ISE Guest Portal redirection not working

I have built a lab at home. I have a Win2008 Server for AD/DNS, ISE 1.2 (VM trial), a 3560-cg switch, 2500 WLC and 2602i AP. I have configured everything as per the documentations online. My issue is that when I connect to the open SSID, it gets connected and has the dns server populated as well, but the redirection never takes place. I can search for google or cnn.com but it just stays at looking up host or something. However, if i take the redirect URL from the WLC and then do it on the browser, it does go to the guest portal. Let me know what issues I can see and if there is any other information I can provide.

Issue resolved.
Since my lab environment didnt have access to the internet and hence dns servers 8.8.8.8 would not resolve any public ips. But when an address is resolvable by a dns then it redirects nicely. For test I created a dns entry on the dns server itself and tested it.
Sent from Cisco Technical Support Android App

Similar Messages

  • Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

    Hi to all,
    I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
    I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID.  The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
    Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
    Error: Resource not found.
    Resource: /guestportal/
    Does anyone have any ideas why the portal is doing this?
    Thanks
    Paul

    Hello,
    As you are not able to  get the guest portal, then you need to assure the following things:-
    1) Ensure that the  two  Cisco av-pairs that are configured on the  authorization profile should  exactly match the example below. (Note: Do  not replace the "IP" with the  actual Cisco ISE IP address.)
    –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
    –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
    2) Ensure that the URL redirection portion of the ACL have been  applied  to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address  that is  passed to the client machine by the DHCP server.)
    Admission feature : DOT1X
    AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
    URL Redirect ACL : ACL-WEBAUTH-REDIRECT
    URL Redirect :
    https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
    0000A45A2444BFC2&action=cpp
    3) Ensure that the preposture assessment DACL that is enforced from  the  Cisco ISE authorization profile contains the following command  lines:
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    remark ping
    permit icmp any any
    permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
    permit tcp any host 80.0.80.2 eq www --> Provides access to internet
    permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
    port
    permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8905 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8906 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    deny ip any any
    Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
    4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on  the switch as follows:
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny ip any host 80.0.80.2
    permit ip any any
    5) Ensure that the http and https servers are running on the switch:
    ip http server
    ip http secure-server
    6) Ensure that, if the client machine employs any kind of personal  firewall, it is disabled.
    7) Ensure that the client machine browser is not configured to use any  proxies.
    8) Verify connectivity between the client machine and the Cisco ISE IP  address.
    9) If Cisco ISE is deployed in a distributed environment, make sure  that  the client machines are aware of the Policy Service ISE node FQDN.
    10) Ensure that the Cisco ISE FQDN is resolved and reachable from the  client machine.
    11) Or you need to do re-image again.

  • ISE & Switch URL redirect not working

    Dear team,
    I'm setting up Guest portal for Wired user. Everything seems to be okay, the PC is get MAB authz success, ISE push URL redirect to switch. The only problem is when I open browser, it is not redirected.
    Here is some output from my 3560C:
    Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3
    SW3560C-LAB#sh auth sess int f0/3
                Interface:  FastEthernet0/3
              MAC Address:  f0de.f180.13b8
               IP Address:  10.0.93.202
                User-Name:  F0-DE-F1-80-13-B8
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect:  https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A005DF40000000D0010E23A
          Acct Session ID:  0x00000011
                   Handle:  0xD700000D
    Runnable methods list:
           Method   State
           mab      Authc Success
    SW3560C-LAB#sh epm sess summary
    EPM Session Information
    Total sessions seen so far : 10
    Total active sessions      : 1
    Interface            IP Address   MAC Address       Audit Session Id:
    FastEthernet0/3       10.0.93.202  f0de.f180.13b8    0A005DF40000000D0010E23A
    Could you please help to explore the problem? Thank you very much.

