ISE-Guest Portal Redirection

Similar Messages

• ISE Guest Portal redirection not working

  I have built a lab at home. I have a Win2008 Server for AD/DNS, ISE 1.2 (VM trial), a 3560-cg switch, 2500 WLC and 2602i AP. I have configured everything as per the documentations online. My issue is that when I connect to the open SSID, it gets connected and has the dns server populated as well, but the redirection never takes place. I can search for google or cnn.com but it just stays at looking up host or something. However, if i take the redirect URL from the WLC and then do it on the browser, it does go to the guest portal. Let me know what issues I can see and if there is any other information I can provide.

  Issue resolved.
  Since my lab environment didnt have access to the internet and hence dns servers 8.8.8.8 would not resolve any public ips. But when an address is resolvable by a dns then it redirects nicely. For test I created a dns entry on the dns server itself and tested it.
  Sent from Cisco Technical Support Android App

• Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

  Hi to all,
  I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
  I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID.  The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
  Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
  Error: Resource not found.
  Resource: /guestportal/
  Does anyone have any ideas why the portal is doing this?
  Thanks
  Paul

  Hello,
  As you are not able to  get the guest portal, then you need to assure the following things:-
  1) Ensure that the  two  Cisco av-pairs that are configured on the  authorization profile should  exactly match the example below. (Note: Do  not replace the "IP" with the  actual Cisco ISE IP address.)
  –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
  –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
  2) Ensure that the URL redirection portion of the ACL have been  applied  to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address  that is  passed to the client machine by the DHCP server.)
  Admission feature : DOT1X
  AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
  URL Redirect ACL : ACL-WEBAUTH-REDIRECT
  URL Redirect :
  https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
  0000A45A2444BFC2&action=cpp
  3) Ensure that the preposture assessment DACL that is enforced from  the  Cisco ISE authorization profile contains the following command  lines:
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  remark ping
  permit icmp any any
  permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
  permit tcp any host 80.0.80.2 eq www --> Provides access to internet
  permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
  port
  permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8906 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  deny ip any any
  Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
  4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on  the switch as follows:
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny ip any host 80.0.80.2
  permit ip any any
  5) Ensure that the http and https servers are running on the switch:
  ip http server
  ip http secure-server
  6) Ensure that, if the client machine employs any kind of personal  firewall, it is disabled.
  7) Ensure that the client machine browser is not configured to use any  proxies.
  8) Verify connectivity between the client machine and the Cisco ISE IP  address.
  9) If Cisco ISE is deployed in a distributed environment, make sure  that  the client machines are aware of the Policy Service ISE node FQDN.
  10) Ensure that the Cisco ISE FQDN is resolved and reachable from the  client machine.
  11) Or you need to do re-image again.

• How to use ISE Guest Portal for AD users

  Hi there,
  As  subject explains all, I want to use ISE Guest Portal for my domain  users. I have tried many different ways to authenticate users and  finally I came to the conclusion that ISE CWA works pretty well and is  very stable. WLC Webauth sucks alot, does not redirect to the login page  always.
  Can  you please share what other ways are stable ways to authenticate AD  users? I know about WPA 802.1x authentication but that requires a CA in  the network which is not available at the moment. So can you please  Suggect?
  Otherwise,  I want to use ISE Guest Portal for my AD users as well. AD is already  integrated to ISE, the issue happens when I attempt to athenticate using  AD user account, the user gets authenticated but the Guest Portal  redirects me to Device Provissioning page and there it shows an error  saying "there is not policy to register the device, contact system  admin"
  Am I missing something??
  I am running WLC 5760 with ISE 1.2
  Thanks in advance..

  Hi,
  Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
  In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE Guest Portal - DNS Issue - External Zone

  Hello,
  I have a customer that has the following sceanrio :
  In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect  URL  from ISE (URL to access the ISE Guest Portal), this URL is based on  the  ISE DNS name, not on its IP address; so, the PC can't resolve  this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided  by the  DHCP server, and, so, it can't access the Guest Portal at all ;
  I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
  cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
  since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
  My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
  Thank-you in advance for your replies.
  Robert C.

