ISE CWA redirect redundancy

Similar Messages

• ISE - CWA Redirection

  HI
  i am trying to implement guest portal and i have configure the ISE and switch to redirect guests and i see the whole process goes will when i issue
  show authentication session interface GigabitEthernet1/0/11
              Interface:  GigabitEthernet1/0/11
            MAC Address:  1078.d2fc.698c
             IP Address:  192.168.0.59
              User-Name:  10-78-D2-FC-69-8C
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-domain
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  81
                ACS ACL:  xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A0A6518000000010006F2B5
        Acct Session ID:  0x00000003
                 Handle:  0x0D000001
  Runnable methods list:
         Method   State
         mab      Authc Success
         dot1x    Not run
  my problem that the web browser does NOT direct automtically to the portal but it does manually when i copy the URL from the switch, any idea ?
  switch configuration
  boot-start-marker
  boot-end-marker
  logging monitor informational
  enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
  username cisco privilege 15 password 0 cisco
  username ise-rad-alive password 0 CICSOISEalive123
  aaa new-model
  aaa authentication login local local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
  client 10.10.20.13 server-key myshared
  client 10.10.20.14 server-key myshared
  aaa session-id common
  switch 1 provision ws-c2960s-24ps-l
  ip dhcp snooping vlan 1-2000
  no ip dhcp snooping information option
  ip dhcp snooping
  ip domain-name mycompany.com
  ip name-server 192.168.10.40
  ip device tracking probe use-svi
  ip device tracking
  ip admission name Webauth proxy http inactivity-time 60
  vtp mode transparent
  epm logging
  dot1x system-auth-control
  fallback profile Webauth
  ip access-group ACL-WEBAUTH-REDIRECT in
  ip admission Webauth
  spanning-tree mode pvst
  spanning-tree extend system-id
  interface GigabitEthernet1/0/11
  switchport mode access
  switchport voice vlan 93
  ip access-group ACL-ALLOW in
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 777
  authentication event server dead action authorize voice
  authentication host-mode multi-domain
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  mab
  dot1x pae authenticator
  spanning-tree portfast
  interface Vlan1
  no ip address
  shutdown
  interface Vlan80
  ip address 10.10.101.24 255.255.255.0
  ip default-gateway 10.10.101.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-AGENT-REDIRECT
  remark explicitly prevent DNS from being redirected to address a bug
  deny   udp any any eq domain
  remark redirect HTTP traffic only
  permit tcp any any eq www
  remark all other traffic will be implicitly denied from the redirection
  ip access-list extended ACL-ALLOW
  permit ip any any
  ip access-list extended ACL-DEFAULT
  remark DHCP
  permit udp any eq bootpc any eq bootps
  remark DNS
  permit udp any any eq domain
  remark Ping
  permit icmp any any
  remark PXE / TFTP
  permit udp any any eq tftp
  remark Drop all the rest
  deny   ip any any log
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny   ip any host 10.10.20.13
  deny   ip any host 10.10.20.14
  deny   ip any host 192.168.10.43
  deny   ip any host 192.168.10.40
  deny   ip any host 192.168.10.41
  deny   ip any host 192.168.10.42
  remark explicitly prevent DNS from being redirected to accommodate certain switches
  deny   udp any any eq domain
  remark redirect all applicable traffic to the ISE Server
  permit tcp any any eq www
  permit tcp any any eq 443
  ip radius source-interface Vlan80
  logging origin-id ip
  logging source-interface Vlan80
  logging host 10.10.20.11 transport udp port 20514
  logging host 10.10.20.12 transport udp port 20514
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
  radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
  radius-server vsa send accounting
  radius-server vsa send authentication

  Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct
  CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

• Cisco ISE - CWA Redirect

  Why are the ISE nodes needed to be defined in the web authentication redirect acl that is configured locally on the switch?
  All the documentation that I've found states this. I've setup my 2yr old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories I don't understand why the ISE nodes need to be defined in the switch redirect acl. I am now testing with a simple "redirect www & 443" acl and it is working as expected.
  The client connects to the network and, for our environment, is requested to do dot1x until that times out and then it shifts to mab. At which point, I do not have an authz rule defined for my test machine and therefore matches my catch-all authz rule of CWA which sends a CWA DACL. The switch lays the acls on the interface in this order: 1. Redirect 2. DACL 3. PACL. In my DACL I have access to the ISE nodes allowed (just to be safe) and the redirection still works because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is 8443).
  Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore need to be defined in the CWA redirect acl local to the switch.

