:
    The user associates to the web authentication SSID, which is in fact open+macfiltering and no layer 3 security.
    The user opens the browser.
    The WLC redirects to the guest portal.
    The user authenticates on the portal.
    The  ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) to  indicate to the controller that the user is valid, and eventually pushes  RADIUS attributes such as the Access Control List (ACL).
    The user is prompted to retry the original URL.

  • Cisco ISE URL Redirect Update

    I made a mistake configuring the domain-name on my ISE appliance.  I issued to the no ip domain-name and then added the domain-name I'd like to show up.  It seems to have partially worked, as the FQDN on the appliance is now correct but the redirect URL on my wireless LAN controller is still redirecting to the old domain. 
    EX: WLC redirect: ise1.xyz.net
         ISE FQDN: ise1.abc.net
    Any ideas on how to change that?

    Although you have changed the  domain-name on the ISE appliance but still the output on WLC shows the  older domain for url redirect.The reason behind is that the domain  name(FQDN) which is present as the common name(CN) on the certificate of  the server is still the old-domain name.

  • [WLC - CWA] [ISE] Wlan Portal with Local Switiching

    Description: Guest Portal ISE (WLAN) in a Flexconnect local switching enviorment.
    Problem: The communication stops everytime we turn on the feature Radius NAC on the WLC.
    We are trying to use Central WebAuth in a Flexconnect environment and with so the procedure that we are using it´s the one that´s available in the cisco DOCS ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html ) but there´s something occuring in my setup. I´ve configured step by step the WLC and ISE in accordance with previous DOC but I can´t establish communication everytime I turn on the feature RADIUS NAC in the WLC.
    All the ACL´s were configured, I can see the ISE policy beeing sent to the client but when the PC tries to establish the connection to him nothing leaves the PC ( a simple ping was done ). I´ve tried a bunch of setups to see if it was a misconfiguration or something else but at the end , everytime I trun on the NAC feature the final client looses all the comms to anywere.
    You can see in the following attachment the setup of WLC, and AP with flexconnect groups (I´ve also tried without a group but the final result was the same)
    We are using a WLC 5500 with 7.6.120.0 ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76.html ) and the only thing I can foun is a simple note stating,
    "Flex local switching with Radius NAC support is added in Release 7.2.110.0. It is not supported in 7.0 Releases and 7.2 Releases. Downgrading 7.2.110.0 and later releases to either 7.2 or 7.0 releases will require you to reconfigure the WLAN for Radius NAC feature to work."
    In the Flexconnect Feature Matrix the RADIUS NAC is supported in a local switching enviorment ( http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html?referring_site=RE&pos=3&page=http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html) but what  we´ve found out so far it´s  the other way around.
    Another thing that we´ve found is that in the version 7.4 configuration guide ( http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0110100.html#ID2372 ) cisco says that the "FlexConnect local switching is not supported."
    So, after seeing several docs my question is: Does Cisco support Radius NAC in a local switching environment ?

    Viten,
    tnx for the quick reply but,
    a) what do you mean by webauth ( http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html) ?
    b) When I say comms stop is that I´m simple using ping as a test to see what happens in the client.Whenever I activate the radius feature the final client (laptop) ceases all comms in a local switching environment.
    BR,
    DS

  • Wireless Anchor SSID for CWA ISE 1.3

    Hello Team,
    Trying to follow this guide: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
    We are trying to enable for a guest access with an anchored WLC.
    However when we create the SSID with mac filtering, the local WLC is putting the mac address of the client in to the excluded clients list, instead of passing on the auth to the foreign DMZ WLC anchor.
    I have created the SSID with correct anchors.
    Any Ideas? Maybe this option doesn't actually work with anchor?

    "However when we create the SSID with mac filtering, the local WLC is putting the mac address of the client in to the excluded clients list, instead of passing on the auth to the foreign DMZ WLC anchor."
    In the anchoring scenario, the AAA authentication comes from the Foreign not the Anchor as it is layer 2 authentication.
    Make sure your Local WLC is able to authenticate the user.
    Steve

  • IOS CWA Redirect - ISE - Safari

    I do not believe I can be the only one with this issue, not when I have it at two sites and with the original installs being done by different people.
    Is anyone else having issues with Safari properly being redirected to ISE CWA by IOS redirection?
    I have this issue on 3750X for wired clients, and on a 3850 NGWC for wireless clients.  What makes this unique is that the only thing similar to this deployment is the Macbooks running with Safari.
    My troubleshooting seems to point at an issue with Safari not liking the redirect based upon the switch(3850,3750X) certificate.  Firefox and Chrome both work without issues on the test Macbooks.  I'm unable to find anything in the Bugtoolkit about it.
    If using Safari on Cisco switch for CWA is unsupported, please provide a link to Cisco document detailing it.

