NAC Framework URL-Redirect supported on ASA ?

Similar Messages

• NAC L2-IP on 6500 . URL Redirection Not working

  Hi,
  We are testing NAC L2-IP on a Cat 6506 running 12.2(18)SXF9.
  When configuring for NAC L2-IP, the switch is able to download the required ACL
  entries. The HTTP Server is enabled in the Switch, however still the HTTP
  redirection is Not working.
  From the Client side, I can see the SYN packets going to port 80 but no
  response (Redirect etc) comes back from the switch.
  This is the Port-ACL
  10 permit udp any eq 21862 any
  11 permit icmp any any echo-reply
  20 permit udp any any eq bootps
  30 permit udp any any eq domain
  40 permit tcp any eq 3389 any
  50 deny ip any any
  This is the ACL as specified in the "url-redirect-acl" attribute
  70 deny tcp any host 10.140.4.116 eq www
  80 deny tcp any host 10.140.4.202 eq www
  90 deny tcp any host 10.1.194.15 eq www
  100 deny tcp any host 172.25.1.15 eq www
  110 permit tcp any any eq www
  Any ideas ?
  +++++++++++++++++
  show eou ip 10.192.99.27
  Address : 10.192.99.27
  MAC Address : 0006.5ba0.5705
  Interface : FastEthernet2/47
  AuthType : CLIENTLESS
  Audit Session ID : 0000002C1387D1FB0000000D0AC0631B
  PostureToken : -------
  Age(min) : 15
  URL Redirect : http://x.x.x/y
  URL Redirect ACL : redirect-policy
  ACL Name : #ACSACL#-IP-NAC_NoCTA_ACL-464b3186
  User Name : UNKNOWN USER
  Revalidation Period : 36000 Seconds
  Status Query Period : 300 Seconds
  Current State : CLIENTLESS
  ++++++++++++++++++++++++++++++++
  Exactly the Same configuration and Secure ACS configuration works for a 3560 Switch.
  Thanks,
  Naman

  Check this bug-id: CSCse02269.

• ISE CWA FLEXCONNECT - No url redirect

  Hi,
  I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.
  Unfortunately I'm running into problems.
  The AP, WLC and ISE is all running in vlan 1 which terminates in the 5505 as a inside interface. 
  Vlan 2 is a guest network terminating on a separate interface in the ASA.
  The problem that I'm facing is that the url-redirect from the ISE dosent' work. If i check the client summery on the vWLC I can see that the client get applyes the redirect flexconnect ACL and that the URL is present. I've verified that it's not a DNS issue and I'm able to manually connect to ISE so there is no ACL blocking me. The client just dosen't get the redirect. I've tired with multiple devices (windows,ios,android) and it's all the same.
  I've followed the following guides:
  http://www.drchaos.com/flexconnect-local-switching-guestbyod/
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11
  Currently I'm at work but I can provide some debug output later. 
  Have anyone seen this behavior before?

  It is possible that you are hitting the following bug:
  https://tools.cisco.com/bugsearch/bug/CSCue68065
  One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:
  1. Create a standar ACL on the controller that is named exactly as the FlexConnect ACLs
  2. The standard ACL does not have to have any ACE in it
  I have ran into this issue before and the above workaround has worked for me. The issue was supposed be addressed in version 8.x of the WLC but I think it is still worth giving it a try. 
  Thank you for rating helpful posts!

• Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

  Hi to all,
  I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
  I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID.  The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
  Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
  Error: Resource not found.
  Resource: /guestportal/
  Does anyone have any ideas why the portal is doing this?
  Thanks
  Paul

