ISE Wired Central Web Authentication no url redirect

We are setting up ISE for wired guest access but are having trouble with the client being redirected.  The switch gets the download from ISE and shows that it should use the URL redirect with the correct ACL.
ISEtest3560#show authentication sessions interface fastEthernet 0/2
            Interface:  FastEthernet0/2
          MAC Address:  001d.09cb.78bd
           IP Address:  Unknown
            User-Name:  00-1D-09-CB-78-BD
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
              ACS ACL:  xACSACLx-IP-ISE-Only-52434fbe
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0003E600000039064485B1
      Acct Session ID:  0x00000293
               Handle:  0x95000039
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
From the client PC I can get name resolution for anything I ping.  I also can ping the ISE server by name.  The ACL that is downloaded is as follows:
Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit ip any host 10.4.37.91
    40 deny ip any any log
Extended IP access list ACL-WEBAUTH-REDIRECT
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host 10.4.37.91
    40 permit tcp any any eq www (13 matches)
    50 permit tcp any any eq 443
    51 permit tcp any any eq 8443
    60 deny ip any any
The machine passes the authentication with MAB and hits the CWA authorization profile; ISE shows the client as "Pending", then the next entry above that in the log is the dACL getting pushed to the switch.  Could part of the issue be that the device shows Unknown for IP address?  The command ip device tracking is in the switch:
ISEtest3560#show running-config | include tracking
ip device tracking
ISEtest3560#
We have 802.1x clients working and the IP address for those does show up.
Please advise,
Thanks,
Joe

ISEtest3560#show ip access-lists interface fastEthernet 0/2
ISEtest3560#
It doesn't appear the dACL is being applied.
interface FastEthernet0/2
switchport access vlan 11
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 999
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree guard root
Extended IP access list ACL-DEFAULT
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit udp any any eq tftp
    41 permit ip any host 10.4.37.91
    50 deny ip any any log (1059 matches)
Could the dACL be causing the issue with the Unknown, or is the Unknown causing the issue with the dACL?
Thanks,
Joe
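The checks Joe is working through above (client IP binding, redirect ACL, dACL) as an added Python script; this is not code from the thread or from Cisco. It parses the two outputs pasted above (sample copied from the post, with the ISE hostname replaced by a placeholder) and assumes the PSN address 10.4.37.91 taken from the ACLs.

```python
import re

# Constructed sample input, modelled on the outputs pasted in the post above
# (ISE hostname replaced by a placeholder; PSN address taken from the ACLs).
SESSION_TEXT = """\
            Interface:  FastEthernet0/2
          MAC Address:  001d.09cb.78bd
           IP Address:  Unknown
               Status:  Authz Success
              ACS ACL:  xACSACLx-IP-ISE-Only-52434fbe
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://ise.example.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
"""
ACL_TEXT = """\
Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit ip any host 10.4.37.91
    40 deny ip any any log
Extended IP access list ACL-WEBAUTH-REDIRECT
    10 deny udp any eq bootpc any eq bootps
    20 deny udp any any eq domain
    30 deny ip any host 10.4.37.91
    40 permit tcp any any eq www (13 matches)
    50 permit tcp any any eq 443
    51 permit tcp any any eq 8443
    60 deny ip any any
"""
ISE_PSN_IP = "10.4.37.91"  # assumed PSN address, from the ACLs in the post

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s+(.*?)\s*$")
ACL_HDR_RE = re.compile(r"^Extended IP access list (\S+)")
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\w+)\s+(.*?)(?:\s+\(\d+ matches\))?\s*$")


def parse_session(text):
    """'show authentication sessions interface ...' block -> {field: value}."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_acls(text):
    """'show ip access-lists' text -> {name: [(seq, action, proto, rest), ...]}."""
    acls, name = {}, None
    for line in text.splitlines():
        hdr = ACL_HDR_RE.match(line)
        if hdr:
            name = hdr.group(1)
            acls[name] = []
            continue
        ace = ACE_RE.match(line)
        if ace and name is not None:
            seq, action, proto, rest = ace.groups()
            acls[name].append((int(seq), action, proto, rest))
    return acls


def _has(aces, action, proto=None, contains=""):
    """True if some ACE has the action (and protocol) and its body contains the text."""
    return any(a == action and (proto is None or p == proto) and contains in rest
               for _, a, p, rest in aces)


def check_cwa(session, acls, psn_ip):
    """Return finding codes for the session; an empty list means nothing obviously wrong."""
    findings = []
    # 1. URL redirect is keyed on the client's IP binding learned by IP device
    #    tracking. With 'Unknown' the switch has nothing to match HTTP traffic on.
    if session.get("IP Address", "Unknown") == "Unknown":
        findings.append("IP_UNKNOWN")
    # 2. The redirect ACL is a match list: 'permit' means 'redirect this'. It must
    #    match the web ports and must exclude (deny) traffic to the PSN itself,
    #    otherwise the portal connection would be redirected as well.
    redirect = acls.get(session.get("URL Redirect ACL", ""))
    if redirect is None:
        findings.append("REDIRECT_ACL_MISSING")
    else:
        if not (_has(redirect, "permit", "tcp", "eq www") or _has(redirect, "permit", "tcp", "eq 80")):
            findings.append("REDIRECT_NO_HTTP_MATCH")
        if not _has(redirect, "deny", None, f"host {psn_ip}"):
            findings.append("REDIRECT_PSN_NOT_EXCLUDED")
    # 3. The dACL (ACS ACL) is the real filter: the portal only loads if the
    #    client can reach DNS and the PSN through it.
    dacl = acls.get(session.get("ACS ACL", ""))
    if dacl is None:
        findings.append("DACL_NOT_APPLIED")
    else:
        if not _has(dacl, "permit", None, "eq domain"):
            findings.append("DACL_BLOCKS_DNS")
        if not _has(dacl, "permit", None, f"host {psn_ip}"):
            findings.append("DACL_BLOCKS_PSN")
    return findings


def run_sample():
    """Run the checks over the constructed sample above."""
    return check_cwa(parse_session(SESSION_TEXT), parse_acls(ACL_TEXT), ISE_PSN_IP)


if __name__ == "__main__":
    for code in run_sample():
        print(code)  # prints IP_UNKNOWN for the sample: ACLs are fine, the IP binding is not
```

To check a live port, paste the two show outputs into SESSION_TEXT and ACL_TEXT and set ISE_PSN_IP to your PSN.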

Similar Messages

  • ISE and central web authentication

    Hello all,
    I have followed the steps in this document in detail:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
    however, my central authentication does not work. I get to the guest portal, I get authenticated through the guest portal,
    but then the "second" MAB authentication doesn't happen.
    In the last screencapture of the document, you get a green "Dynamic Authorization" line (third line from below). On my system
    this is a red line with the error message "11213 No response received from Network Access Device".
    (I have a successful guest authentication in my ISE logs, but it seems ISE is unable to bounce or initiate the second MAB....)
    Any ideas ?
    regards,
    Geert

    By the way, I feel the document example is a bit too general. For example, if you implement the document, ISE will do web authentication and redirection even when you are using a 802.1X client and are authenticated (and you have no other rules in your Authorization sequence table).
    I managed to prevent this by adding an additional condition to the first rule "MAC not known" that has the CentralWebAuth policy. Only do web authentication if MAC not known AND Wired_MAB is being used.

  • Central web authentication

    I have downloaded the new Cisco ISE. I've managed to configure 802.1x and MAB successfully but I want to configure wired centralized web authentication, but I cannot find any documentation on how to configure ISE and Cisco Catalyst (IOS) switches to use this feature (I only find (limited) documentation about local web auth on the switch).
    I want to achieve the following authentication order on a switchport:
    802.1x
    MAB
    central web authentication
    So if a guest user comes with his laptop, 802.1x is not configured on his laptop and he's not in the Mac Bypass DB, he should "failover" to web auth and get the ISE guest portal webpage with his web browser. There he enters a guest username and password (which is of course already in the ISE DB) and he should get web access.
    I've configured the switchport with the following commands
    switchport access vlan 99
    switchport mode access
    switchport voice vlan 50
    authentication event no-response action authorize vlan 32
    authentication host-mode multi-domain
    authentication order dot1x mab webauth
    authentication port-control auto
    authentication violation protect
    authentication fallback webprofile
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 2
    dot1x timeout tx-period 2
    spanning-tree portfast
    spanning-tree bpduguard enable
    the web-profile with access-list to permit DHCP traffic between the attached device and any DHCP server in the vlan 99, and communications with ISE (also in vlan 99) at the moment "fallback webprofile" is triggered (I don't know if this should be configured with central webauth?)
    SW01T#sh fallback profile webprofile
    Profile Name: webprofile
    Description : webauth profile
    IP Admission Rule : NONE
    IP Access-Group IN: 133
    FYI, the access list:
    Extended IP access list 133
    10 permit ip any host 10.175.0.29
    30 permit udp any any eq bootps
    40 permit udp any eq bootpc any
    In the ISE, I configured DOT1x and MAB. In the MAB profile, I configured "continue" if user is unknown, and then an authorization profile for the web authentication:
    (attributes of the profile):
    Access Type = ACCESS_ACCEPT
    cisco-av-pair = url-redirect-acl=webauth
    cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&portal=https://10.175.0.29:8443/guestportal/gateway?sessionId=SessionIdValue&portal=http&action=cwa&action=cwa
    But it doesn't work. If I attach a device, it tries 802.1x, it tries MAB, then it fails over to "web authentication" but immediately fails with "no-response" message:
    001420: Jul 1 12:09:19: %AUTHMGR-5-START: Starting 'webauth' for client (0011.2
    5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
    5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
    from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0
    AAF003E000000582E866B69
    001422: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'webauth' for cl
    ient (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B
    69
    001423: Jul 1 12:09:19: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication
    methods for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003 001420:
    Is there some configuration guide or steps available in order to make this work please?
    kind regards

    Hi Tarik,
    thank you for the fast reply.
    I've configured the extra settings you told me (although I thought the ip admission configuration was only for local web authentication, where the switch acts as a http server).
    But it still doesn't work. The pc is getting the ip address from the dhcp server but if I open a browser session, I do not get redirected to the ISE portal in order to log me in with a Guest account.
    If I look at the authentication session of the port, it looks like the ISE has correctly sent the redirect acl and redirect url to the switchport:
    Switch# show auth sessions int fa 1/0/3
               Interface:  FastEthernet1/0/3
             MAC Address:  0011.25d7.6c6c
              IP Address:  10.175.0.229
               User-Name:  001125d76c6c
                  Status:  Authz Success
                  Domain:  DATA
         Security Policy:  Should Secure
         Security Status:  Unsecure
          Oper host mode:  multi-domain
        Oper control dir:  both
           Authorized By:  Authentication Server
              Vlan Group:  N/A
        URL Redirect ACL:  webauth
            URL Redirect:  https://ISE.onemrva.priv:8443/guestportal/gateway?session
    Id=0AAF003E0000175A43004FE3&action=cwa
         Session timeout:  N/A
            Idle timeout:  N/A
       Common Session ID:  0AAF003E0000175A43004FE3
         Acct Session ID:  0x000018CF
                  Handle:  0xEF00075B
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
           webauth  Not run
    As you can see, the "web authentication" is the result of a "successful MAB". This is because I had to configure ISE to continue on MAB if the user was not found (I found that somewhere in documentation). Then I have configured a default authorization profile where the "web authentication" is triggered. This is where I've configured the redirect-url and so on and this is of course sent to the switch as a successful MAB:
    authorization profile "webauthentication" with the "centralized web authentication" settings configured (see attributes output):
    Access Type = ACCESS_ACCEPT
    cisco-av-pair = url-redirect-acl=webauth
    cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    Actually, I really have no idea if I have correctly configured ISE to handle central web authentication...
    If I check the "show ip admission cache", nothing is seen in there.

  • ISE 1.2 web authentication problem with wired clients

    Hello,
    I am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
    Redirecting the client works fine, but as soon as the client opens a web browser and the ISE website opens to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired message appears on the client and I get an 86017 Session Missing message in ISE.
    Here is the output from the debug aaa coa log.
    Any ideas?
    Thanks in advance
    Alex
    ! CLIENT CONNECT TO SWITCHPORT
    ISE-TEST-SWITCH#show authentication sessions interface gi0/3
                Interface:  GigabitEthernet0/3
              MAC Address:  001f.297b.bd82
               IP Address:  10.2.12.45
                User-Name:  00-1F-29-7B-BD-82
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1484640000026B28C02CDC
          Acct Session ID:  0x0000029C
                   Handle:  0x8C00026C
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    ! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE 
    ! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
    ISE-TEST-SWITCH#
    191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
    191527: .Jun 24 10:42:24.340 UTC: RADIUS:  authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
    191528: .Jun 24 10:42:24.340 UTC: RADIUS:  NAS-IP-Address      [4]   6   172.20.132.100
    191529: .Jun 24 10:42:24.340 UTC: RADIUS:  Calling-Station-Id  [31]  19  "00:1F:29:7B:BD:82"
    191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
    191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529
    191532: .Jun 24 10:42:24.340 UTC: RADIUS:  Message-Authenticato[80]  18
    191533: .Jun 24 10:42:24.340 UTC: RADIUS:   E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E          [ <Ggi=aSn]
    191534: .Jun 24 10:42:24.340 UTC: RADIUS:  Vendor, Cisco       [26]  43
    191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
    191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
    191537: .Jun 24 10:42:24.340 UTC:  ++++++ CoA Attribute List ++++++
    191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
    191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
    191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
    191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
    191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
    191543: .Jun 24 10:42:24.349 UTC:
    191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
    191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
    191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
    191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
    191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
    191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
    ISE-TEST-SWITCH#
    191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
    191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
    191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
    191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
    191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
    ! SESSION ID CHANGES, USER ENTERS CREDENTIALS 
    ! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
    ! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
    ISE-TEST-SWITCH#show authentication sessions interface gi0/3
                Interface:  GigabitEthernet0/3
              MAC Address:  001f.297b.bd82
               IP Address:  10.2.12.45
                   Status:  Running
                   Domain:  UNKNOWN
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1484640000026C28C2FA05
          Acct Session ID:  0x0000029D
                   Handle:  0x2C00026D
    Runnable methods list:
           Method   State
           dot1x    Running
           mab      Not run

    Guest authentication failed: 86017: Session cache entry missing
    Try adjusting the UTC timezone during the guest creation in the sponsor portal.
    86017 Guest Session Missing: Session ID missing. Please contact your System Administrator. (Info)

  • OSX 10.10.1 with Cisco ISE guest portal using (CWA) central web authentication issue

    We have Cisco Wireless with ISE (Identity Service Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest tries to browse the internet they will be redirected to the guest portal for authentication. So only corporate guests with a valid password can pass the portal authentication. This has been working fine for Windows machines, Android, and Apple devices with earlier OS versions (working on OSX 10.8.5). Clients that have been upgraded to OSX 10.10.1 or iOS 8 can no longer load the CWA redirection page.
    Please let us know if there's any setting under OSX to solve the issue, or a plan from Apple to fix the issue in the next OSX/iOS release?
    thanks - ciscosx

    Robert,
    Manual assignment has been made available in ISE 1.2 release.
    M.

  • Not Working-central web-authentication with a switch and Identity Service Engine

    Following up on the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, I'm asking for your help...
    I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
    The interface configuration looks like this:
    interface FastEthernet0/24
    switchport access vlan 6
    switchport mode access
    switchport voice vlan 20
    ip access-group webauth in
    authentication event fail action next-method
    authentication event server dead action authorize
    authentication event server alive action reinitialize
    authentication order mab
    authentication priority mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    spanning-tree portfast
    end
    The ACL's
    Extended IP access list webauth
        10 permit ip any any
    Extended IP access list redirect
        10 deny ip any host 172.22.2.38
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
    The ISE side configuration I follow it step by step...
    When I connect the XP client, I see the following authentication session...
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
               Interface:  FastEthernet0/24
              MAC Address:  0015.c549.5c99
               IP Address:  172.22.3.184
                User-Name:  00-15-C5-49-5C-99
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC16011F000000490AC1A9E2
          Acct Session ID:  0x00000077
                   Handle:  0xB7000049
    Runnable methods list:
           Method   State
           mab      Authc Success
    But there is no redirection, and I get the following message on the switch console:
    756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
    756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    I have to mention I'm using an http proxy on port 8080...
    Any Ideas on what is going wrong?
    Regards
    Nuno

    OK, so I upgraded the IOS to version
    SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
    I tweaked the ACLs to the following:
    Extended IP access list redirect
        10 permit ip any any (13 matches)
    and created a DACL that is downloaded along with the authentication
    Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
        10 permit ip any any
    I can see the epm session
    swlx0x0x#show epm session ip 172.22.3.74
         Admission feature:  DOT1X
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
    And authentication
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
         Interface:  FastEthernet0/24
         MAC Address:  0015.c549.5c99
         IP Address:  172.22.3.74
         User-Name:  00-15-C5-49-5C-99
         Status:  Authz Success
         Domain:  DATA
         Oper host mode:  multi-auth
         Oper control dir:  both
         Authorized By:  Authentication Server
         Vlan Group:  N/A
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
         Session timeout:  N/A
         Idle timeout:  N/A
         Common Session ID:  AC16011F000000160042BD98
         Acct Session ID:  0x0000001B
         Handle:  0x90000016
         Runnable methods list:
         Method   State
         mab      Authc Success
    on the logging, I get the following messages...
    017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
    017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
    017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
    017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
    017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
    017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
    What am I missing?

  • Local Web Authentication Started after Central Web Authentication

    Hi everyone,
    We have a DMZ based anchor WLC for a guest WLAN. I have this WLAN configured for central web authentication using ISE 1.2, this works correctly and can login using the guest portal.
    However, after logging in, when browsing to a website everything is redirected to the local web authentication page and the policy manager state for the client goes into a WEBAUTH_REQD state. I currently don't have any layer 3 security configured for this WLAN, so from my understanding it should just be using the central authentication provided by ISE.
    Thanks for your help.
    Mark

    Hi Mark,
    Thanks - that looks very similar to ours, though I'm doing the 3850 via the CLI as the web UI keeps dying when I click into things.
    I've realised that I unticked the Authentication servers box instead of the Accounting one as I misread the WLC page; however, while the LWA no longer kicks in, I'm unable to pass anything except DNS traffic.  The Anchor says that the client is in "Webauth" state so it looks like it's expecting something, but ISE says it's all ok and I can see the 3850 traffic going through the process flow.
    If I attach an AP to the WLC directly and have the accounting box ticked, then it all works exactly as I'd expect - this is just, well, odd....
    Warmest
    Kev

  • Wlc flexconnect wlan local authentication and central web authentication maximum rtt

    Hi
    The link below mentions that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148.
    Does this limitation also apply to web authentication?
    Thanks
    Anyone???

    Central Web Auth (CWA) works differently on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have a similar setup.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    If so, please post screen shots with your configs (Redirect ACLs, policies in ISE and the WLC SSD settings). 
    Also, the version of code that you are running in ISE and your controller. 
    Thank you for rating helpful posts!

  • Cisco Ise Central Web authentication not working

    Hello Guys,
    CWA is not working. It says that authentication succeeded but posture status is pending. No error in my Monitor--authentication. Checking it in my Windows 7, it does not show the CWA portal.
    What might be the possible problem?
    thanks

    Kindly review the below links:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • Central Web Authentication Fail - This device has not been registered.

    Dear All,
    I have a problem when applying CWA. I have a WLC and ISE.
    I want all users (all device types) that want to access my network by Wifi to be authenticated by AD,
    but users can't connect to the network, even only to authenticate.
    My ISE Authorization rule:
    if
    (Wireless_MAB AND AD1:ExternalGroups EQUALS example.com/Users/Domain Users)
    Anyone, have experience like this before, please share..
    NB: my ISE license is Base Package.
    Thanks!!

    I had followed the configuration guide from here:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    but my authentication always fails with a redirect to device registration.
    When a user connects to the SSID and inputs the username and password based on Active Directory,
    the browser shows up like this:
    1. Access with Windows :
    Device Registration
    This device has not been registered.
    You need to manually configure your device. Contact your system administrator for assistance.
    Your device configuration is not supported by the setup wizard.
    Device ID        : my-workstation-mac-address- 
    Description     :
    2. Access with Android
    Device Registration
    This device has not been registered.
    You need to manually configure your device. Contact your system administrator for assistance.
    Unsopported operating system type encountered.
    Device ID        : my-android-mac-address- 
    Description     :
    Thanks,

  • WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

    Hi there,
    Is it possible to use sleeping clients when using ISE and CWA?
    I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
    Or is the only solution to use LWA?

    Controller-> General-> User Idle Timeout (seconds) = 50 000 sec.
    And your users will be connected all this time even if they go into sleep mode.
    Be careful with CPU loading.

  • Cisco ISE - Not use FQDN in url-redirect parameter

    Hi,
    I am using Cisco ISE Central Web Authentication for Guest Wireless. Clients are redirected for web authentication to: https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa as it is specified by the url-redirect parameter in the Authorization Profile.
    The “ip” field in the url is now replaced by the FQDN of the Cisco ISE, but I want to use the IP address instead of the FQDN. Is there any way to do that?
    As far as I know in version 1.2 you can use the “ip host/no ip host” command to indicate what you want to use in the URL. However my Cisco ISE is running version 1.1.1.268.
    Thank you very much.
    Joana.

    Available in 1.2, and available as a "bit of a bodge" in 1.1.x  (read "a lot of a bodge")
    If you only have one PSN then you may be able to get it to work, but after that you lose the ability to get the session to be pointed automatically at whichever PSN they hit initially so it would break.
    Copy the settings that are applied when you use CWA, then create your own based on the same settings but using the ip address pasted in there instead.

  • Cisco vWLC and Central Web Authentication ISE Issue

    Hello!
    I have an issue with Wireless Central Web Authentication. Wired CWA is working fine.
    My APs are working in FlexConnect mode with local switching. When I connect to the WLAN with CWA, the web page with the guest portal is not opening, but I see that the redirect is working...
    When I try to ping ISE, I have a strange result:
    y@5733Z:~$ ping 10.10.2.47
    PING 10.10.2.47 (10.10.2.47) 56(84) bytes of data.
    64 bytes from 10.10.2.47: icmp_seq=5 ttl=63 time=1.45 ms
    64 bytes from 10.10.2.47: icmp_seq=8 ttl=63 time=2.22 ms
    64 bytes from 10.10.2.47: icmp_seq=10 ttl=63 time=1.43 ms
    ^C
    --- 10.10.2.47 ping statistics ---
    21 packets transmitted, 3 received, 85% packet loss, time 20106ms
    rtt min/avg/max/mdev = 1.430/1.703/2.223/0.367 ms
    When I change the security method on the WLAN to open or any other, ping to ISE works fine. Please help!

    Central Web Auth (CWA) works differently on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have a similar setup.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    If so, please post screen shots with your configs (Redirect ACLs, policies in ISE and the WLC SSD settings). 
    Also, the version of code that you are running in ISE and your controller. 
    Thank you for rating helpful posts!

  • ISE post compliant posture assessment URL redirection

    G'day All,
    Is anyone aware if it is possible for ISE to push a URL redirection to user devices once they have passed the posture assessment?
    I am deploying a wireless BYOD ise deployment with AD auth and posture assessment, and we are hoping to find an easy way to push the compliant users to a new URL once they have passed posture.
    Thanks gang.
    Cheers,
    James.

    It is not possible to redirect the user to a specific URL after authentication and posturing, because ISE does not support this feature so far.
    I think URL redirection can be done in web authentication if it is used in the case of employees.
    Navigate to Policy > Policy Elements > Results > Authorization and then select Authorization Profiles.
    Step 18: Select Add to create a new Authorization Profile for Central Web Authentication:
    Name: Central_Web_Auth
    Description: (optional)
    Access-Type: ACCESS_ACCEPT
    DACL Name: CENTRAL_WEB_AUTH
    Centralized Web Authentication ACL: ACL-WEBAUTH-REDIRECT, Redirect: Default
    “ACL-WEBAUTH-REDIRECT” is configured on the switch, which determines to which destination it will redirect.

  • ISE url-redirect CWA to Gig1

    Hello,
    say I want to have five ISE 1.3 nodes behind a load balancer. I want only G0 behind the LB, and the G1 interfaces will be dedicated to certain things. Specifically I want to use the G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc). RADIUS auth will happen through the LB on G0 of some specific PSN, and that PSN will url-redirect the user to the CWA URL.
    How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check the result authorization profile, there is no option there, it's just ip:port. Obviously, that's not the right place, because which PSN is used to process the policy is unpredictable.
    So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
    But then, why does it let me choose multiple interfaces, what happens if I select all of them?
    Am I missing another spot in ISE admin where I can control this?
    Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
    Thanks!

    Take a look at the following document:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
    Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
    • Cisco ISE management is restricted to Gigabit Ethernet 0.
    • RADIUS listens on all network interface cards (NICs).
    • All NICs can be configured with IP addresses.
    So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with. 
    I hope this helps!
    Thank you for rating helpful posts!