  Poonam,
  I appreciate the response. I understand the process and flow of CWA but I still don't see why the ISE nodes need to be defined (as deny statements or at all) in the redirect acl that is locally configured on the switch. Let me try to explain it better (sorry for the novel):
  1. a default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any" which allows an open fallback in case communication to ISE fails.
  2. A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY acl that is applied to the interface/client.
  3. The client does not run dot1x and therefore the switch eventually fails over to mab. At this time, the CWA authz rule comes into effect and ISE sends the DACL to the switch via radius and also references which RACL (redirect acl) to use.
  4. Not many people seem to understand this part....The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch) and then the DACL from ISE is the next portion of this new ACL and then the very last portion is the original static PACL that is configured on the port.
  Again, I've tested this out over and over again on several different platforms (6500, 3700, 3800) and because, during the stage where the interface is in CWA state, the ACL that is applied to the interface is ALL THREE ACLs in the order of RACL>DACL>PACL....it doesn't seem to make sense that you need to define the ISE nodes in the RACL because all you need to define is what traffic you want to redirect. You define what traffic you want allowed in the DACL which is where you state access to the ISE nodes (either complete access or only 8443 access).
  Let me give you this example. Say I have the following confgured:
  CONFIGURED SWITCH INTERFACE ACL (PACL)
    ip access-list standard ACL-ALLOW
     permit ip any any
  CONFIGURED SWITCH REDIRECT ACL (RACL)
    ip access-list extended ACL-WEBAUTH-REDIRECT
     permit tcp any any eq www 443
  CONFIGURED ISE DOWNLOADABLE ACL (DACL)
    permit tcp any host <psn01> eq 8443
    permit udp any host <dns01> eq 53
    deny ip any any
  Then the process would look like this:
  1. During dot1x negotiation the acl that is used is this:
  permit ip any any     <<<<<PACL
  2. Once CWA is in effect then the acl looks like this:
  redirect tcp host <host ip> any eq www 443             <<<<<<RACL
  permit tcp host <host ip> host <psn01 ip> eq 8443       <<<<<<DACL
  permit udp host <host ip> host <dns01 ip> eq 53       <<<<<<DACL
  deny ip any any      <<<<<<DACL
  permit ip any any      <<<<<<PACL

• ISE CWA redirection problem for Apple devices

  Hi,
  I'm testing some guest scenarios (CWA) in my lab using ISE1.3 and WLC2504 (7.6.130).
  I have noticed that redirection to ISE portal doesn't work for apple devices (iOS 7 and later).All other devices like laptops,androids etc work fine.
  Seems that the workaround on WLC that bypasses the CNA on iDevices doesn't work in my case.The device tries to open the ISE portal and shows just a blank page (attached photo)
  The problem doesn't appear for devices with iOS 6 but only for newer versions.
  I've also tried with version 8.0 on WLC without success.
  Any advise?
  Regards. 

  Captive portal/wispr support for apple ios7
  CSCuj18674
  Description
  Symptom:
  When attempting to access the Guest Portal with an Apple iOS 7 device while the WLC "Captive Portal Bypass" feature is enabled, the web sheet on the device still appears, preventing the user from continuing the flow.
  Conditions:
  The Apple device is running Apple iOS 7.
  Workaround:
  In the ACL on the WLC used for captive portal redirection and exemption of special traffic for the Guest Portal, add exemptions for the IP resources that resolve from "www.appleiphonecell.com" and "captive.apple.com" FQDNs.
  IMPORTANT NOTE: These IP addresses are associated with the FQDNs of "www.appleiphonecell.com" and "captive.apple.com" and are subject to change by the entities hosting those domains. If the IP addresses do change, the ACL would need to reflect that.

• Cisco ISE - CWA redirect in another way than cisco-av-pair?

