CWA Redirection Loop
Hi,
I was testing CWA with ISE 1.3 and a WLC 5760.
Requirements:
1- Two SSIDs on the WLC, one for STUDENT and another for GUEST.
2- A guest, once connected to the GUEST SSID, is redirected to the guest registration portal.
3- A student, once connected to the STUDENT SSID, is redirected to the student self-registration portal.
4- In self-registration we want both guests and students to fill in their details, like username, password, email, etc.
5- Once registered, they will be allowed to use only one device in the network (fixed device, not changeable).
6- On successful registration we want to show them their password on the portal itself (using PRINT), but at the same time not allow them to log in until a sponsor approves (we want to use both the PRINT and approval features at the same time).
Scenario: The scenario is like this. There will be two SSIDs, namely STUDENT and GUEST. Each one will have a specific self-registration guest portal. The portals are separated by using the Airespace-Wlan-Id.
Issues:
1- Self-registration: even though a password is entered by the user, after registering ISE regenerates the password by itself and resets it to something random (based on the guest password policy). I don't want that; I just want to use the only password the user entered at the time of registration.
2- I am able to get a different portal based on SSID (STUDENT, GUEST), but once the user registers, even after a successful login they are redirected to the login portal (loop), even when I used the Network Access: Guest Flow condition above the CWA authorization policy.
3- Once users register, they will be allowed to use only a single device in the network, which will be fixed, and their credentials will work only on that device.
Please help me get this done.
Hello
Tip: check the IIS log on both Exchange servers and check that the OWA application doesn't have "HTTP Redirect" enabled.
Sorry for my English.
Similar Messages
-
ISE 1.2 CWA Redirect URL
Hi,
Just wondered whether there was any way to manipulate which webauth URL is sent to a client in the redirect string. Currently my ISE sends clients the internal machine name; I was wondering if there was any way I can change this.
I know that with local web auth on the WLC you can set external URLs; does this feature exist in ISE?
TIA
-G
Sent from Cisco Technical Support iPad App
Users Are Not Appropriately Redirected to URL
Symptoms or Issue
The administrator receives one or more "Bad URL" error messages from Cisco ISE.
Conditions
This scenario applies to 802.1X authentication as well as to guest access sessions.
Click the magnifying glass icon in Authentications to launch the Authentication Details. The authentication report should show the redirect URL in the RADIUS response section as well as in the session event section (which displays the switch syslog messages).
Possible Causes
The redirection URL is entered incorrectly, with invalid syntax or a missing path component.
Resolution
Verify that the redirection URL specified in Cisco ISE via the Cisco AV pair "url-redirect" is correct per the following options:
• CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
• 802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp -
Cookieless session causes redirect loop when deployed to Azure Website
I have a website that needs to use cookieless sessions. The website works fine locally and the session key gets passed in each request URL as expected. However, when deployed to an Azure Website, the website's requests cause a redirect loop by reloading the URL over and over again with a new session key each time. I've tried setting regenerateExpiredSessionId to false, but that has no effect. The Azure Website works okay with UseCookies, but I need to use cookieless sessions for other technical reasons.
What can be done to resolve this issue or get more insight into why it is happening?
Hi,
Disabling the affinity can be done in two ways:
In your application
In a site configuration
Which one did you try?
Regards,
Azam khan
I'm unmarking this as an answer. In no way does this answer the original question. In my previous reply I stated that I used a web.config setting to disable the ARR Affinity cookie. This did not resolve my problem. Also, could you please take a minute to describe why you think disabling this feature would solve the problem? The original link you posted does not mention cookieless sessions or give any description of why that would be related to my problem.
Thanks for trying to help, but unfortunately this has not solved the problem. If you have more details, please provide them. -
Can't download Flash trial, says redirect loop
I want to try a trial of Adobe Flash but it will not let me even start downloading the software. It says redirect loop. I tried to download in Firefox and Google Chrome; Internet Explorer does not work on my computer. Also it told me to delete all my cookies from the list and I did, but I get the same problem. Please help.
That happened once to me when downloading a trial. I just tried it again after a few minutes and it worked. In Firefox, clear all private data including saved sessions. If it keeps up, email support.
-
Hi
I am trying to implement a guest portal. I have configured ISE and the switch to redirect guests, and I see the whole process goes well when I issue
show authentication session interface GigabitEthernet1/0/11
Interface: GigabitEthernet1/0/11
MAC Address: 1078.d2fc.698c
IP Address: 192.168.0.59
User-Name: 10-78-D2-FC-69-8C
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 81
ACS ACL: xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A6518000000010006F2B5
Acct Session ID: 0x00000003
Handle: 0x0D000001
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
My problem is that the web browser does NOT redirect automatically to the portal, but it does when I manually copy the URL from the switch. Any idea?
Switch configuration:
boot-start-marker
boot-end-marker
logging monitor informational
enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
username cisco privilege 15 password 0 cisco
username ise-rad-alive password 0 CICSOISEalive123
aaa new-model
aaa authentication login local local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
 client 10.10.20.13 server-key myshared
 client 10.10.20.14 server-key myshared
aaa session-id common
switch 1 provision ws-c2960s-24ps-l
ip dhcp snooping vlan 1-2000
no ip dhcp snooping information option
ip dhcp snooping
ip domain-name mycompany.com
ip name-server 192.168.10.40
ip device tracking probe use-svi
ip device tracking
ip admission name Webauth proxy http inactivity-time 60
vtp mode transparent
epm logging
dot1x system-auth-control
fallback profile Webauth
 ip access-group ACL-WEBAUTH-REDIRECT in
 ip admission Webauth
spanning-tree mode pvst
spanning-tree extend system-id
interface GigabitEthernet1/0/11
 switchport mode access
 switchport voice vlan 93
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 777
 authentication event server dead action authorize voice
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
interface Vlan1
 no ip address
 shutdown
interface Vlan80
 ip address 10.10.101.24 255.255.255.0
ip default-gateway 10.10.101.1
ip http server
ip http secure-server
ip access-list extended ACL-AGENT-REDIRECT
 remark explicitly prevent DNS from being redirected to address a bug
 deny udp any any eq domain
 remark redirect HTTP traffic only
 permit tcp any any eq www
 remark all other traffic will be implicitly denied from the redirection
ip access-list extended ACL-ALLOW
 permit ip any any
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 remark Ping
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark Drop all the rest
 deny ip any any log
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny ip any host 10.10.20.13
 deny ip any host 10.10.20.14
 deny ip any host 192.168.10.43
 deny ip any host 192.168.10.40
 deny ip any host 192.168.10.41
 deny ip any host 192.168.10.42
 remark explicitly prevent DNS from being redirected to accommodate certain switches
 deny udp any any eq domain
 remark redirect all applicable traffic to the ISE Server
 permit tcp any any eq www
 permit tcp any any eq 443
ip radius source-interface Vlan80
logging origin-id ip
logging source-interface Vlan80
logging host 10.10.20.11 transport udp port 20514
logging host 10.10.20.12 transport udp port 20514
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
radius-server vsa send accounting
radius-server vsa send authentication
Verify that the redirection URL specified in Cisco ISE via the Cisco AV pair "url-redirect" is correct:
CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp -
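The reply above says to verify the url-redirect AV pair against the two documented shapes, and the "show authentication session" output earlier in the thread shows a real one. The following is an added example (not code from the thread or from Cisco) that performs that verification mechanically: it parses a url-redirect value and lists every way it departs from https://<host>:8443/guestportal/gateway?sessionId=<id>&action=cwa|cpp. It assumes 8443 is the portal port (the ISE default; pass port= if it was changed) and that session IDs are hexadecimal, as the switch-generated one in the thread is. The AV pairs used in the usage line are constructed from the thread's own URLs.

```python
"""Structural check of a Cisco ISE url-redirect AV pair.

Added example, not taken from the thread or from Cisco documentation.  The
accepted shape is the one quoted in the reply above:
    https://<host>:8443/guestportal/gateway?sessionId=<id>&action=cwa|cpp
8443 is the default ISE 1.x guest portal port; pass `port=` if the portal
port was changed.  Sample AV pairs below are constructed for illustration.
"""
from typing import List
from urllib.parse import parse_qs, urlsplit

EXPECTED_PATH = "/guestportal/gateway"
EXPECTED_ACTIONS = ("cwa", "cpp")
HEX_DIGITS = set("0123456789abcdefABCDEF")


def check_url_redirect(av_pair: str, port: int = 8443) -> List[str]:
    """Return the problems found in a 'url-redirect=<url>' AV pair.

    An empty list means the URL has the structure an ISE 1.x CWA
    (action=cwa) or client-provisioning (action=cpp) redirect needs.  Only
    the structure is checked; whether the client can resolve and reach the
    host is a DNS and ACL question this function does not answer.
    """
    problems: List[str] = []
    prefix = "url-redirect="
    if av_pair.startswith(prefix):
        url = av_pair[len(prefix):]
    else:
        problems.append("value does not start with 'url-redirect='")
        url = av_pair

    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if not parts.hostname:
        problems.append("host is missing")
    try:
        actual_port = parts.port
    except ValueError:  # non-numeric port in the URL
        actual_port = None
    if actual_port != port:
        problems.append(f"port is {actual_port}, expected {port}")
    if parts.path != EXPECTED_PATH:
        problems.append(f"path is {parts.path!r}, expected {EXPECTED_PATH!r}")

    query = parse_qs(parts.query, keep_blank_values=True)
    session_id = query.get("sessionId", [""])[0]
    if not session_id:
        problems.append("sessionId parameter is missing")
    elif session_id == "SessionIdValue":
        problems.append("sessionId is the documentation placeholder, not a session ID")
    elif not set(session_id) <= HEX_DIGITS:
        problems.append(f"sessionId {session_id!r} is not hexadecimal")

    action = query.get("action", [""])[0]
    if action not in EXPECTED_ACTIONS:
        problems.append(f"action is {action!r}, expected one of {EXPECTED_ACTIONS}")
    return problems


if __name__ == "__main__":
    # The URL the switch reported earlier in this thread: no problems expected.
    print(check_url_redirect(
        "url-redirect=https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway"
        "?sessionId=0A0A6518000000010006F2B5&action=cwa"))
    # The documentation template pasted verbatim: placeholder session ID.
    print(check_url_redirect(
        "https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp"))
```

Run it against the URL Redirect line from "show authentication session" (or from the Authentication Details report in ISE); an empty list rules out the "Bad URL" causes the reply lists, so the remaining suspects are the redirect ACL and the client's ability to resolve and reach the host.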
Why do the ISE nodes need to be defined in the web authentication redirect ACL that is configured locally on the switch?
All the documentation that I've found states this. I set up my 2-year-old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories, I don't understand why the ISE nodes need to be defined in the switch redirect ACL. I am now testing with a simple "redirect www & 443" ACL and it is working as expected.
The client connects to the network and, in our environment, is asked to do dot1x until that times out, and then it shifts to MAB. At that point I do not have an authz rule defined for my test machine, so it matches my catch-all authz rule for CWA, which sends a CWA DACL. The switch lays the ACLs on the interface in this order: 1. Redirect 2. DACL 3. PACL. In my DACL I allow access to the ISE nodes (just to be safe), and the redirection still works because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is on 8443).
Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore need them defined in the CWA redirect ACL local to the switch?
Poonam,
I appreciate the response. I understand the process and flow of CWA, but I still don't see why the ISE nodes need to be defined (as deny statements, or at all) in the redirect ACL that is locally configured on the switch. Let me try to explain it better (sorry for the novel):
1. A default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any", which allows an open fallback in case communication to ISE fails.
2. A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY ACL that is applied to the interface/client.
3. The client does not run dot1x and therefore the switch eventually fails over to MAB. At this time the CWA authz rule comes into effect, and ISE sends the DACL to the switch via RADIUS and also references which RACL (redirect ACL) to use.
4. Not many people seem to understand this part... The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL, with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch); the next portion of this new ACL is the DACL from ISE; and the very last portion is the original static PACL that is configured on the port.
Again, I've tested this out over and over again on several different platforms (6500, 3700, 3800), and because, during the stage where the interface is in the CWA state, the ACL applied to the interface is ALL THREE ACLs in the order RACL > DACL > PACL, it doesn't seem to make sense that you need to define the ISE nodes in the RACL, because all you need to define there is what traffic you want to redirect. You define what traffic you want allowed in the DACL, which is where you state access to the ISE nodes (either complete access or only 8443 access).
Let me give you this example. Say I have the following configured:
CONFIGURED SWITCH INTERFACE ACL (PACL)
ip access-list extended ACL-ALLOW
 permit ip any any
CONFIGURED SWITCH REDIRECT ACL (RACL)
ip access-list extended ACL-WEBAUTH-REDIRECT
 permit tcp any any eq www 443
CONFIGURED ISE DOWNLOADABLE ACL (DACL)
permit tcp any host <psn01> eq 8443
permit udp any host <dns01> eq 53
deny ip any any
Then the process would look like this:
1. During dot1x negotiation the ACL that is used is this:
permit ip any any <<<<< PACL
2. Once CWA is in effect, the ACL looks like this:
redirect tcp host <host ip> any eq www 443 <<<<< RACL
permit tcp host <host ip> host <psn01 ip> eq 8443 <<<<< DACL
permit udp host <host ip> host <dns01 ip> eq 53 <<<<< DACL
deny ip any any <<<<< DACL
permit ip any any <<<<< PACL -
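The post above describes the merged order RACL > DACL > PACL and gives concrete entries for each ACL. The following is an added example, not from the post or from Cisco, that models that evaluation order so the effect of the deny-the-ISE-nodes entries can be seen packet by packet: it runs the same four client packets through the post's simple RACL and through the documented RACL (ISE node exempted first), with the post's DACL and PACL behind both. Matching is simplified to protocol, destination host and destination port, which is all the post's entries use; PSN01, DNS01 and WEB are constructed placeholder addresses standing in for <psn01>, <dns01> and an internet web server.

```python
"""Model of the merged ACL a Catalyst switch evaluates for a client in the
CWA state, in the order the post above describes: RACL, then DACL, then PACL.

Added example, not from the post or from Cisco.  It is deliberately small:
an entry is (action, protocol, destination host or "any", destination port
or None); only destination matching is modelled, which is all the post's
entries use.  PSN01, DNS01 and WEB are constructed placeholder addresses.
"""
from typing import List, Optional, Tuple

# (action, proto, dst_host, dst_port).  In the redirect ACL, "permit" means
# "redirect this flow" and "deny" means "leave it alone and keep evaluating".
Entry = Tuple[str, str, str, Optional[int]]
Packet = Tuple[str, str, int]  # (proto, dst_host, dst_port) sent by the client


def matches(entry: Entry, pkt: Packet) -> bool:
    """True if an ACL entry matches a packet on protocol, destination and port."""
    _, proto, host, port = entry
    p_proto, p_host, p_port = pkt
    if proto != "ip" and proto != p_proto:
        return False
    if host != "any" and host != p_host:
        return False
    return port is None or port == p_port


def evaluate(pkt: Packet, racl: List[Entry], dacl: List[Entry], pacl: List[Entry]) -> str:
    """Return "redirect", "permit" or "deny" for one client packet.

    RACL first: a permit match redirects the flow to the url-redirect target,
    a deny match only exempts it from redirection.  Anything not redirected
    is then judged by the DACL, then the PACL, then the implicit deny.
    """
    for entry in racl:
        if matches(entry, pkt):
            if entry[0] == "permit":
                return "redirect"
            break  # explicit deny in the redirect ACL: not redirected
    for acl in (dacl, pacl):
        for entry in acl:
            if matches(entry, pkt):
                return entry[0]
    return "deny"


PSN01, DNS01, WEB = "10.0.0.13", "10.0.0.40", "203.0.113.10"  # constructed

# The post's RACL: redirect all web traffic, no exemption for the ISE node.
RACL_SIMPLE: List[Entry] = [("permit", "tcp", "any", 80), ("permit", "tcp", "any", 443)]
# The documented RACL: exempt the ISE node before the redirect entries.
RACL_DOC: List[Entry] = [("deny", "ip", PSN01, None)] + RACL_SIMPLE

DACL: List[Entry] = [  # the post's ISE downloadable ACL
    ("permit", "tcp", PSN01, 8443),
    ("permit", "udp", DNS01, 53),
    ("deny", "ip", "any", None),
]
PACL: List[Entry] = [("permit", "ip", "any", None)]  # the post's port ACL


def compare(pkt: Packet) -> Tuple[str, str]:
    """Outcome for the same packet under the simple RACL and the documented RACL."""
    return evaluate(pkt, RACL_SIMPLE, DACL, PACL), evaluate(pkt, RACL_DOC, DACL, PACL)


if __name__ == "__main__":
    for pkt in [("tcp", WEB, 80), ("tcp", PSN01, 8443), ("udp", DNS01, 53), ("tcp", PSN01, 443)]:
        print(pkt, "-> simple RACL:", compare(pkt)[0], "| documented RACL:", compare(pkt)[1])
```

Browsing to the internet on 80, reaching the portal on 8443 and DNS come out the same under both RACLs. The two differ only for client traffic to the ISE node itself on 80 or 443: the simple RACL redirects it (to a URL on that same node), while the documented deny entry keeps it out of the redirect and lets the DACL decide (here, deny). Whether a given deployment ever sends such traffic is exactly the question the post asks; the model only makes the difference between the two ACL sets explicit.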
AD FS - KB3003381 causes redirect loop on login
Hi,
I'm using AD FS 2.1 for SSO (2 IIS sites and several WCF services) but my users have been seeing redirect loops when they try to login. Once the user's browser recognises the loop and interrupts it, they are able to either resubmit the request with a page
refresh (depending on the browser) or navigate to the URL of the site and they are logged in, but this is not a good workaround. We are using SecurEnvoy for 2FA.
This behaviour started shortly after KB3003381 was applied to the production environment, and I have replicated the behaviour on our staging environment. Removing this patch from the staging environment causes the login mechanism to behave normally.
From Fiddler, once users have authenticated successfully using SecurEnvoy, they are directed to
https://<AD FS proxy URL>/adfs/ls/?wa=wsignin1.0&wtrealm=<site URL>&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=<UTC timestamp>
which results in a 302 redirect to
https://<AD FS proxy URL>/adfs/ls/auth/basic/?wa=wsignin1.0&wtrealm=<site URL>&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=<UTC timestamp>
This should return a 200, but instead returns a 302 redirect to the same URL, until stopped by the browser.
It seems that you have already asked in another forum: http://serverfault.com/questions/658095/adfs-2-1-redirect-loop-on-login
Simply remove the installed update and contact Microsoft to report the issue: http://support.microsoft.com/ContactUs
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
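The Fiddler trace in the post above is the usual evidence of a redirect loop: a 302 whose Location is the URL just requested. The following is an added example, not from the post, of the small check one would script over such a trace (or over a live endpoint, by swapping in a real fetcher): it follows Location headers, records the chain, and stops at the first URL that repeats or when a hop budget runs out, which is what the browser's "redirect loop" interruption amounts to. The two traces are constructed from the post's two URLs, with <AD FS proxy URL> and <site URL> replaced by placeholder hosts and the wctx/wct parameters shortened.

```python
"""Follow a chain of HTTP redirects and report a loop, the check one would
script against a capture like the Fiddler trace in the post above.

Added example, not from the post.  `fetch` is any callable mapping a URL to
(status, Location-or-None); the two tables below are constructed from the
post's URLs, with <AD FS proxy URL> and <site URL> replaced by placeholder
hosts and the wctx/wct parameters shortened.
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

Response = Tuple[int, Optional[str]]
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def follow_redirects(start: str, fetch: Callable[[str], Response], max_hops: int = 20) -> dict:
    """Walk redirects from `start` until a non-3xx answer, a repeated URL or max_hops.

    Returns {"chain": [urls visited], "final_status": int or None,
             "loop_at": index in chain of the URL that repeated, or None,
             "truncated": True if max_hops ran out without a repeat}.
    Browsers give up after a similar fixed number of hops (around 20), which
    is the "redirect loop" error the post describes.
    """
    chain: List[str] = []
    first_seen: Dict[str, int] = {}
    url = start
    while len(chain) < max_hops:
        if url in first_seen:
            return {"chain": chain, "final_status": None,
                    "loop_at": first_seen[url], "truncated": False}
        first_seen[url] = len(chain)
        chain.append(url)
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return {"chain": chain, "final_status": status,
                    "loop_at": None, "truncated": False}
        url = urljoin(url, location)  # Location may be relative to the request URL
    return {"chain": chain, "final_status": None, "loop_at": None, "truncated": True}


PROXY = "https://adfs.example.net"   # stands in for <AD FS proxy URL>
REALM = "https://app.example.net/"   # stands in for <site URL>
LS = f"{PROXY}/adfs/ls/?wa=wsignin1.0&wtrealm={REALM}&wctx=rm%3d0"
BASIC = f"{PROXY}/adfs/ls/auth/basic/?wa=wsignin1.0&wtrealm={REALM}&wctx=rm%3d0"

# Constructed traces: the behaviour the post reports, and the healthy one.
LOOPING_TRACE: Dict[str, Response] = {LS: (302, BASIC), BASIC: (302, BASIC)}
HEALTHY_TRACE: Dict[str, Response] = {LS: (302, BASIC), BASIC: (200, None)}


def fetch_from(table: Dict[str, Response]) -> Callable[[str], Response]:
    """Build an offline fetcher from a URL -> (status, Location) table."""
    return lambda url: table.get(url, (404, None))


if __name__ == "__main__":
    print(follow_redirects(LS, fetch_from(LOOPING_TRACE)))
    print(follow_redirects(LS, fetch_from(HEALTHY_TRACE)))
```

A loop reported at index 1 with a two-entry chain is the post's symptom: /adfs/ls/auth/basic/ answering 302 to itself. Comparing the chain before and after a change (here, with and without KB3003381) is a quicker regression check than waiting for a user's browser to give up.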
JSF Web Application - endless redirecting loop
I've created a simple JSF web application: just one page, one static text. When I deploy it to the bundled server, everything is OK. When I deploy it to a remote server that I have access to (Sun Java System Application Server Enterprise Edition 8.1_02) and browse to its URL (http://server:port//Webapplication), the browser shows me an error. IE just displays a "Page cannot be displayed" error; Firefox tells me that the app ended up in a redirection loop.
When I browse to /Webapplication/faces/Page1.jsp, everything is OK.
What can be wrong?
Hello
We are looking at doing the same thing (iViews in SharePoint).
Any luck in solving the problem?
Thank you
Robin -
Muse mobile site has a redirect loop in my subdomain
I have an existing site which I am working on redoing in Muse, but I wanted to get a mobile version up immediately. I got it working, and it tests out fine in preview and BC, but after uploading it to a subdomain (m.junebugjam.com) I keep getting a redirect loop on smartphones and tablets. Desktop views it fine, so I know it's something in whatever Adobe uses to detect mobile users. Currently I just have .htaccess redirecting to BC, but I would prefer to be using my own domain (not too fond of the "Report Abuse" button).
Site is: www.junebugjam.com
Sub is: m.junebugjam.com
Thanks in advance for the assistance.
-Scott
So your desktop and mobile versions are on different hosts? If so, you need to add the redirect script to your desktop page for mobile visitors and direct it to the mobile domain. It looks to me like you have also created the mobile layout in the desktop view in Muse?
-
Usage Meter Not Working in Chrome - Redirect Loop
Using Google Chrome I'm unable to view my broadband usage. When I click the link in 'My BT', the link ends up as a massive URL and Chrome informs me that it's hit a redirect loop.
Works fine in Internet Explorer though.
Just an FYI.
Chrome Version 32.0.1700.102 m
Hi Ignitionnet and welcome.
Are you getting any error messages? Can you give us a screenshot of the issue? Give us as much detail as possible and we'll try and help.
Cheers
David
BTCare Community Mod
If we have asked you to email us with your details, please make sure you are logged in to the forum, otherwise you will not be able to see our ‘Contact Us’ link within our profiles.
We are sorry but we are unable to deal with service/account queries via the private message(PM) function so please don't PM your account info, we need to deal with this via our email account :-) -
E-Business to Apex Authentication Problem - Redirection Loop?
Hi Folks,
I have a couple of EBS (11i) environments which successfully launch Apex functions using the whitepaper delivered by Cabot Consulting (Extending Oracle Applications). I have created a new responsibility, menu and function on our live environment today which does exactly what the whitepaper suggests:
1. Send a cookie to the browser with the username and a generated hash.
2. Apex authentication checks for this cookie and, if it does not exist, displays a login page.
3. If the cookie exists, it takes the username and validates the hash, then redirects to Page 1 of my application.
However, I have found that the first time the EBS function is clicked, Firefox throws a "Redirect Loop" error; Internet Explorer instead gives an unhelpful 404 error. If I click my back button to get back into Oracle Applications and click the function again, it works this time.
I can't release this to my user base if there is a chance of redirect issues!
Has anyone had experience of this, and is there a verified solution to resolve the issue? I am happy to post whichever code you wish.
Many thanks,
Pete
Hi Scott,
Your suggestion answered my question first time. My login page was not public for some reason!
I've changed this now and kerching, my applications all work a breeze!
Fantastic - so simple :-)
Many thanks.
Srini - thanks for the suggestion, I've read every bit of EBS integration I could find so this is a bit of an RTFM!
P -
WCCP: Is dot1Q trunking needed on the router interface to avoid a redirection loop?
Hi everyone,
I have a question about how to configure the router interface to avoid a redirection loop.
I understand the router and WAE must not be attached to the same segment, to avoid a redirection loop, as written in the Quick Configuration Guide.
However, the sample configuration in the Quick Configuration Guide does not show whether VLAN trunking is needed on the router port and switch in the following environment:
Client
|
|
Switch --- WAE
|
|
Router
|
|
WAN
|
|
Router
|
|
Switch --- WAE
|
|
Server
I think .1Q trunking is needed to avoid a redirection loop, and that it is the only way to achieve it when the router (core and/or edge) has just two interfaces.
And if the router does not support .1Q trunking, due to a hardware or software limitation, I need to give the router one more dedicated interface for redirection to the WAE by adding an additional network module/card, if possible.
I am afraid that if the router does not support .1Q trunking and has only two interfaces, I would need to purchase/prepare another router to achieve it.
Is my understanding correct?
Or is there any method to avoid a redirection loop other than using a .1Q trunk or adding an interface, so that the router keeps just two interfaces?
Would you please give me your assistance?
Best regards,
Hello,
Note that this requirement will be changing in the very near future. Please reach out to your account team or overlay specialists for more details.
Best regards,
Joel -
Has anyone else experienced a redirect loop for
microsoft.com/emet
If so, is there a quick and easy way of reporting it?
Thanks,
Matthew
-
Certain parts of Verizon Site in Redirect Loops?
For the past couple of months, when I've attempted to access certain parts of the general Verizon site, the page will load for a moment, then tell me that it either won't load properly (Firefox) or that it is stuck in a redirect loop (Chrome). The part of the site that seems to be the most affected is the 'shopping' area. I cannot shop for smartphones, regular phones, tablets... nothing. As soon as I click on one of those selections the page gets stuck in a redirect loop.
I've attempted to clear my cache, turn off my ad-blocker, etc., but none of them work. It should be noted that I CAN access the shopping area when I am not logged into my account. I can look at any phone I want, and even add it to my cart, but in order to finish the process I must log in. The moment I log in? Stuck in another redirect loop.
Is there any solution to this, or am I S.O.L. unless I really want to go directly to a Verizon store?
A quick question. Usually, when clearing out one's cache for the internet, it completely clears it out, and that's that.
But, no matter how many time I clear my Google Chrome cache, it doesn't remove this site's cached instances. Is it because I run more than one browser? (ie, I run Firefox sometimes, as well as Internet Explorer sometimes, depending on if a site works better on them...)
Should I try to clear my cache on all of my browsers? Or is there a way to access a file on the computer itself to delete my internet history/cache, that my browsers might not be deleting despite my telling them to do so??
Not to say this would solve my issue. But it's worth a try at the very least. -
Infinite Redirect Loop when selecting group in Google Groups
When I sign in to Google Groups, then select one of my groups, I get into an "infinite redirect loop." The page hangs, "Redirecting" appears in the page title, and at the bottom it says (alternating) "waiting for google.com" or "waiting for groups.google.com". I have Firefox 3.6.3, which I think is the latest and greatest.
This problem has been reported to Google and you can see the discussion here:
http://groups.google.com/group/is-something-broken/browse_thread/thread/8fb760742f6ce7ba/f7065d7bd3499f65#f7065d7bd3499f65
You go to the Google Groups help forum, look at the "Is something broken" discussion, and look further for "Infinite Redirect Loop." This may be a problem that only affects moderators.
I'm not sure if this is a problem with Firefox, Google Groups, or the interaction.
== URL of affected sites ==
http://groups.google.com/
Clearing out all cookies worked for me, too.
Not that it matters, but my tentative conclusion is that (a) this is a Google problem and (b) it has something to do with cookies, possibly a defective cookie creation mechanism or something like that. In any event, if it doesn't recur, I would further conclude that whatever-it-was has been fixed.