    With switch IOS version later than 15.0 the default interface ACL is not required. For url redirection the dACL is not required as this ACL is part of traffic restrict for "guest" users.
    In my experiece some users can not get the redirect correctly because anti-spoof ACL on management Vlan or stateful firewall blocks the TCP syn ack.
    It is rare in campus network access layer switches have user SVI configured so the redirect traffic has to be sent from the netman SVI, but trickly the TCP SYN ACK from the HTTP server will be sent back from the netman Vlan without source IP changed. (The switch is spoofing the source IP in my understanding with changing only the MAC address of the packet). In most of the cases there should be a basic ACL resides on the netman SVI on the first hop router, where the TCP SYN ACK may be dropped by the ACL.
    tips:
    1. "debug epm redirect" can make sure your traffic matches the redirect url and will get intercepted by the switch
    2. It will be an ACL or firewall issue if you can see epm is redirecting your http request but can not see the SYN ACK from the requested server.
    Which can win the race: increasing bandwidth with new technologies VS QoS?

  • ISE Guest Activity Report not working (1.2.0.899)

    Recently I upgraded an ISE to 1.2.0.899. I found the Guest Activity Report is not working. Before the upgrade it was working properly (with the limitation of 5000 records by report). Nothing in the ASA was modified, but nothing is reported in the ISE; also I use the tcpdump integrated in the ISE to validate the syslog messages are arriving from the ASA to the ISE. I already enable the Passed Authentication logging category.
    Do I need to modify something else,to have the report?

    Hi
    Please make sure these steps has configured correctly:
    Step 1 Create an alarm, as described in Creating, Editing, and Deleting Alarm Schedules.
    Step 2  Specify a rule for Passed Authentication, Failed Authentications, or Authentication Inactivity for all users of                 type guest, as described in Creating and Assigning an Alarm Rule.
    Step 3 Calculate guest user activity by Monitoring Live Authentications.

  • ISE Guest Port Direction not working

    Hi Guys,
    Got a problem here with ISE guest authentication.
    My configuration in the WLC is as bellows:
    And the configuration in my ISE is as bellows:
    After my device connects to the SSID, I cannot be redirected to the guest portal, no redirection URL showed up in my browser, while the URL is pushed to the WLC client as bellows:
    DNS A record has been added before and I can open the FQDN.
    Can anyone help me about this? Thanks!
    Best Regards,
    Savi

    Are you able to ping / nslookup to ISE.wuscnad.com from the test client?
    Also, please provide a screen shot of the set of ACL's CWA-Guest from the WLC?
    Here is a document you can go through to configure wireless CWA  
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
    Regards,
    Jatin

  • NAC guest server hangs and guest portal is not working

    Hi all ,
    Our guest nac server NAC3315 is oftenly getting hung state . And our guest wireless network is not working . We are able to ping the NAC server but web page is not opening for the clients if they connected to guest network.
    Any clue on this ....
    Thanks!,
    Regards,
    Vijay.

    All  actions within the Cisco NAC Guest Server are logged into the database.  This enables you to see any action that occurred as part of the normal  operating process of the application.
    To access the system log from the administration interface select Server > System Log from the left hand menu
    Please check the Error Logs for troubleshooting of NGS

  • ISE-Guest Portal Redirection

    Dears
    i have configured everything right for the Gusset login and everything is going the way i want except one thing that the switch doesn’t force the quest to web directed to the ISE login paged however the ouput of the below command looks perfect and when i copy the url manually it works .. so how can i make it automatically ?
    ISE-SWITCH#sh authen se int f0/12 
                Interface:  FastEthernet0/12
              MAC Address:  c80a.a96a.47b1
               IP Address:  Unknown
                User-Name:  C8-0A-A9-6A-47-B1
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
                  ACS ACL:  xACSACLx-IP-CENTRAL_WEB_AUTH-50683952
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://EG1SHQ06.HEIWAY.NET:8443/guestportal/gateway?sessionId=0A8B080600000005001ECF63&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A8B080600000005001ECF63
          Acct Session ID:  0x00000007
                   Handle:  0xD9000005
    Runnable methods list:
           Method   State
           mab      Authc Success
           dot1x    Not run
    ISE-SWITCH#sh ip access-l
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny ip any host 10.139.8.216
        11 permit tcp any any eq www
        12 permit tcp any any eq 443
    Extended IP access list Auth-Default-ACL-OPEN
        10 permit ip any any (314 matches)
    Extended IP access list xACSACLx-IP-CENTRAL_WEB_AUTH-50683952 (per-user)
        10 permit udp any any eq domain
        20 permit icmp any any
        30 permit tcp any any eq www
        40 permit tcp any any eq 443
        50 permit tcp any host 10.139.8.216 eq 8443