  Robert,
  Manual assignment has been made available in ISE 1.2 release.
  M.

• Pb to reach ISE Guest portal due to DNS constraints

  I have set up a Guest Portal with WLC 5508 7.4 and ISE 1.1.1 ;
  everything is OK, except one thing :
  the  Guest VLAN, associated to the Guest SSID is, actually, a DMZ behind my  customer firewall and the DHCP parameters provided to the wireless Guest  equipement connected on this VLAN include the public ISP DNS servers  addresses, not the customer internal DNS serveurs addresses;
  this  seems OK since the idea of this Guest SSID is to give a pure Internet  access to the Guests, and no connection at all towards the customer  internal servers;
  the  problem is that, when the wireless guest receives the redictect URL  from ISE (URL to access the ISE Guest Portal), this URL is based on the  ISE DNS name, not on its IP address; so, the PC can't resolve this  internal DNS name by using the ISP DNS servers addresses provided by the  DHCP server, and, so, it can't access the Guest Portal at all ;
  Apart  from changing those DNS values in the DHCP server (the customer does  not accept this solution), how could we solve this problem ?
  I have tried to code manually , in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
  cisco-av-pair=url-redirect=https://192.168.1.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa,
  but, it does not work, since the sessionIdValue variable is not replaced by its real value when sent to the wireless client
  any comment welcomed

  We had the same issue. Our solution was to advertise the internal IP address from our external facing DNS server and let it propagate publicly.  Our ISE box is in a DMZ and the firewall rules do not allow outside traffic to it, however the clients will get the correct internal IP address and since they are already inside the firewall on the DMZ segment they are able to get to the ISE box with the publicly resolved internal IP address.  The other option we entertained was a firewall DNS redirect.  That would work by intercepting the DNS request for that specific URL and return the proper internal IP, all other DNS requests would pass through to the public DNS server.

• ISE Guest Access- Redirect to URL after successful logon

  Currently, when guest users attempt to browse they get redirected to the guest portal.  After login, they get a message that they can now access the original URL.  Is there a way to automatically redirect to the URL they were trying to access, or remember the URL after they login?

  ISE guest flow :
  The user associates to the web authentication Service Set Identifier (SSID).
  The user opens the browser.
  The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
  The user authenticates on the portal.
  The guest portal redirects back to the WLC with the credentials entered.
  The WLC authenticates the guest user via RADIUS.
  The WLC redirects back to the original URL

• ISE Guest Portal and one more SSID using internal accounts

  Hi Guys,
  I have two SSIDs on WLC, the first is related with ISE Guest Portal and the second is related with employee but i realize that the
  Guest user can access the employee SSID and employee accounts can access the Guest portal page.
  I guess this is happen because i cannot split these databases under "Internal Users" on Authentication Policy.
  How can i restrict the access even if i am using the internal databse?
  thanks a lot

  using the Authorization policy is the right way.  Match the corp ID store to the corp WLAN SSID ID in the AuthZ policy, for example (where Employee is your corp ID store and yyyy is the name of your corp SSID):

• ISE Guest portal CWA - Webauth exit button on Login Successful page not working (Safari and Chrome)

  Hello
  Has anyone else experienced the issue where this exit button works when IE is used to login to the ISE Guest portal, but not when Chrome is used. Same for Safari (from IPAD).
  Sent from Cisco Technical Support iPad App

  Google Chrome is not a fully supported browser  for use with the Administrative User Interface of the Identity Services Engine  (ISE), Version 1.1.3 and earlier.

• ISE - Guest Portal Voucer

  hi all,
  my customer has set Wireless LAN Guest Voucher for 28 days however after 6 days its not working.
  Our customer gives Wireless LAN Guest User a 28 days voucher from ISE Guest Portal Solution. After 6 days of using the accounts will not work. Must be deleted and added new. These accounts are not expired, but the login will fail after 6 days.
  any idea why this is or do I need to escalte this to Cisco?
  regards,
  Lance

  You might have another limiter in there. have are your durations configured?
  //////only if expiring////////////////////////
  You are probably hitting the account duration set on the Sponsor Group that created the voucher.
  this can be set under administration -> sponsorgroups -> click on the sponsor group in question -> authorization levels -> and set the Max duration for accounts.

