CWA Redirection Loop

Hi,
I was testing CWA with ISE 1.3 and WLC 5760.
Requirements:
1- Two SSIDs on the WLC: one for STUDENT and another for GUEST.
2- Guests, once connected to the GUEST SSID, will be redirected to the guest registration portal.
3- Students, once connected to the STUDENT SSID, will be redirected to the student self-registration portal.
4- In self-registration we want both guests and students to fill in their details like username, password, email, etc.
5- Once registered, they will only be allowed to use one device in the network (fixed device, not changeable).
6- On successful registration we want to show them their password on the portal itself (using PRINT) but at the same time not allow them to log in until the sponsor has approved (we want to use both the PRINT and approval features at the same time).
Scenario: There will be two SSIDs, namely STUDENT and GUEST. Each one will have a specific self-registration guest portal. The portals are separated by using the AIRESPACE wlan-id.
Issues:
1- Self-registration: even though the password is entered by the users, after registering ISE regenerates the password by itself and resets it to something random (based on the guest password policy). I don't want that; I just want to use only the password the users entered at the time of registration.
2- I am able to get a different portal based on SSID (STUDENT, GUEST), but once the users are registered, even after a successful login they are redirected to the login portal (LOOP), even when I used Network:Access Guest flow above the CWA Auth policy.
3- Once users are registered they will only be able to use a single device in the network, which will be fixed, and their credentials will only work on this device.
Please help me get this done.

Hello
tip: check the IIS log on both of the exch servers and check the OWA application hasn't got "HTTP redirect" enabled.
sorry my english

Similar Messages

  • ISE 1.2 CWA Redirect URL

    Hi,
    Just wondered, was there any way to manipulate what webauth URL is sent to a client in the redirect string? Currently my ISE sends clients the internal machine name; I was wondering if there was any way I can change this.
    I know on local webauth on the WLC you can set external URLs; does this feature exist in the ISE?
    TIA
    -G
    Sent from Cisco Technical Support iPad App

    Users Are Not Appropriately Redirected to URL
    Symptoms or Issue: Administrator receives one or more "Bad URL" error messages from Cisco ISE.
    Conditions: This scenario applies to 802.1X authentication as well as guest access sessions. Click the magnifying glass icon in Authentications to launch the Authentication Details. The authentication report should have the redirect URL in the RADIUS response section as well as the session event section (which displays the switch syslog messages).
    Possible Causes: Redirection URL is entered incorrectly with invalid syntax or a missing path component.
    Resolution: Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct per the following options:
    • CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    • 802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

  • Cookieless session causes redirect loop when deployed to Azure Website

    I have a website that needs to use cookieless session. The website works fine locally and the session key gets passed into each request url as expected. However, when deployed to an Azure website, the website requests cause a redirect loop by reloading the url over and over again with new session keys each time. I've tried setting regenerateExpiredSessionId to false but that does not have any effect. The Azure Website works okay with UseCookies, but I need to use cookieless session for other technical reasons.
    What can be done to resolve this issue or get more insight into why it is happening?

    Hi,
    Disabling the affinity can be done in two ways:
    In your application
    In a site configuration
    Which one did you try?
    Regards,
    Azam khan
    I'm unmarking this as an answer. In no way does this answer the original question. In my previous reply I stated that I used web.config setting to disable ARR Affinity cookie. This did not resolve my problem. Also, could you please take a minute to describe why you think disabling this feature would solve the problem? The original link you posted does not mention cookieless session or give any description of why that would be related to my problem.
    Thanks for trying to help, but unfortunately this has not solved the problem. If you have more details, please provide them.

  • Cant download Flash trial, says redirect loop

    I want to try a trial of Adobe Flash but it will not let me even start downloading the software at all. It says redirect loop. I tried to download on Firefox and Google Chrome; Internet Explorer does not work on my computer. Also it told me to delete all my cookies from the list and I did, but I get the same problem. Please help.

    That happened once to me when downloading a trial. I just tried it again after a few minutes and it worked. In Firefox, clear all private data including saved sessions. If it keeps up, email support.

  • ISE - CWA Redirection

    HI
    I am trying to implement the guest portal and I have configured the ISE and switch to redirect guests, and I see the whole process goes well when I issue
    show authentication session interface GigabitEthernet1/0/11
                Interface:  GigabitEthernet1/0/11
              MAC Address:  1078.d2fc.698c
               IP Address:  192.168.0.59
                User-Name:  10-78-D2-FC-69-8C
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  81
                  ACS ACL:  xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A6518000000010006F2B5
          Acct Session ID:  0x00000003
                   Handle:  0x0D000001
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    My problem is that the web browser does NOT direct automatically to the portal, but it does manually when I copy the URL from the switch. Any idea?
    switch configuration
    boot-start-marker
    boot-end-marker
    logging monitor informational
    enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
    username cisco privilege 15 password 0 cisco
    username ise-rad-alive password 0 CICSOISEalive123
    aaa new-model
    aaa authentication login local local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
     client 10.10.20.13 server-key myshared
     client 10.10.20.14 server-key myshared
    aaa session-id common
    switch 1 provision ws-c2960s-24ps-l
    ip dhcp snooping vlan 1-2000
    no ip dhcp snooping information option
    ip dhcp snooping
    ip domain-name mycompany.com
    ip name-server 192.168.10.40
    ip device tracking probe use-svi
    ip device tracking
    ip admission name Webauth proxy http inactivity-time 60
    vtp mode transparent
    epm logging
    dot1x system-auth-control
    fallback profile Webauth
     ip access-group ACL-WEBAUTH-REDIRECT in
     ip admission Webauth
    spanning-tree mode pvst
    spanning-tree extend system-id
    interface GigabitEthernet1/0/11
     switchport mode access
     switchport voice vlan 93
     ip access-group ACL-ALLOW in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 777
     authentication event server dead action authorize voice
     authentication host-mode multi-domain
     authentication order mab dot1x
     authentication priority dot1x mab
     authentication port-control auto
     mab
     dot1x pae authenticator
     spanning-tree portfast
    interface Vlan1
     no ip address
     shutdown
    interface Vlan80
     ip address 10.10.101.24 255.255.255.0
    ip default-gateway 10.10.101.1
    ip http server
    ip http secure-server
    ip access-list extended ACL-AGENT-REDIRECT
     remark explicitly prevent DNS from being redirected to address a bug
     deny   udp any any eq domain
     remark redirect HTTP traffic only
     permit tcp any any eq www
     remark all other traffic will be implicitly denied from the redirection
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-DEFAULT
     remark DHCP
     permit udp any eq bootpc any eq bootps
     remark DNS
     permit udp any any eq domain
     remark Ping
     permit icmp any any
     remark PXE / TFTP
     permit udp any any eq tftp
     remark Drop all the rest
     deny   ip any any log
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny   ip any host 10.10.20.13
     deny   ip any host 10.10.20.14
     deny   ip any host 192.168.10.43
     deny   ip any host 192.168.10.40
     deny   ip any host 192.168.10.41
     deny   ip any host 192.168.10.42
     remark explicitly prevent DNS from being redirected to accommodate certain switches
     deny   udp any any eq domain
     remark redirect all applicable traffic to the ISE Server
     permit tcp any any eq www
     permit tcp any any eq 443
    ip radius source-interface Vlan80
    logging origin-id ip
    logging source-interface Vlan80
    logging host 10.10.20.11 transport udp port 20514
    logging host 10.10.20.12 transport udp port 20514
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
    radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
    radius-server vsa send accounting
    radius-server vsa send authentication

    Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct
    CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp
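
The URL check that this reply and the earlier quoted troubleshooting entry describe, as an added example that is not part of the thread or of Cisco's tooling: it parses `show authentication session` output and tests the redirect URL against the documented pattern. The function names are hypothetical, the sample is constructed from fields in the output quoted above, and the rule that `sessionId` must equal the Common Session ID is an assumption drawn from that output.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a subset of the fields from the switch output quoted in the thread.
SAMPLE = """\
            Interface:  GigabitEthernet1/0/11
               Status:  Authz Success
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
    Common Session ID:  0A0A6518000000010006F2B5
"""

EXPECTED_PORT = 8443
EXPECTED_PATH = "/guestportal/gateway"


def parse_session(text):
    """Turn the 'Label:  value' lines of the show output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s+(\S.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def check_redirect(fields, expected_action="cwa"):
    """Return a list of problems with the redirect URL (empty list = well-formed)."""
    url = fields.get("URL Redirect")
    if not url:
        return ["session has no URL Redirect value"]
    if url.startswith("url-redirect="):      # av-pair form, as in the 802.1X line
        url = url[len("url-redirect="):]
    problems = []
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:                       # non-numeric or out-of-range port
        port = None
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    if not parts.hostname:
        problems.append("host is missing")
    if port != EXPECTED_PORT:
        problems.append(f"port is {port}, expected {EXPECTED_PORT}")
    if parts.path != EXPECTED_PATH:
        problems.append(f"path is {parts.path!r}, expected {EXPECTED_PATH!r}")
    query = parse_qs(parts.query)
    action = query.get("action", [None])[0]
    if action != expected_action:
        problems.append(f"action is {action!r}, expected {expected_action!r}")
    session_id = query.get("sessionId", [None])[0]
    if not session_id:
        problems.append("sessionId parameter is missing")
    elif session_id != fields.get("Common Session ID"):
        # Assumption drawn from the quoted output, where the two values are identical.
        problems.append("sessionId does not match Common Session ID")
    if not fields.get("URL Redirect ACL"):
        problems.append("no URL Redirect ACL on the session")
    return problems


if __name__ == "__main__":
    print(check_redirect(parse_session(SAMPLE)) or "redirect URL looks well-formed")
```

An empty result only says the URL handed to the switch is well-formed; it does not show that the client's HTTP traffic is actually being intercepted.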

  • Cisco ISE - CWA Redirect

    Why are the ISE nodes needed to be defined in the web authentication redirect acl that is configured locally on the switch?
    All the documentation that I've found states this. I've setup my 2yr old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories I don't understand why the ISE nodes need to be defined in the switch redirect acl. I am now testing with a simple "redirect www & 443" acl and it is working as expected.
    The client connects to the network and, for our environment, is requested to do dot1x until that times out and then it shifts to mab. At which point, I do not have an authz rule defined for my test machine and therefore matches my catch-all authz rule of CWA which sends a CWA DACL. The switch lays the acls on the interface in this order: 1. Redirect 2. DACL 3. PACL. In my DACL I have access to the ISE nodes allowed (just to be safe) and the redirection still works because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is 8443).
    Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore need to be defined in the CWA redirect acl local to the switch.

    Poonam,
    I appreciate the response. I understand the process and flow of CWA but I still don't see why the ISE nodes need to be defined (as deny statements or at all) in the redirect acl that is locally configured on the switch. Let me try to explain it better (sorry for the novel):
    1. a default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any" which allows an open fallback in case communication to ISE fails.
    2. A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY acl that is applied to the interface/client.
    3. The client does not run dot1x and therefore the switch eventually fails over to mab. At this time, the CWA authz rule comes into effect and ISE sends the DACL to the switch via radius and also references which RACL (redirect acl) to use.
    4. Not many people seem to understand this part....The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch) and then the DACL from ISE is the next portion of this new ACL and then the very last portion is the original static PACL that is configured on the port.
    Again, I've tested this out over and over again on several different platforms (6500, 3700, 3800) and because, during the stage where the interface is in CWA state, the ACL that is applied to the interface is ALL THREE ACLs in the order of RACL>DACL>PACL....it doesn't seem to make sense that you need to define the ISE nodes in the RACL because all you need to define is what traffic you want to redirect. You define what traffic you want allowed in the DACL which is where you state access to the ISE nodes (either complete access or only 8443 access).
    Let me give you this example. Say I have the following configured:
    CONFIGURED SWITCH INTERFACE ACL (PACL)
      ip access-list standard ACL-ALLOW
       permit ip any any
    CONFIGURED SWITCH REDIRECT ACL (RACL)
      ip access-list extended ACL-WEBAUTH-REDIRECT
       permit tcp any any eq www 443
    CONFIGURED ISE DOWNLOADABLE ACL (DACL)
      permit tcp any host <psn01> eq 8443
      permit udp any host <dns01> eq 53
      deny ip any any
    Then the process would look like this:
    1. During dot1x negotiation the acl that is used is this:
    permit ip any any     <<<<<PACL
    2. Once CWA is in effect then the acl looks like this:
    redirect tcp host <host ip> any eq www 443             <<<<<<RACL
    permit tcp host <host ip> host <psn01 ip> eq 8443       <<<<<<DACL
    permit udp host <host ip> host <dns01 ip> eq 53       <<<<<<DACL
    deny ip any any      <<<<<<DACL
    permit ip any any      <<<<<<PACL
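
The merge order described in the post above, as an added example that is not part of the post and is not switch code: it builds the RACL > DACL > PACL list the way the post states it (a configured RACL permit becomes a redirect, a configured RACL deny becomes a permit) and evaluates test packets first-match. The addresses are constructed stand-ins for the post's `<host ip>`, `<psn01>` and `<dns01>`, the ACE grammar is simplified, and the result models the post's description only.

```python
import ipaddress

# Constructed addresses standing in for the post's <host ip>, <psn01> and <dns01>.
CLIENT, PSN01, DNS01, WEB = "192.0.2.10", "198.51.100.13", "198.51.100.53", "203.0.113.80"
PORT_NAMES = {"www": 80, "domain": 53}

RACL_SIMPLE = ["permit tcp any any eq www 443"]                 # the post's RACL
RACL_WITH_PSN = [f"deny ip any host {PSN01}"] + RACL_SIMPLE     # PSN exempted first
DACL = [f"permit tcp any host {PSN01} eq 8443",
        f"permit udp any host {DNS01} eq 53",
        "deny ip any any"]
PACL = ["permit ip any any"]


def parse_ace(line):
    """Parse 'action proto src dst [eq port ...]' (a simplified ACE grammar)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take_addr(toks):
        if toks[0] == "any":
            return None, toks[1:]
        if toks[0] == "host":
            return ipaddress.ip_address(toks[1]), toks[2:]
        raise ValueError(f"unsupported address form: {toks[0]}")

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    ports = set()
    if rest:
        if rest[0] != "eq":
            raise ValueError(f"unsupported port operator: {rest[0]}")
        ports = {PORT_NAMES[p] if p in PORT_NAMES else int(p) for p in rest[1:]}
    return {"action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}


def merge(racl, dacl, pacl):
    """Build the per-session list in the order the post gives: RACL, DACL, PACL."""
    merged = []
    for line in racl:
        ace = parse_ace(line)
        # Per the post: a configured RACL permit redirects, a configured RACL deny permits.
        ace["action"] = "redirect" if ace["action"] == "permit" else "permit"
        merged.append(("RACL", ace))
    merged += [("DACL", parse_ace(line)) for line in dacl]
    merged += [("PACL", parse_ace(line)) for line in pacl]
    return merged


def evaluate(merged, proto, dst, dport, src=CLIENT):
    """First match wins; returns (action, ACL the matching entry came from)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for origin, ace in merged:
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] is not None and ace["src"] != src_ip:
            continue
        if ace["dst"] is not None and ace["dst"] != dst_ip:
            continue
        if ace["ports"] and dport not in ace["ports"]:
            continue
        return ace["action"], origin
    return "deny", "implicit"


def differing_probes(racl_a, racl_b, probes):
    """Probes whose action changes between two redirect ACLs (same DACL and PACL)."""
    a, b = merge(racl_a, DACL, PACL), merge(racl_b, DACL, PACL)
    return [p for p in probes if evaluate(a, *p)[0] != evaluate(b, *p)[0]]


PROBES = [("tcp", WEB, 80), ("tcp", WEB, 443), ("tcp", WEB, 22),
          ("tcp", PSN01, 8443), ("tcp", PSN01, 443), ("tcp", PSN01, 80),
          ("udp", DNS01, 53)]

if __name__ == "__main__":
    for probe in PROBES:
        print(probe, evaluate(merge(RACL_SIMPLE, DACL, PACL), *probe))
    print("differ:", differing_probes(RACL_SIMPLE, RACL_WITH_PSN, PROBES))
```

Under this model the two redirect ACLs differ only for port 80/443 traffic addressed to the PSN itself, which is the case the post asks about.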

  • AD FS - KB3003381 causes redirect loop on login

    Hi,
    I'm using AD FS 2.1 for SSO (2 IIS sites and several WCF services) but my users have been seeing redirect loops when they try to login. Once the user's browser recognises the loop and interrupts it, they are able to either resubmit the request with a page refresh (depending on the browser) or navigate to the URL of the site and they are logged in, but this is not a good workaround. We are using SecurEnvoy for 2FA.
    This behaviour started shortly after KB3003381 was applied to the production environment, and I have replicated the behaviour on our staging environment. Removing this patch from the staging environment causes the login mechanism to behave normally.
    From Fiddler, once users have authenticated successfully using SecurEnvoy, they are directed to
    https://<AD FS proxy URL>/adfs/ls/?wa=wsignin1.0&wtrealm=<site URL>&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=<UTC timestamp>
    which results in a 302 redirect to 
    https://<AD FS proxy URL>/adfs/ls/auth/basic/?wa=wsignin1.0&wtrealm=<site URL>&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=<UTC timestamp>
    This should return a 200, but instead returns a 302 redirect to the same URL, until stopped by the browser.

    It seems that you have already asked in another forum: http://serverfault.com/questions/658095/adfs-2-1-redirect-loop-on-login
    Simply remove the installed update and contact Microsoft to report the issue: http://support.microsoft.com/ContactUs
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • JSF Web Application - endless redirecting loop

    I've created a simple JSF WebApplication, just one page, one static text. When I deploy it to the bundled server, everything is OK. When I deploy it to a remote server, that I have access to (Sun Java System Application Server Enterprise Edition 8.1_02), and I browse to its URL (http://server:port//Webapplication), the browser shows me an error. IE just displays Page cannot be displayed error, Firefox tells me, that the app. ended up in a redirection loop.
    When I browse to /Webapplication/faces/Page1.jsp, everything is ok.
    What can be wrong?

    Hello
    We are looking at doing the same thing (iviews in Sharepoint)
    Any luck in solving the problem ?
    thank you
    Robin

  • Muse mobile site has a redirect loop in my subdomain

    I have an existing site which I am working on redoing in Muse, but I wanted to get a mobile version up immediately. I got it working, tests out fine in preview and BC, but after uploading it to a subdomain (m.junebugjam.com) I keep getting a redirect loop with smartphone and tablets. Desktop views it fine, so I know it's something in whatever Adobe uses to detect mobile users. Currently, I just have .htaccess redirecting to BC, but I would prefer to be using my own domain (not too fond of the "Report Abuse" button.)
    Site is: www.junebugjam.com
    Sub is: m.junebugjam.com
    Thanks in advance for the assistance.
    -Scott

    So your desktop and mobile versions are on different hosts? If so you need to add the redirect script to your desktop page if on mobile and you need to direct it to the mobile domain. It looks to me like you have also created the mobile layout in the desktop view in Muse?

  • Usage Meter Not Working in Chrome - Redirect Loop

    Using Google Chrome I'm unable to view my broadband usage. When I click the link in 'My BT' the link ends up as a massive URL and Chrome informs that it's hit a redirect loop.
    Works fine in Internet Explorer though.
    Just an FYI
    Chrome Version 32.0.1700.102 m

    Hi Ignitionnet and welcome.
    Are you getting any error messages? Can you give us a screen shot of the issue? Give us as much detail as possible and we’ll try and help.
    Cheers
    David
    BTCare Community Mod
    If we have asked you to email us with your details, please make sure you are logged in to the forum, otherwise you will not be able to see our ‘Contact Us’ link within our profiles.
    We are sorry but we are unable to deal with service/account queries via the private message(PM) function so please don't PM your account info, we need to deal with this via our email account :-)

  • E-Business to Apex Authentication Problem - Redirection Loop?

    Hi Folks,
    I have a couple of EBS (11i) environments which successfully launch Apex Functions using the whitepaper delivered from Cabot Consulting (Extending Oracle Applications). I have created a new responsibility, menu and function on our live environment today which does exactly what the whitepaper suggests:
    1. Send a cookie to the browser with Username and a generated hash.
    2. Apex authentication checks for this cookie and if it does not exist, displays a login page.
    3. IF the cookie exists, it takes the username and validates the hash, redirecting then to Page 1 of my application.
    However, I have found that the first time the EBS function is clicked, Firefox throws a "Redirect Loop Error", Internet Explorer instead gives an unhelpful 404 error. If I click my back button to get back into Oracle Applications and click the function again, this time it works.
    I can't release this to my userbase if there is a chance of redirect issues!
    Has anyone had experience of this and is there a verified solution to resolve the issue? I am happy to post whichever code you wish.
    Many thanks,
    Pete

    Hi Scott,
    Your suggestion answered my question first time. My login page was not public for some reason!
    I've changed this now and kerching, my applications all work a breeze!
    Fantastic - so simple :-)
    Many thanks.
    Srini - thanks for the suggestion, I've read every bit of EBS integration I could find so this is a bit of an RTFM!
    P

  • WCCP: Is dot1Q trunking needed on Router I/F to avoid redirection loop

    Hi everyone,
    I have a question about how to configure the router I/F to avoid a redirection loop.
    I understand Router and WAE must not be attached to the same segment to avoid redirection loop as written in the Quick Configuration Guide.
    However the sample configuration in Quick Configuration Guide does not show necessity of whether VLAN trunking is needed or not on the Router port and Switch under following environment;
    Client
    |
    |
    Switch --- WAE
    |
    |
    Router
    |
    |
    WAN
    |
    |
    Router
    |
    |
    Switch --- WAE
    |
    |
    Server
    I think .1Q trunking is needed to avoid a redirection loop and it is the only way to achieve it in case the router (core and/or edge) has just two interfaces.
    And if the router does not support .1Q trunking due to a hardware or software limitation, I need to give the router one more dedicated interface to redirect to the WAE by adding an additional network module/card, if it can.
    I am afraid that if the router does not support .1Q trunking and the router has up to two interfaces, I need to purchase/prepare another router to achieve it.
    Is my understanding correct?
    Or is there any method to avoid a redirection loop other than using a .1Q trunk or adding an interface, so that it remains at just two interfaces?
    Would you please give me your assistance?
    Best regards,

    Hello,
    Note that this requirement will be changing in the very near future. Please reach out to your account team or overlay specialists for more details.
    Best regards,
    Joel

  • EMET webpage redirection loop

    Has anyone else experienced a redirect loop for 
    microsoft.com/emet
    if so is there a quick and easy way of reporting it?
    Thanks,
    Matthew

  • Certain parts of Verizon Site in Redirect Loops?

    For the past couple of months, when I've attempted to access certain parts of the general Verizon site as a whole, the page will load for a moment, then tell me that it either won't load properly (Firefox) or that it is stuck in a redirect loop (Chrome). The part of the site that seems to be the most affected is the 'shopping' area. I cannot shop for Smart Phones, regular phones, tablets... nothing. As soon as I click on one of those selections the page gets stuck in a redirect loop.
    I've attempted to clear my cache. Turn off my ad-blocker, etc. But none of them work. It should be noted that I CAN access the shopping area when I am not logged into my account. I can look at any phone I want, and even add it to my cart, but in order to finish the process I must log in. The moment I log in? Stuck in another redirect loop.
    Is there any solution to this, or am I S.O.L. unless I really want to go directly to a Verizon store?

    A quick question. Usually, when clearing out one's cache for the internet, it completely clears it out, and that's that.
    But, no matter how many times I clear my Google Chrome cache, it doesn't remove this site's cached instances. Is it because I run more than one browser? (ie, I run Firefox sometimes, as well as Internet Explorer sometimes, depending on if a site works better on them...)
    Should I try to clear my cache on all of my browsers? Or is there a way to access a file on the computer itself to delete my internet history/cache, that my browsers might not be deleting despite my telling them to do so??
    Not to say this would solve my issue. But it's worth a try at the very least.

  • Infinite Redirect Loop when selecting group in Google Groups

    When I sign in to Google groups, then select one of my groups, I get into an "infinite redirect loop." The page hangs, "Redirecting" appears in the page title, and at the bottom it says (alternating) "waiting for google.com" or "waiting for groups.google.com". I have Firefox 3.6.3, which I think is latest and greatest.
    This problem has been reported to Google and you can see the discussion here:
    http://groups.google.com/group/is-something-broken/browse_thread/thread/8fb760742f6ce7ba/f7065d7bd3499f65#f7065d7bd3499f65
    You go to the Google Groups help forum, look at "Is something broken" discussion, and look further for "Infinite Redirect Loop." This may be a problem that only affects moderators.
    I'm not sure if this is a problem with Firefox, Google groups, or the interaction.
    == URL of affected sites ==
    http://groups.google.com/

    Clearing out all cookies worked for me, too.
    Not that it matters, but my tentative conclusion is that (a) this is a Google problem and (b) it has something to do with cookies, possibly a defective cookie creation mechanism or something like that. In any event, if it doesn't recur, I would further conclude that whatever-it-was has been fixed.
