Managing URL redirects/forwards
My business client has a requirement whereby they wish to manage all URL redirect/forwards themselves. They wish to make changes on a regular basis without involving the tech team. Short of giving them access to the Sun Web Server 7.0 Management GUI, I was wondering if there was another means for us to meet their requirements.
Yeah, I've looked at the lookup() option. Unfortunately I seem to have neglected to mention that the business team wants to make these changes directly into production. This method obviously poses some risks since an incorrect URL could break production. I could get my development team to write a Java App that can manage the URLs and also check the validity of the URLs, however I guess what I was looking for was an "out-of-the-box" option, a sort of content management system that would interact with the WebServer.
Similar Messages
-
Hello,
say I want to have five ISE 1.3 nodes behind load balancer, I want only only G0 behind LB, and G1 interfaces will be dedicated for certain things. Specifically I want to use G1 interface for Redirected Web Portal access (could be CWA, device registration, NSP, etc). RADIUS auth will happen through LB on G0 of some specific PSN, and that PSN will url-redirect user to the CWA URL.
How do I tell ISE to use specifically Gig1's IP address or Gig2's IP address? When I check result authorization profile, there is no option there, it's just ip:port. Obviously, that's not the right place, because which PSN is used to processed the policy is unpredictable.
So then I go to guest portal, and specifically Self-Registered Guest Portal that I'm using. So here I see Gig0, Gig1, Gig2, and Gig3 listed. My guess is that if I only leave Gig1 selected then I will achieve my goal, is that correct?
But then, why does it let me choose multiple interfaces, what happens if I select all of them?
Am I missing another spot in ISE admin where I can control this?
Additional question. I know that in ISE 1.2 you could configure "ip host" in ISE's CLI, which would force URL-redirect response to be translated to FQDN:port. Is that still the right method in ISE 1.3?
Thanks!Take a look at the following document:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13.pdf
Towards the end of the document you will find a section called: "Cisco ISE Infrastructure" and there you will see the following:
• Cisco ISE management is restricted to Gigabit Ethernet 0.
• RADIUS listens on all network interface cards (NICs).
• All NICs can be configured with IP addresses.
So, you can take an interface, give it an IP address and then assign it to the web portal that you are working with.
I hope this helps!
Thank you for rating helpful posts! -
ISE & Switch URL redirect not working
Dear team,
I'm setting up Guest portal for Wired user. Everything seems to be okay, the PC is get MAB authz success, ISE push URL redirect to switch. The only problem is when I open browser, it is not redirected.
Here is some output from my 3560C:
Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3
SW3560C-LAB#sh auth sess int f0/3
Interface: FastEthernet0/3
MAC Address: f0de.f180.13b8
IP Address: 10.0.93.202
User-Name: F0-DE-F1-80-13-B8
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A005DF40000000D0010E23A
Acct Session ID: 0x00000011
Handle: 0xD700000D
Runnable methods list:
Method State
mab Authc Success
SW3560C-LAB#sh epm sess summary
EPM Session Information
Total sessions seen so far : 10
Total active sessions : 1
Interface IP Address MAC Address Audit Session Id:
FastEthernet0/3 10.0.93.202 f0de.f180.13b8 0A005DF40000000D0010E23A
Could you please help to explore the problem? Thank you very much.With switch IOS version later than 15.0 the default interface ACL is not required. For url redirection the dACL is not required as this ACL is part of traffic restrict for "guest" users.
In my experiece some users can not get the redirect correctly because anti-spoof ACL on management Vlan or stateful firewall blocks the TCP syn ack.
It is rare in campus network access layer switches have user SVI configured so the redirect traffic has to be sent from the netman SVI, but trickly the TCP SYN ACK from the HTTP server will be sent back from the netman Vlan without source IP changed. (The switch is spoofing the source IP in my understanding with changing only the MAC address of the packet). In most of the cases there should be a basic ACL resides on the netman SVI on the first hop router, where the TCP SYN ACK may be dropped by the ACL.
tips:
1. "debug epm redirect" can make sure your traffic matches the redirect url and will get intercepted by the switch
2. It will be an ACL or firewall issue if you can see epm is redirecting your http request but can not see the SYN ACK from the requested server.