    i did this changes and even upgraded the switch IOS to 12.2(58)SE2 but no luck ,
    any other idea?
    ISE-SWITCH#sh ip access-l               
    Extended IP access list ACL-DEFAULT
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit icmp any any
        40 permit udp any any eq tftp
        50 permit tcp any host 10.139.8.216 eq www
        60 permit tcp any host 10.139.8.216 eq 443
        70 permit tcp any host 10.139.8.216 eq 8443
        80 permit tcp any host 10.139.8.216 eq 8905
        90 permit udp any host 10.139.8.216 eq 8905
        100 permit udp any host 10.139.8.216 eq 8906
        110 permit tcp any host 10.139.8.216 eq 8080
        120 permit udp any host 10.139.8.216 eq 9996
        130 deny ip any any log
    Extended IP access list ACL-POSTURE-REDIRECT
        10 deny udp any any eq domain
        20 deny udp any host 10.139.8.216 eq 8905
        30 deny udp any host 10.139.8.216 eq 8906
        40 deny tcp any host 10.139.8.216 eq 8443
        50 deny tcp any host 10.139.8.216 eq 8905
        60 deny tcp any host 10.1.252.21 eq www
        70 permit ip any any
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny ip any host 10.139.8.216
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
    Extended IP access list Auth-Default-ACL-OPEN
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit icmp any any
        40 permit udp any any eq tftp
        50 permit tcp any host 10.139.8.216 eq www
        60 permit tcp any host 10.139.8.216 eq 443
        70 permit tcp any host 10.139.8.216 eq 8443
        80 permit tcp any host 10.139.8.216 eq 8905
        90 permit udp any host 10.139.8.216 eq 8905
        100 permit udp any host 10.139.8.216 eq 8906
        110 permit tcp any host 10.139.8.216 eq 8080
        120 permit udp any host 10.139.8.216 eq 9996
        130 deny ip any any
    Extended IP access list xACSACLx-IP-CENTRAL_WEB_AUTH-50683952 (per-user)
        10 permit udp any any eq domain
        20 permit icmp any any
        30 permit tcp any any eq www
        40 permit tcp any any eq 443
        50 permit tcp any host 10.139.8.216 eq 8443

  • ISE Guest portal CWA - Webauth exit button on Login Successful page not working (Safari and Chrome)

    Hello
    Has anyone else experienced the issue where this exit button works when IE is used to login to the ISE Guest portal, but not when Chrome is used. Same for Safari (from IPAD).
    Sent from Cisco Technical Support iPad App

    Google Chrome is not a fully supported browser  for use with the Administrative User Interface of the Identity Services Engine  (ISE), Version 1.1.3 and earlier.

  • ISE Guest Portal only redirect HTTPS traffic.

    I have a wireless deployment consisting of the following:
    5760 WLC & ISE 1.2
    Am I missing something here
    I have 4 similar deployments, and never had these issues:
    On Android / Apple devices, the guest portal does not pop up automatically &
    On a Windows Laptop only https traffic directs to the guest portal.
    Thanx

    i think you need to recheck the configuration also check the link for step by step config
    http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