  Hello.
  I'm trying to set up ISE as a CWA.
  I have made all the rules in both Authenticatin and Authorization, and I also see the clients hitting the right rules. The Authorizaton rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
  But here is the problem: We use Aerohive as Accesspoints. And Aerohive does not support cisco-av-pair attributtes, since it's Cisco proprietary.
  Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.
  So the big question: Is there way to make the same redirect using standard radius attributes?
  Thank you.

  Unfortunately there isn't. I have done a project with ISE and Aerohive before and outside of basic 802.1x authentications, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE but just a compatibility one:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
  If could be wrong here so if someone else has done this before pls chime in.
  Thank you for rating helpful posts! 

• ISE CWA Redirect URL customization

  Hi,
  Just wanted to know if we can change the redirect url. By default it starts with the hostname of ISE. I will have four PSN nodes and want that url is actually the Load Balancer Url rather than ISE node. Since ISE isintegrated with AD  domain.local so public certificate would not be possible. We are planning to install publecrt cert with differnt domain name likke domain.com. If some one has done it before please let me know
  Thanks
  Aijaz

  Hello,
  I went through your query and have found a link which I think would surely help you to solve your query:-
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• [ISE + CWA] Redundant Guestportal

  Hello Community,
  I try to configure a redundant guest access with 2 ISE und 2 guests anchors. ISE Management and the sponsor portal are connected to eth0 (gig0) with hostname ise1.mydomain.com (ise2.mydomain.com for 2nd ISE). Eth0 is reachable from company network. The web authentication, where guests must enter their login credentials, is only reachable via eth1 (gig1) with hostname ise1-pub.mydomain.com (ise2-pub.mydomain.com for 2nd ISE). 
  The main problem is, that ISE always redirects to ise1.mydomain.com, which is on eth0 and therefore not reachable for wireless guests. I can configure a static hostname for redirection (which is cluster wide), but then I have no redundancy (there is no balancer reachable). So ISE must chose the correct hostname for the redirection URL depending on the ISE who authenticates the guest.
  I tried to define an alias for both ISE on CLI:
  ip host 10.1.1.1 ise1-pub ise1-pub.mydomain.com on primary ISE and
  ip host 10.1.1.2 ise2-pub ise2-pub.mydomain.com on secondary ISE
  and deleted the static ip/host entry in my authorization profile. But ISE always redirects to ise1.mydomain.com (or ise2.mydomain.com). My understanding was, that if I configure an alias, ISE will redirect to the alias IP. 
  Any hints?
  ISE is version 1.2.1 Patch 4
  Guest Anchors are 5760 with 3.6.1

  Instead of having just one authz rule for the cwa redirect as normal, you can create one for each of the servers (still configured on the primary of course).
  What you do is create one rule where your authz profile has the static host redirect set to ise1-pub.mydomain.com and the condition : server : ise1
  Then create a copy of that rule, where you redirect to ise2-pub.mydoamin.com, and use the condition server : ise2
  This will redirect to different names, depending on which of the ise servers the radius request was received by.
  I attached a screenshot of the rules.

• ISE 1.2 CWA Redirect URL

  Hi,
  Just wondered was there anyway to manipulate what webauth URL is sent to a client in the redirect string. Currently my ISE sends clients the internal machine name, I was wondering if there was anyway I can change this.
  I know on local webauth on the WLC you can set external URL's, does this feature exist in the ISE?
  TIA
  -G
  Sent from Cisco Technical Support iPad App

  Users Are Not Appropriately Redirected to URL
  Symptoms or Issue
  Administrator   receives one or more "Bad URL" error messages from Cisco ISE.
  Conditions
  This   scenario applies to 802.1X authentication as well as guest access sessions.
  Click   the magnifying glass icon in Authentications to launch the Authentication   Details. The authentication report should have the redirect URL in the RADIUS   response section as well as the session event section (which displays the   switch syslog messages).
  Possible   Causes
  Redirection   URL is entered incorrectly with invalid syntax or a missing path component.
  Resolution
  Verify   that the redirection URL specified in Cisco ISE via Cisco-av pair "URL   Redirect" is correct per the following options:
  •CWA   Redirection URL:   https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  •802.1X   Redirection URL:   url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

• IOS CWA Redirect - ISE - Safari

  I do not believe I can be the only one with this issue, not when I have it at two sites and with the original installs being done by different people.
  Is anyone else having issues with Safari properly being redirected to ISE CWA by IOS redirection?
  I have this issue on 3750X for wired clients, and on a 3850 NGWC for wireless clients.  What makes this unique is that the only thing similar to this deployment is the Macbooks running with Safari.
  My troubleshooting seems to point at an issue with Safari not liking the redirect based upon the switch(3850,3750X) certificate.  Firefox and Chrome both work without issues on the test Macbooks.  I'm unable to find anything in the Bugtoolkit about it.
  If using Safari on Cisco switch for CWA is unsupported, please provide a link to Cisco document detailing it.

