ISE 1.2 CWA Redirect URL

Similar Messages

• ISE CWA Redirect URL customization

  Hi,
  Just wanted to know if we can change the redirect url. By default it starts with the hostname of ISE. I will have four PSN nodes and want that url is actually the Load Balancer Url rather than ISE node. Since ISE isintegrated with AD  domain.local so public certificate would not be possible. We are planning to install publecrt cert with differnt domain name likke domain.com. If some one has done it before please let me know
  Thanks
  Aijaz

  Hello,
  I went through your query and have found a link which I think would surely help you to solve your query:-
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• ISE - CWA Redirection

  HI
  i am trying to implement guest portal and i have configure the ISE and switch to redirect guests and i see the whole process goes will when i issue
  show authentication session interface GigabitEthernet1/0/11
              Interface:  GigabitEthernet1/0/11
            MAC Address:  1078.d2fc.698c
             IP Address:  192.168.0.59
              User-Name:  10-78-D2-FC-69-8C
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-domain
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  81
                ACS ACL:  xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A0A6518000000010006F2B5
        Acct Session ID:  0x00000003
                 Handle:  0x0D000001
  Runnable methods list:
         Method   State
         mab      Authc Success
         dot1x    Not run
  my problem that the web browser does NOT direct automtically to the portal but it does manually when i copy the URL from the switch, any idea ?
  switch configuration
  boot-start-marker
  boot-end-marker
  logging monitor informational
  enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
  username cisco privilege 15 password 0 cisco
  username ise-rad-alive password 0 CICSOISEalive123
  aaa new-model
  aaa authentication login local local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
  client 10.10.20.13 server-key myshared
  client 10.10.20.14 server-key myshared
  aaa session-id common
  switch 1 provision ws-c2960s-24ps-l
  ip dhcp snooping vlan 1-2000
  no ip dhcp snooping information option
  ip dhcp snooping
  ip domain-name mycompany.com
  ip name-server 192.168.10.40
  ip device tracking probe use-svi
  ip device tracking
  ip admission name Webauth proxy http inactivity-time 60
  vtp mode transparent
  epm logging
  dot1x system-auth-control
  fallback profile Webauth
  ip access-group ACL-WEBAUTH-REDIRECT in
  ip admission Webauth
  spanning-tree mode pvst
  spanning-tree extend system-id
  interface GigabitEthernet1/0/11
  switchport mode access
  switchport voice vlan 93
  ip access-group ACL-ALLOW in
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 777
  authentication event server dead action authorize voice
  authentication host-mode multi-domain
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  mab
  dot1x pae authenticator
  spanning-tree portfast
  interface Vlan1
  no ip address
  shutdown
  interface Vlan80
  ip address 10.10.101.24 255.255.255.0
  ip default-gateway 10.10.101.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-AGENT-REDIRECT
  remark explicitly prevent DNS from being redirected to address a bug
  deny   udp any any eq domain
  remark redirect HTTP traffic only
  permit tcp any any eq www
  remark all other traffic will be implicitly denied from the redirection
  ip access-list extended ACL-ALLOW
  permit ip any any
  ip access-list extended ACL-DEFAULT
  remark DHCP
  permit udp any eq bootpc any eq bootps
  remark DNS
  permit udp any any eq domain
  remark Ping
  permit icmp any any
  remark PXE / TFTP
  permit udp any any eq tftp
  remark Drop all the rest
  deny   ip any any log
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny   ip any host 10.10.20.13
  deny   ip any host 10.10.20.14
  deny   ip any host 192.168.10.43
  deny   ip any host 192.168.10.40
  deny   ip any host 192.168.10.41
  deny   ip any host 192.168.10.42
  remark explicitly prevent DNS from being redirected to accommodate certain switches
  deny   udp any any eq domain
  remark redirect all applicable traffic to the ISE Server
  permit tcp any any eq www
  permit tcp any any eq 443
  ip radius source-interface Vlan80
  logging origin-id ip
  logging source-interface Vlan80
  logging host 10.10.20.11 transport udp port 20514
  logging host 10.10.20.12 transport udp port 20514
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
  radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
  radius-server vsa send accounting
  radius-server vsa send authentication

  Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct
  CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

• ISE Sending Hostname in CWA Redirect

  Dear Support Team.
  we have setup in which wireless controllers are deployed in Foreign & Anchor Scenario. (Guest WLC or Anchor is deployed in DMZ) , Controllers are running 7.3 and CWA config is done as per standard TAC documents.
  When WLC redirects the session to ISE, Redirection URL has ISE hostname and is something like this
  https://ise-ip-address:8443/guestportal/gateway........
  we have setup Guest Access in such a way, that guest dhcp pool is using the Public DNS, we are not providing our internal DNS to guest dhcp pool, since public DNS does not have an entry for ise-ip-address, DNS resolution Fails and CWA is not happening.
  is it possible that ISE can send IP address in place of its hostname, for example
  https://10.15.24.20:8443/guestportal/gateway......
  Any help will be highly appreciated.
  Thanks
  Ahad

  One workaround that I have gotten to work in the past when using ASA firewalls is to create a static NAT entry and leverage DNS inspection to translate the Private IP address for you.  It is important to note that in this example the domain name that the ISE PSN is registered as is on a publicly resolvable domain name which you have control of the DNS entries. 
  In this example we will have a three legged ASA.  Inside, DMZ, and Outside. 
  The PSN's hostname is psn.example.com.
  The PSN's Private IP address is 10.1.1.100
  Steps:
  Create a Public DNS record for psn.example.com.  For best practices you should use an IP address that belongs to you and that is not a part of RFC 1918.  This way the public DNS servers do not reject the IP address for some other reason. In this example we will use 1.1.1.1
  Enable DNS inspeciton on the ASA.
  Create a Static NAT entry for 1.1.1.1 (outside) -> 10.1.1.100 (inside) and enable DNS translation. 
  Now when the CWA user connects and gets a public DNS server it will query the public server for psn.exmaple.com and the public DNS server will return 1.1.1.1.  Now because of the DNS inspection the reply of 1.1.1.1 is replaced with the private IP address of 10.1.1.100.
  End result is the DMZ host using a public DNS server to return a private IP address.  If you have multiple PSNs you will need to create multiple DNS and NAT.
  You are welcome to try and use RFC Bogus RFC 1918 addresses, but the public DNS servers may have rules against doing so which is why i recommend using the public IP addresses that you own.  It is important to remember that even though you are creating Inside to Outside NAT entries for your ISE servers because you haven't created any inboundACL's they are not exposed to the Internet just because you created a NAT for them. 
  Here is a cisco doc on how to do "DNS Doctoring"
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html
  I should note that I have tested this using 1.2 with the static hostname, but I have not tested it with 1.1.4, but the underlying pricipals should be the same.

• Cisco ISE - CWA redirect in another way than cisco-av-pair?

  Hello.
  I'm trying to set up ISE as a CWA.
  I have made all the rules in both Authenticatin and Authorization, and I also see the clients hitting the right rules. The Authorizaton rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
  But here is the problem: We use Aerohive as Accesspoints. And Aerohive does not support cisco-av-pair attributtes, since it's Cisco proprietary.
  Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.
  So the big question: Is there way to make the same redirect using standard radius attributes?
  Thank you.

  Unfortunately there isn't. I have done a project with ISE and Aerohive before and outside of basic 802.1x authentications, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE but just a compatibility one:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
  If could be wrong here so if someone else has done this before pls chime in.
  Thank you for rating helpful posts! 

• WLC Web Auth Redirect URL point to an ISE Policy NODE only?

  Hi all,
  I was wondering if the Web Auth Redirect URL configured in the WLC can only point to an ISE Policy Persona Node so the Web Portal feature (see below) in the ISE is only active when the ISE device has that Policy Persona activated.

  Thanks Peter for your clarification regarding the semantic I used and the question I made.
  Curiously, I tested it (configure the WLC Web Auth URL Redirect pointing to an ADM Node) and it did not work until I added the Policy Services persona into that ADM Node. I just wanted to verify that my test was correct because we want to make some changes in our deployment. Let me see if I can open a TAC Case in order to confirm this and add it to this post.