Which can win the race: increasing bandwidth with new technologies VS QoS? -
SSL termination and URL redirection
Hi All,
I have configured application in cisco ACE module for which i got more requirement for URL redirection.
Application setup is as below.
VIP : 10.232.92.x/24 which is pointing to 2 Web server 10.232.94.x/24 range. In addition to that app team want APP server also need to be loadbalanced hence new VIP is configured for 10.232.92.x/24 which is pointing to 2 different app server 10.232.94.x/24.
Both Web and App servers are having different IP but in same broadcastdomain. SSL termination is done on ACE.
Issue : 1) After initiating connection i am getting login page but after login its again giveing login page. After 2 to 3 trial its giving me application page but with invalid session error.
2) How to do https connection redirecting to different path.
Ex. https://apps.xyz.com to https://apps.xyz.com/abc
configuration :
probe tcp rem_app_tcp
port 2100
interval 5
passdetect interval 10
passdetect count 2
open 1
probe http rem_itsm_https
port 80
interval 5
passdetect interval 10
passdetect count 2
request method get url /keepalive/https.html
expect status 200 200
open 1
serverfarm host app_tcp
predictor leastconns
probe rem_app_tcp
rserver server1 2100
inservice
rserver server2 2100
inservice
serverfarm host rem_https
predictor leastconns
probe rem_itsm_https
rserver server3 80
inservice
rserver server4 80
inservice
action-list type modify http remurlrewrite
ssl url rewrite location "apps\.xyz\.com"
policy-map type loadbalance first-match app_tcp
class class-default
serverfarm app_tcp
policy-map type loadbalance first-match app_https
class class-default
serverfarm rem_https
action remurlrewrite
class-map match-all VIP_rem_app_tcp
2 match virtual-address 10.232.92.8 any
class-map match-all VIP_rem_itsm_https
2 match virtual-address 10.232.92.9 tcp eq https
class-map match-all real_servers_vlan273
2 match source-address 10.232.94.0 255.255.255.0
policy-map multi-match VIPS
class real_servers_vlan273
nat dynamic 1 vlan 273
class VIP_rem_app_tcp
loadbalance vip inservice
loadbalance policy rem_app_tcp
loadbalance vip icmp-reply
class VIP_rem_itsm_https
loadbalance vip inservice
loadbalance policy rem_itsm_https
loadbalance vip icmp-reply
ssl-proxy server Remedy-SSL-PROXYHi Kanwaljeet,
I have applied below config for HTTPS URL redirection. Seems it dint work for me. Redirect serverfarm and policy map was not hitted.
access-list ANY line 8 extended permit ip any any
probe tcp rem_app_tcp
port 2100
interval 5
passdetect interval 10
passdetect count 2
open 1
probe http rem_itsm_https
port 80
interval 5
passdetect interval 10
passdetect count 2
request method get url /keepalive/https.html
expect status 200 200
open 1
ip domain-name nls.jlrint.com
ip name-server 10.226.0.10
ip name-server 10.226.128.10
rserver redirect REDIRECT-TO-HTTPS
webhost-redirection https://%h/arsys 301
inservice
rserver host serv1
ip address 10.232.94.74
inservice
rserver host serv2
ip address 10.232.94.75
inservice
rserver host serv3
ip address 10.232.94.76
inservice
rserver host serv4
ip address 10.232.94.77
inservice
serverfarm redirect REDIRECT-SERVERFARM
predictor leastconns
rserver REDIRECT-TO-HTTPS
inservice
serverfarm host rem_app_tcp
predictor leastconns
probe rem_app_tcp
rserver serv1 2100
inservice
rserver serv2 2100
inservice
serverfarm host rem_itsm_https
predictor leastconns
probe rem_itsm_https
rserver serv3 80
inservice
rserver serv4 80
inservice
ssl-proxy service Remedy-SSL-PROXY
key Remkey.pem
cert Remcert.pem
class-map type management match-any MANAGEMENT_CLASS
3 match protocol ssh any
4 match protocol snmp any
5 match protocol icmp any
6 match protocol http any
7 match protocol https any
class-map match-all VIP_rem_app_tcp
2 match virtual-address 10.232.92.8 any
class-map match-all VIP_rem_itsm_http
2 match virtual-address 10.232.92.9 tcp eq www
class-map match-all VIP_rem_itsm_https
2 match virtual-address 10.232.92.9 tcp eq https
