Guest web redirect with redundant ISE
Dears,
I have redundant ISE configured (primary and secondary) and integrated with a Cisco WLC 5508.
I already configured an SSID for Guest Web authentication.
With the primary ISE the redirect link is working fine, but when I power off the primary ISE the redirect link stops working, even if I change the role of the secondary to primary.
Please, I need your support,
Regards,
Thank you for your reply,
- Yes, on the same node group.
- Yes, resolved correctly in DNS.
- I will recheck it, but I already created an ACL for redirect.
- Yes, both ISE nodes are defined as RADIUS authentication servers on the WLC.
Now I will check the ACL and get back to you.
Regards,
Similar Messages
Guest portal redirection with multiple PSNs
Hi All
In a distributed deployment where there is more than one PSN, how do we have a common URL for guest redirection when doing CWA (assuming no load balancer is used for the PSNs)? Usually the redirection URL would be 'https://<ise01.fqdn>/guestportal' or 'https://<ise02.fqdn>/guestportal', and we can only specify one in the WLC guest SSID?
Thanks
Fully Qualified Domain Name in URL Redirection
When Cisco ISE builds an authorization profile redirect (for central web authentication, device registration web authentication, native supplicant provisioning, mobile device management, and client provisioning and posture services), the resulting cisco-av-pair includes a string similar to the following:
url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
When processing this request, Cisco ISE substitutes actual values for some keywords in this string. For example, SessionIdValue is replaced with the actual session ID of the request. For eth0 interface, Cisco ISE replaces the IP in the URL with the FQDN of the Cisco ISE node. For non-eth0 interfaces, Cisco ISE uses the IP address in the URL. You can assign a host alias(name) for interfaces eth1 through eth3, which Cisco ISE can then substitute in place of IP address during URL redirection. To do this, you can use the ip host command in the configuration mode from the Cisco ISE CLI:
ISE/admin(config)# ip host IP_address host-alias FQDN-string
where IP_address is the IP address of the network interface (eth1 or eth2 or eth3)
host-alias is the name that you assign to the network interface
FQDN-string is the fully qualified domain name of the network interface
Using this command, you can assign a host-alias or an FQDN-string or both to a network interface.
Here is an example:
ISE/admin(config)# ip host a.b.c.d sales sales.amer.xyz.com
After you assign a host alias to the non-eth0 interface, you must restart the application services on Cisco ISE using the application start ise command.
Use the no form of this command to remove the association of the host alias with the network interface:
ISE/admin(config)# no ip host IP_address host-alias FQDN-string
Use the show running-config command to view the host alias definitions.
If you provide the FQDN-string, Cisco ISE replaces the IP address in the URL with the FQDN. If you provide only the host alias, Cisco ISE combines the host alias with the configured IP domain name to form a complete FQDN, and replaces the IP address in the URL with the FQDN. If you do not map a network interface to a host alias, then Cisco ISE uses the IP address of the network interface in the URL.
When you make use of non-eth0 interfaces for client provisioning, native supplicant or guest flows, you have to make sure that the IP address or host alias of the non-eth0 interface is also present in the Policy Service node certificate's SAN fields.
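The substitution described in the quoted guide, as an added example that is not part of the original post or of Cisco's documentation: a small model of how a Policy Service Node fills in the url-redirect av-pair. Because ISE expands the "ip" keyword with the FQDN (or alias, or address) of whichever node received the request, the WLC never needs a fixed portal URL, which is the answer to the multiple-PSN question above. The template, the keywords and the ip host semantics are those described in the text; the node name, addresses, domain, SAN list and helper names are assumptions made for the illustration.

```python
"""Added example (not from the Cisco ISE guide quoted above): how ISE expands
the url-redirect av-pair for the PSN that handled the request.  Node name,
addresses, domain and helper names are assumptions for the illustration."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Template string from the guide; 'ip', 'port' and 'SessionIdValue' are keywords.
TEMPLATE = "https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa"


@dataclass
class Psn:
    fqdn: str                                          # hostname.domain of the node (used for eth0)
    domain: str                                        # the node's 'ip domain-name'
    interfaces: dict = field(default_factory=dict)     # ifname -> IP address
    host_aliases: dict = field(default_factory=dict)   # IP -> (host-alias, FQDN-string)
    cert_sans: set = field(default_factory=set)        # SAN entries of the node certificate
    portal_port: int = 8443

    def ip_host(self, ip, host_alias=None, fqdn_string=None):
        """Models 'ip host IP_address host-alias FQDN-string' (either or both)."""
        self.host_aliases[ip] = (host_alias, fqdn_string)

    def no_ip_host(self, ip):
        """Models the 'no ip host ...' form."""
        self.host_aliases.pop(ip, None)


def redirect_host(psn, iface):
    """Host that replaces the 'ip' keyword for a request received on iface."""
    ip = psn.interfaces[iface]
    if iface == "eth0":
        return psn.fqdn                        # eth0 always gets the node FQDN
    host_alias, fqdn_string = psn.host_aliases.get(ip, (None, None))
    if fqdn_string:
        return fqdn_string                     # an explicit FQDN-string wins
    if host_alias:
        return f"{host_alias}.{psn.domain}"    # alias combined with ip domain-name
    return ip                                  # unmapped interface: raw IP address


def build_url_redirect(psn, iface, session_id, action="cwa"):
    """Expand TEMPLATE into the value carried in cisco-av-pair=url-redirect=..."""
    host = redirect_host(psn, iface)
    return (TEMPLATE.replace("ip:port", f"{host}:{psn.portal_port}")
                    .replace("SessionIdValue", session_id)
                    .replace("action=cwa", f"action={action}"))


def san_covers(psn, url):
    """True when the host the client is sent to appears in the certificate SAN.
    A raw IP or alias missing from the SAN produces a browser certificate warning."""
    return urlsplit(url).hostname in psn.cert_sans


if __name__ == "__main__":
    psn = Psn(fqdn="psn1.example.com", domain="example.com",
              interfaces={"eth0": "10.0.0.5", "eth1": "10.0.1.5"},
              cert_sans={"psn1.example.com", "guest.example.com"})
    for step in ("unmapped", "alias", "fqdn"):
        if step == "alias":
            psn.ip_host("10.0.1.5", host_alias="guest")
        elif step == "fqdn":
            psn.ip_host("10.0.1.5", host_alias="guest", fqdn_string="guest.amer.example.com")
        url = build_url_redirect(psn, "eth1", "0A000A720000A45A2444BFC2")
        print(f"{step:9} {url}  SAN ok: {san_covers(psn, url)}")
```

Run it as a script to see the three eth1 variants (raw IP, alias plus domain, explicit FQDN) and which of them the assumed certificate SAN covers; the eth0 case always yields the node FQDN regardless of host-alias configuration.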
ISE Web Authentication with Profile
Hi,
I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
Cisco ISE didn't find the endpoint in my internal endpoint store and continued with Web Authentication.
But when I enable the PSN with the Profiler service, Cisco ISE populates the internal endpoint store dynamically and I cannot use
Web Authentication because the endpoint is already in the internal endpoint store.
What's the better way to solve this problem?
Thanks in advance
Andre Gustavo Lomonaco
Hi Neno, let me clarify my question.
I'm already using my internal endpoints to authenticate my IP Phones, Access Points and Printers via MAB. I'm using Profiling to be able to populate this ISE internal database.
Now imagine that I want to use Web Authentication to authenticate guest workstations without 802.1X. If the profiler puts the guest workstation MAC in the endpoints database, those workstations will always be authenticated using MAC authentication and not Web Authentication. Remember that for Web Authentication to work we need to configure the "continue" option if the MAC is not found in the endpoints database. But when the profiler is on, the new (guest workstation) MACs are inserted in the endpoints database before I have a chance to use Web Authentication.
ISE Guest Access- Redirect to URL after successful logon
Currently, when guest users attempt to browse they get redirected to the guest portal. After login, they get a message that they can now access the original URL. Is there a way to automatically redirect to the URL they were trying to access, or remember the URL after they login?
ISE guest flow :
The user associates to the web authentication Service Set Identifier (SSID).
The user opens the browser.
The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
The user authenticates on the portal.
The guest portal redirects back to the WLC with the credentials entered.
The WLC authenticates the guest user via RADIUS.
The WLC redirects back to the original URL.
Cisco ISE guest portal redirect not working after successful authentication and URL redirect.
Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive web portal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
Paul
Hello,
As you are not able to get the guest portal, you need to verify the following:
1) Ensure that the two Cisco av-pairs configured on the authorization profile exactly match the example below. (Note: do not replace "ip" with the actual Cisco ISE IP address.)
- url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
- url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command on the switch (where the session IP is the IP address that is passed to the client machine by the DHCP server):
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
3) Ensure that the pre-posture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for the guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between the NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between the NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between the NAC agent and ISE (Swiss ports)
deny ip any any
Note: ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the HTTP and HTTPS servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Otherwise you need to re-image again.
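The ACL checks in items 3 and 4 of that list, as an added example that is not part of the original reply: a small first-match linter for the IOS access lists involved in the redirect. It parses an `ip access-list extended` body or `show ip access-lists` output and tests the two properties that break the flow most often: the redirect ACL must not send traffic destined to the PSN itself to the redirect engine (on IOS, `permit` in the redirect ACL means "redirect", `deny` means "pass untouched"), and the DACL must let DHCP, DNS and the portal port through. The ISE address 80.0.80.2 and the two sample ACLs mirror the checklist; the internet test host 203.0.113.10, the helper names and the second "wrong order" ACL are constructed for the illustration.

```python
"""Added example (not from the checklist above): first-match linter for the
redirect ACL and the DACL used with ISE central web authentication on IOS.
80.0.80.2 and the sample ACLs follow the checklist; 203.0.113.10 is a
constructed internet host and the helper names are assumptions."""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "bootpc": 68, "bootps": 67, "tftp": 69}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # ip, tcp, udp, icmp
    src: str               # "any", a host address, or "addr/wildcard"
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _addr(toks):
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return toks[1], toks[2:]
    return f"{toks[0]}/{toks[1]}", toks[2:]          # address + wildcard mask


def _port(toks):
    if toks and toks[0] == "eq":
        return PORT_NAMES.get(toks[1]) or int(toks[1]), toks[2:]
    return None, toks


def parse_ace(line):
    """One ACE; None for remarks, 'ip access-list' headers and show-output headers."""
    toks = line.split()
    if toks and toks[0].isdigit():
        toks = toks[1:]                                # strip sequence number
    if len(toks) < 4 or toks[0] not in ("permit", "deny"):
        return None
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, _ = _port(rest)                             # 'log', '(n matches)' etc. ignored
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text):
    return [a for a in map(parse_ace, text.splitlines()) if a]


def first_match(aces, proto, dst, dport):
    """Action of the first ACE matching a flow to dst:dport; None = implicit deny."""
    for a in aces:
        if a.proto in (proto, "ip") and a.dst in ("any", dst) and a.dport in (None, dport):
            return a.action
    return None


def check_redirect_acl(aces, ise_ip, portal_port=8443, internet_host="203.0.113.10"):
    """IOS redirect-ACL semantics: permit = redirect, deny = leave alone."""
    problems = []
    for port in (80, 443, portal_port):
        if first_match(aces, "tcp", ise_ip, port) == "permit":
            problems.append(f"tcp/{port} to {ise_ip} is redirected: the portal request loops")
    if first_match(aces, "tcp", internet_host, 80) != "permit":
        problems.append("HTTP to the internet is not permitted, so nothing triggers the redirect")
    return problems


def check_dacl(aces, ise_ip, portal_port=8443):
    """The per-user DACL must let these flows through for the portal to load."""
    needed = [("udp", "any", 67, "DHCP"), ("udp", "any", 53, "DNS"),
              ("tcp", ise_ip, portal_port, "guest portal")]
    return [f"{what} ({proto}/{port} to {dst}) not permitted"
            for proto, dst, port, what in needed
            if first_match(aces, proto, dst, port) != "permit"]


# Samples mirroring items 3 and 4 of the checklist above.
REDIRECT_ACL = """
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny ip any host 80.0.80.2
 permit ip any any
"""
DACL = """
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit icmp any any
permit tcp any host 80.0.80.2 eq 443
permit tcp any host 80.0.80.2 eq www
permit tcp any host 80.0.80.2 eq 8443
permit tcp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8906
deny ip any any
"""

if __name__ == "__main__":
    print("redirect ACL:", check_redirect_acl(parse_acl(REDIRECT_ACL), "80.0.80.2") or "ok")
    print("DACL:", check_dacl(parse_acl(DACL), "80.0.80.2") or "ok")
```

The ordering matters because IOS evaluates ACEs top down: a redirect ACL that lists `permit tcp any any eq 443` before `deny ip any host <ISE>` redirects the client's HTTPS request to the portal back into the redirect engine, which is the loop the linter reports. Paste the output of `show ip access-lists` into `parse_acl` to check a live switch.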
Guest Anchor - Web Passthrough - Apple device web redirect issue
Hi All,
I've setup a Guest Mobility Anchor at DMZ with 5508 WLC. I've setup the EoIP mobility tunnel and everything works so far.
Now, I was testing multiple clients connecting to the Guest SSID and observed that Apple devices are not redirecting the URL, resulting in an unsuccessful connection.
I looked Cisco docs and added the command "config network web-auth captive-bypass enable" on the Anchor as recommended.
Even after executing the command, I'm still facing web redirect issue with Apple Devices. I don't have any issues with other devices, except Apple.
My controller running code AirOS 7.6.130.0. I'm using DMZ controller as DHCP server for Guests and public DNS servers as 8.8.8.8 & 8.8.4.4
How to solve this web redirect issue? Will a third-party generated CSR solve the problem?
Thanks,
CJ
Hi All,
The issue was with the WISPr protocol with iOS clients. After upgrading the AirOS code on the controller to 8.0.100.0, the issue with web redirect is resolved.
Jagan
Web auth with internal web page of WLC and ISE as RADIUS server
Hi All,
We have created an SSID with web auth using the internal web page for login. In the advanced tab we configured the AAA server. AD is integrated with ISE.
When the user tries to connect, he gets the redirect URL. But during the authentication, we are getting an error in ISE:
"ise has problems communicating with active directory using its machine credentials" and the authentication fails.
When we have the L2 security mechanism enabled with PEAP, ISE is able to read AD and provide authentication.
Only for L3 web auth it is not happening.
Any clue on this?
Thanks,
Regards,
Vijay.
Machine credentials require a lookup on the computer OU, and that has to be defined on the client side.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
Web-redirect to external RADIUS not working on some browsers for Guest SSID
Hi,
We are using a Cisco 5760 with 3.7, and the guest SSID doesn't perform web-redirect to the external RADIUS (Cisco NAC appliance) for some browsers, although the same works on Cisco 5508 and 4402 WLCs with the same NAC appliance for all browsers.
Working browsers: IE 9.0 and IE 11.0
Non-working: Chrome all versions, Firefox all versions, Safari all versions.
Can anyone provide some help if they have seen this issue before?
You need to check the compatibility guide of the Cisco WLC and check if those browsers are supported or not.
Dears
I have configured everything right for the Guest login and everything is going the way I want, except one thing: the switch doesn't force the guest to be web-redirected to the ISE login page. However, the output of the below command looks perfect, and when I copy the URL manually it works. So how can I make it automatic?
ISE-SWITCH#sh authen se int f0/12
Interface: FastEthernet0/12
MAC Address: c80a.a96a.47b1
IP Address: Unknown
User-Name: C8-0A-A9-6A-47-B1
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-CENTRAL_WEB_AUTH-50683952
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://EG1SHQ06.HEIWAY.NET:8443/guestportal/gateway?sessionId=0A8B080600000005001ECF63&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A8B080600000005001ECF63
Acct Session ID: 0x00000007
Handle: 0xD9000005
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
ISE-SWITCH#sh ip access-l
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny ip any host 10.139.8.216
11 permit tcp any any eq www
12 permit tcp any any eq 443
Extended IP access list Auth-Default-ACL-OPEN
10 permit ip any any (314 matches)
Extended IP access list xACSACLx-IP-CENTRAL_WEB_AUTH-50683952 (per-user)
10 permit udp any any eq domain
20 permit icmp any any
30 permit tcp any any eq www
40 permit tcp any any eq 443
50 permit tcp any host 10.139.8.216 eq 8443
I did these changes and even upgraded the switch IOS to 12.2(58)SE2, but no luck.
any other idea?
ISE-SWITCH#sh ip access-l
Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 permit tcp any host 10.139.8.216 eq www
60 permit tcp any host 10.139.8.216 eq 443
70 permit tcp any host 10.139.8.216 eq 8443
80 permit tcp any host 10.139.8.216 eq 8905
90 permit udp any host 10.139.8.216 eq 8905
100 permit udp any host 10.139.8.216 eq 8906
110 permit tcp any host 10.139.8.216 eq 8080
120 permit udp any host 10.139.8.216 eq 9996
130 deny ip any any log
Extended IP access list ACL-POSTURE-REDIRECT
10 deny udp any any eq domain
20 deny udp any host 10.139.8.216 eq 8905
30 deny udp any host 10.139.8.216 eq 8906
40 deny tcp any host 10.139.8.216 eq 8443
50 deny tcp any host 10.139.8.216 eq 8905
60 deny tcp any host 10.1.252.21 eq www
70 permit ip any any
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny ip any host 10.139.8.216
20 permit tcp any any eq www
30 permit tcp any any eq 443
Extended IP access list Auth-Default-ACL-OPEN
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 permit tcp any host 10.139.8.216 eq www
60 permit tcp any host 10.139.8.216 eq 443
70 permit tcp any host 10.139.8.216 eq 8443
80 permit tcp any host 10.139.8.216 eq 8905
90 permit udp any host 10.139.8.216 eq 8905
100 permit udp any host 10.139.8.216 eq 8906
110 permit tcp any host 10.139.8.216 eq 8080
120 permit udp any host 10.139.8.216 eq 9996
130 deny ip any any
Extended IP access list xACSACLx-IP-CENTRAL_WEB_AUTH-50683952 (per-user)
10 permit udp any any eq domain
20 permit icmp any any
30 permit tcp any any eq www
40 permit tcp any any eq 443
50 permit tcp any host 10.139.8.216 eq 8443
Https redirect on wifi ise guest
Hi
We have a problem with HTTPS redirect on the ISE wifi guest. If we connect as a guest PC, I log in and can access the internet using HTTP, but the problem is if we use HTTPS. Can you help me resolve this issue?
Regards
The ISE TrustSec guide #30 on page 46 states:
For traffic initiated by the client, Cisco Wireless LAN Controllers support redirection of HTTP traffic only. Redirection of HTTPS traffic is not supported. The traffic redirected to ISE is always HTTPS.
Weblogic 10.0 web application with CLIENT-CERT suddenly redirects with 401
Hi everybody,
we currently have a WebLogic Portal 10.2 web application with integrated Windows authentication.
I configured a Negotiate Identity Asserter and an Active Directory provider.
I configured Kerberos services, so we successfully access our application through the Windows session.
But, most of the time we have 401 errors on any page when navigating. In fact, the error occurs when clicking on a link while a page is not fully loaded.
For our tests, we use the security webapp provided by BEA/Oracle, and it just works.
The web.xml used in our webapp :
<security-constraint>
<web-resource-collection>
<web-resource-name>sso</web-resource-name>
<description>Desc</description>
<url-pattern>/appmanager/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>desc</description>
<role-name>ssoRole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name/>
</login-config>
<security-role>
<description>Authenticated user</description>
<role-name>ssoRole</role-name>
</security-role>
Which version of web server are you using here? 6.1 or 7.0? If it is 6.1 then there is no easy <If> syntax. If you are using 7.0, then you need to be aware that the processing of 'ppath' is slightly different in 7.0.
In any case, this would be the syntax:
<Object name="weblogic" ppath="/hw/">
Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
# gateway timeout - back end web logic not responding handle differently
<If code='504'>
# send it to a different post..
Service fn="wl_proxy" WebLogicHost="------------------" WebLogicPort="------"
</If>
</Object>
- sriram
Hello,
We configured web authentication on a WLC 5508 with ISE for the guest traffic. When a client tries to connect, it gets redirected to a different URL. That is, the specified URL (the default redirection page of ISE) is 'https://<ISE IP>:8443/guestportal/portal.jsp', but the client is getting redirected to
'https://<ISE>:8443/guestportal/login.action?switch_url=https://<virtual IP>/login.html&wlan...'. And finally I am getting a "page cannot be displayed" error message.
Why does it happen? Any quick help would be really appreciated.
Moreover I have doubts on the below points.
1) Should both the Anchor and the foreign controllers be configured for web auth security, or only the anchor?
2) With external web redirection, does the client have to resolve the specified URL via DNS, or does the WLC know to take it to the external web page?
3) Does any special configuration have to be done on ISE?
Thanks for your time
KVS
Message was edited by: Prasan Venky
Hello,
How to Make an External (Local) Web Authentication Work with an External Page
As already briefly explained, the utilization of an external WebAuth server is just an external repository for the login page. The user credentials are still authenticated by the WLC. The external web server only allows you to use a special or different login page. Here are the steps performed for an external WebAuth:
The client (end user) opens a web browser and enters a URL.
If the client is not authenticated and external web authentication is used, the WLC redirects the user to the external web server URL. In other words, the WLC sends an HTTP redirect to the client with the website's spoofed IP address and points to the external server IP address. The external web authentication login URL is appended with parameters such as the AP_Mac_Address, the client_url (www.website.com), and the action_URL that the customer needs to contact the switch web server.
The external web server URL sends the user to a login page. Then the user can use a pre-authentication access control list (ACL) in order to access the server. The ACL is only needed for the Wireless LAN Controller 2000 series.
The login page takes the user credentials input and sends the request back to the action_URL, such as http://1.1.1.1/login.html, of the WLC web server. This is provided as an input parameter to the customer redirect URL, where 1.1.1.1 is the virtual interface address on the switch.
The WLC web server submits the username and password for authentication.
The WLC initiates the RADIUS server request or uses the local database on the WLC, and then authenticates the user.
If authentication is successful, the WLC web server either forwards the user to the configured redirect URL or to the URL the client entered.
If authentication fails, then the WLC web server redirects the user back to the customer login URL.
Note: If the access points (APs) are in FlexConnect mode, a preauth ACL is irrelevant. Flex ACLs can be used to allow access to the web server for clients that have not been authenticated.
For more details, please refer to the following:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080bf7d89.shtml#redirect
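The two hops of the external web-auth flow described in that reply, as an added example that is not part of the original post or of Cisco's note: the external login page receives the WLC redirect with its appended parameters, then posts the entered credentials back to the WLC's virtual interface (1.1.1.1 in the note). The parameter names `switch_url`, `redirect`, `ap_mac` and `wlan` are assumptions (the note calls them action_URL, client_url and AP_Mac_Address; `switch_url` and `wlan` also appear in the redirect quoted earlier in this thread), and the form fields posted back follow the layout of Cisco's sample login page, likewise assumed. The allowlist check is the part a practitioner should not skip: the page must only ever post guest credentials to the controller's virtual interface, never to whatever host a tampered `switch_url` names.

```python
"""Added example (not from the Cisco note above): the external login page's
side of WLC external web authentication.  Query-parameter and form-field
names are assumptions modelled on Cisco's sample login page."""
from html import escape
from urllib.parse import parse_qs, urlsplit

VIRTUAL_IP = "1.1.1.1"   # WLC virtual interface address used in the note above


def parse_wlc_redirect(url):
    """Extract the parameters the WLC appended when it redirected the client here."""
    q = parse_qs(urlsplit(url).query)
    first = lambda key: q.get(key, [""])[0]
    return {"switch_url": first("switch_url"),   # action_URL: where to post credentials
            "redirect": first("redirect"),       # client_url: the page the user wanted
            "ap_mac": first("ap_mac"),           # AP_Mac_Address
            "wlan": first("wlan")}


def build_login_post(params, username, password, allowed_hosts=(VIRTUAL_IP,)):
    """Return (action_url, form_fields) for the credential POST to the WLC.
    The target host is checked against an allowlist so that a tampered query
    string cannot make this page hand guest credentials to an arbitrary server."""
    action = params["switch_url"]
    host = urlsplit(action).hostname
    if host not in allowed_hosts:
        raise ValueError(f"refusing to post credentials to {host!r}")
    fields = {
        "buttonClicked": "4",                 # assumed: value Cisco's sample page sends on submit
        "err_flag": "0",
        "redirect_url": params["redirect"],   # WLC sends the user here after a successful login
        "username": username,
        "password": password,
    }
    return action, fields


def render_login_form(action, fields):
    """Minimal HTML the external page would serve; every value is HTML-escaped."""
    hidden = "\n".join(
        f'  <input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in fields.items() if k not in ("username", "password"))
    return (f'<form method="POST" action="{escape(action)}">\n{hidden}\n'
            '  <input name="username">\n  <input type="password" name="password">\n'
            '  <input type="submit" value="Login">\n</form>')


if __name__ == "__main__":
    # Constructed redirect as the WLC would issue it to a client that asked for www.website.com.
    incoming = ("https://guest.example.net/login.html?switch_url=https://1.1.1.1/login.html"
                "&ap_mac=00:11:22:33:44:55&wlan=Guest&redirect=www.website.com")
    params = parse_wlc_redirect(incoming)
    action, fields = build_login_post(params, "guest", "")
    print(render_login_form(action, fields))
```

Serve the rendered form over HTTPS from the external web server; the credentials still go to the WLC, which performs the RADIUS (or local) authentication and then forwards the user to `redirect_url`, exactly as the note describes.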
Problem with redundancy in CSS 11051
I have a problem with redundancy in CSS 11051. I use firewall load balancing and server load balancing. Load balancers which only load balance over 3 firewalls switch from primary to master with no problems.
The problem is with load balancers which load balance over firewalls and over servers too. When the master is shut down, the backup takes the master function and all services on the backup LB are alive, but it is not possible to display the web page on address 10.10.7.16, even if I try from the network 10.10.7.0/24, so before the firewalls. Below is my config. Any help appreciated.
===primary LB=====
!Generated on 10/30/2002 10:42:53
!Active version: ap0500002
configure
!*************************** GLOBAL ***************************
ip redundancy master
no console authentication
restrict ftp
app
app session 10.10.60.13
ip firewall 1 10.10.7.1 10.10.8.1 10.10.8.10
ip firewall 2 10.10.7.2 10.10.8.2 10.10.8.10
ip firewall 3 10.10.7.3 10.10.8.3 10.10.8.10
ip route 0.0.0.0 0.0.0.0 firewall 1 1
ip route 0.0.0.0 0.0.0.0 firewall 2 1
ip route 0.0.0.0 0.0.0.0 firewall 3 1
ip route 10.10.1.0 255.255.255.0 10.10.3.1 1
ip route 10.10.2.0 255.255.255.0 10.10.3.1 1
ip route 10.10.12.0 255.255.255.0 10.10.3.1 1
ip route 10.10.14.0 255.255.255.0 10.10.3.1 1
ip route 10.10.22.0 255.255.255.0 10.10.3.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
bridge vlan 62
interface e2
phy 100Mbits-FD
bridge vlan 7
interface e3
bridge vlan 3
interface e4
phy 100Mbits-FD
bridge vlan 7
interface e5
phy 100Mbits-FD
interface e6
phy 100Mbits-FD
bridge vlan 6
interface e7
phy 100Mbits-FD
interface e8
phy 100Mbits-FD
bridge vlan 6
!************************** CIRCUIT **************************
circuit VLAN62
ip address 10.10.60.14 255.255.255.252
redundancy-protocol
circuit VLAN7
redundancy
ip address 10.10.7.10 255.255.255.0
circuit VLAN3
redundancy
ip address 10.10.3.10 255.255.255.0
no redirects
circuit VLAN6
redundancy
ip address 10.10.6.10 255.255.255.0
!************************** SERVICE **************************
service cc1
ip address 10.10.3.129
keepalive type tcp
keepalive port 443
service cc2
ip address 10.10.3.130
keepalive type tcp
keepalive port 443
active
service ssl1
ip address 10.10.6.131
keepalive port 443
keepalive type tcp
active
service ssl3
ip address 10.10.6.133
keepalive port 443
keepalive type tcp
active
service ssl4
ip address 10.10.6.141
keepalive type tcp
keepalive port 443
active
service ssl6
ip address 10.10.6.143
keepalive port 443
keepalive type tcp
active
service www1
ip address 10.10.6.101
keepalive type tcp
keepalive port 443
weight 2
active
service www3
ip address 10.10.6.103
keepalive type tcp
keepalive port 443
active
service www4
ip address 10.10.6.121
keepalive port 443
keepalive type tcp
active
service www6
ip address 10.10.6.123
keepalive type tcp
keepalive port 443
active
!*************************** OWNER ***************************
owner L5_Owner
content L5_Rule
vip address 10.10.7.6
application ssl
protocol tcp
port 443
url "/*"
add service www1
add service www3
add service www4
advanced-balance sticky-srcip
add service www6
balance weightedrr
active
content L5_Rule_CC
vip address 10.10.3.120
advanced-balance sticky-srcip
add service cc1
add service cc2
active
content L5_Rule_SSL
vip address 10.10.7.16
application ssl
protocol tcp
port 443
url "/*"
add service ssl1
add service ssl3
add service ssl4
advanced-balance sticky-srcip
add service ssl6
active
!*************************** GROUP ***************************
group CC
vip address 10.10.3.120
add destination service cc1
add destination service cc2
active
======
===backup LB=====
!Generated on 10/29/2002 20:47:30
!Active version: ap0503015
configure
!*************************** GLOBAL ***************************
ip redundancy
console authentication primary none
restrict ftp
app
app session 10.10.60.14
ip firewall 1 10.10.7.1 10.10.8.1 10.10.8.10
ip firewall 2 10.10.7.2 10.10.8.2 10.10.8.10
ip firewall 3 10.10.7.3 10.10.8.3 10.10.8.10
ip route 0.0.0.0 0.0.0.0 firewall 1 1
ip route 0.0.0.0 0.0.0.0 firewall 2 1
ip route 0.0.0.0 0.0.0.0 firewall 3 1
ip route 10.10.1.0 255.255.255.0 10.10.3.1 1
ip route 10.10.2.0 255.255.255.0 10.10.3.1 1
ip route 10.10.12.0 255.255.255.0 10.10.3.1 1
ip route 10.10.14.0 255.255.255.0 10.10.3.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
bridge vlan 62
interface e2
phy 100Mbits-FD
bridge vlan 7
interface e3
phy 100Mbits-FD
bridge vlan 3
interface e4
phy 100Mbits-FD
bridge vlan 7
interface e5
phy 100Mbits-FD
interface e6
phy 100Mbits-FD
bridge vlan 6
interface e7
phy 100Mbits-FD
interface e8
phy 100Mbits-FD
bridge vlan 6
!************************** CIRCUIT **************************
circuit VLAN62
ip address 10.10.60.13 255.255.255.252
redundancy-protocol
circuit VLAN7
redundancy
ip address 10.10.7.10 255.255.255.0
circuit VLAN3
redundancy
ip address 10.10.3.10 255.255.255.0
no redirects
circuit VLAN6
redundancy
ip address 10.10.6.10 255.255.255.0
!************************** SERVICE **************************
service cc1
ip address 10.10.3.129
active
service cc2
ip address 10.10.3.130
active
service ssl1
ip address 10.10.6.131
keepalive port 443
keepalive type tcp
active
service ssl3
ip address 10.10.6.133
keepalive port 443
keepalive type tcp
active
service ssl4
ip address 10.10.6.141
keepalive type tcp
keepalive port 443
active
service ssl6
ip address 10.10.6.143
keepalive port 443
keepalive type tcp
active
service www1
ip address 10.10.6.101
keepalive type tcp
keepalive port 443
weight 2
active
service www3
ip address 10.10.6.103
keepalive type tcp
keepalive port 443
active
service www4
ip address 10.10.6.121
keepalive port 443
keepalive type tcp
active
service www6
ip address 10.10.6.123
keepalive type tcp
keepalive port 443
active
!*************************** OWNER ***************************
owner L5_Owner
content L5_Rule
vip address 10.10.7.6
protocol tcp
port 443
url "/*"
add service www1
add service www3
add service www4
advanced-balance sticky-srcip
add service www6
balance weightedrr
active
content L5_Rule_CC
vip address 10.10.3.120
advanced-balance sticky-srcip
add service cc1
add service cc2
active
content L5_Rule_SSL
vip address 10.10.7.16
protocol tcp
port 443
url "/*"
add service ssl1
add service ssl3
add service ssl4
advanced-balance sticky-srcip
add service ssl6
active
!*************************** GROUP ***************************
group CC
vip address 10.10.3.120
add destination service cc1
add destination service cc2
active
=======
Please visit the following page where you can find many configuration examples on configuring CSS for Load Balancing.
http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_configuration_examples_list.html
Hope it helps.
Not Working - central web-authentication with a switch and Identity Service Engine
Following the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, I'm asking for your help...
I'm using ISE version 1.0.4.573 and a WS-C2960-24PC-L with software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
spanning-tree portfast
end
The ACL's
Extended IP access list webauth
10 permit ip any any
Extended IP access list redirect
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443
The ISE side configuration I follow it step by step...
When I connect the XP client, I see the following authentication session...
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.184
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000490AC1A9E2
Acct Session ID: 0x00000077
Handle: 0xB7000049
Runnable methods list:
Method State
mab Authc Success
But there is no redirection, and I get the the following message on switch console:
756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
I have to mention I'm using an http proxy on port 8080...
Any Ideas on what is going wrong?
Regards
Nuno
OK, so I upgraded the IOS to version
SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
I tweak with ACL's to the following:
Extended IP access list redirect
10 permit ip any any (13 matches)
and created a DACL that is downloaded along with the authentication
Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
10 permit ip any any
I can see the epm session
swlx0x0x#show epm session ip 172.22.3.74
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
And authentication
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.74
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000160042BD98
Acct Session ID: 0x0000001B
Handle: 0x90000016
Runnable methods list:
Method State
mab Authc Success
on the logging, I get the following messages...
017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
What am I missing?
Guest Splash Page with Cisco WLCs Help
Hi,
I need some guidance using Web Authentication / Web Pass-through to create a mandatory splash page that is presented to users of our guest WLAN. Currently our guest WLAN is wide open, users connect and go straight through to get Internet Access. Here's what we'd like to accomplish.
1. Have the page hosted on an external web server (i.e not on the controller)
2. Present Terms of service
3.
a. Present an optional field to enter an email address & date of birth (DOB) to opt in for marketing purposes
OR
b. Present a mandatory field to enter an email address with an optional check box and DOB to opt in for marketing (the idea behind option b, is that whether they opt in for marketing or not, we could still some how use the email as a username, but not require a password. In the hopes of then using this as a unique identifier in the WLC for troubleshooting / reporting purposes)
4. At the very end, have an "I Agree" button
5. Re-direct to our company's public facing website
Our controllers are 5508s, running 7.4.121.0. I more or less have an idea of how to accomplish this, but I've never used Web Auth / Web Passthrough with a Cisco Controller before, so I'm hoping someone can clear up a few things for me.
1. Am I correct that, when using an External server to host the login.html page, we must use Web Authentication, since Web Pass-through is only an option when using an Internal Page? Web Pass-through seems ideal for us, since we don't care about credentials, but from what I'm reading, it seems restricted to Internal (on the Controller) deployments only.
Based on these
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#passthrough
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116879-configure-wlc-00.html
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107474-web-pass-config.html
2. If Web Pass-through is not an option when using an External deployment, is there any way we could use an email address as a username, but not require a password? If not, is hiding the username/password fields in the html code of the splash page, and using a single pre-configured default username / password the only other option ? As described here: https://supportforums.cisco.com/discussion/10847046/unsecured-guest-access-customizable-splash-page-and-logo
3. It sounds like SSL cert warnings may be an issue even if we use an External deployment, because the controller still acts as a middle man. Is this correct, and is the best fix to install a valid 3rd party cert on the controller?
P.S. I’m aware of the Big Brother type things that can be done with Cisco MSE and Connected Mobile Experiences, as far as guest tracking / marketing / analytics go. However, that’s way more than we’re looking to do at this point.
Thanks in advance for any guidance you can provide!
Hello Jonathan,
The idea you have is fine, the only exception is the extra fields of information that you want to collect. From the WLC perspective this is not possible to gather.
The example given on https://supportforums.cisco.com/discussion/10847046/unsecured-guest-access-customizable-splash-page-and-logo looks very interesting, and as long as the WLC receives the information it needs to authenticate the client, you can modify the HTML code as you want. However, as somebody stated on that post, Cisco provides the HTML example, but we do not really support the HTML content creation or modification.
Anyway, below in answer #2 I am giving you an idea that could work (again, I'm not an HTML expert, I don't know if that could be achieved that way); maybe you can have a better idea.
To answer your queries:
1) The customized web-passthrough page can be hosted on an external Web Server.
When the pages are on an external web server, the passthrough is still performed on the WLC; just the pages reside on the external server. It is a good idea to be sure that the pages come up OK on the external server without webauth involved, since webauth will not work unless the external web server works.
2) We have examples of what HTML content a customized Web Passthrough page should include. If you add extra fields in the HTML code (like email address & date of birth), the WLC won't be able to handle this data and most probably you won't be able to gather this information from the WLC, unless you customize the web page in such a way that it sends the fields email address & date of birth to another server (rather than to the WLC) to gather this information, but in the end what matters for the WLC is to receive the click on the "Accept" button to authenticate the client.
3) Regarding the certificate, there are two options, the cheapest and easiest is to disable HTTPS for web authentication. Then, your guests will open an HTTP web page, without having the certificate warning.
Whether or not you perform local or external web authentication, you still hit the internal web server on the controller. When you redirect to an external web server, you still receive the certificate warning from the controller unless you have a valid certificate on the controller itself. If the redirect is sent to https, you receive the certificate warning from the controller and from the external web server, unless both have a valid certificate.
In order to get rid of the certificate warnings all together, you need to have a root level certificate issued and downloaded onto your controller. The certificate is issued for a host name and you put that host name in the DNS host name box under the virtual interface on the controller. You also need to add the host name to your local DNS server and point it to the virtual IP address (1.1.1.1) of the WLC.
This link provides information about WebAuthentication on an External Web Server, however exactly the same applies for Web Passthrough:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71881-ext-web-auth-wlc.html
Also, you can download the WebAuthentication bundle, with the examples and some useful information about different customized web pages; it can be used as a template to build your page. Here you will see that Web Passthrough to an external server is indeed a valid option. When you download and unzip it, open the "readme.html":
https://software.cisco.com/download/release.html?mdfid=282600534&softwareid=282791507&release=1.0.2&relind=AVAILABLE&rellifecycle=&reltype=latest
Hope this helps
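One way to realise the idea in answer #2 above (collect the opt-in fields somewhere other than the WLC, while the Accept click still posts only what the controller expects), as an added JavaScript example that is not part of this thread and not Cisco's webauth bundle. The opt-in endpoint, the company site and the 1.1.1.1 login URL are placeholders; the hidden field names buttonClicked, err_flag and redirect_url, and the switch_url, wlan and redirect query parameters the controller appends, are taken from the login.html template in the external web auth document linked above as I recall it, so verify them against the readme.html in the downloaded bundle before relying on them.

```javascript
// Added example (not from the thread, not from Cisco's webauth bundle):
// client-side logic for an external Web Passthrough splash page that sends
// the marketing opt-in fields to a separate server and lets the WLC see only
// the "Accept" submission it understands.
//
// Assumptions (placeholder values, not from the page):
//  - OPTIN_URL: an endpoint on a server you control, never the WLC
//  - DEFAULT_WLC_LOGIN: the controller's virtual-interface login URL, used
//    only if the controller did not pass switch_url in the query string
//  - COMPANY_SITE: where the guest lands after accepting (requirement 5)
//  - field names buttonClicked / err_flag / redirect_url follow Cisco's
//    login.html template; check the bundle's readme.html

const OPTIN_URL = "https://guest-optin.example.com/api/optin"; // placeholder
const DEFAULT_WLC_LOGIN = "https://1.1.1.1/login.html";         // virtual IP from the thread
const COMPANY_SITE = "https://www.example.com/";                // placeholder
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]{2,}$/;
const DOB_RE = /^\d{4}-\d{2}-\d{2}$/;

// The controller appends switch_url, wlan, redirect (and more) when it sends
// the guest to the external page; keep only what the page needs.
function parseWlcQuery(search) {
  const q = new URLSearchParams(search.startsWith("?") ? search.slice(1) : search);
  return {
    switchUrl: q.get("switch_url") || DEFAULT_WLC_LOGIN,
    originalUrl: q.get("redirect") || "",
    wlan: q.get("wlan") || "",
  };
}

// Option (a) from the question: both fields optional, but if the guest ticks
// the marketing box the data must be complete and well-formed.
function validateOptIn({ email = "", dob = "", optIn = false }) {
  const errors = [];
  const e = email.trim();
  if (e && !EMAIL_RE.test(e)) errors.push("email: not a valid address");
  if (optIn && !e) errors.push("email: required when opting in");
  if (dob && !DOB_RE.test(dob)) errors.push("dob: use YYYY-MM-DD");
  if (optIn && !dob) errors.push("dob: required when opting in");
  return { ok: errors.length === 0, errors };
}

// What the Accept click posts to the controller: only the template's hidden
// fields. No email or DOB ever travels to the WLC, which cannot use them.
function buildWlcSubmission(wlcQuery) {
  return {
    action: wlcQuery.switchUrl,
    fields: {
      buttonClicked: "4",          // "4" is the submit/accept value in the template
      err_flag: "0",
      redirect_url: COMPANY_SITE,  // send the guest to the company site afterwards
    },
  };
}

// What goes to the opt-in server, and only when the guest opted in. The WLAN
// name is kept so reports can be scoped; no MAC or session id is collected
// client-side because the controller already has them.
function buildOptInPayload({ email = "", dob = "", optIn = false }, wlcQuery, now = new Date()) {
  if (!optIn) return null;
  return {
    email: email.trim().toLowerCase(),
    dob,
    wlan: wlcQuery.wlan,
    consent: true,
    consentedAt: now.toISOString(),
  };
}

// Browser wiring: post the opt-in data first (best effort, short timeout), then
// submit the real form to the controller. Expects a form with id "wlc-form"
// holding hidden inputs named as in the template, plus email/dob/optin inputs.
function wireSplashPage(doc, win) {
  const form = doc.getElementById("wlc-form");
  const wlcQuery = parseWlcQuery(win.location.search);
  form.addEventListener("submit", async (ev) => {
    ev.preventDefault();
    const input = {
      email: doc.getElementById("email").value,
      dob: doc.getElementById("dob").value,
      optIn: doc.getElementById("optin").checked,
    };
    const check = validateOptIn(input);
    if (!check.ok) { doc.getElementById("errors").textContent = check.errors.join("; "); return; }
    const payload = buildOptInPayload(input, wlcQuery);
    if (payload) {
      try {
        await win.fetch(OPTIN_URL, {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify(payload),
          signal: AbortSignal.timeout(3000),
        });
      } catch (_) { /* an opt-in failure must not block guest access */ }
    }
    const sub = buildWlcSubmission(wlcQuery);
    form.action = sub.action;
    for (const [name, value] of Object.entries(sub.fields)) form.elements[name].value = value;
    form.submit(); // HTMLFormElement.submit() does not re-fire this handler
  });
}

if (typeof document !== "undefined") wireSplashPage(document, window);
```

The split matters for the reason the answer gives: the controller only knows what to do with the Accept click, so the personal data is posted to your own server and the WLC form carries nothing but the template fields. Serving the page over plain HTTP, as option 3) suggests, means the opt-in POST should go to an HTTPS endpoint of its own, which is why OPTIN_URL is separate from the page's origin.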