• Cisco ISE - CWA Redirect

  Why are the ISE nodes needed to be defined in the web authentication redirect acl that is configured locally on the switch?
  All the documentation that I've found states this. I've setup my 2yr old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories I don't understand why the ISE nodes need to be defined in the switch redirect acl. I am now testing with a simple "redirect www & 443" acl and it is working as expected.
  The client connects to the network and, for our environment, is requested to do dot1x until that times out and then it shifts to mab. At which point, I do not have an authz rule defined for my test machine and therefore matches my catch-all authz rule of CWA which sends a CWA DACL. The switch lays the acls on the interface in this order: 1. Redirect 2. DACL 3. PACL. In my DACL I have access to the ISE nodes allowed (just to be safe) and the redirection still works because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is 8443).
  Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore need to be defined in the CWA redirect acl local to the switch.

  Poonam,
  I appreciate the response. I understand the process and flow of CWA but I still don't see why the ISE nodes need to be defined (as deny statements or at all) in the redirect acl that is locally configured on the switch. Let me try to explain it better (sorry for the novel):
  1. a default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any" which allows an open fallback in case communication to ISE fails.
  2. A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY acl that is applied to the interface/client.
  3. The client does not run dot1x and therefore the switch eventually fails over to mab. At this time, the CWA authz rule comes into effect and ISE sends the DACL to the switch via radius and also references which RACL (redirect acl) to use.
  4. Not many people seem to understand this part....The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch) and then the DACL from ISE is the next portion of this new ACL and then the very last portion is the original static PACL that is configured on the port.
  Again, I've tested this out over and over again on several different platforms (6500, 3700, 3800) and because, during the stage where the interface is in CWA state, the ACL that is applied to the interface is ALL THREE ACLs in the order of RACL>DACL>PACL....it doesn't seem to make sense that you need to define the ISE nodes in the RACL because all you need to define is what traffic you want to redirect. You define what traffic you want allowed in the DACL which is where you state access to the ISE nodes (either complete access or only 8443 access).
  Let me give you this example. Say I have the following confgured:
  CONFIGURED SWITCH INTERFACE ACL (PACL)
    ip access-list standard ACL-ALLOW
     permit ip any any
  CONFIGURED SWITCH REDIRECT ACL (RACL)
    ip access-list extended ACL-WEBAUTH-REDIRECT
     permit tcp any any eq www 443
  CONFIGURED ISE DOWNLOADABLE ACL (DACL)
    permit tcp any host <psn01> eq 8443
    permit udp any host <dns01> eq 53
    deny ip any any
  Then the process would look like this:
  1. During dot1x negotiation the acl that is used is this:
  permit ip any any     <<<<<PACL
  2. Once CWA is in effect then the acl looks like this:
  redirect tcp host <host ip> any eq www 443             <<<<<<RACL
  permit tcp host <host ip> host <psn01 ip> eq 8443       <<<<<<DACL
  permit udp host <host ip> host <dns01 ip> eq 53       <<<<<<DACL
  deny ip any any      <<<<<<DACL
  permit ip any any      <<<<<<PACL

• ISE 1.2 CWA with Multiple PSNs - SessionID Replication / Session Expired

  Hi all.
  I have a (2) Policy Services Nodes (PSNs) in an ISE 1.2 deployment running patch 1. We are using Wireless MAB and CWA on 5760 Wireless LAN Controllers running v3.3.3.
  We are hitting an issue wherein a client first passes MAB and then gets redirected to a CWA custom portal. The client then receives a Session Expired message. This seems to be related to the fact that CWA is technically a 2-stage authentication (MAB by the WLC and then CWA by the client). Specifically, it seems to happen when the WLC makes its MAB RADIUS access-request to PSN-1 and then the client comes in to PSN-2 to complete the CWA. This issue does not happen when only one PSN is in use and all authentication traffic (both MAB RADIUS and CWA) is directed at a single PSN.
  Clients resolve the FQDN in the redirect URL using public DNS and a public DNS zone file (call it cwa-portal.example.com). cwa-portal.example.com has two A records for the two PSN nodes. DNS is responding to queries using DNS round-robin.
  I have the PSNs configured in a Node Group for session information replication between PSNs, but this doesn't seem to make a difference in behavior.
  So I ask:
  What is the recommended architecture for CWA when using more than one PSN? It seems that you would need to keep the two authentication flows pinned together so that they both hit the same PSN when using more than one PSN in a deployment. A load balancer balancing on the SessionID string comes to mind (both the RADIUS MAB request and the CWA URL contain this unique per-client SessionID), but that seems terribly overbuilt for a seemingly simple problem. On the other hand, it also seems like using a Node Group setup should easily be able to replicate client SessionIDs to all nodes in the deployment so that this isn't an issue. I.e., if the WLC authenticates MAB on PSN-1, then PSN-1 should tell the Node Group about it such that when the client CWA's on PSN-2, PSN-2 doesn't respond with a Session Expired message.
  Is there any Cisco documentation that talks about this?
  Possibly related:
  https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired
  Justin