class-map match-all real_servers_vlan273
2 match source-address 10.232.94.0 255.255.255.0
policy-map type management first-match MANAGEMENT_POLICY
class MANAGEMENT_CLASS
permit
policy-map type loadbalance first-match REDIRECT-PM
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match rem_app_tcp
class class-default
serverfarm rem_app_tcp
policy-map type loadbalance first-match rem_itsm_https
class class-default
serverfarm rem_itsm_https
policy-map multi-match VIPS
class real_servers_vlan273
nat dynamic 1 vlan 273
class VIP_rem_itsm_http
loadbalance vip inservice
loadbalance policy REDIRECT-PM
class VIP_rem_itsm_https
loadbalance vip inservice
loadbalance policy rem_itsm_https
loadbalance vip icmp-reply
ssl-proxy server Remedy-SSL-PROXY
class VIP_rem_app_tcp
loadbalance vip inservice
loadbalance policy rem_app_tcp
loadbalance vip icmp-reply
interface vlan 270
description VIP
ip address 10.232.92.4 255.255.255.0
alias 10.232.92.6 255.255.255.0
peer ip address 10.232.92.5 255.255.255.0
access-group input ANY
service-policy input MANAGEMENT_POLICY
service-policy input VIPS
no shutdown
interface vlan 273
description Real server
ip address 10.232.94.66 255.255.255.192
alias 10.232.94.65 255.255.255.192
peer ip address 10.232.94.67 255.255.255.192
access-group input ANY
nat-pool 1 10.232.92.253 10.232.92.253 netmask 255.255.255.0 pat
service-policy input MANAGEMENT_POLICY
service-policy input VIPS
no shutdown -
I am trying to work out the best way to allow content authors to create and manage 301 redirects within the CMS. We are using GSF for friendly URLs, but they also want to be able to (for example) create a catchy URL to be distributed on print media that will redirect to an existing page within the site (or potentially to a page on an external site).
I know that I cannot change the response headers in the JSP, and so am looking at the best way to do so within the existing software stack. The GSTAlias class appears to be almost what I need, but only supports 302 redirects, not 301.
My current though is that I will implement a custom filter (which will compare the incoming URL against the list of redirects that it retrieves from WCS and send a 301 if needed) and insert it into the filter chain, but I was hoping to get some feedback on this and see if anyone had done this before or knew of a better way to do it.
Cheers,
StephenPreviously I've done redirects exactly like you, using a custom filter which was installed on the Satellite servers.
My implementation ended being a bit more complicated since all code using friendly URLs had to be executed within a cached code block due to an earlier design decision. What I ended up with was a setup where the templates could generate some output that could be interpretted by the filter. Like #R#301#http://somepage.com# which the filter picked up. Unfortantely that approach required me to read through the output of the pages and add some caching to often requested URLs in order avoid parsing through the content again.
If you have GSF on your site as well, you might have a look at com.fatwire.gst.foundation.httpstatus.HttpResponseStatusFilter which enables you to communicate status codes from the ContentServer. Note that proper redirects are not supported, or at least not implemented.
Also this requires your code to make the decision in a XML based wrapper, since you cannot communicate response codes from JSP.
If the requirements are quite simple, you can create a basic asset type containing the URL to match and where to redirect to and in your XML wrapper do a very simple sql lookup which should give you enough performance in order to have this executed in an un cached element. The SQL cache will save you for the common requested URLs.
Please note, that if you are running remote satellite servers I am not quite sure how this will work, if they support handling other response codes and if they can handle additional information found in a 301 redirect. -
How to do auto URL redirect in sun web server ?