    This issue has been resolved.  It turned out that the Macbook was trying to do a crl download to confirm that the certificate was valid.  I am pretty sure it was becuase the cheapest GoDaddy certificate was used and the intermediate certificate isn't always found in the default Mac certificate store.  Firefox works because they handle CRL checks differently.
    I had two different resolutions as I had the problem at two different customers/sites.
    First test was allowing access to crl.godaddy.com.  After I excluded this IP address from the redirect and permitted it in the dACL - Safari was able to correctly redirect to the CWA portal page.
    At another site, due to the centralized management of the Macbooks, we utilized Mac OS X Server to create a profile in Profile Manager that included the GoDaddy Intermediate certificate and pushed that out to all macbooks to resolve the issue.
    In addition - and worthy of note.  If you are doing posturing and the ISE certificate is not trusted on Apple, the same sort of CRL check will occur and the NAC Agent will never posture the endpoint.
    tl;dr - Doublecheck Certificate trust settings on Apple because they are evil.

  • ISE 1.2 CWA Redirect URL

    Hi,
    Just wondered was there anyway to manipulate what webauth URL is sent to a client in the redirect string. Currently my ISE sends clients the internal machine name, I was wondering if there was anyway I can change this.
    I know on local webauth on the WLC you can set external URL's, does this feature exist in the ISE?
    TIA
    -G
    Sent from Cisco Technical Support iPad App

    Users Are Not Appropriately Redirected to URL
    Symptoms or Issue
    Administrator   receives one or more "Bad URL" error messages from Cisco ISE.
    Conditions
    This   scenario applies to 802.1X authentication as well as guest access sessions.
    Click   the magnifying glass icon in Authentications to launch the Authentication   Details. The authentication report should have the redirect URL in the RADIUS   response section as well as the session event section (which displays the   switch syslog messages).
    Possible   Causes
    Redirection   URL is entered incorrectly with invalid syntax or a missing path component.
    Resolution
    Verify   that the redirection URL specified in Cisco ISE via Cisco-av pair "URL   Redirect" is correct per the following options:
    •CWA   Redirection URL:   https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    •802.1X   Redirection URL:   url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

  • ISE - CWA Redirection

    HI
    i am trying to implement guest portal and i have configure the ISE and switch to redirect guests and i see the whole process goes will when i issue
    show authentication session interface GigabitEthernet1/0/11
                Interface:  GigabitEthernet1/0/11
              MAC Address:  1078.d2fc.698c
               IP Address:  192.168.0.59
                User-Name:  10-78-D2-FC-69-8C
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  81
                  ACS ACL:  xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A6518000000010006F2B5
          Acct Session ID:  0x00000003
                   Handle:  0x0D000001
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    my problem that the web browser does NOT direct automtically to the portal but it does manually when i copy the URL from the switch, any idea ?
    switch configuration
    boot-start-marker
    boot-end-marker
    logging monitor informational
    enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
    username cisco privilege 15 password 0 cisco
    username ise-rad-alive password 0 CICSOISEalive123
    aaa new-model
    aaa authentication login local local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    client 10.10.20.13 server-key myshared
    client 10.10.20.14 server-key myshared
    aaa session-id common
    switch 1 provision ws-c2960s-24ps-l
    ip dhcp snooping vlan 1-2000
    no ip dhcp snooping information option
    ip dhcp snooping
    ip domain-name mycompany.com
    ip name-server 192.168.10.40
    ip device tracking probe use-svi
    ip device tracking
    ip admission name Webauth proxy http inactivity-time 60
    vtp mode transparent
    epm logging
    dot1x system-auth-control
    fallback profile Webauth
    ip access-group ACL-WEBAUTH-REDIRECT in
    ip admission Webauth
    spanning-tree mode pvst
    spanning-tree extend system-id
    interface GigabitEthernet1/0/11
    switchport mode access
    switchport voice vlan 93
    ip access-group ACL-ALLOW in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 777
    authentication event server dead action authorize voice
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    spanning-tree portfast
    interface Vlan1
    no ip address
    shutdown
    interface Vlan80
    ip address 10.10.101.24 255.255.255.0
    ip default-gateway 10.10.101.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-AGENT-REDIRECT
    remark explicitly prevent DNS from being redirected to address a bug
    deny   udp any any eq domain
    remark redirect HTTP traffic only
    permit tcp any any eq www
    remark all other traffic will be implicitly denied from the redirection
    ip access-list extended ACL-ALLOW
    permit ip any any
    ip access-list extended ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Drop all the rest
    deny   ip any any log
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny   ip any host 10.10.20.13
    deny   ip any host 10.10.20.14
    deny   ip any host 192.168.10.43
    deny   ip any host 192.168.10.40
    deny   ip any host 192.168.10.41
    deny   ip any host 192.168.10.42
    remark explicitly prevent DNS from being redirected to accommodate certain switches
    deny   udp any any eq domain
    remark redirect all applicable traffic to the ISE Server
    permit tcp any any eq www
    permit tcp any any eq 443
    ip radius source-interface Vlan80
    logging origin-id ip
    logging source-interface Vlan80
    logging host 10.10.20.11 transport udp port 20514
    logging host 10.10.20.12 transport udp port 20514
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
    radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
    radius-server vsa send accounting
    radius-server vsa send authentication

    Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct
    CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

Maybe you are looking for