ISE url-redirect CWA to Gig1
Hello,
say I want to have five ISE 1.3 nodes behind load balancer, I want only only G0 behind LB, and G1 interfaces will be dedicated for certain things. Specifically I want to use G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc). RADIUS auth will happen through LB on G0 of some specific PSN, and that PSN will url-redirect user to the CWA URL.
How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check result authorization profile, there is no option there, it's just ip:port. Obviously, that's not the right place, because which PSN is used to processed the policy is unpredictable.
So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
But then, why does it let me choose multiple interfaces, what happens if I select all of them?
Am I missing another spot in ISE admin where I can control this?
Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
Thanks!
Take a look at the following document:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
• Cisco ISE management is restricted to Gigabit Ethernet 0.
• RADIUS listens on all network interface cards (NICs).
• All NICs can be configured with IP addresses.
So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with.
I hope this helps!
Thank you for rating helpful posts!
Similar Messages
-
Ise: Url redirection not working
everything should be ok on ise and switch
the switch is configured with its own ip on the vlan (22)
PS is on vlan (44)
and ise is configured for web authentication policy to occurr on the logon vlan (33)
the service is reachable by inputting the policy service ip address on port 8443, authentication is successful, acl downloaded and redirect url pushed properly to the switch but redirect never occurrs,
instead a blank page (host not reachable) is displayed
the clients on vlan 33 can resolve dns without problems
the firewall has been set to make the vlan 44 and 33 talk each other on port 80,443,8443
it looks like the switch's http/s-server is not making any difference maybe because it is on another vlan though it is routed
can someone help me?
i would really appreciate a flow chart on how web redirect works in ise and tge role of the http server
ps the switch does not support the ip route commandhowever not everithing is working as it should, sometimes the acl are not pushed properly and the redirect acl does not show any hit (often), sometimes the centralwebauth acl is not pushed properly and the show ip access list interface results in blank output
interface GigabitEthernet1/0/10
description Porte dot1x - voip ISE
switchport access vlan 300
switchport mode access
switchport voice vlan 818
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 300
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos trust
spanning-tree portfast
spanning-tree bpduguard enable
end
the show auth sessiond for the interface is
Interface: GigabitEthernet1/0/10
MAC Address: 20cf.3017.645b
IP Address: 172.31.105.132
User-Name: 20-CF-30-17-64-5B
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 300
ACS ACL: xACSACLx-IP-CentralWebAuth-5062f332
URL Redirect ACL: redirect
URL Redirect: https://ISEC3395.omitted.omitted:8443/guestportal/gateway?sessionId=AC1F552F0000000A001A6FD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1F552F0000000A001A6FD2
Acct Session ID: 0x0000000D
Handle: 0x7C00000A -
HI,
I have a layer 3 ISE policy node configuration with my asa for remote access vpn configuration.
my user gets authenticated but when i open the web-browser the the url redirect doesnt happen. i have to manually do this.
is there something which i am missing? please let me know?
any help or ideas will be helpful.
thanks
NiteshNitesh,
In the WLC make sure you have it set to "Redirect to External Server", also, almost always, its a problem with how you have your ACLs configured, because you want to "Force redirection to ISE Guest Server" by using the ACLs, therefore, you must have a redirect ACL in place. -
I made a mistake configuring the domain-name on my ISE appliance. I issued to the no ip domain-name and then added the domain-name I'd like to show up. It seems to have partially worked, as the FQDN on the appliance is now correct but the redirect URL on my wireless LAN controller is still redirecting to the old domain.
EX: WLC redirect: ise1.xyz.net
ISE FQDN: ise1.abc.net
Any ideas on how to change that?Although you have changed the domain-name on the ISE appliance but still the output on WLC shows the older domain for url redirect.The reason behind is that the domain name(FQDN) which is present as the common name(CN) on the certificate of the server is still the old-domain name.