Hi, i need to do auto url redirect in my sun web server. Currently i'm setup some rules for the reverse proxy in obj.conf file and the syntax looks like:
<Object name="reverse-proxy-/test">
<If $internal and $uri =~ "index.html">
NameTrans fn="redirect" from="/" uri="/examples/abc.html"
</If>
Route fn="set-origin-server" server="http://localhost:8989"
</Object>
The situation is:
1) When users browse "*http://localhost/examples/abc.html*" it will redirect to abc.html
2) When users browse "*http://localhost/test*" it will redirect to the localhost admin GUI (http://localhost:8989/admingui/admingui/serverTaskGeneral)
My desire output should be whenever users browse the "*http://localhost/test*" , it will redirect to abc.html page.
the syntax might be wrong. So, anyone knows how to fix this? I'm keep trying but nothing worked. Please help me.Moderator action: Moved from Servers General Discussion.
db -
Need help with URL Redirect in Sun Web Server 7 u5
All I am trying to do is redirect to a static URL and for the life of me I can not get it to behave the way I would expect. I am new to Sun Web Server so I am just trying to use the Admin Console to set this up.
Here is what I'm trying to do:
Redirect from - http://www.oldsite.com/store/store.html?store_id=2154
To - http://www.newsite.com/Stores/StoreFront.aspx?StoreId=2154
Here's what I tried in the console.
Added a new URL Redirect
Set the Source to be Condition and set it to: '^/store_id=2154$' (quotes included)
Then set the Target to: http://www.newsite.com/Stores/StoreFront.aspx?StoreId=2154
Then for the URL Type I checked Fixed URL
When I tested with: http://www.oldsite.com/store/store.html?store_id=2154 it did redirect as desired
BUT
When I tested with: "http://www.oldsite.com/store/store.html?store_id=5555" it too got redirected to the Target and I can't figure out how this second URL can satisfy the condition to get redirected.
Any help is most appreciated.thanks for choosing sun web server 7
it is simpler if you just edit the configuration files manually
cd <ws7-install-root>/https-<hostname>/config/
edit obj.conf or <hostname>-obj.conf (if there is one for you depending on your configuration so that it look something like)
<Object name="default">
AuthTrans..
#add the folllowing line here
<If defined $query>
<If $urlhost =~ "/oldsite.com" and
$uri =~ "/store/store.html" and
$query =~ "store_id=2154" >
NameTrans fn="redirect" from="/" http://www.newsite.com/Stores/StoreFront.aspx?StoreId=2154
</If>
</If>
..rest of the existing obj.conf. continues
NameTrans...
now, you can either do <ws7-install-root>/https-<hostname>/bin/reconfig -> to reload your configuration without any server downtime or <ws7-install-root>/https-<hostname>/bin/restart -> to restart the server
if it did work out for your, you will need to run the following so that admin server is aware of what you just did
<ws7-install-root>/bin/wadm pull-config user=admin config=<hostname> <hostname.domainname>
hope this helps -
Is there a way to create a popup to a page in URL Redirect ?
I have a button (also with a report link column) that is doing a URL Redirect to another page in my app. This works fine.
However, some pages I branch to are small forms and a popup of that form would be more appropriate.
Is there any way to create a URL Redirect that redirects as a popup rather than a page navigation? Similarly, can you branch to a popup page with a report link column?
Thanks,
Reid
Edited by: reidster on Jul 30, 2009 7:10 PMWith your help, I was able to create a popup on a report link column using this:
I just added an "a href" around it.
Thanks again!
Edited by: reidster on Jul 30, 2009 10:18 PM
Edited by: reidster on Jul 30, 2009 10:18 PM -
Set item value at other page via URL-redirect
Hi, I have a button and I want to open a new window with it using an url-target.
</br>
</br>
javascript:window.open ('f?p=&APP_ID.:143:&SESSION.::NO:143:P143_KDT_ID,P143_MESSAGE:&P140_KDT_ID.,&P140_MESSAGE.') </br>
</br>
When I use branching I get an error that there is no page to branch to. I don't understand why. As a workaround I use an url-redirect when the button is pressed, but I'm stuck on getting the current item value into the target page. I tried using $v('P140_MESSAGE') but I can't get the url valid.Jacob,
The problem was that when the HTML for the button is rendered, the value of P1_ITEM from session state was "glued in" to the generated URL at that time. If you then entered a value for the iterm, even though your onChange AJAX technique changed the value in session state it was too late to change the already generated HTML for the button, specifically the URL target for the button.