  • How to use ISE Guest Portal for AD users

    Hi there,
    As  subject explains all, I want to use ISE Guest Portal for my domain  users. I have tried many different ways to authenticate users and  finally I came to the conclusion that ISE CWA works pretty well and is  very stable. WLC Webauth sucks alot, does not redirect to the login page  always.
    Can  you please share what other ways are stable ways to authenticate AD  users? I know about WPA 802.1x authentication but that requires a CA in  the network which is not available at the moment. So can you please  Suggect?
    Otherwise,  I want to use ISE Guest Portal for my AD users as well. AD is already  integrated to ISE, the issue happens when I attempt to athenticate using  AD user account, the user gets authenticated but the Guest Portal  redirects me to Device Provissioning page and there it shows an error  saying "there is not policy to register the device, contact system  admin"
    Am I missing something??
    I am running WLC 5760 with ISE 1.2
    Thanks in advance..

    Hi,
    Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
    In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE Guest Portal - DNS Issue - External Zone

    Hello,
    I have a customer that has the following sceanrio :
    In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect  URL  from ISE (URL to access the ISE Guest Portal), this URL is based on  the  ISE DNS name, not on its IP address; so, the PC can't resolve  this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided  by the  DHCP server, and, so, it can't access the Guest Portal at all ;
    I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
    cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
    since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
    My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
    Thank-you in advance for your replies.
    Robert C.

    Robert,
    Manual assignment has been made available in ISE 1.2 release.
    M.

  • Pb to reach ISE Guest portal due to DNS constraints

    I have set up a Guest Portal with WLC 5508 7.4 and ISE 1.1.1 ;
    everything is OK, except one thing :
    the  Guest VLAN, associated to the Guest SSID is, actually, a DMZ behind my  customer firewall and the DHCP parameters provided to the wireless Guest  equipement connected on this VLAN include the public ISP DNS servers  addresses, not the customer internal DNS serveurs addresses;
    this  seems OK since the idea of this Guest SSID is to give a pure Internet  access to the Guests, and no connection at all towards the customer  internal servers;
    the  problem is that, when the wireless guest receives the redictect URL  from ISE (URL to access the ISE Guest Portal), this URL is based on the  ISE DNS name, not on its IP address; so, the PC can't resolve this  internal DNS name by using the ISP DNS servers addresses provided by the  DHCP server, and, so, it can't access the Guest Portal at all ;
    Apart  from changing those DNS values in the DHCP server (the customer does  not accept this solution), how could we solve this problem ?
    I have tried to code manually , in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
    cisco-av-pair=url-redirect=https://192.168.1.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa,
    but, it does not work, since the sessionIdValue variable is not replaced by its real value when sent to the wireless client
    any comment welcomed

    We had the same issue. Our solution was to advertise the internal IP address from our external facing DNS server and let it propagate publicly.  Our ISE box is in a DMZ and the firewall rules do not allow outside traffic to it, however the clients will get the correct internal IP address and since they are already inside the firewall on the DMZ segment they are able to get to the ISE box with the publicly resolved internal IP address.  The other option we entertained was a firewall DNS redirect.  That would work by intercepting the DNS request for that specific URL and return the proper internal IP, all other DNS requests would pass through to the public DNS server.

  • ISE - Guest Portal Voucer

    hi all,
    my customer has set Wireless LAN Guest Voucher for 28 days however after 6 days its not working.
    Our customer gives Wireless LAN Guest User a 28 days voucher from ISE Guest Portal Solution. After 6 days of using the accounts will not work. Must be deleted and added new. These accounts are not expired, but the login will fail after 6 days.
    any idea why this is or do I need to escalte this to Cisco?
    regards,
    Lance

    You might have another limiter in there. have are your durations configured?
    //////only if expiring////////////////////////
    You are probably hitting the account duration set on the Sponsor Group that created the voucher.
    this can be set under administration -> sponsorgroups -> click on the sponsor group in question -> authorization levels -> and set the Max duration for accounts.

  • ISE Guest Access- Redirect to URL after successful logon

    Currently, when guest users attempt to browse they get redirected to the guest portal.  After login, they get a message that they can now access the original URL.  Is there a way to automatically redirect to the URL they were trying to access, or remember the URL after they login?