-
ISE 1.2 CWA Redirect URL
Hi,
Just wondered was there anyway to manipulate what webauth URL is sent to a client in the redirect string. Currently my ISE sends clients the internal machine name, I was wondering if there was anyway I can change this.
I know on local webauth on the WLC you can set external URL's, does this feature exist in the ISE?
TIA
-G
Sent from Cisco Technical Support iPad AppUsers Are Not Appropriately Redirected to URL
Symptoms or Issue
Administrator receives one or more "Bad URL" error messages from Cisco ISE.
Conditions
This scenario applies to 802.1X authentication as well as guest access sessions.
Click the magnifying glass icon in Authentications to launch the Authentication Details. The authentication report should have the redirect URL in the RADIUS response section as well as the session event section (which displays the switch syslog messages).
Possible Causes
Redirection URL is entered incorrectly with invalid syntax or a missing path component.
Resolution
Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct per the following options:
•CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
•802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp -
ISE CWA FLEXCONNECT - No url redirect
Hi,
I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.
Unfortunately I'm running into problems.
The AP, WLC and ISE is all running in vlan 1 which terminates in the 5505 as a inside interface.
Vlan 2 is a guest network terminating on a separate interface in the ASA.
The problem that I'm facing is that the url-redirect from the ISE dosent' work. If i check the client summery on the vWLC I can see that the client get applyes the redirect flexconnect ACL and that the URL is present. I've verified that it's not a DNS issue and I'm able to manually connect to ISE so there is no ACL blocking me. The client just dosen't get the redirect. I've tired with multiple devices (windows,ios,android) and it's all the same.
I've followed the following guides:
http://www.drchaos.com/flexconnect-local-switching-guestbyod/
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11
Currently I'm at work but I can provide some debug output later.
Have anyone seen this behavior before?It is possible that you are hitting the following bug:
https://tools.cisco.com/bugsearch/bug/CSCue68065
One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:
1. Create a standar ACL on the controller that is named exactly as the FlexConnect ACLs
2. The standard ACL does not have to have any ACE in it
I have ran into this issue before and the above workaround has worked for me. The issue was supposed be addressed in version 8.x of the WLC but I think it is still worth giving it a try.
Thank you for rating helpful posts! -
ISE & Switch URL redirect not working
Dear team,
I'm setting up Guest portal for Wired user. Everything seems to be okay, the PC is get MAB authz success, ISE push URL redirect to switch. The only problem is when I open browser, it is not redirected.
Here is some output from my 3560C:
Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3
SW3560C-LAB#sh auth sess int f0/3
Interface: FastEthernet0/3
MAC Address: f0de.f180.13b8
IP Address: 10.0.93.202
User-Name: F0-DE-F1-80-13-B8
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A005DF40000000D0010E23A
Acct Session ID: 0x00000011
Handle: 0xD700000D
Runnable methods list:
Method State
mab Authc Success
SW3560C-LAB#sh epm sess summary
EPM Session Information
Total sessions seen so far : 10
Total active sessions : 1
Interface IP Address MAC Address Audit Session Id:
FastEthernet0/3 10.0.93.202 f0de.f180.13b8 0A005DF40000000D0010E23A
Could you please help to explore the problem? Thank you very much.With switch IOS version later than 15.0 the default interface ACL is not required. For url redirection the dACL is not required as this ACL is part of traffic restrict for "guest" users.
In my experiece some users can not get the redirect correctly because anti-spoof ACL on management Vlan or stateful firewall blocks the TCP syn ack.
It is rare in campus network access layer switches have user SVI configured so the redirect traffic has to be sent from the netman SVI, but trickly the TCP SYN ACK from the HTTP server will be sent back from the netman Vlan without source IP changed. (The switch is spoofing the source IP in my understanding with changing only the MAC address of the packet). In most of the cases there should be a basic ACL resides on the netman SVI on the first hop router, where the TCP SYN ACK may be dropped by the ACL.
tips:
1. "debug epm redirect" can make sure your traffic matches the redirect url and will get intercepted by the switch
2. It will be an ACL or firewall issue if you can see epm is redirecting your http request but can not see the SYN ACK from the requested server.