  Hello,
  As you are not able to  get the guest portal, then you need to assure the following things:-
  1) Ensure that the  two  Cisco av-pairs that are configured on the  authorization profile should  exactly match the example below. (Note: Do  not replace the "IP" with the  actual Cisco ISE IP address.)
  –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
  –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also  defined on the access switch)
  2) Ensure that the URL redirection portion of the ACL have been  applied  to the session by entering the show epm session ip   command on the switch. (Where the session IP is the IP address  that is  passed to the client machine by the DHCP server.)
  Admission feature : DOT1X
  AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
  URL Redirect ACL : ACL-WEBAUTH-REDIRECT
  URL Redirect :
  https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
  0000A45A2444BFC2&action=cpp
  3) Ensure that the preposture assessment DACL that is enforced from  the  Cisco ISE authorization profile contains the following command  lines:
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  remark ping
  permit icmp any any
  permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
  permit tcp any host 80.0.80.2 eq www --> Provides access to internet
  permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
  port
  permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8906 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  deny ip any any
  Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
  4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on  the switch as follows:
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny ip any host 80.0.80.2
  permit ip any any
  5) Ensure that the http and https servers are running on the switch:
  ip http server
  ip http secure-server
  6) Ensure that, if the client machine employs any kind of personal  firewall, it is disabled.
  7) Ensure that the client machine browser is not configured to use any  proxies.
  8) Verify connectivity between the client machine and the Cisco ISE IP  address.
  9) If Cisco ISE is deployed in a distributed environment, make sure  that  the client machines are aware of the Policy Service ISE node FQDN.
  10) Ensure that the Cisco ISE FQDN is resolved and reachable from the  client machine.
  11) Or you need to do re-image again.

• Ise: Url redirection not working

  everything should be ok on ise and switch
  the switch is configured with its own ip on the vlan (22)
  PS is on vlan (44)
  and ise is configured for web authentication policy to occurr on the logon vlan (33)
  the service is reachable by inputting the policy service ip address on port 8443, authentication is successful, acl downloaded and redirect url pushed properly to the switch but redirect never occurrs,
  instead a blank page (host not reachable) is displayed
  the clients on vlan 33 can resolve dns without problems
  the firewall has been set to make the vlan 44 and 33 talk each other on port 80,443,8443
  it looks like the switch's http/s-server is not making any difference maybe because it is on another vlan though it is routed
  can someone help me?
  i would really appreciate a flow chart on how web redirect works in ise and tge role of the http server
  ps the switch does not support the ip route command

  however not everithing is working as it should, sometimes the acl are not pushed properly and the redirect acl does not show any hit (often), sometimes the centralwebauth acl is not pushed properly and the show ip access list interface results in blank output
  interface GigabitEthernet1/0/10
  description Porte dot1x - voip ISE
  switchport access vlan 300
  switchport mode access
  switchport voice vlan 818
  ip access-group ACL-ALLOW in
  srr-queue bandwidth share 1 30 35 5
  queue-set 2
  priority-queue out
  authentication event fail action next-method
  authentication event server dead action authorize vlan 300
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication open
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  mls qos trust cos
  dot1x pae authenticator
  dot1x timeout tx-period 10
  auto qos trust
  spanning-tree portfast
  spanning-tree bpduguard enable
  end
  the show auth sessiond for the interface is
              Interface:  GigabitEthernet1/0/10
            MAC Address:  20cf.3017.645b
             IP Address:  172.31.105.132
              User-Name:  20-CF-30-17-64-5B
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-domain
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  300
                ACS ACL:  xACSACLx-IP-CentralWebAuth-5062f332
       URL Redirect ACL:  redirect
           URL Redirect:  https://ISEC3395.omitted.omitted:8443/guestportal/gateway?sessionId=AC1F552F0000000A001A6FD2&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC1F552F0000000A001A6FD2
        Acct Session ID:  0x0000000D
                 Handle:  0x7C00000A

• ISE Url Redirecting

  HI,
  I have a layer 3 ISE policy node configuration with my asa for remote access vpn configuration.
  my user gets authenticated but when i open the web-browser the the url redirect doesnt happen. i have to manually do this.
  is there something which i am missing? please let me know?
  any help or ideas will be helpful.
  thanks
  Nitesh

  Nitesh,
  In the WLC make sure you have it set to "Redirect to External Server", also, almost always, its a problem with how you have your ACLs configured, because you want to "Force redirection to ISE Guest Server" by using the ACLs, therefore, you must have a redirect ACL in place.

