CWA redirect failure

I have a situation where DNS cannot be used for redirecting on CWA, so I have had to create an auth profile with manual entries in it that redirect the guest to the IP address of the guest portal, rather than the DNS name.
The attribute is configured with the following:
cisco-av-pair = url-redirect=https://x.x.x.x:8443/guestportal/Login.action
cisco-av-pair = url-redirect-acl=cwa
The redirection works, and the guest is prompted with a login screen, but as soon as they are authenticated they receive an error page stating that the resource is not found, with the resource being /guestportal.
The URL that it is trying to reach is https://x.x.x.x:8443/guestportal/guest/redir.html
Has anyone managed to configure CWA to use the IP address rather than the DNS name, and get around this issue?

Hi
You can configure a custom portal to perform Client Provisioning and Posture. If you select this option, the guest login flow performs a CWA and the guest portal will be redirected to Client Provisioning after performing the AUP and change-password checks. In this case, the posture subsystem performs a CoA to the NAD to re-authenticate the client connection once the posture has been assessed.
If Vlan Dhcp Release is selected under Multi-Portal Configurations, posture will perform the client-side IP release and renew operation. Check the Vlan Dhcp Release option to refresh Windows clients' IP address after a VLAN change in both wired and wireless environments for Guest with posture.
This affects the CWA user login flow when the network access during the final authorization switches the guest VLAN to a new VLAN. In this case, the old IP of the guest needs to be released before the VLAN change and a new guest IP needs to be requested through DHCP once the new VLAN access is in place. The Cisco ISE server redirects the guest browser to download an applet to perform the IP release/renew operation.

Similar Messages

  • ISE 1.2 CWA Redirect URL

    Hi,
    Just wondered whether there was any way to manipulate what webauth URL is sent to a client in the redirect string. Currently my ISE sends clients the internal machine name; I was wondering if there was any way I can change this.
    I know on local webauth on the WLC you can set external URLs. Does this feature exist in the ISE?
    TIA
    -G
    Sent from Cisco Technical Support iPad App

    Users Are Not Appropriately Redirected to URL
    Symptoms or Issue
    Administrator receives one or more "Bad URL" error messages from Cisco ISE.
    Conditions
    This scenario applies to 802.1X authentication as well as guest access sessions.
    Click the magnifying glass icon in Authentications to launch the Authentication Details. The authentication report should have the redirect URL in the RADIUS response section as well as the session event section (which displays the switch syslog messages).
    Possible Causes
    Redirection URL is entered incorrectly with invalid syntax or a missing path component.
    Resolution
    Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct per the following options:
    • CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    • 802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

  • ISE - CWA Redirection

    Hi
    I am trying to implement a guest portal. I have configured the ISE and the switch to redirect guests, and I see the whole process going well when I issue
    show authentication session interface GigabitEthernet1/0/11
                Interface:  GigabitEthernet1/0/11
              MAC Address:  1078.d2fc.698c
               IP Address:  192.168.0.59
                User-Name:  10-78-D2-FC-69-8C
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  81
                  ACS ACL:  xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A6518000000010006F2B5
          Acct Session ID:  0x00000003
                   Handle:  0x0D000001
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    My problem is that the web browser does NOT redirect automatically to the portal, but it does work manually when I copy the URL from the switch. Any idea?
    Switch configuration:
    boot-start-marker
    boot-end-marker
    logging monitor informational
    enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
    username cisco privilege 15 password 0 cisco
    username ise-rad-alive password 0 CICSOISEalive123
    aaa new-model
    aaa authentication login local local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    client 10.10.20.13 server-key myshared
    client 10.10.20.14 server-key myshared
    aaa session-id common
    switch 1 provision ws-c2960s-24ps-l
    ip dhcp snooping vlan 1-2000
    no ip dhcp snooping information option
    ip dhcp snooping
    ip domain-name mycompany.com
    ip name-server 192.168.10.40
    ip device tracking probe use-svi
    ip device tracking
    ip admission name Webauth proxy http inactivity-time 60
    vtp mode transparent
    epm logging
    dot1x system-auth-control
    fallback profile Webauth
    ip access-group ACL-WEBAUTH-REDIRECT in
    ip admission Webauth
    spanning-tree mode pvst
    spanning-tree extend system-id
    interface GigabitEthernet1/0/11
    switchport mode access
    switchport voice vlan 93
    ip access-group ACL-ALLOW in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 777
    authentication event server dead action authorize voice
    authentication host-mode multi-domain
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    spanning-tree portfast
    interface Vlan1
    no ip address
    shutdown
    interface Vlan80
    ip address 10.10.101.24 255.255.255.0
    ip default-gateway 10.10.101.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-AGENT-REDIRECT
    remark explicitly prevent DNS from being redirected to address a bug
    deny   udp any any eq domain
    remark redirect HTTP traffic only
    permit tcp any any eq www
    remark all other traffic will be implicitly denied from the redirection
    ip access-list extended ACL-ALLOW
    permit ip any any
    ip access-list extended ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Drop all the rest
    deny   ip any any log
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny   ip any host 10.10.20.13
    deny   ip any host 10.10.20.14
    deny   ip any host 192.168.10.43
    deny   ip any host 192.168.10.40
    deny   ip any host 192.168.10.41
    deny   ip any host 192.168.10.42
    remark explicitly prevent DNS from being redirected to accommodate certain switches
    deny   udp any any eq domain
    remark redirect all applicable traffic to the ISE Server
    permit tcp any any eq www
    permit tcp any any eq 443
    ip radius source-interface Vlan80
    logging origin-id ip
    logging source-interface Vlan80
    logging host 10.10.20.11 transport udp port 20514
    logging host 10.10.20.12 transport udp port 20514
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
    radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
    radius-server vsa send accounting
    radius-server vsa send authentication

    Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct
    CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp
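    The two documented formats quoted in this reply (and in the "Bad URL" troubleshooting text earlier on the page) can be checked mechanically against whatever value the switch actually received. The following is an added example, not ISE or Cisco code: it pulls the url-redirect value out of a cisco-av-pair or a "URL Redirect:" line from show authentication session and reports each deviation from the documented gateway format. The expected port, path and action values come from the text above; the check that the literal SessionIdValue placeholder was substituted assumes ISE replaces it with the real session ID before sending the attribute.

```python
"""Check an ISE url-redirect value against the documented formats:
    https://<host>:8443/guestportal/gateway?sessionId=<id>&action=cwa|cpp
Added example, not ISE code. Port, path and action values are taken from the
troubleshooting text on the page; the placeholder check assumes ISE replaces
the literal SessionIdValue with the real session ID."""
import ipaddress
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

EXPECTED_PORT = 8443
EXPECTED_PATH = "/guestportal/gateway"
VALID_ACTIONS = {"cwa", "cpp"}
URL_RE = re.compile(r"https?://\S+")


def extract_redirect_url(line: str) -> Optional[str]:
    """Pull the URL out of a 'cisco-av-pair=url-redirect=https://...' attribute
    or a 'URL Redirect:  https://...' line from 'show authentication session'."""
    match = URL_RE.search(line)
    return match.group(0) if match else None


def host_is_ip(url: str) -> bool:
    """True when the redirect host is a literal IP: guests then need no DNS, but
    the portal certificate must be valid for that IP or browsers will warn."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def check_redirect_url(url: str) -> List[str]:
    """Return the deviations from the documented format; an empty list means OK."""
    problems: List[str] = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected https")
    try:
        port = parts.port
    except ValueError:  # e.g. a literal 'ip:port' placeholder left in place
        port = None
    if port != EXPECTED_PORT:
        problems.append(f"port is {port}, expected {EXPECTED_PORT}")
    if parts.path != EXPECTED_PATH:
        problems.append(f"path is {parts.path!r}, expected {EXPECTED_PATH}")
    query = parse_qs(parts.query)
    session_id = query.get("sessionId", [""])[0]
    if not session_id:
        problems.append("sessionId parameter missing")
    elif session_id == "SessionIdValue":
        problems.append("sessionId placeholder was not substituted with a real session ID")
    action = query.get("action", [""])[0]
    if action not in VALID_ACTIONS:
        problems.append(f"action is {action!r}, expected one of {sorted(VALID_ACTIONS)}")
    return problems


# Constructed inputs: the switch output and RADIUS details quoted in the threads
SAMPLE_LINES = [
    "URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway"
    "?sessionId=0A0A6518000000010006F2B5&action=cwa",
    "cisco-av-pair=url-redirect=https://172.24.24.41:8443/guestportal/gateway"
    "?sessionId=ac18180a000024a45151d92d&action=cwa",
    "cisco-av-pair = url-redirect=https://x.x.x.x:8443/guestportal/Login.action",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        url = extract_redirect_url(line)
        tag = " (IP host)" if host_is_ip(url) else ""
        print(url + tag, "->", check_redirect_url(url) or "OK")
```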

  • Cisco ISE - CWA Redirect

    Why are the ISE nodes needed to be defined in the web authentication redirect acl that is configured locally on the switch?
    All the documentation that I've found states this. I've set up my 2-year-old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories, I don't understand why the ISE nodes need to be defined in the switch redirect ACL. I am now testing with a simple "redirect www & 443" ACL and it is working as expected.
    The client connects to the network and, for our environment, is requested to do dot1x until that times out and then it shifts to mab. At which point, I do not have an authz rule defined for my test machine and therefore matches my catch-all authz rule of CWA which sends a CWA DACL. The switch lays the acls on the interface in this order: 1. Redirect 2. DACL 3. PACL. In my DACL I have access to the ISE nodes allowed (just to be safe) and the redirection still works because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is 8443).
    Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore need them to be defined in the CWA redirect ACL local to the switch?

    Poonam,
    I appreciate the response. I understand the process and flow of CWA but I still don't see why the ISE nodes need to be defined (as deny statements or at all) in the redirect acl that is locally configured on the switch. Let me try to explain it better (sorry for the novel):
    1. a default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any" which allows an open fallback in case communication to ISE fails.
    2. A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY acl that is applied to the interface/client.
    3. The client does not run dot1x and therefore the switch eventually fails over to mab. At this time, the CWA authz rule comes into effect and ISE sends the DACL to the switch via radius and also references which RACL (redirect acl) to use.
    4. Not many people seem to understand this part....The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch) and then the DACL from ISE is the next portion of this new ACL and then the very last portion is the original static PACL that is configured on the port.
    Again, I've tested this out over and over again on several different platforms (6500, 3700, 3800) and because, during the stage where the interface is in CWA state, the ACL that is applied to the interface is ALL THREE ACLs in the order of RACL>DACL>PACL....it doesn't seem to make sense that you need to define the ISE nodes in the RACL because all you need to define is what traffic you want to redirect. You define what traffic you want allowed in the DACL which is where you state access to the ISE nodes (either complete access or only 8443 access).
    Let me give you this example. Say I have the following configured:
    CONFIGURED SWITCH INTERFACE ACL (PACL)
      ip access-list standard ACL-ALLOW
       permit ip any any
    CONFIGURED SWITCH REDIRECT ACL (RACL)
      ip access-list extended ACL-WEBAUTH-REDIRECT
       permit tcp any any eq www 443
    CONFIGURED ISE DOWNLOADABLE ACL (DACL)
      permit tcp any host <psn01> eq 8443
      permit udp any host <dns01> eq 53
      deny ip any any
    Then the process would look like this:
    1. During dot1x negotiation the acl that is used is this:
    permit ip any any     <<<<<PACL
    2. Once CWA is in effect then the acl looks like this:
    redirect tcp host <host ip> any eq www 443             <<<<<<RACL
    permit tcp host <host ip> host <psn01 ip> eq 8443       <<<<<<DACL
    permit udp host <host ip> host <dns01 ip> eq 53       <<<<<<DACL
    deny ip any any      <<<<<<DACL
    permit ip any any      <<<<<<PACL
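    The RACL > DACL > PACL composition described in the post above can be exercised against the page's own ACLs. This is an added example, not Cisco code: a small model that parses the ACE subset used in the thread, evaluates one client packet through the three ACLs in the stated order, and compares the simple "redirect www & 443" RACL with the RACL from the switch config quoted earlier, for both a DACL that allows only 8443 to the PSN and one that allows full IP access to it. Assumptions: a RACL permit redirects the packet, a RACL deny only exempts it from redirection and lets the DACL and PACL decide; the <psn01> and <dns01> placeholders are filled with the PSN and name-server addresses from the switch config.

```python
"""Model of how the switch combines the redirect ACL (RACL), the ISE
downloadable ACL (DACL) and the static port ACL (PACL) for a CWA client,
evaluated in the order RACL > DACL > PACL described in the post.
Added example, not Cisco code. Assumption: a RACL 'permit' redirects the
packet; a RACL 'deny' only exempts it from redirection and lets the DACL
and PACL decide whether it is forwarded."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PORT_NAMES = {"www": 80, "domain": 53, "tftp": 69}


@dataclass(frozen=True)
class Ace:
    action: str               # 'permit' or 'deny', as written in the ACE
    proto: str                # 'ip', 'tcp', 'udp' or 'icmp'
    dst: Optional[str]        # destination host, None for 'any'
    ports: FrozenSet[int]     # destination ports after 'eq'; empty means any


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_acl(text: str) -> List[Ace]:
    """Parse the ACE subset used on this page:
    <permit|deny> <proto> <any|host A> <any|host B> [eq <port>...] [log]
    'remark' and 'ip access-list' lines are skipped."""
    aces: List[Ace] = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("remark", "ip"):
            continue
        action, proto, i = tok[0], tok[1], 2
        i += 2 if tok[i] == "host" else 1        # source: ignored, ACL is per client
        dst = None
        if tok[i] == "host":
            dst, i = tok[i + 1], i + 2
        else:
            i += 1
        ports: FrozenSet[int] = frozenset()
        if i < len(tok) and tok[i] == "eq":
            ports = frozenset(_port(p) for p in tok[i + 1:] if p != "log")
        aces.append(Ace(action, proto, dst, ports))
    return aces


def _matches(ace: Ace, proto: str, dst: str, dport: int) -> bool:
    return ((ace.proto == "ip" or ace.proto == proto)
            and (ace.dst is None or ace.dst == dst)
            and (not ace.ports or dport in ace.ports))


def evaluate(racl: List[Ace], dacl: List[Ace], pacl: List[Ace],
             proto: str, dst: str, dport: int) -> str:
    """Return 'redirect', 'permit' or 'deny' for one packet from the CWA client."""
    for ace in racl:
        if _matches(ace, proto, dst, dport):
            if ace.action == "permit":
                return "redirect"
            break                                 # exempt from redirect: fall through
    for ace in dacl + pacl:
        if _matches(ace, proto, dst, dport):
            return ace.action
    return "deny"                                 # implicit deny at the end


# ACLs from the thread; <psn01>/<dns01> filled from the quoted switch config (constructed)
PSN, DNS = "10.10.20.13", "192.168.10.40"
PACL = parse_acl("permit ip any any")
RACL_SIMPLE = parse_acl("permit tcp any any eq www 443")
RACL_DOC = parse_acl(f"""
deny   ip any host {PSN}
remark explicitly prevent DNS from being redirected
deny   udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
""")
DACL_8443 = parse_acl(f"""
permit tcp any host {PSN} eq 8443
permit udp any host {DNS} eq 53
deny ip any any
""")
DACL_FULL = parse_acl(f"""
permit ip any host {PSN}
permit udp any host {DNS} eq 53
deny ip any any
""")

if __name__ == "__main__":
    packets = (("tcp", "203.0.113.10", 80), ("tcp", PSN, 8443),
               ("tcp", PSN, 443), ("udp", DNS, 53))
    for name, racl, dacl in (("simple RACL + 8443 DACL", RACL_SIMPLE, DACL_8443),
                             ("simple RACL + full DACL", RACL_SIMPLE, DACL_FULL),
                             ("documented RACL + full DACL", RACL_DOC, DACL_FULL)):
        print(name, [evaluate(racl, dacl, PACL, *pkt) for pkt in packets])
```

The third case shows what the deny entries for the ISE nodes buy: with full IP access to the PSN in the DACL, an HTTPS request to the PSN on 443 is redirected by the simple RACL but forwarded by the documented one.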

  • CWA Redirection Loop

    Hi,
    I was testing CWA with ISE 1.3 and WLC 5760.
    Requirements:
    1- Two SSIDs on the WLC, one for STUDENT and another for GUEST.
    2- Guests, once connected to the GUEST SSID, are redirected to the guest registration portal.
    3- Students, once connected to the STUDENT SSID, are redirected to the student self-registration portal.
    4- In self-registration we want both guests and students to fill in their details like username, password, email, etc.
    5- Once registered, they will only be allowed to use one device in the network (fixed device, not changeable).
    6- On successful registration we want to show them their password on the portal itself (using PRINT) but at the same time not allow them to log in until the sponsor has approved (we want to use both the PRINT and approval features at the same time).
    Scenario: There will be 2 SSIDs, namely STUDENT and GUEST. Each one will have a specific self-registration guest portal. Portals are separated by using the AIRESPACE WLAN ID.
    ISSUES:
    1- Self-registration: even though the password is entered by the users, after registering ISE regenerates the password by itself and resets it to something random (based on the guest password policy). I don't want that; I just want to use the password the users entered at the time of registration.
    2- I am able to get a different portal based on SSID (STUDENT, GUEST), but once the user is registered, even after a successful login they are redirected to the login portal (LOOP), even when I placed Network:Access Guest flow above the CWA auth policy.
    3- Once users are registered they will only be able to use a single device in the network, which will be fixed, and their credentials will work only on this device.
    Please help me get this done.

    Hello
    Tip: check the IIS log on both of the Exchange servers and check that the OWA application doesn't have "HTTP redirect" enabled.
    Sorry for my English.

  • CWA redirect issue and access across the WAN

    Hello,
    I am trying to get CWA working on my wireless ISE setup and am having an issue where the guest portal redirect is pointing to the wrong port.  My setup is as follows:
    The PSN has two connections - Gig 0 is on our management VLAN 172.24.x.x  Gig 1 is on our guest network VLAN 10.190.x.x
    Using a laptop I connect to the guest SSID and the guest portal times out, as it is pointing to 172.24.x.x instead of the guest VLAN 10.190.x.x.
    We do not want guest traffic on the corp network for obvious reasons.
    One more question - Is it possible to have guest access work across the WAN?  For example, we have the admin box in Detroit and a PSN in Chicago.  Detroit's guest network is routed through a tunnel to Chicago currently.
    Some more info:
    Here is from the radius authentication details -
    cisco-av-pair=url-redirect=https://172.24.24.41:8443/guestportal/gateway?sessionId=ac18180a000024a45151d92d&action=cwa
    How do I force it to 10.190.x.x and how does ISE get 172.24.24.41 for the redirect address? DNS? I guess I am unfamiliar with how cisco-av-pair attribute is determined.  Any help will be greatly appreciated.

    Have you run anything such as MTR on a Linux box (or the WinMTR equivalent on a PC)? If so, can you find a trend in loss or high latency on a specific hop on the path? I would ensure you adjust the ICMP payload size to a higher size such as 1000 bytes and adjust the ping interval to every two seconds or so. This ensures you are not running into an issue where the provider is rate limiting your pings, which is not uncommon for some providers, if the pings (ICMP messages) are terminating on their endpoints.
    Do you have QoS policies applied on interfaces on either end of these pings / traces? If so, do you have assurance that ICMP messages will not be impacted by queue-based dropping or shaping latency? One solution is to move the ICMP traffic with the source or destination of your ping and trace endpoints into a priority queue with adequate bandwidth (the requirement should be very low). This may not make sense since your bandwidth utilization is low, but shaping of busy flows can actually occur long before congestion, depending on your design.
    Another item that may give you better insight is running and monitoring / graphing IP SLA probes between your routers on each end. You could then trend issues and give graphed evidence to your provider. They could then compare your lossy and high-latency periods to their appliance interface, memory, and CPU loads to see if they can find a correlating trend. It can be a hard battle to get ISPs to not only admit they have issues, but allocate resources to isolate and resolve these issues. Good SLA probe data showing that their paths are not meeting delivery standards speaks much louder than pings to them.

  • ISE CWA redirect redundancy

    Hi
    If in a CWA authorization profile the IP address option is used for the redirection, how will this impact redundancy? For instance, in my implementation with 2 ISE appliances, on the Primary Admin Node the CWA profile is configured with an IP address of x.x.x.110, which is the address of the primary ISE appliance. When the primary appliance fails, how will the secondary appliance handle the above, because the x.x.x.110 IP address will then be unavailable and the new IP should be x.x.x.109...?

    If you check that box and set an IP address manually then all CWA requests will go to that IP/host name. If you want to have redundancy then you should leave that box unchecked. Doing that will allow ISE to use the FQDN of the RADIUS server that is currently serving that SSID.
    I hope this helps!
    Thank you for rating helpful posts!

  • ISE CWA redirection problem for Apple devices

    Hi,
    I'm testing some guest scenarios (CWA) in my lab using ISE 1.3 and a WLC 2504 (7.6.130).
    I have noticed that redirection to the ISE portal doesn't work for Apple devices (iOS 7 and later). All other devices like laptops, Android devices, etc. work fine.
    It seems that the workaround on the WLC that bypasses the CNA on iDevices doesn't work in my case. The device tries to open the ISE portal and shows just a blank page (attached photo).
    The problem doesn't appear for devices with iOS 6, but only for newer versions.
    I've also tried with version 8.0 on the WLC without success.
    Any advice?
    Regards.

    Captive portal/wispr support for apple ios7
    CSCuj18674
    Description
    Symptom:
    When attempting to access the Guest Portal with an Apple iOS 7 device while the WLC "Captive Portal Bypass" feature is enabled, the web sheet on the device still appears, preventing the user from continuing the flow.
    Conditions:
    The Apple device is running Apple iOS 7.
    Workaround:
    In the ACL on the WLC used for captive portal redirection and exemption of special traffic for the Guest Portal, add exemptions for the IP resources that resolve from "www.appleiphonecell.com" and "captive.apple.com" FQDNs.
    IMPORTANT NOTE: These IP addresses are associated with the FQDNs of "www.appleiphonecell.com" and "captive.apple.com" and are subject to change by the entities hosting those domains. If the IP addresses do change, the ACL would need to reflect that.

  • ISE Sending Hostname in CWA Redirect

    Dear Support Team.
    We have a setup in which wireless controllers are deployed in a Foreign & Anchor scenario (the Guest WLC or Anchor is deployed in the DMZ). Controllers are running 7.3 and the CWA config is done as per the standard TAC documents.
    When the WLC redirects the session to ISE, the redirection URL has the ISE hostname and is something like this:
    https://ise-ip-address:8443/guestportal/gateway........
    We have set up Guest Access in such a way that the guest DHCP pool is using public DNS; we are not providing our internal DNS to the guest DHCP pool. Since public DNS does not have an entry for ise-ip-address, DNS resolution fails and CWA is not happening.
    Is it possible for ISE to send its IP address in place of its hostname, for example:
    https://10.15.24.20:8443/guestportal/gateway......
    Any help will be highly appreciated.
    Thanks
    Ahad

    One workaround that I have gotten to work in the past when using ASA firewalls is to create a static NAT entry and leverage DNS inspection to translate the Private IP address for you.  It is important to note that in this example the domain name that the ISE PSN is registered as is on a publicly resolvable domain name which you have control of the DNS entries. 
    In this example we will have a three legged ASA.  Inside, DMZ, and Outside. 
    The PSN's hostname is psn.example.com.
    The PSN's Private IP address is 10.1.1.100
    Steps:
    Create a Public DNS record for psn.example.com.  For best practices you should use an IP address that belongs to you and that is not a part of RFC 1918.  This way the public DNS servers do not reject the IP address for some other reason. In this example we will use 1.1.1.1
    Enable DNS inspection on the ASA.
    Create a Static NAT entry for 1.1.1.1 (outside) -> 10.1.1.100 (inside) and enable DNS translation.
    Now when the CWA user connects and gets a public DNS server it will query the public server for psn.example.com and the public DNS server will return 1.1.1.1. Now, because of the DNS inspection, the reply of 1.1.1.1 is replaced with the private IP address of 10.1.1.100.
    End result is the DMZ host using a public DNS server to return a private IP address. If you have multiple PSNs you will need to create multiple DNS and NAT entries.
    You are welcome to try and use bogus RFC 1918 addresses, but the public DNS servers may have rules against doing so, which is why I recommend using the public IP addresses that you own. It is important to remember that even though you are creating Inside to Outside NAT entries for your ISE servers, because you haven't created any inbound ACLs they are not exposed to the Internet just because you created a NAT for them.
    Here is a cisco doc on how to do "DNS Doctoring"
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html
    I should note that I have tested this using 1.2 with the static hostname, but I have not tested it with 1.1.4; the underlying principles should be the same.

  • IOS CWA Redirect - ISE - Safari

    I do not believe I can be the only one with this issue, not when I have it at two sites and with the original installs being done by different people.
    Is anyone else having issues with Safari properly being redirected to ISE CWA by IOS redirection?
    I have this issue on 3750X for wired clients, and on a 3850 NGWC for wireless clients.  What makes this unique is that the only thing similar to this deployment is the Macbooks running with Safari.
    My troubleshooting seems to point at an issue with Safari not liking the redirect based upon the switch(3850,3750X) certificate.  Firefox and Chrome both work without issues on the test Macbooks.  I'm unable to find anything in the Bugtoolkit about it.
    If using Safari on Cisco switch for CWA is unsupported, please provide a link to Cisco document detailing it.

    This issue has been resolved. It turned out that the MacBook was trying to do a CRL download to confirm that the certificate was valid. I am pretty sure it was because the cheapest GoDaddy certificate was used and the intermediate certificate isn't always found in the default Mac certificate store. Firefox works because they handle CRL checks differently.
    I had two different resolutions as I had the problem at two different customers/sites.
    First test was allowing access to crl.godaddy.com.  After I excluded this IP address from the redirect and permitted it in the dACL - Safari was able to correctly redirect to the CWA portal page.
    At another site, due to the centralized management of the Macbooks, we utilized Mac OS X Server to create a profile in Profile Manager that included the GoDaddy Intermediate certificate and pushed that out to all macbooks to resolve the issue.
    In addition - and worthy of note.  If you are doing posturing and the ISE certificate is not trusted on Apple, the same sort of CRL check will occur and the NAC Agent will never posture the endpoint.
    tl;dr - Doublecheck Certificate trust settings on Apple because they are evil.

  • Cisco ISE - CWA redirect in another way than cisco-av-pair?

    Hello.
    I'm trying to set up ISE as a CWA.
    I have made all the rules in both Authentication and Authorization, and I also see the clients hitting the right rules. The Authorization rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
    But here is the problem: we use Aerohive access points, and Aerohive does not support cisco-av-pair attributes, since they are Cisco proprietary.
    Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.
    So the big question: is there a way to make the same redirect using standard RADIUS attributes?
    Thank you.

    Unfortunately there isn't. I have done a project with ISE and Aerohive before and, outside of basic 802.1X authentications, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE but just a compatibility one:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
    I could be wrong here, so if someone else has done this before please chime in.
    Thank you for rating helpful posts! 

  • E4200 guest wireless redirect failure in Bridged Mode: cause & solution.

    Background:
    I have two E4200 v1 routers, both running the 1.0.04 firmware, both running in Bridged Mode.
    On one, guest wireless redirect works perfectly: select the Network-guest SSID, open a browser and you get the Cisco login page, enter the passphrase and bingo, you're connected.
    On the other unit, the redirect seems to fail. You are never presented with the login page and so, you are never connected.
    After hours of mucking about, including some time on the phone with a very patient engineer, I believe I have stumbled on what's actually going on and possibly, what needs to be done to fix it.
    The Problem
    The firmware assumes that in Bridged Mode, DNS should come from the Gateway IP address.
    The Fix
    Linksys should include a field in Bridged Mode that allows you to specify an IP for the DNS server.
    Diagnostics
    To diagnose the problem, I used a Mac OS X machine.
    The network is set up like this:
    Router (not the E4200) is at 10.0.0.1
    DNS server is at 10.0.0.2
    E4200, Bridged Mode as a WAP, is at 10.0.0.253.
    E4200's network settings are:
    IP: 10.0.0.253
    Subnet: 255.255.255.0
    Gateway: 10.0.0.1
    The problem is that the Linksys firmware assumes that DNS and the gateway are at the same IP. You will note that there is no place in the Bridged Mode settings to specify a DNS server IP address.  You can prove this by doing the following:
    1. Connect to the guest wireless. 
    2. In a Terminal window, type cat /etc/resolv.conf and press Enter.  You'll see this:
    nameserver 10.0.0.1
    nameserver 192.168.33.1
    This tells us that when you're on the guest network, your machine is looking for DNS results from 10.0.0.1. Except that on many networks, the gateway does not supply DNS. You can prove that DNS is working by typing this into a Terminal window:
    dig yahoo.com
    You should see a result similar to this:
    ; <<>> DiG 9.6-ESV-R4-P3 <<>> yahoo.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45182
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 13
    ;; QUESTION SECTION:
    ;yahoo.com.            IN    A
    ;; ANSWER SECTION:
    yahoo.com.        3063    IN    A    209.191.122.70
    yahoo.com.        3063    IN    A    72.30.38.140
    yahoo.com.        3063    IN    A    98.139.183.24
    ;; AUTHORITY SECTION:
    .            24651    IN    NS    a.root-servers.net.
    .            24651    IN    NS    j.root-servers.net.
    .            24651    IN    NS    l.root-servers.net.
    .            24651    IN    NS    c.root-servers.net.
    .            24651    IN    NS    e.root-servers.net.
    .            24651    IN    NS    d.root-servers.net.
    .            24651    IN    NS    f.root-servers.net.
    .            24651    IN    NS    m.root-servers.net.
    .            24651    IN    NS    g.root-servers.net.
    .            24651    IN    NS    b.root-servers.net.
    .            24651    IN    NS    i.root-servers.net.
    .            24651    IN    NS    h.root-servers.net.
    .            24651    IN    NS    k.root-servers.net.
    ;; ADDITIONAL SECTION:
    a.root-servers.net.    24651    IN    A    198.41.0.4
    b.root-servers.net.    24651    IN    A    192.228.79.201
    c.root-servers.net.    24651    IN    A    192.33.4.12
    d.root-servers.net.    24651    IN    A    128.8.10.90
    e.root-servers.net.    24651    IN    A    192.203.230.10
    f.root-servers.net.    24651    IN    A    192.5.5.241
    g.root-servers.net.    24651    IN    A    192.112.36.4
    h.root-servers.net.    24651    IN    A    128.63.2.53
    i.root-servers.net.    24651    IN    A    192.36.148.17
    j.root-servers.net.    24651    IN    A    192.58.128.30
    k.root-servers.net.    24651    IN    A    193.0.14.129
    l.root-servers.net.    24651    IN    A    199.7.83.42
    m.root-servers.net.    24651    IN    A    202.12.27.33
    ;; Query time: 73 msec
    ;; SERVER: 10.0.0.1#53(10.0.0.1)
    ;; WHEN: Thu Apr  5 10:51:02 2012
    ;; MSG SIZE  rcvd: 494
    Note the section at the bottom that says ;; SERVER: 10.0.0.1#53(10.0.0.1). This tells you that the DNS query was answered by the DNS server at 10.0.0.1.
    But in fact, if DNS is NOT served by your Gateway, you'll see this:
    dig yahoo.com
    ; <<>> DiG 9.6-ESV-R4-P3 <<>> @10.0.0.1 yahoo.com
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    Lucky:~ aball$
    As a side note: the reason that the login page is never presented is most likely that the login page is only presented the first time that your Mac OS X machine connects to the network. Thereafter, the network is remembered and the WAP allows you access without a password. So, once you've connected a second time to the network, the WAP says "I know you" and lets you sail on through to wherever your browser is pointed, but then the browser, unable to find a DNS server, returns a blank page which appears to be a failure to present the login page but is, in fact, a DNS failure.
    Hope someone finds this useful. And here's hoping that Linksys fixes this obvious issue with the firmware.
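    As an added example (not code from the post above), a small Python check that parses dig output of the kind shown and reports whether the expected gateway answered, some other resolver answered, or the query timed out. The two sample outputs are constructed to mirror the two cases in the post, and the answer record in the first is a placeholder value.

```python
import re

# Constructed sample: dig answered, trailer shows the gateway as the responding server.
DIG_ANSWERED = """\
; <<>> DiG 9.6-ESV-R4-P3 <<>> @10.0.0.1 yahoo.com
;; global options: +cmd
;; Got answer:
;; ANSWER SECTION:
yahoo.com.    300    IN    A    203.0.113.10
;; Query time: 73 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Thu Apr  5 10:51:02 2012
;; MSG SIZE  rcvd: 494
"""

# Constructed sample: no resolver reachable, the case behind the "blank page" symptom.
DIG_TIMEOUT = """\
; <<>> DiG 9.6-ESV-R4-P3 <<>> @10.0.0.1 yahoo.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
"""

# Matches the ';; SERVER: <ip>#<port>(<ip>)' trailer dig prints on a successful query.
SERVER_RE = re.compile(r"^;;\s*SERVER:\s*(\S+?)#(\d+)", re.MULTILINE)


def answering_server(dig_output):
    """Return (ip, port) of the resolver that answered, or None if there was no answer."""
    m = SERVER_RE.search(dig_output)
    if m is None:
        return None
    return m.group(1), int(m.group(2))


def diagnose(dig_output, expected_gateway):
    """Classify dig output: 'gateway', 'other' (a different resolver answered),
    or 'unreachable' (timed out / no SERVER trailer present)."""
    if "no servers could be reached" in dig_output or "connection timed out" in dig_output:
        return "unreachable"
    srv = answering_server(dig_output)
    if srv is None:
        return "unreachable"
    return "gateway" if srv[0] == expected_gateway else "other"


if __name__ == "__main__":
    for label, out in (("answered", DIG_ANSWERED), ("timeout", DIG_TIMEOUT)):
        print(label, answering_server(out), diagnose(out, "10.0.0.1"))
```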

    I do understand what you were trying to do here since you would like to have only 2 SSIDs (main & guest) for perhaps easy connectivity. The reason why you were not having problems getting online wirelessly when you were connected to the main network is because the computer was connected to only one DHCP server since the 2 bridge routers were just acting as a switch or a passthrough device. Now with guest network access it is a different scenario; a guest network is a virtual network, meaning to say it's like you're having another router embedded on your router. Since it is a virtual network, it does not follow the parameters of the main network, hence even if the router was set to bridge mode those routers will still have their own IP address of either 192.168.33.1 or 192.168.3.1.

  • Dual Node CWA Redirect

    Hi,
    we are using two ISE nodes for guest authentication (CWA) in our wireless network. We have an inside interface (eth0) on the ISE and a public interface (eth1), accessible for the wireless clients.
    At the moment I make a redirect to the IP address of the primary ISE: 
    For backup purposes, this is not a good idea. So I tried to configure an ip host 10.x.x.x FQDN with the IP address of eth1 and the FQDN of eth1 and removed the static host parameter in the common tasks of the CWA configuration page.
    But then the wireless guests will be redirected to the FQDN of eth0, which is the wrong IP and not reachable for them.
    What am I doing wrong?
    ISE Version is 1.2.1 and I restarted the services after configuring the ip host part.

  • ISE CWA Redirect URL customization

    Hi,
    Just wanted to know if we can change the redirect URL. By default it starts with the hostname of ISE. I will have four PSN nodes and want the URL to actually be the Load Balancer URL rather than the ISE node. Since ISE is integrated with AD domain.local, a public certificate would not be possible. We are planning to install a public cert with a different domain name like domain.com. If someone has done it before please let me know
    Thanks
    Aijaz

    Hello,
    I went through your query and have found a link which I think would surely help you to solve your query:-
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • CWA page does not redirect

    Hi there,
    I am having a strange issue.
    I have configured a WLAN with MAC Filtering that is pointing to ISE. Followed this guide https://supportforums.cisco.com/docs/DOC-26442
    Now, when a user tries to connect to the WLAN, it gets stuck in DHCP_REQD state. On troubleshooting I found that the ISE authenticates with the Wireless MAB policy and points to the authorization profile where CWA redirect is configured. The WLC receives the redirect ACL with the redirect URL but does not apply it on the client.
    On ISE:
    On WLC:
    The ACL "tempcwa" allows traffic to and from ISE, DNS, DHCP, but I am not able to get an IP. Even when I try a manual IP address, I am not able to ping ISE. I am sure the ACL is all ok! My DHCP works perfectly for other WLANs with WLC webauth settings in the same subnet as CWA.
    I am using AIR-CT5760, 03.02.02.SE, ct5760-ipservicesk9 and ISE 1.2 VM
    Please help me!!

    Thanks for your response..
    If I remove the ACL, then how will the traffic destined to ISE be allowed? The interesting part is, I am getting hits on the redirect ACL but the client cannot receive an IP address.
    DHCP is working fine, and if I assign a manual IP then DHCP is not the matter.
    If the Redirect ACL and ISE page are forwarded to the WLC from ISE, then why is this not working for clients??
    Moreover, I noticed that even the DACL is not being pushed to wireless clients from other authorization profiles. The traffic gets Permit_access but the DACL does not restrict..
    I think these two issues are interlinked..
    Please suggest..