  Tim,
  Thanks for your reply and confirming my suspicion. Hopefully a future version of ISE will provide automated SessionID synchronization among PSNs so that front-end finagling in a multi-PSN environment won't be necessary.
  For anyone else with this issue who for whatever reason can't implement a load balancer(s), I built an automated EEM applet running on a "watchdog" switch (3750 running 12.2(55)SEE9) using IPSLA tracking that senses when PSN1 is down and then
  modifies an ASA to change its client-facing NAT statement for PSN1 to PSN2
  modifies the primary and HA wireless LAN controllers to change its MAB RADIUS aaa server group to use PSN2
  reverts the ASA and WLCs to using PSN1 when PSN1 is detected up and running again
  The applet ensures the SessionID authentications stay "glued" together so that both WLCs and the client hit the same PSN for both stages of authentication. It's failover only, not a load balancing solution, but it meets our current project's need for an automated HA environment.
  PM me if you want the code. I'm have a little too much going on ATM to sanitize and post it. :)
  Justin

• ISE Wired guest portal redirect even after authentication

  Hi
  I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however the when trying with Wired, the redireciton page is keep getting even after user authenticated.
  I'm not seen the redirection authorization policy in my logs however I can see only the user authentication logs (successful). Attached is my configuration and logging output.
  Here is what I see on the interface
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  a0b3.ccca.2ab1
             IP Address:  10.1.3.16
              User-Name:  A0-B3-CC-CA-2A-B1
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F000001571E52779F
        Acct Session ID:  0x00000309
                 Handle:  0xE6000158
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  Here is the ACL
  Extended IP access list ACL-WEBAUTH-REDIRECT
      10 deny udp any any eq domain (1344 matches)
      20 deny ip any host 172.20.5.12 (8122 matches)
      30 deny ip any host 172.20.5.14
      40 permit tcp any any eq www (3124 matches)
      50 permit tcp any any eq 443 (202927 matches)
      60 permit tcp any any eq 8080 (114 matches)
      70 permit ip any any (8056 matches)

  Hi Mohannad,
  Thanks for your response.
  Actually the as per the configuration it should work, I'm still trying to find out what is what has gone wrong with this configuration. Infact I have tested with 3560 switch with the same config and it worked. only difference here is we used 2960S switch.
  We need to find out why the next Auth policy is not hitting once user is authenticated.
  Here is the port configuration and the authen status of the port.
  ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
  Building configuration...
  Current configuration : 427 bytes
  interface GigabitEthernet4/0/19
  switchport access vlan 103
  switchport mode access
  switchport voice vlan 135
  authentication event fail action next-method
  authentication host-mode multi-auth
  authentication order dot1x mab
  authentication priority dot1x mab webauth
  authentication port-control auto
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end
  ABQT-3FLR-ACC-01#
  Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
  ABQT-3FLR-ACC-01#
  ABQT-3FLR-ACC-01#sh atuh
  ABQT-3FLR-ACC-01#sh atu
  ABQT-3FLR-ACC-01#sh authe
  ABQT-3FLR-ACC-01#sh authentication se
  ABQT-3FLR-ACC-01#sh authentication sessions in
  ABQT-3FLR-ACC-01#sh authentication sessions interface gi
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  0015.c5b4.fd4a
             IP Address:  10.1.3.23
              User-Name:  00-15-C5-B4-FD-4A
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F0000018A32B4D906
        Acct Session ID:  0x00000394
                 Handle:  0x3E00018B
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success