• 5760 v3.6 guest portal redirect to ISE

  I'm testing a new set of 5760 controllers for a future production rollout, running software version 3.6.  Our current production setup consists of older WISM-1 and 4402 controllers running CUWN 7.0.  Our guest network has an anchor in the DMZ, redirecting to ISE.
  In the recent thread (https://supportforums.cisco.com/discussion/12319151/3850-ise-guestportal-no-redirect-v-334), one of the posters said that guest redirection in 3.6 works similarly to redirection in CUWN, while in 3.3 it is very different.  I found the documentation for 3.3 (http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html), which I have to say I don't like very much.  However, I find the configuration and command reference guides for 3.6 are less than helpful on this point. 
  So the question I have is whether guest networking with an external redirect to ISE looks like the following in 3.6?  Or does it work like CUWN, where the SSID is configured with layer 3 security?  If it uses layer 3 security like CUWN, does anybody have a quick configuration sample for how it can work end to end in 3.6?
  ------ From the document http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html ---------
  The flow includes these steps:
  The user associates to the web authentication Service Set Identifier (SSID), which is in fact open+macfiltering and no Layer 3 security.
  The user opens the browser.
  The WLC redirects to the guest portal.
  The user authenticates on the portal.
  The ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) in order to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).
  The user is prompted to retry the original URL.

  I have a project with a 5760 running 3.6 working to a 5508 anchor controller in a DMZ.
  I have web authentication working to an ISE OK.
  Regards
  Roger

• ISE Wired guest portal redirect even after authentication

  Hi
  I have configured both Wired and Wireless guest authentication via guest portal. Wireless is working fine, however the when trying with Wired, the redireciton page is keep getting even after user authenticated.
  I'm not seen the redirection authorization policy in my logs however I can see only the user authentication logs (successful). Attached is my configuration and logging output.
  Here is what I see on the interface
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  a0b3.ccca.2ab1
             IP Address:  10.1.3.16
              User-Name:  A0-B3-CC-CA-2A-B1
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://xxxx-TW-ISE-2.xxx.xxx.qa:8443/guestportal/gateway?sessionId=AC14011F000001571E52779F&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F000001571E52779F
        Acct Session ID:  0x00000309
                 Handle:  0xE6000158
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
  Here is the ACL
  Extended IP access list ACL-WEBAUTH-REDIRECT
      10 deny udp any any eq domain (1344 matches)
      20 deny ip any host 172.20.5.12 (8122 matches)
      30 deny ip any host 172.20.5.14
      40 permit tcp any any eq www (3124 matches)
      50 permit tcp any any eq 443 (202927 matches)
      60 permit tcp any any eq 8080 (114 matches)
      70 permit ip any any (8056 matches)

  Hi Mohannad,
  Thanks for your response.
  Actually the as per the configuration it should work, I'm still trying to find out what is what has gone wrong with this configuration. Infact I have tested with 3560 switch with the same config and it worked. only difference here is we used 2960S switch.
  We need to find out why the next Auth policy is not hitting once user is authenticated.
  Here is the port configuration and the authen status of the port.
  ABQT-3FLR-ACC-01#sh running-config interface gig4/0/19
  Building configuration...
  Current configuration : 427 bytes
  interface GigabitEthernet4/0/19
  switchport access vlan 103
  switchport mode access
  switchport voice vlan 135
  authentication event fail action next-method
  authentication host-mode multi-auth
  authentication order dot1x mab
  authentication priority dot1x mab webauth
  authentication port-control auto
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end
  ABQT-3FLR-ACC-01#
  Mar 31 12:32:14.127: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
  ABQT-3FLR-ACC-01#
  ABQT-3FLR-ACC-01#sh atuh
  ABQT-3FLR-ACC-01#sh atu
  ABQT-3FLR-ACC-01#sh authe
  ABQT-3FLR-ACC-01#sh authentication se
  ABQT-3FLR-ACC-01#sh authentication sessions in
  ABQT-3FLR-ACC-01#sh authentication sessions interface gi
  ABQT-3FLR-ACC-01#sh authentication sessions interface gigabitEthernet 4/0/19
              Interface:  GigabitEthernet4/0/19
            MAC Address:  0015.c5b4.fd4a
             IP Address:  10.1.3.23
              User-Name:  00-15-C5-B4-FD-4A
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-auth
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  N/A
       URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
           URL Redirect:  https://ABQ-TW-ISE-2.abq.gov.qa:8443/guestportal/gateway?sessionId=AC14011F0000018A32B4D906&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC14011F0000018A32B4D906
        Acct Session ID:  0x00000394
                 Handle:  0x3E00018B
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success