• NAC Framework with 802.1x authentication

  I am having trouble getting support and information on NAC framework. According to the cisco web NAC framework is in Phase 2 and is useable. According to Cisco representitives it is not supported yet. I have ACS 4.1, CTA 2.0, Symantec 10.1.4, and CSA 4.5. I can get NAC to work Layer 2, 802.1x to authenticate, but I cannot get both to work at the same time. Also, I have found no support for Symantec being checked even after I loaded the posture plugin, adf, etc. Is it time to give up on NAC framework? Thanks.

  My friend, i have a customer with whis configuration and worki fine.
  symantec need antivirus version 10 (8 or 9 no !!!!), the symantec posture plug installed in the clients.
  work fine wiht w2k and xp
  cta 2.x work fine. 1.x only work with L3 ip, no 802.1x.
  csa i don?t have experience.
  take care, it is hard to configure, if you need something more ask me to.
  Leo.

• IIS Url Rewriting supported with SharePoint 2010?

  I am currently working for a client that is investigating how they can do vanity domain names for sub sites.  I don't believe this will actually work with SharePoint 2010 and believe it may put the environment in an unsupported state...however I need
  to find some sort of official MS statement saying so.
  Everything I find points me to
  http://technet.microsoft.com/en-us/library/cc261814%28office.12%29.aspx#section2  which states that "Windows SharePoint Services 3.0 does not support asymmetrical paths" however I can't find anything that says the equivalent for 2010.
  I know that web apps and AAM are the typical approaches, and now in 2010 you can do host named site collections, however they want to do sub-sites.
  Can anyone point me to any official MS statement stating that this is not support with SharePoint 2010?
  Tony Testa www.tonytestasworld.com

  We ran into the same question. Since there's no official statement from Microsoft to be found on the internet that takes away the rumors about it being supported, we set out the question with Microsoft to provide their official statement. Their
  reply was that URL rewriting is supported. Find the full reply from Microsoft at my website at
  https://www.zomers.eu/knowledge/sharepoint2010/Pages/Url-rewriting-is-supported-for-SharePoint-2010.aspx
  This link doesn't work and also directly contradicts statements from other Microsoft sources, e.g.
  http://blogs.msdn.com/b/opal/archive/2010/04/23/sharepoint-2010-search-engine-optimization-seo-tips.aspx
  where the following is stated:
  "URL Rewriting is still not supported - however url redirect is supported. We are using url redirect feature in url rewrite model."
  Please provide a link that works and/or back up your claim. Thanks.

• ISE post compliant posture assessment URL redirection

  G'day All,
  Is anyone aware if it is possible for ISE to push a URL redirection to user devices once they have passed the posture assessment?
  I am deploying a wireless BYOD ise deployment with AD auth and posture assessment, and we are hoping to find an easy way to push the compliant users to a new URL once they have passed posture.
  Thanks gang.
  Cheers,
  James.               

  It is not possible to redirect user after authentication and posturing to a specific URL. because ISE does not support this feature till now.
  I think  URL redirection can be done in web authentication if used in case of employee.
  Navigate to Policy > Policy Elements > Results > Authorization and then select Authorization Profiles
  Step 18 Select Add to create a new Authorization Profile for Central Web Authentication:
  Name
  Central_Web_Auth
  Description
  (optional)
  Access-Type
  ACCESS_ACCEPT
  DACL   Name
  CENTRAL_WEB_AUTH
  Centralized   Web Authentication
  ACL:
  ACL-WEBAUTH-REDIRECT
                                                            Redirect : Default
  “ACL-WEBAUTH-REDIRECT” is  configured on  switch  which determines to which destination it will redirect 

• WLC url-redirect

  Using FreeRadius to do Mac authentication Bypass with External URL redirect.  I have confirmed that I'm sending cisco AV-pair for url-redirect, and the WLC shows the client having that url applied(along with the url-redirect-acl that I've applied)
  My issue, the URL presented to the client doesn't have the action_URL appended when I apply it via 802.1x.  If I change the SSID and force external webauth I get a good URL to the client(generally http://<SITE>?action_URL=http://1.1.1.1/login.html or something similar).  How can I use url-redirect to force authentication with the proper action_URL appended?
  WLC 5508 with 7.2 code
  FreeRadius running on CentOS