I created a Set Item2 button on your page with this for the URL attribute:
javascript:window.open('f?p=&APP_ID.:2:&SESSION.::NO::P2_ITEM:' + document.getElementById('P1_ITEM').value);
Let me know if that does what you need.
There is another problem and I don't know the cause. When you click the button, it opens the new window properly but leaves the original page in an error state of some kind. I could not reproduce this in my application using the same js, so I'll be interested in how you solve that.
Scott -
URL redirection config in PI SOAP receiver communication channel
Hi,
I am working on a similar scenario where I my consuming an external web service using https protocol from PI.
I have configured a soap receiver channel to call the target url of this web service as https://portal.xyz.org.uk/webservice_alt.
I am getting an error HTTP 302 suggesting that PI is not able to follow the re-direction to the target URL as the service resides not on that URL but on https://portal1.xyz.org.uk/webservice_alt or https://portal2.xyz.org.uk/webservice_alt.
This is their server fail over handling mechanism which is very common. But PI 7.0 is not able to handle this.
So if I change the target URL on the SOAP receiver channel to https://portal1.xyz.org.uk/web service or https://portal2.xyz.org.uk/webservice_alt , PI works fine without errors . But this is not the right approach because, every time the web service provider takes one of these systems down for upgrade/patching etc, they inform us and then I manually go and change the target URL to the available server on my production PI system config.
My problem is I want to resolve this redirection error in PI. I have tried raising a call with SAP itself and they pointed out to use Axis adapter which is still not working.
So I am here asking for help. any suggestions please from the experts?
Thanks
Jhansi.Hi guys,
I am sorry if I have not been clear so far!!
What I am talking about is a URL redirection capability of PI. what i mean is , when you call any service in general using a browser/soap ui etc, it pings that url and follows the redirection.
For example when i try to test this external web service directly using soap ui tool, it also returns HTTP 302 error. But when I set the 'Follow redirect' property to 'true' , it follows the redirection and calls the service on 'portal1' or 'portal2' .
You assume PI is a test tool like SOAPUI. When the address or URL changed in WSDL and if you load the latest WSDL in soapUI it post the request to the latest URL. YOu import WSDL only in ESR not in IR. Dont forget it. Though WSDL has soap address location, it will not impact the wsdl changes directly in ID.
It makes no sense to complain regarding the behaviour of PI when the reason for the problem is outside (WS provider).
please note that the target url is fixed which is https://portal.xyz.org.uk/webservice_alt.
so we are not talking here about the service provider altering the service and sending us new wsdl's etc.
All users of this webservice have been non-sap users so far and consumers use java, .net etc platforms and are easily able to handle the redirection.because this redirection is a part of failover mechanism.
I hope i am able to picture my problem.
thanks
Jhansi. -
Button URL Redirect - Issue passing %null% from LOV
I have issue when attempting to pass %null% from a LOV to a subsequent target page. The URL Redirect works fine when a value in selected in the LOV but passes gibberish "?ll" when no value is selected from the LOV. Can anyone shed some light on what's is going on?
Redirect looks like this:
f?p=112:411:508326687872582::NO:RP,411:P411_AGENCY,P411_CATEGORY,P411_BUDGET_YEAR,P411_OIT_OFFICE,P411_DESCRIPTION:002,%null%,2012,1665,webJeff
Edited by: jwellsnh on Jun 2, 2010 4:42 PMsvk1965,
Thank you for your response, I read many other threads and you are definitely on the right track. Got impatient though and took my project on a different track which ended being a better solution for me after all.
Jeff -
Later - save and manage URLs to be opened later
later is a small (242 sloc) perl script that saves and manages URLs to be opened later.
GitHub repo
AUR package (-git)
dependencies
perl
optional dependencies (see -t command-line option)
curl
perl-html-parser
command-line options
later [options] [URL] [memo ...]