  This issue has been resolved.  It turned out that the Macbook was trying to do a crl download to confirm that the certificate was valid.  I am pretty sure it was becuase the cheapest GoDaddy certificate was used and the intermediate certificate isn't always found in the default Mac certificate store.  Firefox works because they handle CRL checks differently.
  I had two different resolutions as I had the problem at two different customers/sites.
  First test was allowing access to crl.godaddy.com.  After I excluded this IP address from the redirect and permitted it in the dACL - Safari was able to correctly redirect to the CWA portal page.
  At another site, due to the centralized management of the Macbooks, we utilized Mac OS X Server to create a profile in Profile Manager that included the GoDaddy Intermediate certificate and pushed that out to all macbooks to resolve the issue.
  In addition - and worthy of note.  If you are doing posturing and the ISE certificate is not trusted on Apple, the same sort of CRL check will occur and the NAC Agent will never posture the endpoint.
  tl;dr - Doublecheck Certificate trust settings on Apple because they are evil.

• ISE CWA WebAuth with WLC

  Hi all,
  I have a few questions regarding WebAuth or Guest access with ISE. I have setup a guest portal to do CWA and use ISE guest portal
  as the redirect page.
  I'm using ISE 1.1.2 and WLC version 7.3.101
  1- I have an issue authenticating with Chrome on W7 and android. I receive the splash page, i can authenticate but i always receive this error message. With IE and firefox i can accept and add an exception and authenticate successfully.

  Hi,
  Your best bet is to run true CWA and not use the redirect feature on the controller. Just allow dns and access to port 8443 in the ACL that is referenced by ISE when it sends the CWA redirect. You can use mac filtering as your L2 authentication.
  This will help in your redundant scenario so that when one ise goes down the second ise can send the CWA over to it.
  As far as certs if you are using mobile devices you may want to consider 3rd party certs.
  Let me know if that helps.
  Tarik Admani
  *Please rate helpful posts*

• CWA redirect failure

  I have a situation where DNS cannot be used for redirecting on CWA, so I have had to create a auth profile that has manual entries in it that redirects the guest to the IP address of the guest portal, rather than the DNS name.
  The attribute is configured with the following:
  cisco-av-pair = url-redirect=https://x.x.x.x:8443/guestportal/Login.action
  cisco-av-pair = url-redirect-acl=cwa
  The redirection works, and the guest is prompted with a login screen, but as soon as they are authenticated they receive a error page stating that the resource is not found, with the resource being /guestportal.
  The URL that it is trying to reach is https://x.x.x.x:8443/guestportal/guest/redir.html
  Has anyone managed to configure CWA to use the IP address rather than the DNS name, and go around this issue?

  Hi
  You can configure custom portal to perform Client Provisioning and Posture. If you select this option, the guest login flow performs a CWA and the guest portal will be redirected to Client Provisioning after performing AUP and change password checks. In this case, the posture subsystem performs a CoA to the NAD to re-authenticate the client connection once the posture has been assessed.
  If Vlan Dhcp Release is selected under Multi-Portal Configurations, posture will perform the client side IP release and renew operation. Check the Vlan Dhcp Release option to refresh Windows clients IP address after VLAN change in both wired or wireless environments for Guest with posture.
  This affects the CWA user login flow when the network access during the final authorization switches the guest VLAN to a new VLAN. In this case, the old IP of the guest needs to be released before the VLAN change and a new guest IP needs to be requested through DHCP once the new VLAN access is in place. The Cisco ISE server redirects the guest browser to download an applet to perform the IP release renew operation.