• GRC 10 - SSO via Portal - how to redirect url in notification variables

  Dears,
  I am in the process of designing our GRC 10 machine to be accessed via SSO in the Enterprise Portal. Yet I cannot find any info on what will happen with the URLs that are placed by ARM MSMP workflow in the variables of notifications/approvals.
  I typically would (as in 5.3) expect a redirect URL to be made available as an option.
  As an example: the Firefighter Log notification standard holds a variable pointing the URL to :
  http://GRC10server:GRC10port/sap/bc/webdynpro/sap/grac_ui_spm_log_email?sap-client=001&sap-language=EN&WF_ID=53FB8FEAC9E260D6E10000000AF90C44&APP_TYPE=1
  Yet now with SSO via the portal we also want this URL to go via the portal instead of directly to the GRC machine. How can we achieve that?
  Is there a configuration way to have GRC10server:GRC10port adjusted to the portal address..
  (mind that the WF_ID segment in this url is dynamically generated, so directly sqeezing in a static portal url is not an option)
  Cheers,
  Jim

  Hi Neeraj,
  Thx for your reaction. This unfortunately will not do the job as pasting the URL in the notification template will make it static. The problem is that the URL inserted by default is a dynamically created one which holds a variable pointer to a workflow object id.
  Now i am researching if a custom build portal redirect application will do the job. But there must be others having the same problem if you want the GRC iview in the portal to be the 'one-stop-shop' for your GRC users...
  Cheers,
  Jim

• Web Auth Type: Customized(downloaded) Redirect URL after login not working.

           5508WLC as anchor controller with WLC1 and WLC2 with WCS. I have 2 public ssids set up to go directly to the internet.
  Everything is working as it should.  I downloaded the web auth bundle from Cisco and  will just use a disclaimer page and then if the user clicks on the accept button they will be redirected to our company web page, and then they can get out to the internet.
  I have edited the aup.html and login.html to say what I want it to.  I have 2 different login.html pages and bundle to a .tar file like the documentation says.  I download it via tftp to the controller and it is successful. The disclaimer page opens up when I connect and it looks as it should.  The problem is I cannot seem to get the accept button to work. It redirects to a web page but it is undefined. 
     I must be missing some setting somewhere, but I just can not seem to find it.  Is there any line I need to edit in the login.html files that will redirect the page.    The config on the Web Login Page  Redirect URL after login is http://www.mccg.org which is our home page.
  Any help will be appreciated.  I cannot seem to fine very good documentation, or I am just overlooking something.
  Thanks
  John   

  Your HTML code is wrong. Attach your code if your okay with it and I can check.
  Sent from Cisco Technical Support iPhone App

• When I add an opendocument login token, it wipes out my parameter/prompt response in the Redirect URL

  I am having this issue and I wonder if anyone has any pointers?
  When I send the URL with the single prompt response &lsSPrompt0=1234567 it works fine but I have to login to InfoView.
  So I created a login token .jsp and that took care of the login for InfoView, but it also killed my prompt value.
  The code that I got from another site that does the same thing I WANT to do seems to create a cookie to store the passed prompt value in, then it creates a login token, then it assembles it all in the redirect URL and sends it to the openDocument.jsp.
  The login token works like a champ, but the prompt value (initially passed in to the cookie as "Prompt0") ends up passing from the Redirect URL to the openDocument.jsp with a value of NULL (lsSPrompt0=NULL).
  In my lack of knowledge, I am thinking maybe it has something to do either with how the cookie is being created, how it is being passed, or how/if it is getting stored at the target.  The cookie/token.jsp and the openDocument.jsp are in different folders on the same domain.
  So, I pass this URL:
  http://server:8080/InfoViewApp/token.jsp?&lsSPrompt0=1234567
  The token.jsp that it hits looks like this:
  So, the redirect winds up hitting the target looking like this:
  http://server:8080/OpenDocument/opendoc/openDocument.jsp?token=logonToken&iDocID=45227708&sKind=FullClient&lsSPrompt0=NULL&NAII=N&buttonrefresh=hide&buttonexport=hide
  Obviously, my problem is this:  lsSPrompt0=NULL
  Any pointers or nuggets of wisdom are GREATLY appreciated?
  Also of note, I wasn't sure if I needed to publish this token.jsp as a Webapp to Tomcat.
  I just placed the .jsp file in the folderTomcat5.5/webapps/InfoViewApp (same location as the client who has it working).
  Do I need to publish it?  Is that part of the problem?
  I am a little out of my realm here but trying to learn!
  We are on BOXI R2, Tomcat 5.5, JAVA, and I am having the same behavior on my personal XI 3.0 server too
  Thanks in advance,
  Randy