General options:
-h, --help print this message and exit
-v, --version print version and exit
-q, --quiet disable output
-f FILE file on which to operate (default is $HOME/.later)
Add options:
-a append entry to FILE (default is prepend)
-t add URL title to entry (requires curl, HTML::Parser)
Open options:
-o NUMBERS* open entries with given NUMBERS
-O ENTRY open given ENTRY
-k keep entries after opening (default is remove)
Manipulate options:
-l [d] list contents of FILE with numbered lines,
descending if d is given (default is ascending)
-r NUMBERS* remove from FILE entries with given NUMBERS
*accepts a range of numbers separated by a hyphen (e.g. 1-9)
example entry
arch linux is best linux >>> Arch Linux >>> https://www.archlinux.org/ >>> Sat, 26 Jan 2013 00:04:44 EST
potentially useful scripts
Copy URL from clipboard and use dmenu to prompt for memo:
#!/bin/bash
later -q -t "$(xsel -b)" "$(dmenu -p memo: <&-)"
Pipe file into dmenu and open selected entry:
#!/bin/bash
if [[ -f "$1" ]]; then
FILE="$1"
else
FILE="$HOME/.later"
fi
later -q -O "$(dmenu -l 30 < $FILE)"
I bind both of the above scripts to keys using my window manager of choice.
Hopefully someone else will find this useful!It's a good idea that should be submitted to Apple's developers. (Submitting ideas in these forums might or might not get to the right people, while submitting feedback via Apple's forms will get channeled appropriately.)
In a pinch, you could approximate what you're looking for by bookmarking all of your open tabs into a new folder in your bookmarks, then using the option to "Open in Tabs" when accessing that folder in the Bookmarks menu. That's certainly clumsy compared to a simple one-click "save state" method that you're requesting, but it's something.... -
Report field substibution on URL Redirect
I am using ApEx 2.0
I have a page with two report regions based on SQL queries, joined by a common column. The master region is read only and in detail region, I changed the attribute of one field to display as text.
So, for example, the Master region has two columns:
M_COL1, M_COL2
The detail region has 3 columns:
M_COL1, D_COL1, D_COL2
The regions as joined on M_COL1 and D_COL2 is the Text field.
Next, i added a button to this detail region. When clicked I want this button to launch a URL whose parameters are sourced from some of the existing report column/fields on this page.
I cannot seem to get the substitution to work in the URL Redirect field of the button definition.
I want something to the effect of :
http://someserver:port/some_path/something?param1=&M_COL1¶m2=&D_COL2
I tried putting #M_COL1#, :M_COL1 etc. but it doesn't work.
Any ideas/pointers?
Thanks,
ManishHi,
5. Pop-up reports:
- Go to any report with link column to a form. It is a very common situation.
- Go to the link column Column Attributes/Column Link/Target and change it to URL.
- javascript: popupURL('f?p=&APP_ID.:205:&SESSION.::&DEBUG.::::YES','Help','scrollbars=yes,resizable=yes,width=625,height=350,left=25,top=150');
- Replace 205 (It is my page number) with the number of the page which you are working on.
- Apply/Apply/Run the page.
- One would see the printer friendly version of ones page in separate window without loosing original one.
This is a very simple, easy to use and understand example.
One can replace “205” with any report showing Address … for the client.
6. One Master and many Detail tables:
Suppose that there are relations One to Many between one master and two or more details tables.
One can use two regions on a page. One should be a form region for the master table and second one should be a report region with several links.
6.1. Create a view of those two or more details tables. That is one master and one details view.
6.2. Create a Master Details form. The details form should be one of details tables.
6.3. Go to Edit Region (Details Region) and change SQL Query (updatable query) to SQL Query.
The Details form became Details Report.
6.4. Change Report Region Source from details table query to the view query.
6.5. Duplicate columns which are links and reorder them. Replace their header names with “ ” for instance.
6.6. Into Column Attributes/Column Link/Link Text pick an icon.
6.7. Select for Attributes/Column Link/Target “URL”.
6.8. Into URL field type
javascript: popupURL('f?p=&APP_ID.:205:&SESSION.::&DEBUG.::::NO','Link','scrollbars=yes,resizable=yes,width=625,height=350,left=25,top=150');
and replace 205 with the appropriate page number.
Now the page has one form with Next and Previous buttons for the master table and one report for the Details view with two or more links. Pop-up window with an edit detail table form appears when one click on a link (icon).
Konstantin Gudjev
[email protected] -
ISE Wired Central Web Authentication no url redirect
We are setting up ISE for wired guest accest but are having trouble with the client being redirected. The switch gets the download from ISE and shows that it should use the URL redirect with the correct ACL.