    ISE guest flow :
    The user associates to the web authentication Service Set Identifier (SSID).
    The user opens the browser.
    The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
    The user authenticates on the portal.
    The guest portal redirects back to the WLC with the credentials entered.
    The WLC authenticates the guest user via RADIUS.
    The WLC redirects back to the original URL

  • Windows 7 (Ent) Sp1 on server 2012 R2 HyperV, RFX USB redirection not working

    Hello, 
    I currently have  windows server 2012 R2 with HyperV installed. I have built two virtual machines. A windows 8.1 and Windows 7 sp1. Both are enterprise editions  
    For RemoteFX the hypervisor is using a Zotec GTX 760 GPU. It recognizes it and uses it to apply remoteFX adapter on my Windows 7 Sp1 VM. 
    As you are aware I do not need to use a GPU to enable RFX on my Windows 8.1 it can do this without the need of a GPU.    
    Using an RDP client( v8.1)  I can connect to my Windows 8.1 VM with a USB headset,memory Key or a printer and they all enumerate on the Virtual machine. The driver for each device installs 
    and I can use the device without any issues. 
    However this issue lies with the Windows 7 SP1 VM. I can connect to it via RDP( Same client)  but I cannot redirect any devices to it. I have installed the latest integration services available on the VM. I have ran all updates available.
    Because I have ran all updates the rdp version on the VM is running v8.1.
    Previous to installing the updates USBr still was not working
    I have enabled the following group polices under remote desktop services on the Windows 7 SP1 VM : 
    RDP 8.0 -- Enabled
    Configure RFX -- Enabled
    Is there a known issue with USB redirection not working on a Windows 7sp1 virtual machine hosted on server 2012 Hypervisor ??
    Many Thanks 
    Brian 

    Hi,
    According to the log above, I found that we run the script on both Server6 and Server7. Errors as below:
    Server6: Conversion is not supported in restricted language mode or a Data section.
    Server7: Couldn't figure out valid servers from the specified destination scope. Check your parameters and try again.
    Since we can only run the RollAlternateserviceAccountPassword.ps1 Script on CAS server, the script not works well if Server6 is MBX server.
    For Server7, based on the error message, it seems you still have no right to run the script/cmdlet.
    Please add your account to Organization Management Role group(ADUC->domain.com->Microsoft Exchange Security Groups) to test if possible.
    By the way, from Technet:
    You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access Security" entry in the Client Access Permissions topic.
    Client Access Permissions
    http://technet.microsoft.com/en-us/library/dd638131.aspx
    Feel free to contact me if there is any problem.
    Thanks
    Mavis
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Mavis Huang
    TechNet Community Support

Maybe you are looking for

  • PSE 7 with windows 7 cannot get edited pics just  not back in Org ?

    Since installinng windows 7 I have not been able to edit pictures and have them back in Organizer just have a blank icon this happend after installing windows photo gallery. went to default tried to put defalt as Adobe photoshop elements organizer bu

  • Adobe needs to inform people when links are not supported in Firefox or Safari

    A few months ago, I was unable to download Robohelp skins from the gallery. A customer service rep informed me that I couldn't download them from Mozilla Firefox. I was able to download them after I launched the Skins Gallery from Internet Explorer.

  • How to execute a function in oracle plsql object, when object dies

    I have a plsql object with a member function as exec_last. I want this procedure to be called when plsql object is cleaned or when the session hosting this object dies. In C, we have a system call as atexit(). Is there any such feature in Oracle 10g

  • Clear selection screen

    hi friends, i have created one report i have four parameter fields in my selection screen there are two ways to give inputs. one is selection screen another one is input from upload file. when i chose inputs from file at time my selection screen file

  • Paviolion G6-2030SL Graphic Card upgrade

    Hi, I would upgrade my graphic card AMD Radeon HD 7670M, but I didn't find anything about on internet. Can I upgrade my gpu? In case of, which gpu can I mount? This question was solved. View Solution.