Guest web redirect with redundant ISE

Dears,
I have redundant ISE configured (primary and secondary) and integrated with a Cisco WLC 5508.
I have already configured an SSID for guest web authentication.
With the primary ISE the redirect link works fine, but when I power off the primary ISE the redirect link stops working, even if I change the role of the secondary to primary.
Please, I need your support.
Regards,

Thank you for your reply,
- Yes, on the same node group.
- Yes, resolved correctly in DNS.
- I will recheck it, but I have already created an ACL for the redirect.
- Yes, both ISE nodes are defined under RADIUS Authentication on the WLC.
Now I will check the ACL and get back to you.
Regards,

Similar Messages

  • Guest portal redirection with multiple PSNs

    Hi All
    In a distributed deployment where there is more than one PSN, how do we have a common URL for guest redirection when doing CWA (assuming no load balancer is used for the PSNs)? Usually the redirection URL would be 'https://<ise01.fqdn>/guestportal' or 'https://<ise02.fqdn>/guestportal', and we can only specify one in the WLC guest SSID?
    Thanks

    Fully Qualified Domain Name in URL Redirection
    When Cisco ISE builds an authorization profile redirect (for central web authentication, device registration web authentication, native supplicant provisioning, mobile device management, and client provisioning and posture services), the resulting cisco-av-pair includes a string similar to the following:
    url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    When processing this request, Cisco ISE substitutes actual values for some keywords in this string. For example, SessionIdValue is replaced with the actual session ID of the request. For eth0 interface, Cisco ISE replaces the IP in the URL with the FQDN of the Cisco ISE node. For non-eth0 interfaces, Cisco ISE uses the IP address in the URL. You can assign a host alias(name) for interfaces eth1 through eth3, which Cisco ISE can then substitute in place of IP address during URL redirection. To do this, you can use the ip host command in the configuration mode from the Cisco ISE CLI:
    ISE /admin(config)# ip host IP_address host-alias FQDN-string
    where IP_address is the IP address of the network interface (eth1 or eth2 or eth3)
    host-alias is the name that you assign to the network interface
    FQDN-string is the fully qualified domain name of the network interface
    Using this command, you can assign a host-alias or an FQDN-string or both to a network interface.
    Here is an example:
    ISE/admin(config)# ip host a.b.c.d sales sales.amer.xyz.com
    After you assign a host alias to the non-eth0 interface, you must restart the application services on Cisco ISE using the application start ise command.
    Use the no form of this command to remove the association of the host alias with the network interface:
    ISE/admin(config)# no ip host IP_address host-alias FQDN-string
    Use the show running-config command to view the host alias definitions.
    If you provide the FQDN-string, Cisco ISE replaces the IP address in the URL with the FQDN. If you provide only the host alias, Cisco ISE combines the host alias with the configured IP domain name to form a complete FQDN, and replaces the IP address in the URL with the FQDN. If you do not map a network interface to a host alias, then Cisco ISE uses the IP address of the network interface in the URL.
    When you use non-eth0 interfaces for client provisioning, native supplicant, or guest flows, make sure that the IP address or host alias for those interfaces is configured appropriately in the Policy Service node certificate's SAN fields.
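    The substitution rule quoted above is easy to get wrong on a PSN with several interfaces, and a mismatch shows up only as a certificate warning on the guest's browser. The Python below is an added example, not code from the thread or from Cisco: it applies the rule (eth0 gets the node FQDN; another interface gets the FQDN-string from `ip host` if one was given, otherwise host-alias plus `ip domain-name`, otherwise the bare IP), expands the av-pair template the way the excerpt describes, and checks the resulting host against the PSN certificate's SAN list. The node name, domain, addresses, session ID and SAN entries are constructed; the `ip host` lines follow the syntax quoted above, and the wildcard matching is the single-label form browsers accept.

```python
"""Work out the host ISE writes into url-redirect for a given PSN interface.

Added example, not code from the thread or from Cisco. Applies the documented
substitution rule and checks the result against the PSN certificate's SAN list.
Node name, domain, addresses, session ID and SAN entries are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TEMPLATE = "https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa"


@dataclass
class HostAlias:
    alias: str                     # host-alias argument of 'ip host'
    fqdn: Optional[str] = None     # optional FQDN-string argument


@dataclass
class Psn:
    node_fqdn: str                           # hostname + ip domain-name of the node
    domain: str                              # 'ip domain-name'
    interfaces: Dict[str, str]               # interface -> IPv4 address
    san: List[str]                           # SAN entries in the PSN certificate
    host_aliases: Dict[str, HostAlias] = field(default_factory=dict)  # ip -> alias


def apply_ip_host(psn: Psn, line: str) -> None:
    """Apply one 'ip host IP_address host-alias [FQDN-string]' CLI line to the model."""
    tokens = line.split()
    if tokens[:2] != ["ip", "host"] or len(tokens) not in (4, 5):
        raise ValueError(f"not an 'ip host' line: {line!r}")
    psn.host_aliases[tokens[2]] = HostAlias(tokens[3], tokens[4] if len(tokens) == 5 else None)


def redirect_host(psn: Psn, interface: str) -> str:
    """Host that replaces 'ip' in the template for this interface."""
    ip = psn.interfaces[interface]
    if interface == "eth0":
        return psn.node_fqdn
    mapping = psn.host_aliases.get(ip)
    if mapping is None:
        return ip                                   # unmapped non-eth0: raw IP in the URL
    return mapping.fqdn or f"{mapping.alias}.{psn.domain}"


def build_redirect(psn: Psn, interface: str, session_id: str, port: int = 8443) -> str:
    """Expand the av-pair template the way ISE does for this interface."""
    host = redirect_host(psn, interface)
    return TEMPLATE.replace("ip:port", f"{host}:{port}").replace("SessionIdValue", session_id)


def san_covers(san: List[str], host: str) -> bool:
    """True if host is a SAN entry or matched by a single-label wildcard entry."""
    for entry in san:
        if entry == host:
            return True
        if entry.startswith("*.") and host.endswith(entry[1:]) and host.count(".") == entry.count("."):
            return True
    return False


def audit(psn: Psn, session_id: str) -> Dict[str, dict]:
    """For every interface: the URL the client would be sent to, and whether the
    host in it is covered by the certificate (an IP in the URL never is here)."""
    return {
        iface: {"url": build_redirect(psn, iface, session_id),
                "san_ok": san_covers(psn.san, redirect_host(psn, iface))}
        for iface in psn.interfaces
    }


# Constructed PSN: eth1 alias only, eth2 alias + FQDN, eth3 unmapped.
PSN = Psn(
    node_fqdn="ise-psn1.example.net",
    domain="example.net",
    interfaces={"eth0": "192.0.2.10", "eth1": "198.51.100.10",
                "eth2": "203.0.113.10", "eth3": "192.0.2.50"},
    san=["ise-psn1.example.net", "*.example.net"],
)
apply_ip_host(PSN, "ip host 198.51.100.10 guest")
apply_ip_host(PSN, "ip host 203.0.113.10 byod byod.partner.example")

if __name__ == "__main__":
    for iface, result in audit(PSN, "0102030400000005ABCDEF01").items():
        print(iface, result)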

  • ISE Web Authentication with Profile

       Hi,
       I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
       Cisco ISE doesn't find the endpoint in my internal endpoint store and continues with Web Authentication.
       But when I enable the PSN with the Profile Server, Cisco ISE populates the internal endpoint store dynamically and I cannot use
       Web Authentication because the endpoint is already in the internal endpoint store.
       What's the best way to solve this problem?
       Thanks in advance
       Andre Gustavo Lomonaco

        Hi Neno, let me clarify my question.
        I'm already using my internal endpoints to authenticate my IP phones, access points and printers via MAB. I'm using Profile to be able to populate this ISE internal database.
        Now imagine that I want to use Web Authentication to authenticate guest workstations without 802.1X. If the profiler puts the guest workstation MAC in the endpoints database, those workstations will always be authenticated using MAC authentication and not Web Authentication. Remember that for Web Authentication to work we need to configure the continue option if the MAC is not found in the endpoints database. But when the profiler is on, the new (guest workstation) MACs are inserted in the endpoints database before I have a chance to use Web Authentication.

  • ISE Guest Access- Redirect to URL after successful logon

    Currently, when guest users attempt to browse they get redirected to the guest portal.  After login, they get a message that they can now access the original URL.  Is there a way to automatically redirect to the URL they were trying to access, or remember the URL after they login?

    ISE guest flow :
    The user associates to the web authentication Service Set Identifier (SSID).
    The user opens the browser.
    The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
    The user authenticates on the portal.
    The guest portal redirects back to the WLC with the credentials entered.
    The WLC authenticates the guest user via RADIUS.
    The WLC redirects back to the original URL

  • Cisco ISE guest portal redirect not working after successful authentication and URL redirect.

    Hi to all,
    I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom why this isn't working.
    I have an ISE 3315 doing a captive web portal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
    Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
    Error: Resource not found.
    Resource: /guestportal/
    Does anyone have any ideas why the portal is doing this?
    Thanks
    Paul

    Hello,
    As you are not able to get the guest portal, you need to verify the following:
    1) Ensure that the two Cisco av-pairs configured on the authorization profile exactly match the example below. (Note: do not replace the "IP" with the actual Cisco ISE IP address.)
    –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
    –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
    2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command on the switch (where the session IP is the IP address passed to the client machine by the DHCP server):
    Admission feature : DOT1X
    AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
    URL Redirect ACL : ACL-WEBAUTH-REDIRECT
    URL Redirect :
    https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
    3) Ensure that the pre-posture assessment DACL enforced from the Cisco ISE authorization profile contains the following lines:
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    remark ping
    permit icmp any any
    permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
    permit tcp any host 80.0.80.2 eq www --> Provides access to internet
    permit tcp any host 80.0.80.2 eq 8443 --> This is for the guest portal port
    permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    deny ip any any
    Note: ensure that the above URL Redirect has the proper Cisco ISE FQDN.
    4) Ensure that the ACL named "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny ip any host 80.0.80.2
    permit ip any any
    5) Ensure that the HTTP and HTTPS servers are running on the switch:
    ip http server
    ip http secure-server
    6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
    7) Ensure that the client machine browser is not configured to use any proxies.
    8) Verify connectivity between the client machine and the Cisco ISE IP address.
    9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
    10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
    11) Or you need to re-image again.

  • Guest Anchor - Web Passthrough - Apple device web redirect issue

    Hi All,
    I've set up a Guest Mobility Anchor in the DMZ with a 5508 WLC. I've set up the EoIP mobility tunnel and everything works so far.
    Now, I was testing multiple clients connecting to the Guest SSID and observed that Apple devices are not redirecting the URL, resulting in an unsuccessful connection.
    I looked at the Cisco docs and added the command "config network web-auth captive-bypass enable" on the Anchor as recommended.
    Even after executing the command, I'm still facing the web redirect issue with Apple devices. I don't have any issues with other devices, except Apple.
    My controller is running code AirOS 7.6.130.0. I'm using the DMZ controller as the DHCP server for guests and public DNS servers 8.8.8.8 & 8.8.4.4.
    How do I solve this web redirect issue? Will a third-party generated CSR solve the problem?
    Thanks,
    CJ

    Hi All,
    The issue was with WISPr Protocol with iOS Clients. After upgrading the AirOS Code on the controller to 8.0.100.0; the issue with Web Redirect is resolved.
    Jagan

  • Web auth with internal web page of WLC and ISE as RADIUS server

    Hi All,
    We have created an SSID as web auth with the internal web page for login. In the advanced tab we configured the AAA server. AD is integrated with ISE.
    When the user tries to connect, he gets the redirect URL. But during the authentication we get an error in ISE:
    "ise has problems communicating with active directory using its machine credentials" and the authentication fails.
    When we have the L2 security mechanism enabled with PEAP, ISE is able to read AD and provides authentication.
    Only for L3 web auth it is not happening.
    Any clue on this?
    Thanks,
    Regards,
    Vijay.

    Machine credentials require a lookup on the computer OU and that has to be defined on the client side.
    Thanks,
    Scott

  • Web-redirect to external RADIUS not working on some browsers for Guest SSID

    Hi,
    We are using a Cisco 5760 with 3.7, and the guest SSID doesn't perform web-redirect to the external RADIUS (Cisco NAC appliance) for some browsers, although the same works on Cisco 5508 and 4402 WLCs with the same NAC appliance for all browsers.
    Working browsers: IE 9.0 and IE 11.0
    Non-working: Chrome all versions, Firefox all versions, Safari all versions.
    Can anyone provide some help if they have seen this issue before?

    You need to check the compatibility guide of Cisco WLC and check if those browsers are supported or not.

  • ISE-Guest Portal Redirection

    Dears
    I have configured everything right for the guest login and everything is going the way I want except one thing: the switch doesn't force the guest to be redirected to the ISE login page. However the output of the command below looks perfect, and when I copy the URL manually it works. So how can I make it automatic?
    ISE-SWITCH#sh authen se int f0/12
                Interface:  FastEthernet0/12
              MAC Address:  c80a.a96a.47b1
               IP Address:  Unknown
                User-Name:  C8-0A-A9-6A-47-B1
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
                  ACS ACL:  xACSACLx-IP-CENTRAL_WEB_AUTH-50683952
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://EG1SHQ06.HEIWAY.NET:8443/guestportal/gateway?sessionId=0A8B080600000005001ECF63&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A8B080600000005001ECF63
          Acct Session ID:  0x00000007
                   Handle:  0xD9000005
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    ISE-SWITCH#sh ip access-l
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny ip any host 10.139.8.216
        11 permit tcp any any eq www
        12 permit tcp any any eq 443
    Extended IP access list Auth-Default-ACL-OPEN
        10 permit ip any any (314 matches)
    Extended IP access list xACSACLx-IP-CENTRAL_WEB_AUTH-50683952 (per-user)
        10 permit udp any any eq domain
        20 permit icmp any any
        30 permit tcp any any eq www
        40 permit tcp any any eq 443
        50 permit tcp any host 10.139.8.216 eq 8443

    I made these changes and even upgraded the switch IOS to 12.2(58)SE2, but no luck.
    Any other ideas?
    ISE-SWITCH#sh ip access-l
    Extended IP access list ACL-DEFAULT
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit icmp any any
        40 permit udp any any eq tftp
        50 permit tcp any host 10.139.8.216 eq www
        60 permit tcp any host 10.139.8.216 eq 443
        70 permit tcp any host 10.139.8.216 eq 8443
        80 permit tcp any host 10.139.8.216 eq 8905
        90 permit udp any host 10.139.8.216 eq 8905
        100 permit udp any host 10.139.8.216 eq 8906
        110 permit tcp any host 10.139.8.216 eq 8080
        120 permit udp any host 10.139.8.216 eq 9996
        130 deny ip any any log
    Extended IP access list ACL-POSTURE-REDIRECT
        10 deny udp any any eq domain
        20 deny udp any host 10.139.8.216 eq 8905
        30 deny udp any host 10.139.8.216 eq 8906
        40 deny tcp any host 10.139.8.216 eq 8443
        50 deny tcp any host 10.139.8.216 eq 8905
        60 deny tcp any host 10.1.252.21 eq www
        70 permit ip any any
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny ip any host 10.139.8.216
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
    Extended IP access list Auth-Default-ACL-OPEN
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit icmp any any
        40 permit udp any any eq tftp
        50 permit tcp any host 10.139.8.216 eq www
        60 permit tcp any host 10.139.8.216 eq 443
        70 permit tcp any host 10.139.8.216 eq 8443
        80 permit tcp any host 10.139.8.216 eq 8905
        90 permit udp any host 10.139.8.216 eq 8905
        100 permit udp any host 10.139.8.216 eq 8906
        110 permit tcp any host 10.139.8.216 eq 8080
        120 permit udp any host 10.139.8.216 eq 9996
        130 deny ip any any
    Extended IP access list xACSACLx-IP-CENTRAL_WEB_AUTH-50683952 (per-user)
        10 permit udp any any eq domain
        20 permit icmp any any
        30 permit tcp any any eq www
        40 permit tcp any any eq 443
        50 permit tcp any host 10.139.8.216 eq 8443
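    The ACL checks in the answer to the guest-portal-redirect post above (steps 3 and 4) and the ACLs shown in this post are also the part of the opening question (redirect dying when the secondary ISE takes over) that is easiest to get wrong: every PSN that can hand out the redirect must be exempted in the redirect ACL and reachable through the DACL, not just the one that was primary when the ACLs were written. The Python below is an added example, not code from the thread or from Cisco. It parses the subset of IOS extended-ACL syntax used in these posts (running-config and show output, 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD', optional 'eq PORT'), evaluates flows the way IOS does (first match wins, implicit deny), and reports per PSN whether its web ports are exempt from redirection and whether the DACL permits the portal port and DNS. The ACL text, client address and PSN addresses (192.0.2.10 primary, 192.0.2.11 secondary, with the secondary deliberately missing from the redirect ACL) are constructed.

```python
"""Check that the switch-side redirect ACL and pre-auth DACL cover every PSN.

Added example, not code from the thread or from Cisco. Parses the subset of
IOS extended-ACL syntax seen in the posts and evaluates flows as IOS does:
first match wins, implicit deny. ACL text and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69}


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}")   # IOS wildcard == hostmask


def _port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq PORT' qualifier (numeric or IOS port name)."""
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None


def parse_acls(text: str) -> Dict[str, List[Entry]]:
    """Parse 'ip access-list extended NAME' config or 'Extended IP access list NAME'
    show output into {name: [Entry, ...]}. Remarks and sequence numbers are skipped."""
    acls: Dict[str, List[Entry]] = {}
    current: Optional[List[Entry]] = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tokens[3], [])
            continue
        if tokens[:4] == ["Extended", "IP", "access", "list"]:
            current = acls.setdefault(tokens[4], [])
            continue
        if tokens[0].isdigit():            # sequence number in show output
            tokens = tokens[1:]
        if current is None or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)      # trailing 'log' / match counts ignored
        current.append(Entry(action, proto, src, sport, dst, dport))
    return acls


def evaluate(entries: List[Entry], flow: Flow) -> str:
    """First matching entry decides; no match means the implicit 'deny'."""
    src, dst = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for e in entries:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.src_port is not None and e.src_port != flow.sport:
            continue
        if e.dst_port is not None and e.dst_port != flow.dport:
            continue
        return e.action
    return "deny"


def check_psn_coverage(acls, redirect_acl, dacl, psns, client="10.139.9.50"):
    """Per PSN: are its web ports exempt from the redirect ACL (on IOS 'permit' there
    means *redirect*, so the PSN must be denied), and does the DACL let the client
    reach the portal port and DNS?"""
    report = {}
    for psn in psns:
        web = [Flow("tcp", client, psn, p) for p in (80, 443)]
        report[psn] = {
            "redirect_exempt": all(evaluate(acls[redirect_acl], f) == "deny" for f in web),
            "dacl_allows_8443": evaluate(acls[dacl], Flow("tcp", client, psn, 8443)) == "permit",
            "dacl_allows_dns": evaluate(acls[dacl], Flow("udp", client, "192.0.2.53", 53)) == "permit",
        }
    return report


# Constructed ACLs: the secondary PSN was never added to the redirect ACL.
SAMPLE_ACLS = """\
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended DACL-CWA
 remark Allow DHCP and DNS before the client is authenticated
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit icmp any any
 permit tcp any host 192.0.2.10 eq 8443
 permit tcp any host 192.0.2.11 eq 8443
 deny ip any any
"""
PSNS = ["192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    for psn, result in check_psn_coverage(parse_acls(SAMPLE_ACLS), "ACL-WEBAUTH-REDIRECT",
                                          "DACL-CWA", PSNS).items():
        print(psn, result)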

  • Https redirect on wifi ise guest

    Hi
    We have a problem with HTTPS redirect on ISE wifi guest. If we connect as a guest PC, I log in and can access the internet using HTTP, but the problem is if we use HTTPS. Can you help me resolve this issue?
    Regards

    The ISE TrustSec guide #30, page 46, states:
    For traffic initiated by the client, Cisco Wireless LAN Controllers support redirection of HTTP traffic only. Redirection of HTTPS traffic is not supported. The traffic redirected to ISE is always HTTPS.

  • Weblogic 10.0 web application with CLIENT-CERT suddenly redirects with 401

    Hi everybody,
    We currently have a Weblogic Portal 10.2 web application with integrated Windows authentication.
    I configured a Negotiate Identity Asserter and an Active Directory provider.
    I configured Kerberos services, so we successfully access our application through the Windows session.
    But most of the time we get 401 errors on any page when navigating. In fact, the error occurs when clicking on a link while a page is not fully loaded.
    For our tests, we use the security webapp provided by BEA/Oracle, and it just works.
    The web.xml used in our webapp:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>sso</web-resource-name>
        <description>Desc</description>
        <url-pattern>/appmanager/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>desc</description>
        <role-name>ssoRole</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name/>
    </login-config>
    <security-role>
      <description>Authenticated user</description>
      <role-name>ssoRole</role-name>
    </security-role>

    Which version of the web server are you using here? 6.1 or 7.0? If it is 6.1 then there is no easy <If> syntax. If you are using 7.0, then you need to be aware that the processing of 'ppath' is slightly different in 7.0.
    In any case, this would be the syntax:
    <Object name="weblogic" ppath="/hw/">
    Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
    # gateway timeout - back end web logic not responding handle differently
    <If code='504'>
    # send it to a different post..
    Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
    </If>
    </Object>
    - sriram

  • Web Redirect is not working

    Hello,
    We configured web authentication on a WLC 5508 with ISE for the guest traffic. When a client tries to connect it redirects to a different URL. That is, the specified URL (the default redirection page of ISE) is 'https://<ISE IP>:8443/guestportal/portal.jsp', but the client is getting redirected to
    'https://<ISE>:8443/guestportal/login.action?switch_url=https://<virtual IP>/login.html&wlan...', and finally I get a "page cannot be displayed" error message.
    Why does it happen? Any quick help would be really appreciated.
    Moreover I have doubts on the below points.
    1) Should both the anchor and the foreign controllers be configured for web auth security, or only the anchor?
    2) With external web redirection, does the client have to get the DNS-resolved entry for the specified URL, or does the WLC know to take it to the external web page?
    3) Does any special configuration have to be done on ISE?
    Thanks for your time
    KVS

    Hello,
    How to Make an External (Local) Web Authentication Work with an External Page
    As already briefly explained, the utilization of an external WebAuth server is just an external repository for the login page. The user credentials are still authenticated by the WLC. The external web server only allows you to use a special or different login page. Here are the steps performed for an external WebAuth:
    The client (end user) opens a web browser and enters a URL.
    If the client is not authenticated and external web authentication is used, the WLC redirects the user to the external web server URL. In other words, the WLC sends an HTTP redirect to the client with the website's spoofed IP address and points to the external server IP address. The external web authentication login URL is appended with parameters such as the AP_Mac_Address, the client_url (www.website.com), and the action_URL that the customer needs to contact the switch web server.
    The external web server URL sends the user to a login page. Then the user can use a pre-authentication access control list (ACL) in order to access the server. The ACL is only needed for the Wireless LAN Controller 2000 series.
    The login page takes the user credentials input and sends the request back to the action_URL, such as http://1.1.1.1/login.html, of the WLC web server. This is provided as an input parameter to the customer redirect URL, where 1.1.1.1 is the virtual interface address on the switch.
    The WLC web server submits the username and password for authentication.
    The WLC initiates the RADIUS server request or uses the local database on the WLC, and then authenticates the user.
    If authentication is successful, the WLC web server either forwards the user to the configured redirect URL or to the URL the client entered.
    If authentication fails, then the WLC web server redirects the user back to the customer login URL.
    Note: If the access points (APs) are in FlexConnect mode, a preauth ACL is irrelevant. Flex ACLs can be used to allow access to the web server for clients that have not been authenticated.
    For more details, please refer to the following:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080bf7d89.shtml#redirect
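    In the flow described in the answer above, the external login page receives the WLC's parameters in the query string and posts the guest's credentials back to the action_URL on the WLC virtual interface. A page that uses those parameters unchecked can be made to post credentials to whatever host a crafted link names, or to send the user to a non-HTTP target after login. The Python below is an added example, not code from the thread or from Cisco, showing the validation such a page should do before rendering the form. Parameter names follow the posts above (switch_url, wlan, client_url, AP_Mac_Address); the exact names vary by WLC release, so treat them as assumptions. The virtual-interface address 1.1.1.1 and every URL in the block are constructed.

```python
"""Validate the query parameters a WLC appends when it redirects a client to an
external web-auth login page, before the page renders its login form.

Added example, not code from the thread or from Cisco. Parameter names are
taken from the posts and are assumptions; all URLs here are constructed.
"""
from typing import Dict, FrozenSet
from urllib.parse import parse_qs, urlsplit

# Only the WLC virtual interface may receive the credentials the login form posts.
WLC_VIRTUAL_HOSTS: FrozenSet[str] = frozenset({"1.1.1.1"})


class BadRedirect(ValueError):
    """Raised when the redirect carries parameters the login page must not trust."""


def parse_wlc_redirect(url: str, allowed_hosts: FrozenSet[str] = WLC_VIRTUAL_HOSTS) -> Dict[str, str]:
    """Return the validated parameters. Rejects a switch_url that is not on the WLC
    virtual interface (a forged link could make the form post guest credentials
    elsewhere) and a client_url that is not an absolute http(s) URL (no javascript:
    or data: targets for the post-login redirect)."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    switch_url = query.get("switch_url", "")
    sp = urlsplit(switch_url)
    if sp.scheme not in ("http", "https") or sp.hostname not in allowed_hosts:
        raise BadRedirect(f"switch_url does not point at the WLC virtual interface: {switch_url!r}")
    client_url = query.get("client_url", "")
    if client_url:
        cp = urlsplit(client_url)
        if cp.scheme not in ("http", "https") or not cp.netloc:
            raise BadRedirect(f"client_url is not an absolute http(s) URL: {client_url!r}")
    return {
        "switch_url": switch_url,               # form action for the login page
        "wlan": query.get("wlan", ""),
        "client_url": client_url,               # where the WLC sends the user after login
        "ap_mac": query.get("AP_Mac_Address", ""),
    }


def is_safe_wlc_redirect(url: str) -> bool:
    """Boolean form of parse_wlc_redirect for quick checks."""
    try:
        parse_wlc_redirect(url)
        return True
    except BadRedirect:
        return False


# Constructed redirects: one as a WLC would send it, two as an attacker might craft.
GOOD = ("https://portal.example.net/login.html?switch_url=https://1.1.1.1/login.html"
        "&wlan=Guest&client_url=http://www.example.com/&AP_Mac_Address=00:11:22:33:44:55")
FORGED_SWITCH = ("https://portal.example.net/login.html?switch_url=https://203.0.113.9/login.html"
                 "&wlan=Guest&client_url=http://www.example.com/")
BAD_CLIENT_URL = ("https://portal.example.net/login.html?switch_url=https://1.1.1.1/login.html"
                  "&wlan=Guest&client_url=javascript:alert(1)")

if __name__ == "__main__":
    print(parse_wlc_redirect(GOOD))
    print(is_safe_wlc_redirect(FORGED_SWITCH), is_safe_wlc_redirect(BAD_CLIENT_URL))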

  • Problem with redundancy in CSS 11051

    I have a problem with redundancy in CSS 11051. I use firewall load balancing and server load balancing. Load balancers which only load balance over 3 firewalls switch from primary to master with no problems.
    The problem is with load balancers which load balance over firewalls and over servers too. When the master is shut down, the backup takes over the master function and all services on the backup LB are alive, but it is not possible to display the web page on address 10.10.7.16, even if I try from the network 10.10.7.0/24, i.e. before the firewalls. Below is my config. Any help appreciated.
    ===primary LB=====
    !Generated on 10/30/2002 10:42:53
    !Active version: ap0500002
    configure
    !*************************** GLOBAL ***************************
    ip redundancy master
    no console authentication
    restrict ftp
    app
    app session 10.10.60.13
    ip firewall 1 10.10.7.1 10.10.8.1 10.10.8.10
    ip firewall 2 10.10.7.2 10.10.8.2 10.10.8.10
    ip firewall 3 10.10.7.3 10.10.8.3 10.10.8.10
    ip route 0.0.0.0 0.0.0.0 firewall 1 1
    ip route 0.0.0.0 0.0.0.0 firewall 2 1
    ip route 0.0.0.0 0.0.0.0 firewall 3 1
    ip route 10.10.1.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.2.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.12.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.14.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.22.0 255.255.255.0 10.10.3.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    bridge vlan 62
    interface e2
    phy 100Mbits-FD
    bridge vlan 7
    interface e3
    bridge vlan 3
    interface e4
    phy 100Mbits-FD
    bridge vlan 7
    interface e5
    phy 100Mbits-FD
    interface e6
    phy 100Mbits-FD
    bridge vlan 6
    interface e7
    phy 100Mbits-FD
    interface e8
    phy 100Mbits-FD
    bridge vlan 6
    !************************** CIRCUIT **************************
    circuit VLAN62
    ip address 10.10.60.14 255.255.255.252
    redundancy-protocol
    circuit VLAN7
    redundancy
    ip address 10.10.7.10 255.255.255.0
    circuit VLAN3
    redundancy
    ip address 10.10.3.10 255.255.255.0
    no redirects
    circuit VLAN6
    redundancy
    ip address 10.10.6.10 255.255.255.0
    !************************** SERVICE **************************
    service cc1
    ip address 10.10.3.129
    keepalive type tcp
    keepalive port 443
    service cc2
    ip address 10.10.3.130
    keepalive type tcp
    keepalive port 443
    active
    service ssl1
    ip address 10.10.6.131
    keepalive port 443
    keepalive type tcp
    active
    service ssl3
    ip address 10.10.6.133
    keepalive port 443
    keepalive type tcp
    active
    service ssl4
    ip address 10.10.6.141
    keepalive type tcp
    keepalive port 443
    active
    service ssl6
    ip address 10.10.6.143
    keepalive port 443
    keepalive type tcp
    active
    service www1
    ip address 10.10.6.101
    keepalive type tcp
    keepalive port 443
    weight 2
    active
    service www3
    ip address 10.10.6.103
    keepalive type tcp
    keepalive port 443
    active
    service www4
    ip address 10.10.6.121
    keepalive port 443
    keepalive type tcp
    active
    service www6
    ip address 10.10.6.123
    keepalive type tcp
    keepalive port 443
    active
    !*************************** OWNER ***************************
    owner L5_Owner
    content L5_Rule
    vip address 10.10.7.6
    application ssl
    protocol tcp
    port 443
    url "/*"
    add service www1
    add service www3
    add service www4
    advanced-balance sticky-srcip
    add service www6
    balance weightedrr
    active
    content L5_Rule_CC
    vip address 10.10.3.120
    advanced-balance sticky-srcip
    add service cc1
    add service cc2
    active
    content L5_Rule_SSL
    vip address 10.10.7.16
    application ssl
    protocol tcp
    port 443
    url "/*"
    add service ssl1
    add service ssl3
    add service ssl4
    advanced-balance sticky-srcip
    add service ssl6
    active
    !*************************** GROUP ***************************
    group CC
    vip address 10.10.3.120
    add destination service cc1
    add destination service cc2
    active
    ======
    ===backup LB=====
    !Generated on 10/29/2002 20:47:30
    !Active version: ap0503015
    configure
    !*************************** GLOBAL ***************************
    ip redundancy
    console authentication primary none
    restrict ftp
    app
    app session 10.10.60.14
    ip firewall 1 10.10.7.1 10.10.8.1 10.10.8.10
    ip firewall 2 10.10.7.2 10.10.8.2 10.10.8.10
    ip firewall 3 10.10.7.3 10.10.8.3 10.10.8.10
    ip route 0.0.0.0 0.0.0.0 firewall 1 1
    ip route 0.0.0.0 0.0.0.0 firewall 2 1
    ip route 0.0.0.0 0.0.0.0 firewall 3 1
    ip route 10.10.1.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.2.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.12.0 255.255.255.0 10.10.3.1 1
    ip route 10.10.14.0 255.255.255.0 10.10.3.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    bridge vlan 62
    interface e2
    phy 100Mbits-FD
    bridge vlan 7
    interface e3
    phy 100Mbits-FD
    bridge vlan 3
    interface e4
    phy 100Mbits-FD
    bridge vlan 7
    interface e5
    phy 100Mbits-FD
    interface e6
    phy 100Mbits-FD
    bridge vlan 6
    interface e7
    phy 100Mbits-FD
    interface e8
    phy 100Mbits-FD
    bridge vlan 6
    !************************** CIRCUIT **************************
    circuit VLAN62
    ip address 10.10.60.13 255.255.255.252
    redundancy-protocol
    circuit VLAN7
    redundancy
    ip address 10.10.7.10 255.255.255.0
    circuit VLAN3
    redundancy
    ip address 10.10.3.10 255.255.255.0
    no redirects
    circuit VLAN6
    redundancy
    ip address 10.10.6.10 255.255.255.0
    !************************** SERVICE **************************
    service cc1
    ip address 10.10.3.129
    active
    service cc2
    ip address 10.10.3.130
    active
    service ssl1
    ip address 10.10.6.131
    keepalive port 443
    keepalive type tcp
    active
    service ssl3
    ip address 10.10.6.133
    keepalive port 443
    keepalive type tcp
    active
    service ssl4
    ip address 10.10.6.141
    keepalive type tcp
    keepalive port 443
    active
    service ssl6
    ip address 10.10.6.143
    keepalive port 443
    keepalive type tcp
    active
    service www1
    ip address 10.10.6.101
    keepalive type tcp
    keepalive port 443
    weight 2
    active
    service www3
    ip address 10.10.6.103
    keepalive type tcp
    keepalive port 443
    active
    service www4
    ip address 10.10.6.121
    keepalive port 443
    keepalive type tcp
    active
    service www6
    ip address 10.10.6.123
    keepalive type tcp
    keepalive port 443
    active
    !*************************** OWNER ***************************
    owner L5_Owner
    content L5_Rule
    vip address 10.10.7.6
    protocol tcp
    port 443
    url "/*"
    add service www1
    add service www3
    add service www4
    advanced-balance sticky-srcip
    add service www6
    balance weightedrr
    active
    content L5_Rule_CC
    vip address 10.10.3.120
    advanced-balance sticky-srcip
    add service cc1
    add service cc2
    active
    content L5_Rule_SSL
    vip address 10.10.7.16
    protocol tcp
    port 443
    url "/*"
    add service ssl1
    add service ssl3
    add service ssl4
    advanced-balance sticky-srcip
    add service ssl6
    active
    !*************************** GROUP ***************************
    group CC
    vip address 10.10.3.120
    add destination service cc1
    add destination service cc2
    active
    =======

    Please visit the following page where you can find many configuration examples on configuring CSS for load balancing.
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_configuration_examples_list.html
    Hope it helps.

  • Not Working-central web-authentication with a switch and Identity Service Engine

    Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, I'm asking for your help...
    I'm using ISE version 1.0.4.573 and a WS-C2960-24PC-L with software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
    The interface configuration looks like this:
    interface FastEthernet0/24
    switchport access vlan 6
    switchport mode access
    switchport voice vlan 20
    ip access-group webauth in
    authentication event fail action next-method
    authentication event server dead action authorize
    authentication event server alive action reinitialize
    authentication order mab
    authentication priority mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    spanning-tree portfast
    end
    The ACL's
    Extended IP access list webauth
        10 permit ip any any
    Extended IP access list redirect
        10 deny ip any host 172.22.2.38
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
    The ISE side configuration I follow it step by step...
    When I connect the XP client, I see the following authentication session...
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
               Interface:  FastEthernet0/24
              MAC Address:  0015.c549.5c99
               IP Address:  172.22.3.184
                User-Name:  00-15-C5-49-5C-99
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC16011F000000490AC1A9E2
          Acct Session ID:  0x00000077
                   Handle:  0xB7000049
    Runnable methods list:
           Method   State
           mab      Authc Success
    But there is no redirection, and I get the following message on the switch console:
    756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
    756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    I have to mention I'm using an http proxy on port 8080...
    Any Ideas on what is going wrong?
    Regards
    Nuno

    OK, so I upgraded the IOS to version
    SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
    I tweaked the ACLs to the following:
    Extended IP access list redirect
        10 permit ip any any (13 matches)
    and created a DACL that is downloaded along with the authentication
    Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
        10 permit ip any any
    I can see the epm session
    swlx0x0x#show epm session ip 172.22.3.74
         Admission feature:  DOT1X
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
    And authentication
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
         Interface:  FastEthernet0/24
         MAC Address:  0015.c549.5c99
         IP Address:  172.22.3.74
         User-Name:  00-15-C5-49-5C-99
         Status:  Authz Success
         Domain:  DATA
         Oper host mode:  multi-auth
         Oper control dir:  both
         Authorized By:  Authentication Server
         Vlan Group:  N/A
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
         Session timeout:  N/A
         Idle timeout:  N/A
         Common Session ID:  AC16011F000000160042BD98
         Acct Session ID:  0x0000001B
         Handle:  0x90000016
         Runnable methods list:
         Method   State
         mab      Authc Success
    on the logging, I get the following messages...
    017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
    017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
    017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
    017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
    017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
    017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
    What am I missing?
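
    An added example, not from the thread and not Cisco code: a checker that walks an IOS URL-redirect ACL the way the switch's redirect engine does, so the two ACL variants shown above can be compared against concrete client flows, including the proxy-on-8080 case. It assumes (and says so inline) that a "permit" match sends the packet to the redirect engine while a "deny" or no match exempts it, and that the engine only rewrites TCP 80/443 (ip http server / ip http secure-server), logging anything else it is handed as "Not an HTTP(s) packet". The ACL text is copied from the posts; 172.22.2.38 and 172.22.3.184 come from them, the proxy, web server and DNS addresses are constructed.

```python
"""Decide which client flows an IOS web-auth URL-redirect ACL will intercept.

Assumptions (this is an added example, not the switch's own logic):
  * 'permit' in the URL-redirect ACL hands the packet to the redirect engine;
    'deny' or no match (implicit deny) leaves it alone.
  * The redirect engine only rewrites TCP 80/443; anything else it receives
    shows up in 'debug epm redirect' as "Not an HTTP(s) packet".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}
REDIRECTABLE_PORTS = {80, 443}   # assumption: ports the switch intercept listens on


@dataclass
class Ace:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol, else tcp/udp/icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None when the entry has no "eq <port>"


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


_HEADER = re.compile(r"^\s*Extended IP access list (\S+)")
_ACE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?")


def _to_network(spec: str) -> ipaddress.IPv4Network:
    """'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>' -> IPv4Network."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    # Cisco wildcard -> netmask by inversion; non-contiguous wildcards raise ValueError
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_show_access_lists(text: str) -> Dict[str, List[Ace]]:
    """Parse 'show ip access-lists' style output into {acl_name: [Ace, ...]}."""
    acls: Dict[str, List[Ace]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        m = _ACE.match(line)
        if m and current is not None:
            port = m.group("port")
            dport = None if port is None else PORT_NAMES.get(port) or int(port)
            acls[current].append(Ace(
                seq=int(m.group("seq")), action=m.group("action"),
                proto=m.group("proto"), src=_to_network(m.group("src")),
                dst=_to_network(m.group("dst")), dport=dport))
    return acls


def _matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.IPv4Address(flow.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(flow.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == flow.dport


def redirect_decision(acl: List[Ace], flow: Flow) -> str:
    """First-match walk of the URL-redirect ACL for one flow."""
    for ace in acl:
        if not _matches(ace, flow):
            continue
        if ace.action == "deny":
            return f"exempt: deny seq {ace.seq}"
        if flow.proto == "tcp" and flow.dport in REDIRECTABLE_PORTS:
            return f"redirect: permit seq {ace.seq}"
        return (f"not redirected: permit seq {ace.seq} matched "
                f"but port {flow.dport} is not HTTP(s)")
    return "not redirected: no match (implicit deny)"


# ACL text copied from the two posts above.
FIRST_ATTEMPT = """\
Extended IP access list redirect
    10 deny ip any host 172.22.2.38
    20 permit tcp any any eq www
    30 permit tcp any any eq 443
"""
SECOND_ATTEMPT = """\
Extended IP access list redirect
    10 permit ip any any (13 matches)
"""
ISE, CLIENT = "172.22.2.38", "172.22.3.184"         # from the posts
PROXY, WEB, DNS = "10.0.0.5", "93.184.216.34", "172.22.2.1"   # constructed
SAMPLE_FLOWS = [
    Flow("tcp", CLIENT, ISE, 8443),    # the portal itself: must stay exempt
    Flow("tcp", CLIENT, WEB, 80),      # browser going direct
    Flow("tcp", CLIENT, PROXY, 8080),  # browser configured with the 8080 proxy
    Flow("udp", CLIENT, DNS, 53),      # background traffic
]

if __name__ == "__main__":
    for label, text in (("first attempt", FIRST_ATTEMPT), ("permit ip any any", SECOND_ATTEMPT)):
        acl = parse_show_access_lists(text)["redirect"]
        print(f"== redirect ACL: {label}")
        for flow in SAMPLE_FLOWS:
            print(f"  {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}: "
                  f"{redirect_decision(acl, flow)}")
```

    Running it shows why the second ACL produces the "matched with [acl=redirect]" followed by "Not an HTTP(s) packet" pair for every non-HTTP packet: "permit ip any any" sends all of the client's traffic to the redirect engine, which then drops everything that is not TCP 80/443 back on the wire. It also shows that a browser sending its requests to a proxy on 8080 never hits a port the engine rewrites under either ACL, so that client will not be redirected while the proxy setting is in place.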

  • Guest Splash Page with Cisco WLCs Help

    Hi,
    I need some guidance using Web Authentication / Web Pass-through to create a mandatory splash page that is presented to users of our guest WLAN.  Currently our guest WLAN is wide open: users connect and go straight through to get Internet Access. Here's what we'd like to accomplish.
    1. Have the page hosted on an external web server (i.e not on the controller)
    2. Present Terms of service
    3.
     a. Present an optional field to enter an email address & date of birth (DOB) to opt in for marketing purposes
            OR
     b. Present a mandatory field to enter an email address with an optional check box and DOB to opt in for marketing (the idea behind option b is that whether they opt in for marketing or not, we could still somehow use the email as a username, but not require a password, in the hopes of then using this as a unique identifier in the WLC for troubleshooting / reporting purposes)
    4. At the very end, have an "I Agree" button
    5. Redirect to our company's public facing website
    Our controllers are 5508s, running 7.4.121.0.  I more or less have an idea of how to accomplish this, but I've never used Web Auth / Web Passthrough with a Cisco Controller before, so I'm hoping someone can clear up a few things for me.
    1. Am I correct that, when using an External server to host the login.html page, we must use Web Authentication, since Web Pass-through is only an option when using an Internal Page? Web Pass-through seems ideal for us, since we don't care about credentials, but from what I'm reading, it seems restricted to Internal (on the Controller) deployments only.
    Based on these
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#passthrough
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116879-configure-wlc-00.html
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107474-web-pass-config.html
    2. If Web Pass-through is not an option when using an External deployment, is there any way we could use an email address as a username, but not require a password?  If not, is hiding the username/password fields in the html code of the splash page, and using a single pre-configured default username / password the only other option ? As described here: https://supportforums.cisco.com/discussion/10847046/unsecured-guest-access-customizable-splash-page-and-logo
    3. It sounds like SSL cert warnings may be an issue even if we use an External deployment, because the controller still acts as a middle man.  Is this correct, and is the best fix to install a valid 3rd party cert on the controller?
    P.S. I’m aware of the Big Brother type things that can be done with Cisco MSE and Connected Mobile Experiences, as far as guest tracking / marketing / analytics go. However, that’s way more than we’re looking to do at this point.
    Thanks in advance for any guidance you can provide!

    Hello Jonathan,
    The idea you have is fine; the only exception is the extra fields of information that you want to collect. From the WLC's perspective it is not possible to gather them.
    The example given on https://supportforums.cisco.com/discussion/10847046/unsecured-guest-access-customizable-splash-page-and-logo looks very interesting, and as long as the WLC receives the information it needs to authenticate the client, you can modify the HTML code as you want. However, as somebody stated on that post, Cisco provides the HTML example, but we do not really support the HTML content creation or modification.
    Anyway, below in answer #2 I am giving you an idea that could work (again, I'm not an HTML expert, so I don't know if it could be achieved that way); maybe you can have a better idea.
    To answer your queries:
    1) The customized web-passthrough page can be hosted on an external Web Server.
    When the pages are on an external webserver, the passthrough is still performed on the WLC; just the pages reside on the external server. It is a good idea to be sure that the pages come up OK on the external server without webauth involved, since webauth will not work unless the external webserver works.
    2) We have examples of what HTML content a customized Web Passthrough page should include. If you add extra fields to the HTML code (like email address & date of birth), the WLC won't be able to handle this data and most probably you won't be able to gather this information from the WLC, unless you customize the web page in such a way that it sends the email address & date of birth fields to another server (rather than to the WLC) to gather this information; but in the end what matters to the WLC is to receive the click on the "Accept" button to authenticate the client.
    3) Regarding the certificate, there are two options, the cheapest and easiest is to disable HTTPS for web authentication. Then, your guests will open an HTTP web page, without having the certificate warning.
    Whether or not you perform local or external web authentication, you still hit the internal web server on the controller. When you redirect to an external web server, you still receive the certificate warning from the controller unless you have a valid certificate on the controller itself. If the redirect is sent to https, you receive the certificate warning from the controller and from the external web server, unless both have a valid certificate.
    In order to get rid of the certificate warnings altogether, you need to have a root level certificate issued and downloaded onto your controller. The certificate is issued for a host name, and you put that host name in the DNS host name box under the virtual interface on the controller. You also need to add the host name to your local DNS server and point it to the virtual IP address (1.1.1.1) of the WLC.
    This link provides information about WebAuthentication on an External Web Server, however exactly the same applies for Web Passthrough:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71881-ext-web-auth-wlc.html
    Also, you can download the WebAuthentication bundle, with the examples and some useful information about different customized web pages, it can be used as a template to build your page. Here you will see that Web Passthrough to an external server is indeed a valid option, when you download and unzip it, open the "readme.html"
    https://software.cisco.com/download/release.html?mdfid=282600534&softwareid=282791507&release=1.0.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    Hope this helps
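
    An added example, not from the thread, not Cisco's webauth bundle and not the poster's page: a small server-side renderer for the external passthrough splash page that follows the design in the answer above (the WLC only ever sees the "I Agree" click; the email/DOB fields are posted to a separate collector on the external server). It assumes the WLC redirects the guest to the external page with switch_url, ap_mac, client_mac, wlan and redirect as query parameters, and that a POST to switch_url carrying buttonClicked=4, err_flag=0 and redirect_url authenticates the client; those are the field names used by Cisco's sample login.html and are assumptions here. The landing page URL, the collector path and the DNS name guest.example.com on the virtual interface are constructed. Two checks a practitioner would want are included: the accept form is only ever posted to the controller's virtual interface over HTTPS (switch_url is client-influenced, so it is allowlisted rather than trusted), and redirect_url is pinned to the company site instead of echoing the redirect parameter, which would otherwise be an open redirect.

```python
"""External web-passthrough splash page for a Cisco WLC: parse the controller's
redirect, build the accept form, and keep marketing fields off the controller.

Added example. Assumed (from Cisco's sample login.html, not verified here):
  * WLC sends the guest to
    http://<ext-server>/login.html?switch_url=https://1.1.1.1/login.html
        &ap_mac=..&client_mac=..&wlan=..&redirect=<page the guest asked for>
  * POST to switch_url with buttonClicked=4, err_flag=0, redirect_url
    authenticates the passthrough client.
"""
from html import escape
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit

COMPANY_SITE = "https://www.example.com/"             # assumption: landing page after "I Agree"
WLC_VIRTUAL_HOSTS = {"1.1.1.1", "guest.example.com"}  # virtual IP and the DNS name on its cert
COLLECTOR_PATH = "/opt-in"                            # assumption: endpoint on the external server
MARKETING_FIELDS = ("email", "dob", "marketing_optin")


def parse_wlc_query(url: str) -> Dict[str, str]:
    """Parameters the controller appended to the external page URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def form_action(params: Dict[str, str]) -> str:
    """switch_url arrives in the query string, so it is client-influenced:
    only ever POST the accept form to the controller's virtual interface, over HTTPS."""
    switch = params.get("switch_url", "")
    parts = urlsplit(switch)
    if parts.scheme != "https" or parts.hostname not in WLC_VIRTUAL_HOSTS:
        raise ValueError(f"refusing to post the accept form to {switch!r}")
    return switch


def split_submission(form: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """The WLC only understands its own fields; the opt-in data goes elsewhere.
    redirect_url is pinned to COMPANY_SITE rather than echoing the 'redirect'
    parameter, which closes the open redirect that echoing it would create."""
    wlc = {"buttonClicked": "4", "err_flag": "0", "redirect_url": COMPANY_SITE}
    collector = {k: form[k] for k in MARKETING_FIELDS if k in form}
    return wlc, collector


def render_splash(params: Dict[str, str]) -> str:
    """HTML the external server returns. On "I Agree" the browser first POSTs the
    opt-in fields to COLLECTOR_PATH, then submits the accept form to the controller."""
    action = form_action(params)
    wlc_fields, _ = split_submission({})
    hidden = "\n".join(
        f'  <input type="hidden" name="{n}" value="{escape(v, quote=True)}">'
        for n, v in wlc_fields.items())
    return f"""<!doctype html>
<title>Guest Wi-Fi</title>
<p>Terms of service ...</p>
<form id="optin" method="post" action="{COLLECTOR_PATH}">
  <input name="email" placeholder="email (optional)">
  <input name="dob" placeholder="date of birth (optional)">
  <label><input type="checkbox" name="marketing_optin" value="1"> keep me informed</label>
</form>
<form id="wlc" method="post" action="{escape(action, quote=True)}">
{hidden}
  <button type="submit">I Agree</button>
</form>
<script>
document.getElementById("wlc").addEventListener("submit", function (ev) {{
  ev.preventDefault();
  var optin = document.getElementById("optin");
  fetch(optin.action, {{method: "POST", body: new FormData(optin), keepalive: true}})
    .catch(function () {{}})            // losing the opt-in must not block access
    .then(function () {{ ev.target.submit(); }});
}});
</script>
"""


if __name__ == "__main__":
    # Constructed redirect URL of the shape the controller produces.
    demo = ("http://splash.example.com/login.html?switch_url=https://1.1.1.1/login.html"
            "&ap_mac=00:11:22:33:44:55&client_mac=aa:bb:cc:dd:ee:ff&wlan=Guest"
            "&redirect=http://news.example.org/")
    print(render_splash(parse_wlc_query(demo)))
```

    The collector endpoint is the place to keep the email/DOB data and to log client_mac next to it if the WLC's own session records are later needed for correlation; the controller never sees those fields, which is the point of the design in the answer above.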