ISEtest3560#show authentication sessions interface fastEthernet 0/2
Interface: FastEthernet0/2
MAC Address: 001d.09cb.78bd
IP Address: Unknown
User-Name: 00-1D-09-CB-78-BD
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-ISE-Only-52434fbe
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0003E600000039064485B1
Acct Session ID: 0x00000293
Handle: 0x95000039
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
From the client pc I can get name resolution for anything I ping. I also can ping the ise server by name. The ACL that is downloaded it as follows:
Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit ip any host 10.4.37.91
40 deny ip any any log
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.4.37.91
40 permit tcp any any eq www (13 matches)
50 permit tcp any any eq 443
51 permit tcp any any eq 8443
60 deny ip any any
The machine passes the Authentication with MAB and hits the CWA Authorization profile, ISE shows the cient as "Pending" then the next entry above that is the log is the dACL getting pushed to the switch. Could part of the issue be that the device shows Unknown for IP address? The command ip device tracking is in the swtich:
ISEtest3560#show running-config | include tracking
ip device tracking
ISEtest3560#
We have 802.1x clients working and the IP address for those do show up..
Please advise,
Thanks,
JoeISEtest3560#show ip access-lists interface fastEthernet 0/2
ISEtest3560#
Doesn't appear the dacl is being applied.
interface FastEthernet0/2
switchport access vlan 11
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 999
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
spanning-tree guard root
Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit icmp any any
40 permit udp any any eq tftp
41 permit ip any host 10.4.37.91
50 deny ip any any log (1059 matches)
Could the dACL being causing the issue with the Unknown, or is the Unknow causing the issue with the dACL?
Thanks,
Joe -
ISE CWA FLEXCONNECT - No url redirect
Hi,
I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.
Unfortunately I'm running into problems.
The AP, WLC and ISE is all running in vlan 1 which terminates in the 5505 as a inside interface.
Vlan 2 is a guest network terminating on a separate interface in the ASA.
The problem that I'm facing is that the url-redirect from the ISE dosent' work. If i check the client summery on the vWLC I can see that the client get applyes the redirect flexconnect ACL and that the URL is present. I've verified that it's not a DNS issue and I'm able to manually connect to ISE so there is no ACL blocking me. The client just dosen't get the redirect. I've tired with multiple devices (windows,ios,android) and it's all the same.
I've followed the following guides:
http://www.drchaos.com/flexconnect-local-switching-guestbyod/
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11
Currently I'm at work but I can provide some debug output later.
Have anyone seen this behavior before?It is possible that you are hitting the following bug:
https://tools.cisco.com/bugsearch/bug/CSCue68065
One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:
1. Create a standar ACL on the controller that is named exactly as the FlexConnect ACLs
2. The standard ACL does not have to have any ACE in it
I have ran into this issue before and the above workaround has worked for me. The issue was supposed be addressed in version 8.x of the WLC but I think it is still worth giving it a try.
Thank you for rating helpful posts!
Maybe you are looking for
-
Gcc issues /usr/lib/libstdc++.so.6:could not read symbols
Error i get when compiling an openGL, bullet program. I just started getting this on both my arch computers after updating. gcc Timer.o Ball.o main.o -I/usr/include -lGL -lGLU -lBulletCollision -lBulletDynamics -lLinearMath -I/usr/include/bullet -L/u
-
Hi all, We have three BSP applications running on Production Environment, but after applying Support Patches only two are running , and the third one is not running. But all three applications are running fine in Development, and Consolidation. Here
-
White Background or Black Background?
In the world of compression, which is easier to compress: a white background or a black background? Or is there a difference?
-
How to reload proxy configuration with Next Generation Java Plug-in
When using the Next Generation Java Plug-in, I no longer see an option in the console to reload the proxy from the browser by pressing p. If the proxy information is changed in the browser after the Java console loads, is there a way to reload the pr
-
I'm having some trouble getting my bezier mask tool to work correctly. At one time the tool worked as follows: Say I had an image of a dog walking on the grass. If I wanted to isolate the dog by deleting the grassy background I would select the bezie