ISE: URL redirection not working
everything should be ok on ise and switch
the switch is configured with its own ip on the vlan (22)
PS is on vlan (44)
and ise is configured for web authentication policy to occur on the logon vlan (33)
the service is reachable by inputting the policy service ip address on port 8443, authentication is successful, acl downloaded and redirect url pushed properly to the switch but redirect never occurs,
instead a blank page (host not reachable) is displayed
the clients on vlan 33 can resolve dns without problems
the firewall has been set to make the vlan 44 and 33 talk each other on port 80,443,8443
it looks like the switch's http/s-server is not making any difference maybe because it is on another vlan though it is routed
can someone help me?
i would really appreciate a flow chart on how web redirect works in ise and the role of the http server
ps the switch does not support the ip route command
however not everything is working as it should, sometimes the acl are not pushed properly and the redirect acl does not show any hit (often), sometimes the centralwebauth acl is not pushed properly and the show ip access list interface results in blank output
interface GigabitEthernet1/0/10
description Porte dot1x - voip ISE
switchport access vlan 300
switchport mode access
switchport voice vlan 818
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 300
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos trust
spanning-tree portfast
spanning-tree bpduguard enable
end
the show auth session for the interface is
Interface: GigabitEthernet1/0/10
MAC Address: 20cf.3017.645b
IP Address: 172.31.105.132
User-Name: 20-CF-30-17-64-5B
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 300
ACS ACL: xACSACLx-IP-CentralWebAuth-5062f332
URL Redirect ACL: redirect
URL Redirect: https://ISEC3395.omitted.omitted:8443/guestportal/gateway?sessionId=AC1F552F0000000A001A6FD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1F552F0000000A001A6FD2
Acct Session ID: 0x0000000D
Handle: 0x7C00000A
Similar Messages
-
ISE & Switch URL redirect not working
Dear team,
I'm setting up Guest portal for Wired user. Everything seems to be okay, the PC gets MAB authz success, ISE pushes URL redirect to switch. The only problem is when I open browser, it is not redirected.
Here is some output from my 3560C:
Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3
SW3560C-LAB#sh auth sess int f0/3
Interface: FastEthernet0/3
MAC Address: f0de.f180.13b8
IP Address: 10.0.93.202
User-Name: F0-DE-F1-80-13-B8
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A005DF40000000D0010E23A
Acct Session ID: 0x00000011
Handle: 0xD700000D
Runnable methods list:
Method State
mab Authc Success
SW3560C-LAB#sh epm sess summary
EPM Session Information
Total sessions seen so far : 10
Total active sessions : 1
Interface IP Address MAC Address Audit Session Id:
FastEthernet0/3 10.0.93.202 f0de.f180.13b8 0A005DF40000000D0010E23A
Could you please help to explore the problem? Thank you very much.
With switch IOS version later than 15.0 the default interface ACL is not required. For url redirection the dACL is not required as this ACL is part of traffic restrict for "guest" users.
In my experience some users can not get the redirect correctly because anti-spoof ACL on management Vlan or stateful firewall blocks the TCP syn ack.
It is rare in campus network access layer switches have user SVI configured so the redirect traffic has to be sent from the netman SVI, but trickily the TCP SYN ACK from the HTTP server will be sent back from the netman Vlan without source IP changed. (The switch is spoofing the source IP in my understanding with changing only the MAC address of the packet). In most of the cases there should be a basic ACL residing on the netman SVI on the first hop router, where the TCP SYN ACK may be dropped by the ACL.
tips:
1. "debug epm redirect" can make sure your traffic matches the redirect url and will get intercepted by the switch
2. It will be an ACL or firewall issue if you can see epm is redirecting your http request but can not see the SYN ACK from the requested server.
Which can win the race: increasing bandwidth with new technologies VS QoS? -
ISE posture redirect not working
ISE v1.1.0.665, 3395 h/w.
Single Admin/Monitor/Policy node.
WS-C3560-48TS 12.2(55)SE5 C3560-IPBASEK9-M
For Client Provisioning I created an authorisation policy as follows:
download acl "ACL-POSTURE-REMEDIATION"
apply url redirect "ACL-POSTURE-REDIRECT".
"Debug radius" shows all this is downloaded to the switch but:
- Redirect does not work.
- dACL is not applied if the URL redirect is also configured.
Wireshark on the client shows no direct.
Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.
I've also attached screen shots of these policies and wireshark.
Grant,
It looks like you are changing the vlan after your client gets an ip address, it seems like the client gets an ip address of 192.168.16.164 and you are changing the vlan over to 516. I wanted to know if there isn't an ip to vlan mismatch before you move forward. If 516 is quarantine vlan you may want to start all clients on that vlan and use dynamic vlan assignment through change of authorization once a client becomes compliant. The reason is that you can use the web portal, or the nac agent to change the ip address once the vlan is changed.
Thanks,
Tarik Admani -
NAC L2-IP on 6500 . URL Redirection Not working
Hi,
We are testing NAC L2-IP on a Cat 6506 running 12.2(18)SXF9.
When configuring for NAC L2-IP, the switch is able to download the required ACL
entries. The HTTP Server is enabled in the Switch, however still the HTTP
redirection is Not working.
From the Client side, I can see the SYN packets going to port 80 but no
response (Redirect etc) comes back from the switch.
This is the Port-ACL
10 permit udp any eq 21862 any
11 permit icmp any any echo-reply
20 permit udp any any eq bootps
30 permit udp any any eq domain
40 permit tcp any eq 3389 any
50 deny ip any any
This is the ACL as specified in the "url-redirect-acl" attribute
70 deny tcp any host 10.140.4.116 eq www
80 deny tcp any host 10.140.4.202 eq www
90 deny tcp any host 10.1.194.15 eq www
100 deny tcp any host 172.25.1.15 eq www
110 permit tcp any any eq www
Any ideas ?
+++++++++++++++++
show eou ip 10.192.99.27
Address : 10.192.99.27
MAC Address : 0006.5ba0.5705
Interface : FastEthernet2/47
AuthType : CLIENTLESS
Audit Session ID : 0000002C1387D1FB0000000D0AC0631B
PostureToken : -------
Age(min) : 15
URL Redirect : http://x.x.x/y
URL Redirect ACL : redirect-policy
ACL Name : #ACSACL#-IP-NAC_NoCTA_ACL-464b3186
User Name : UNKNOWN USER
Revalidation Period : 36000 Seconds
Status Query Period : 300 Seconds
Current State : CLIENTLESS
++++++++++++++++++++++++++++++++
Exactly the Same configuration and Secure ACS configuration works for a 3560 Switch.
Thanks,
Naman
Check this bug-id: CSCse02269.
-
ACE: URL redirect - not working
Hi,
I've to do url redirection from port 80 to port 443. I've following configured:
rserver redirect url.test.com-rd
webhost-redirection https://url.test.com/
inservice
serverfarm redirect url.test.com:80
description url.test.com - port 80 redirect ***
rserver url.test.com-rd
inservice
class-map match-any url.test.com:80
2 match virtual-address 192.168.1. tcp eq www
policy-map type loadbalance first-match url.test.com:80
class class-default
serverfarm url.test.com:80
policy-map multi-match LOAD_BALANCE
class url.test.com:80
loadbalance vip inservice
loadbalance policy url.test.com:80
loadbalance vip icmp-reply active
===
with above configuration, ACE is redirecting port 80 to port 443 but it also rewrites the header. i.e. ACE send me to
"https://url.test.com/" if I type "http://url.test.com/abc" in the browser. It should have redirected to "https://url.test.com/abc" ( it shouldn't have removed "/abc")
could you advise how to accomplish it.
Thanks in advance...
Hi,
thanks pablo. but that isn't expected response. redirected url shows the load balanced server. i.e. for the following serverfarm of port 443:
serverfarm host url.test.com:443
description url.test.com - Port 7777 ***
failaction purge
probe url.test.com:7777
rserver server1.test.com 7777
inservice
redirected url comes as "http://server1.test.com:7777/abc/" ...instead of what I expect .i.e. i expect "https://url.test.com/abc/" -
URL Does Not Work in Firefox, but DOES Work in Other Browsers
The following URL does NOT work in Firefox. However, it DOES work in Internet Explorer and Google Chrome:
https://www.ascap.com/ace/
The main ASCAP URL works just fine. The problem seems to be confined to this link alone. Please fix; thank you!
There is a server redirect on this URL.
https://www.ascap.com/ace/
GET /ace/ HTTP/1.1
Host: www.ascap.com
HTTP/1.1 302 Found
Location: https://www.ascap.com/Home/ace-title-search/index.aspx
If you use a bookmark then try to navigate to the wanted page starting with the main (home) page.
You can reload web page(s) and bypass the cache to refresh possibly outdated or corrupted files.
*Hold down the Shift key and left-click the Reload button
*Press "Ctrl + F5" or press "Ctrl + Shift + R" (Windows,Linux)
*Press "Command + Shift + R" (Mac)
Clear the cache and remove cookies only from websites that cause problems.
"Clear the Cache":
*Firefox/Tools > Options > Advanced > Network > Cached Web Content: "Clear Now"
"Remove Cookies" from sites causing problems:
*Firefox/Tools > Options > Privacy > "Use custom settings for history" > Cookies: "Show Cookies" -
Multilingual URL is not working in IE11
Multilingual URL is not working in IE11 same URL is working with other browser. Would like to know whether Arabic URL is supported in IE11?
Hello,
See this http://windows.microsoft.com/en-gb/windows-vista/change-your-internet-explorer-language-settings and follow the steps given there. After that let us know whether it is working now or still not.
"Solution is to enable Send IDN server names for non-Intranet URLs under advanced settings." This is also a solution.
Thanks Prakash
Varghese!
-
Windows 7 (Ent) Sp1 on server 2012 R2 HyperV, RFX USB redirection not working
Hello,
I currently have windows server 2012 R2 with HyperV installed. I have built two virtual machines. A windows 8.1 and Windows 7 sp1. Both are enterprise editions
For RemoteFX the hypervisor is using a Zotec GTX 760 GPU. It recognizes it and uses it to apply remoteFX adapter on my Windows 7 Sp1 VM.
As you are aware I do not need to use a GPU to enable RFX on my Windows 8.1 it can do this without the need of a GPU.
Using an RDP client( v8.1) I can connect to my Windows 8.1 VM with a USB headset,memory Key or a printer and they all enumerate on the Virtual machine. The driver for each device installs
and I can use the device without any issues.
However this issue lies with the Windows 7 SP1 VM. I can connect to it via RDP( Same client) but I cannot redirect any devices to it. I have installed the latest integration services available on the VM. I have run all updates available.
Because I have run all updates the rdp version on the VM is running v8.1.
Previous to installing the updates USBr still was not working
I have enabled the following group polices under remote desktop services on the Windows 7 SP1 VM :
RDP 8.0 -- Enabled
Configure RFX -- Enabled
Is there a known issue with USB redirection not working on a Windows 7sp1 virtual machine hosted on server 2012 Hypervisor ??
Many Thanks
Brian
Hi,
According to the log above, I found that we run the script on both Server6 and Server7. Errors as below:
Server6: Conversion is not supported in restricted language mode or a Data section.
Server7: Couldn't figure out valid servers from the specified destination scope. Check your parameters and try again.
Since we can only run the RollAlternateserviceAccountPassword.ps1 Script on CAS server, the script does not work well if Server6 is MBX server.
For Server7, based on the error message, it seems you still have no right to run the script/cmdlet.
Please add your account to Organization Management Role group(ADUC->domain.com->Microsoft Exchange Security Groups) to test if possible.
By the way, from Technet:
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Client Access Security" entry in the Client Access Permissions topic.
Client Access Permissions
http://technet.microsoft.com/en-us/library/dd638131.aspx
Feel free to contact me if there is any problem.
Thanks
Mavis
Mavis Huang
TechNet Community Support -
Windows 7 64 bit and X-Fi XtremeGamer - Bass Redirection Not Working (No Subwoofer)
Greetings,
Today I upgraded to Windows 7 Ultimate 64 bit edition and am having a problem with my 5. surround sound that previously worked perfectly in Windows Vista Ultimate.
I am using an X-Fi XtremeGamer PCIe card and the problem is that I have full working surround sound, but the bass/ subwoofer isn't working.
Previously in Vista I enabled bass redirection in the Creative Console and this would make the subwoofer work. In Windows 7 in the console there is a bass redirection option but it doesn't work. Also in the Creative Audio Control panel there is NO option for bass redirection either.
Audio sounds tinny and I am 99.9% everything is set up correctly, I think this is a driver problem. At this moment I'm unsure if this issue plagues both the 32bit and 64bit versions of Windows 7 or just the 64bit version (since the console launcher is 32bit).
Anyone had a similar problem and cracked it? Apart from this small glitch Windows 7 is great!
Thanks!
Re: Windows 7 64 bit and X-Fi XtremeGamer - Bass Redirection Not Working (No Subwoofer)
heya, I have exactly the same problem.
running 64-bit windows 7, X-Fi Xtreme Audio sound card, Trust 5. speakers.
the bass used to work in XP because I could enable bass redirection and alter crossover frequency.
these options are now no longer available in the windows 7 drivers (.4.90) and my bass is not working at all.
it is very annoying, there has been no comment from creative that i can find because it only appears to happen to a small percentage of speakers.
basically if someone from creative can't help fix the problem, people with this problem will unfortunately be forced to purchase a different brand of sound card because my speakers certainly aren't broken and work with the on-board sound fine.
so if anyone else has the same problem or any advice on how to fix the problem, please comment. -
Cisco ISE guest portal redirect not working after successful authentication and URL redirect.
Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
Paul
Hello,
As you are not able to get the guest portal, then you need to assure the following things:-
1) Ensure that the two Cisco av-pairs that are configured on the authorization profile should exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
–url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
–url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL have been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any
Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to do re-image again. -
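Points 2, 4 and 5 of the checklist above can be checked mechanically from saved switch output. The following is an added example, not part of the original post and not Cisco code: the function names, the hostname `ise.example.test` and the config snippet are constructed, and the PSN exemption is only recognised in the `deny ip any host` form the post uses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: field names follow the "show authentication
# sessions" output quoted on this page; hostname and config are made up.
SESSION = """\
Interface: GigabitEthernet1/0/10
Status: Authz Success
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://ise.example.test:8443/guestportal/gateway?sessionId=AC1F552F0000000A001A6FD2&action=cwa
Common Session ID: AC1F552F0000000A001A6FD2
"""
CONFIG = """\
ip http server
ip access-list extended ACL-WEBAUTH_REDIRECT
 deny ip any host 80.0.80.2
 permit ip any any
"""


def parse_session(text):
    """Turn the 'Key: value' lines of the show output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_acls(config):
    """Map each extended ACL name to its entries, in order."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = acls.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None
    return acls


def check_redirect(session_text, config_text, psn_ip):
    """Return a list of findings; an empty list means the checks passed."""
    s, acls, findings = parse_session(session_text), parse_acls(config_text), []
    if s.get("Status") != "Authz Success":
        findings.append("session is not authorized")

    name = s.get("URL Redirect ACL", "")
    if name not in acls:
        # ACL names are matched exactly: '-' vs '_' or case is a miss.
        fold = lambda n: n.replace("_", "-").lower()
        near = [n for n in acls if fold(n) == fold(name)]
        hint = f" (similar name on switch: {near[0]})" if near else ""
        findings.append(f"redirect ACL '{name}' not defined on switch{hint}")
    else:
        # In a redirect ACL, permit = redirect and deny = leave alone, so
        # the PSN must be exempted before the first permit.
        entries, exempt = acls[name], f"deny ip any host {psn_ip}"
        permits = [i for i, e in enumerate(entries) if e.startswith("permit")]
        if not permits:
            findings.append("redirect ACL has no permit entry")
        elif exempt not in entries or entries.index(exempt) > permits[0]:
            findings.append(f"PSN {psn_ip} is not exempted before the first permit")

    url = s.get("URL Redirect", "")
    sid = parse_qs(urlsplit(url).query).get("sessionId", [""])[0]
    if not url:
        findings.append("no URL Redirect on the session")
    elif sid != s.get("Common Session ID"):
        findings.append("sessionId in URL differs from Common Session ID")

    lines = {line.strip() for line in config_text.splitlines()}
    for needed in ("ip http server", "ip http secure-server"):
        if needed not in lines:
            findings.append(f"'{needed}' is not configured")
    return findings


if __name__ == "__main__":
    for finding in check_redirect(SESSION, CONFIG, "80.0.80.2"):
        print("FAIL:", finding)
```

On the constructed input it reports the ACL name that differs by one character and the missing HTTPS server, two conditions under which the session shows a redirect URL yet the switch never intercepts the client's request.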
URL-rewriting not working with redirect/
I couldn't find an answer to the following problem in any of the threads:
When navigating between pages via internal forwards, I can safely turn off cookies in my browser; the session id will be written into the requested URL, and so session state is being maintained properly. But when I use <redirect/> in a navigation rule in faces-config.xml to force Faces to redirect the request to the target page via an HTTP redirect, the URL is not being rewritten properly - the session id is missing, and so session state is not being maintained. This results in the loss of all user/session specific data for the current browser session.
I suspect that using <redirect/> results in the Faces Lifecycle being terminated by calling responseComplete() before rendering the view, and that at this point, instead of calling encodeRedirectURL() before redirecting, the URL is being redirected without being rewritten to contain the session id.
My questions thus are: Is my suspicion correct? And is there any solution to this problem?
What I forgot to mention: I'm using Sun's RI of JSF running on Tomcat 5.0.19.
Any help is appreciated!
Wolfgang -
Hello,
say I want to have five ISE 1.3 nodes behind load balancer, I want only G0 behind LB, and G1 interfaces will be dedicated for certain things. Specifically I want to use G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc). RADIUS auth will happen through LB on G0 of some specific PSN, and that PSN will url-redirect user to the CWA URL.
How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check result authorization profile, there is no option there, it's just ip:port. Obviously, that's not the right place, because which PSN is used to process the policy is unpredictable.
So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
But then, why does it let me choose multiple interfaces, what happens if I select all of them?
Am I missing another spot in ISE admin where I can control this?
Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
Thanks!
Take a look at the following document:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
• Cisco ISE management is restricted to Gigabit Ethernet 0.
• RADIUS listens on all network interface cards (NICs).
• All NICs can be configured with IP addresses.
So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with.
I hope this helps!
Thank you for rating helpful posts! -
URL Mapping not working inside MOSS
hi,
I want to achieve broken URL redirection in old web application developed in MOSS.
For this purpose, i have to use URL mapping inside web.config -
For Example -
<urlMappings enabled="true" >
<add url="~/brokenpath" mappedUrl="/subsite/Pages/Home.aspx" />
</urlMappings>
I have checked that '/subsite/Pages/Home.aspx' url is not broken but still getting 404 exception.
Similar tag is working under dev/local environment but not working in the production,
Can anybody please let me know the problem or any configuration missing.
Thanks in advance.
Hi Saurabh, can you provide the actual broken path, both in your web.config as well as the absolute URL?
Dimitri Ayrapetov (MCSE: SharePoint) -
URL Encoder not working in Netscape
Hi All,
I am using url encoding in my servlet for redirecting a request. The query string values has some spaces in them. The code I have used is shown below
String mname = "Jason Perry";
response.sendRedirect("http://194.216.8.238:8081/merchant/merch.merchant?msgid=RP&mctid=1111242&totcp="+price.toString()+"&mname="+URLEncoder.encode(mname)+"&mtxnid=UY675432");
Please note that 194.216.8.238:8081 is an IP of another server located outside our network.
In Netscape the url is shown as http://194.216.8.238:8081/merchant/merch.merchant?msgid=RP&mctid=1111242&totcp=15&mname=Jason Perry&mtxnid=UY675432
The space is not getting replaced with the plus.
But I have observed that if the redirection is to the same server on which the servlet is running, it works fine.
I am at loss as to why url encode is not working when routing the request to another server. I am using Netscape 4.77 .
This works fine in IE.
Your inputs are appreciated.
Thanks
Malini
Yeah had this problem before, use the java.net.URLEncoder class:
<%@ page language="java" import="java.net.URLEncoder"%>
<%
String url = "http://194.216.8.238:8081/merchant/merch.merchant?msgid=RP&mctid=1111242&totcp=15&mname=Jason Perry&mtxnid=UY675432";
String encodedUrl = URLEncoder.encode(url);
response.sendRedirect(encodedUrl);
%> -
I made a mistake configuring the domain-name on my ISE appliance. I issued the no ip domain-name and then added the domain-name I'd like to show up. It seems to have partially worked, as the FQDN on the appliance is now correct but the redirect URL on my wireless LAN controller is still redirecting to the old domain.
EX: WLC redirect: ise1.xyz.net
ISE FQDN: ise1.abc.net
Any ideas on how to change that?
Although you have changed the domain-name on the ISE appliance but still the output on WLC shows the older domain for url redirect. The reason behind is that the domain name (FQDN) which is present as the common name (CN) on the certificate of the server is still the old-domain name.