Which can win the race: increasing bandwidth with new technologies VS QoS? -
ISE Wired Central Web Authentication no url redirect
We are setting up ISE for wired guest accest but are having trouble with the client being redirected. The switch gets the download from ISE and shows that it should use the URL redirect with the correct ACL.
ISEtest3560#show authentication sessions interface fastEthernet 0/2
Interface: FastEthernet0/2
MAC Address: 001d.09cb.78bd
IP Address: Unknown
User-Name: 00-1D-09-CB-78-BD
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-ISE-Only-52434fbe
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0003E600000039064485B1
Acct Session ID: 0x00000293
Handle: 0x95000039
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
From the client pc I can get name resolution for anything I ping. I also can ping the ise server by name. The ACL that is downloaded it as follows:
Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit ip any host 10.4.37.91
40 deny ip any any log
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.4.37.91
40 permit tcp any any eq www (13 matches)
50 permit tcp any any eq 443
51 permit tcp any any eq 8443
60 deny ip any any
The machine passes the Authentication with MAB and hits the CWA Authorization profile, ISE shows the cient as "Pending" then the next entry above that is the log is the dACL getting pushed to the switch. Could part of the issue be that the device shows Unknown for IP address? The command ip device tracking is in the swtich:
ISEtest3560#show running-config | include tracking
ip device tracking
ISEtest3560#
We have 802.1x clients working and the IP address for those do show up..
Please advise,
Thanks,
JoeISEtest3560#show ip access-lists interface fastEthernet 0/2
ISEtest3560#
Doesn't appear the dacl is being applied.
interface FastEthernet0/2
switchport access vlan 11
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 999
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree guard root
Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
41 permit ip any host 10.4.37.91
50 deny ip any any log (1059 matches)
Could the dACL being causing the issue with the Unknown, or is the Unknow causing the issue with the dACL?
Thanks,
Joe -
Cisco ISE - Not use FQDN in url-redirect parameter
Hi,
I am using Cisco ISE Central Web Authentication for Guest Wireless. Clients are redirected for web authentication to: https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa as it is specified by the url-redirect parameter in the Authorization Profile.
The “ip” field in the url is now replaced by the FQDN of the Cisco ISE, but I want to use the IP address instead of the FQDN. Is there any way to do that?
As far as I know in version 1.2 you can use the “ip host/no ip host” command to indicate what you want to use in the URL. However my Cisco ISE is running version 1.1.1.268.
Thank you very much.
Joana.Available in 1.2, and available as a "bit of a bodge" in 1.1.x (read "a lot of a bodge")
If you only have one PSN then you may be able to get it to work, but after that you lose the ability to get the session to be pointed automatically at whichever PSN they hit initially so it would break.
Copy the settings that are applied when you use CWA, then create your own based on the same settings but using the ip address pasted in there instead. -
Issues getting url-redirect working with Cisco ISE
Hi,
I am currently doing a Proof of Concept using Cisco's new ISE product. I am having issues getting the url-redirect raidus attribute working. I have read the troubleshooting document and everything in it points to it should be working. By debuging the radius information on the switch I can see that its passing the url-redirect to the switch which in my case is was https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa. Now to remove DNS issues etc from the equasion if I copy and paste this URL into the client browser it takes me to the correct place, and I can login and it changes VLAN's accordingly. Now as far as I know the client should automatticaly be redirected to this URL which is not working. Below I have included one of the debugs to show that the epm is in place.
DEVLABSW01#show epm session ip 10.0.1.104
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa
I have also attached my switch config. Any help would be greatly appreciated.