  I believe it's storing the info in a cookie so that it can be used later.  You don't mention which version of BO you're using, but I've sometimes found that the logon tokens created in 4.x contain special characters and may need to be URL encoded.  Also, I've found that it helps to put the logon token at the end of the URL after any parameters instead of in the middle before the parameters.
  -Dell

• Getting Warning about Redirection url

  Hi,
  we have the the portal application running on the weblogic 11g and upon login, home page of our app is loaded, but I do see the following warning message on the portal server logs. Any idea how we can supress this warning?
  <Warning> <netuix> <BEA-423420> <Redirect is executed in begin or refresh action. Redirect url is https://<servername>.arccorp.com:443/PortalApp/ARCGateway.portal?_nfpb=true&amp;_st=&amp;_pageLabel=ARC_Home&amp;_nfls=false
  Thanks
  sravi

  Hi Sravi,
  I am not sure if this is your situation or not, but hopefully it could be helpful for you.
  It is not supported for a remote pageflow portlet (WSRP producer) to redirect from its pageflow begin or refresh action. Because of this limitation, WebLogic Portal logs a warning when any portlet's pageflow attempts to redirect from either of these two actions.
  It is legal to redirect from these actions if the portlet is not a WSRP producer. If this is the case, Oracle has added a utility method that can be called prior to the redirect which can suppress these warning messages:
  - Class: com.bea.netuix.servlets.controls.content.PageflowLoggingHelper
  - Method: public static void dontLogRedirectWarning(HttpServletRequest req)
  Calling this method from the pageflow's begin or refresh action prior to the redirect will suppress the Netuix redirect warnings.
  Thanks,
  Cris

• No destination URL is defined. Use the followind redirect URL in Transactio

  Hi,
  I am new BSP, I have to display logon screen in my BSP application, i was copied SYSTEM bsp application and tried to run it, but it is throwing error "No destination URL is defined. Use the followind redirect URL in Transaction SICF:  /sap(====)/public/bsp/sap/login/default.htm?sap-url= " . Please let us know what has to be done for the same
  Message was edited by:
          Rams BSP

  Hi Rams,
  see http://help.sap.com/saphelp_47x200/helpdata/en/33/8351f1f3351c41853ea3508cbef0cf/frameset.htm
  and
  http://help.sap.com/saphelp_47x200/helpdata/en/1d/13c73cee4fb55be10000000a114084/frameset.htm
  It sounds like you have not configured the redirect correctly in the ICF.
  Cheers
  Graham

• Multiple redirect URLs for mutliple guest VLANs

  We are trying to implement 2 guest WLANs tunnneled to our DMZ and want to redirect users to 2 different URLs (one for each WLAN) when they click the "Accept" button. We are running 6.0.182 on the DMZ controllers and have a customized web passthrough page currently working for the 1st WLAN.
  It appears that only 1 redirect URL can be configured via the command line (config custom-web redirectUrl), and we haven't had much luck modifying the web page for the 2nd WLAN to redirect correctly. Is this supported? Thanks

  Since you are on version 6, the config guide mentions the following in Chapter 10 (and talks about how to do a "global override" per WLAN):
  Assigning Login, Login Failure, and Logout Pages per WLAN
  You can display different web authentication login, login failure, and logout pages to users per WLAN.
  This feature enables user-specific web authentication pages to be displayed for a variety of network
  users, such as guest users or employees within different departments of an organization.
  Different login pages are available for all web authentication types (internal, external, and customized).
  However, different login failure and logout pages can be specified only when you choose customized as
  the web authentication type.