• Dual Node CWA Redirect

  Hi,
  we are using two ISE nodes for guest authentication (CWA) in our wireless network. We have an inside interface (eth0) on the ISE and a public interface (eth1), accessable for the wireless clients.
  At the moment i make a redirect to the ip address of the primary ISE: 
  For backup purposes, this is not a good idea. So I tried to configure an ip host 10.x.x.x FQDN with the ip address of eth1 and the FQDN of eth1 and removed the static host parameter in the common tasks of the CWA configuration page.
  But then the wireless guests will be redirected to the FQDN of eth0, which is the wrong IP and not reachable for him.
  What am i doing wrong?
  ISE Version is 1.2.1 and i restarted the services after configuring the ip host part.

  Hi
  You can configure custom portal to perform Client Provisioning and Posture. If you select this option, the guest login flow performs a CWA and the guest portal will be redirected to Client Provisioning after performing AUP and change password checks. In this case, the posture subsystem performs a CoA to the NAD to re-authenticate the client connection once the posture has been assessed.
  If Vlan Dhcp Release is selected under Multi-Portal Configurations, posture will perform the client side IP release and renew operation. Check the Vlan Dhcp Release option to refresh Windows clients IP address after VLAN change in both wired or wireless environments for Guest with posture.
  This affects the CWA user login flow when the network access during the final authorization switches the guest VLAN to a new VLAN. In this case, the old IP of the guest needs to be released before the VLAN change and a new guest IP needs to be requested through DHCP once the new VLAN access is in place. The Cisco ISE server redirects the guest browser to download an applet to perform the IP release renew operation.

• ISE CWA Time Profiles

  Hi
  Trying to make ISE CWA with WLC2500 to work according to guest time profiles.
  - When suspend guest users in ISE they still can connect and it seems that there is no communications between WLC and ISE (i suspect that ISE will communicate to WLC regarding this)
  - Then creating a guest user with "OnlyFirstLogin".... the user is still connected after shutdown/restart..
  I'm aware of the WLC timeout settings, but not sure if there are in play with CWA
  Any who knows about these time profiles in ISE regards to WLC
  Thx
  Kasper

  Please review the below links which might be helpful:
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Ent_BN_BYOD-GuestWirelessAccessDeploymentGuide-February2012.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
  http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

• Is it possible to make the ISE guest server redundant ?

  Hi,
  We've an ISE cluster of two ISE nodes.
  The ISE guest server works fine on the primairy ISE node.
  MAC address of the guest client is set in the map 'GuestDevices' after accepting the AUP policy.
  The the ISE sents the COA and the client authenticates again and is punt in the guest vlan.
  But when the primairy ISE is offline, I see the guest portal AUP page on the secondairy ISE node.
  I can accept the AUP policy, and I get an error message.
  On the secondairy ISE I see that the COA to the switch is sent, to clear the session to the primairy ISE....
  But the COA request should ask to clear the session to the secondairy ISE ( the primairy ISE is offline ).
  Should it be possible to configure the ISE guest functionality redundant in an ISE cluster?
  /SB

  The Guest portal can run on a node that assumes the Policy Services persona when the primary node with Administration persona is offline. However, it has the following restrictions:
  •Self registration is not allowed
  •Device Registration is not allowed
  •The AUP is shown at every login even if first login is selected
  •Change Password is not allowed and accounts are given access with the old password.
  •Maximum Failed Login is not be enforced
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1126706

• ISE url-redirect CWA to Gig1

  Hello,
  say I want to have five ISE 1.3 nodes behind load balancer, I want only only G0 behind LB, and G1 interfaces will be dedicated for certain things. Specifically I want to use G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc). RADIUS auth will happen through LB on G0 of some specific PSN, and that PSN will url-redirect user to the CWA URL.
  How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check result authorization profile, there is no option there, it's just ip:port. Obviously, that's not the right place, because which PSN is used to processed the policy is unpredictable.
  So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
  But then, why does it let me choose multiple interfaces, what happens if I select all of them?
  Am I missing another spot in ISE admin where I can control this?
  Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
  Thanks!

  Take a look at the following document:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
  Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
  • Cisco ISE management is restricted to Gigabit Ethernet 0.
  • RADIUS listens on all network interface cards (NICs).
  • All NICs can be configured with IP addresses.
  So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with. 
  I hope this helps!
  Thank you for rating helpful posts!