DanSo im also doing ISE for the first time and i knew it may have been a bit tough however i didnt forsee my following issue.
everything is working as expected other than every now and then (intermittent) the ISE Central Portal does not display on any device -android, windows, etc..... i checked and checked the configs, had probably about 10 TAC cases open..... this weekend i ripped out the main components, setup in the offfice and tried to replicate the issue....i could...what i noticed is that without Internet the ISE Portal didnt actually display....it sounds weird but thats what im seeing.....As soon as i plug into Internet Link into the equation, the portal page comes up.....im able to replicate it every time... Currently, i placed back into the customer network and im now looking down at the routing/firewall......
my issue is that i cant really explain why the Internet affects the Central Auth Page.... In any event. im working backwards, tomorrow im bringing in a second link and doing NAT on a cisco router to bypass the checkpoint firewall....ill know if its checkpoint or if im barking up the wrong tree....
if anyone can explain why, it would help out a great deal..
My setup BTW is
1. WLC 5760 - Not latest code but latest stable (recommended by the TAC Engineer)
2. ISE 1.2 - Doing simple Wireless only implementation
3. 3650 - Just acting like a switch - no ACLs etc - just a switch
4. Integrated into AD
Ill post back with any findings if i make any headway - BTW, i didnt like this at all as other solutions are so much simpler, BUT, i can now see how powerful this could potentially be for the right type of customer...
thanks again how i can get some feedback -
How does ISE choose which IP to put in URL redirect response?
Hello,
does anyone know how does ISE choose which IP to put in URL redirect response if it has more than one interface with an IP address and all interfaces are enabled in the portal configuration?
I have a single ISE 1.3 PSN with all four interfaces configured, enabled, each on unique VLAN, and each with unique IP address.
In the CWA portal configuration, all four interfaces are enabled.
Wired clients connect to NAD, NAD sends RADIUS request to ISE, ISE responds with a RADIUS response including the URL-Redirect parameter which specifies the web redirect URL. ISE configuration uses "ip:port" in the URL.
My question is how does ISE choose which of its four interfaces to put in this URL? Is it always the same interface that RADIUS packets were received on? Or does it always choose the first portal enabled interface? Or is there another logic? Configurable or unconfigurable?
Thanks!ISE uses the first interface enabled for that portal, so if want to use a specific interface, then only enable that interface. If interface is GE0, then default behavior is to redirect with ip value set to node's FQDN. If interface other than GE0, then default behavior is to return the IP address of the associated interface.
Aliases can be configured for each interface using the CLI 'ip host' command to associate a hostname/FQDN to the IP address of a given interface. When configured, ISE will return that value rather than IP address in redirect. This is critical if want to avoid certificate trust warning on connecting clients.
Be sure that certificate assigned to interface includes the correct FQDN or optionally wilcard value in the CN or SAN fields to avoid cert warnings. -
ISE doesn't remove URL redirect
We have an ISE problem, in that the URL redirect sent to the access switch for guest auth is not removed even after successful authentication.
Debug shows RADIUS activity as normal, 802.1X failover to MAB, then rediect to webauth;
003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY
003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME
https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa
| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003069: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245
000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME
https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa
| RESULT SUCCESS
003142: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY
003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa
| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003069: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
Then after successful authentication, VLAN is moved and xACSACLx-IP-PERMIT_ALL_TRAFFIC is sent, but rediect is sent again from ISE. We've been over configs several times, but can't get to the bottom of this. Can anyone shed any light ?
003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245
000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa| RESULT SUCCESS
003142: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESSFixed it !
Great info from Tarik above, which lead me to the issue. My authz policy for redirect didn't include the Network Access:Usecase=Host Lookup, so this policy still (incorrectly) remained =true after valid guest authentication. As this policy remained =true, ISE was correctly applying URL rediect. Once I sorted the policy, by adding ...AND Network Access:Usecase=Host Lookup, all wored as expected.
After valid guest auth we now see DACL 'PERMIT_GUEST' and move to VL1040 as expected, without the URL rediect.