• ISE Guest Portal only redirect HTTPS traffic.

  I have a wireless deployment consisting of the following:
  5760 WLC & ISE 1.2
  Am I missing something here
  I have 4 similar deployments, and never had these issues:
  On Android / Apple devices, the guest portal does not pop up automatically &
  On a Windows Laptop only https traffic directs to the guest portal.
  Thanx

  i think you need to recheck the configuration also check the link for step by step config
  http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

• ISE Guest Portal Failover For New Requests

  I have one controller and two ISE 1.2 nodes (primary and secondary)  for resiliency, not capacity.  Each ISE node has one interface for Management and one interface for Guest Portal.  PSN is active on both nodes.  The WLC chooses the ISE node (with fallback) for authentication.  For guest authentication, the user should be redirected to one of the two Guest Portals. What is the best method for choosing and correctly redirecting the user to the Guest Portal (including when one is down).  Is there another/simpler solution than a load-balancer for this scenario. Node Groups are for pending sessions and I need a solution for new sessions.
  Thanks.             

  You dont need to do that, once the WLC has deemed a PSN down, new mab requests are sent to the next psn in your radius list on the wlc, and the other psn will reply with its own hostname in the redirect url.

• ISE Guest Portal - Error Resource not found

  Hello,
  When I create a guest user through the sponsor portal, then try to login with this guest user through the Guest Portal, after I press login button, the following error message occurs and do not know what to do to solve.
  Error: Resource not found.
  Resource: /guestportal/
  None of the messages on the forum about it helped me to solve the problem.
  I am using ISE 1.1.3.124 and this is a new re-image appliance.
  Can anyone help?                  

  Hello,
  As you are not able to  get the guest portal, then you need to assure the following things:-
  1) Ensure that the  two  Cisco av-pairs that are configured on the authorization profile should  exactly match the example below. (Note: Do not replace the "IP" with the  actual Cisco ISE IP address.)
  –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
  –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
  2) Ensure that the URL redirection portion of the ACL have been applied  to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address that is  passed to the client machine by the DHCP server.)
  Admission feature : DOT1X
  AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
  URL Redirect ACL : ACL-WEBAUTH-REDIRECT
  URL Redirect :
  https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
  0000A45A2444BFC2&action=cpp
  3) Ensure that the preposture assessment DACL that is enforced from the  Cisco ISE authorization profile contains the following command lines:
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  remark ping
  permit icmp any any
  permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
  permit tcp any host 80.0.80.2 eq www --> Provides access to internet
  permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
  port
  permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8906 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  deny ip any any
  Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
  4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on  the switch as follows:
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny ip any host 80.0.80.2
  permit ip any any
  5) Ensure that the http and https servers are running on the switch:
  ip http server
  ip http secure-server
  6) Ensure that, if the client machine employs any kind of personal  firewall, it is disabled.
  7) Ensure that the client machine browser is not configured to use any  proxies.
  8) Verify connectivity between the client machine and the Cisco ISE IP  address.
  9) If Cisco ISE is deployed in a distributed environment, make sure that  the client machines are aware of the Policy Service ISE node FQDN.
  10) Ensure that the Cisco ISE FQDN is resolved and reachable from the  client machine.
  11) Or you need to do re-image again.