  Hello Jeremy,
  As per your query i can suggest you the following solution-
  Configure WLC Splash Page Redirect with the information to configure the features described.
  Complete these steps in order to configure the devices to use the splash page redirect feature:
  1.Configure the WLC for RADIUS authentication through the Cisco Secure ACS server.
  2.Configure the WLANs for the Admin and Operations departments.
  3.Configure the Cisco Secure ACS to support the splash page redirect feature.
  For more reference refer to the link-
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml#conf
  Hope this will help you.

• How to qualify for NAC Framework?

  Hi, we have been considering NAC for a while and have evaluated NAC Appliance. However, we have a requirement to use 802.1x for posture validation, authentication etc. I have looked at cisco trust agent and there is a statement about needing to be 'approved' to deploy CTA? Any one have any ideas about how to go about this and to be able to deploy NAC framework? We feel framework fits our situation much better than appliance. Many thanks for your time.

  Exact statement would be
  "The Cisco Trust Agent is available for download only by customers approved to deploy the NAC Framework solution. If you are not approved, please contact your Cisco account team about Cisco NAC solutions. Deprecated versions of Cisco Trust Agent - CLITE client may be found at http://www.cisco.com/cgi-bin/tablebuild.pl/cta-deprecated "
  From the URL http://www.cisco.com/cgi-bin/tablebuild.pl/cta

• I have a cisco ironport c170, i want set up URL redirect? But i don't khow how to ? Can you help me?

  I have a cisco ironport c170, i want set up URL redirect? But i don't khow how to ? Can you help me?

  The C170 does not support URL redirection prior to OS release 8.5. What exactly do you need to accomplish?

• NAC Framework Windows HotFixes

  Hello,
  I have implemented NAC Framework and i want know how i can manage the windows hotfixes. I want detect if the user have all hotfixes and if is missed return Checkup Posture-Token.
  Regards.

  The following url has enough information ,
  http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

• NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not working???

  Hi
  I'm trying to setup my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is;
  Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)
  Cisco 1811 router (inter-vlan routing)
  Cisco Secure ACS (90 day trial) 4.2
  CTA 2.1.103
  CSSC 5.1.0.39
  Windows XP SP3 client machine
  So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says its waiting for an ip address, it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there is no passes or fails for this host. I know RADIUS is working from this switch as I have it setup for login authentication which works just fine. I am completely stumped and the only thing I can think of is trying to install a full certificate server and going that way, instead of the Self Signed Cert which CSACS has generated and I've copied the .cer file to the client and installed it and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.
  Jason
  aaa new-model
  aaa authentication login default group radius local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa accounting dot1x default start-stop group radius
  dot1x system-auth-control
  Client port;
  interface FastEthernet0/1
  switchport mode access
  dot1x port-control auto
  dot1x timeout reauth-period server
  dot1x reauthentication

  You can refer to the below URL for future reference:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/nac.html
  http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

• How to do auto URL redirect in sun web server ?

  Hi, i need to do auto url redirect in my sun web server. Currently i'm setup some rules for the reverse proxy in obj.conf file and the syntax looks like:
  <Object name="reverse-proxy-/test">
  <If $internal and $uri =~ "index.html">
  NameTrans fn="redirect" from="/" uri="/examples/abc.html"
  </If>
  Route fn="set-origin-server" server="http://localhost:8989"
  </Object>
  The situation is:
  1) When users browse "*http://localhost/examples/abc.html*" it will redirect to abc.html
  2) When users browse "*http://localhost/test*" it will redirect to the localhost admin GUI (http://localhost:8989/admingui/admingui/serverTaskGeneral)
  My desire output should be whenever users browse the "*http://localhost/test*" , it will redirect to abc.html page.
  the syntax might be wrong. So, anyone knows how to fix this? I'm keep trying but nothing worked. Please help me.

  Moderator action: Moved from Servers General Discussion.
  db