003543: Aug 22 19:03:15.169: %EPM-6-POLICY_REQ: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT APPLY
003544: Aug 22 19:03:15.186: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-REQUEST
003545: Aug 22 19:03:15.354: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-SUCCESS
003546: Aug 22 19:03:15.354: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-WAIT
NWS-TSL-HATB3F3-DistSW1#
003547: Aug 22 19:03:15.849: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767
000069: Aug 22 19:03:15.241: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767 (NWS-TSL-HATB3F3-DistSW1-2)
NWS-TSL-HATB3F3-DistSW1#
003548: Aug 22 19:03:17.560: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003549: Aug 22 19:03:17.560: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_GUEST-50350e3a| RESULT SUCCESS
003543: Aug 22 19:03:15.169: %EPM-6-POLICY_REQ: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT APPLY
003544: Aug 22 19:03:15.186: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-REQUEST
003545: Aug 22 19:03:15.354: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-SUCCESS
003546: Aug 22 19:03:15.354: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-WAIT
NWS-TSL-HATB3F3-DistSW1#
003547: Aug 22 19:03:15.849: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767
000069: Aug 22 19:03:15.241: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767 (NWS-TSL-HATB3F3-DistSW1-2)
NWS-TSL-HATB3F3-DistSW1#
003548: Aug 22 19:03:17.560: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003549: Aug 22 19:03:17.560: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_GUEST-50350e3a| RESULT SUCCESS -
Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.
Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
PaulHello,
As you are not able to get the guest portal, then you need to assure the following things:-
1) Ensure that the two Cisco av-pairs that are configured on the authorization profile should exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
–url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
–url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL have been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
0000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
deny ip any any
Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to do re-image again. -
Hi,
I am setting up wired ISE environment. Everything is going fine, except url redirect is not working.
I just wondering, if using self-signed certificate on ISE server has anothing to do with the problem ?.
Appreciate your input.
ThanksHi,
As long as you have not changed the hostname or the domain name (and dns is accurate). You should only receive the certificate warning but still get redirected without any issues.
Thanks,
Tarik Admani
*Please rate helpful posts* -
ISE post compliant posture assessment URL redirection
G'day All,
Is anyone aware if it is possible for ISE to push a URL redirection to user devices once they have passed the posture assessment?
I am deploying a wireless BYOD ise deployment with AD auth and posture assessment, and we are hoping to find an easy way to push the compliant users to a new URL once they have passed posture.
Thanks gang.
Cheers,
James.It is not possible to redirect user after authentication and posturing to a specific URL. because ISE does not support this feature till now.
I think URL redirection can be done in web authentication if used in case of employee.
Navigate to Policy > Policy Elements > Results > Authorization and then select Authorization Profiles
Step 18 Select Add to create a new Authorization Profile for Central Web Authentication:
Name
Central_Web_Auth
Description
(optional)
Access-Type
ACCESS_ACCEPT
DACL Name
CENTRAL_WEB_AUTH
Centralized Web Authentication
ACL:
ACL-WEBAUTH-REDIRECT
Redirect : Default
“ACL-WEBAUTH-REDIRECT” is configured on switch which determines to which destination it will redirect
Maybe you are looking for
-
How do I sync multiple cameras in FCPX
I have been using pluraleyes in FCP7 to sync multiple cameras to a master sound clip. How can I do this in FCPX?
-
Hi all I am able to create,change,view PO and also do MIRO but I am not able to do GR through MIGO.Error message - "PO has no items". Where have I done the mistake? Prasad
-
32-bit Windows 7 app on 64-bit platform oddity
An application compiled for a 32-bit platform runs correctly with an SDK that is compiled for 32-bit only, either in debug or release mode from Visual C++ Express 2008, on a 64-bit computer. The target platform in the compiler options is set as X86.
-
Hi Experts, I am using the standard feature for displaying customer address in my Smartforms. Is there any way I can change the font for the address? Thanks and Regards, Ravi
-
Apple Magic Mouse Double Finger Usage
Hi Guys, I just got myself a magic mouse and tried the 2 finger swipe. Now, the problem; it works fine in Safari and and iPhoto, but doesn't work in iTunes cover flow - which was advertised on the video on the apple website. May i please ask anyone w