URL Redirect problem in Provider

Hi,
i have written following piece of code in JSPProvider, but it is not directing to the url that i required. Please send a solution
Thanks in advance
Arun
public StringBuffer getContent(
          HttpServletRequest req,
          HttpServletResponse res)
          throws ProviderException {
///some logic
/// the following piece of code is not working
RequestDispatcher dispatcher =
request.getRequestDispatcher("dt?provider=HomeContainer");
dispatcher.forward(request, response);
}

this is not allowed to work:
2 reasons:
- you try to get access to the HTTPSession. this is not allowed, the HTTPSession and so the HTTP Session Object are encapsulated by the Identiy Session, so if you need to get access to this type of information have a look at the Identity Server docs (java docs are installed onto you portal machine)
- the desktop container calls every listed container (in parallel) to include it, looking at the desktop container as a channel means looking at a hierachical structure of channels:
main channel, included channels and at the end the leaf-channel, which itself is the little window with the content.
I could understand that would you try an include of another JSP which provides some content and then the whole stuff will be rendered and included into the overall desktop (main channel).
What you do is you leave the calling JSP and so the main channel (forward the request) and expect to happen what ?
cheers,
/Ulf

Similar Messages

Web service url redirecting problem

I am working on a form developed by LC Designer that will call a web service from our web server.
In the WSDL, the soap address location points to www.domain.com/webservice1,
however our web server will perform load balance by directing all www.domain.com to a new url
either www1.domain.com or www2.domain.com.
The result is that nothing is returned after executing the webservice call, I can't catch any error
after xfa.connectionSet.WebServiceDC.execute(false); just nothing returns after the call.
I suppose it is the problem that the url has been redirected to a different one.
However if the soap address location points directly to either www1 or www2, the call returns result alright.
Is there way or script that I can handle by redirecting a web service to a different URL like that in Adobe Flex?
That is what I found from the web for Adobe Flex :
public function onLoginResult(event:ResultEvent):void {
//Extract the new service endpoint from the login result.
var newServiceURL = event.result.serverUrl;
// Redirect all service operations to the URL received in the login result.
serviceName.endpointURI=newServiceURL;
Best Rgds.

A helpful poster on the House of Fusion forums pointed me to
a work-around:
Apparently ColdFusion just uses the WSDL to create the sub
objects for the web service call, so as long as there is a service
port address secified in the WSDL it doesn't matter where the
actual WSDL file sits. So I just downloaded the WSDL using CFHTTP
(had to use this article to configure CFHTTP for HTTP Compression:
http://www.talkingtree.com/blog/index.cfm/2004/7/28/20040729)
and then I pointed my CF Administrator to the WSDL on my local
machine. And Presto - I can connect to the web service no problem
now.
Only problem is that I have to download the WSDL every time
there is a change to the webservice, but I can schedule a task that
downloads the file once a week or so.

URL redirect problem

Hello,
I am trying to redirect to a URL (preferably in a new browser window), but cant get the URL to be constructed correctly. When I try to use a button and put something like this in to the URL Target field:-
http://emasanwkdfllh0.emea.com:7055/tou/swf/TouClient.html?view=&p4_tou_vil_id.%3A&p4_tou_vil_name.
As suggested in an answer to a similar question in another thread, the URL that gets generated actually contains the strings "&p4_tou_vil_id." and "&p4_tou_vil_name.", rather than the contents of those two page items. I have verified that the items contain the appropriate values using the session button on the developers toolbar, but when I hover over the button, the URL displayed has the above strings, and when I click on the button the app that gets launched fails because it doesn't understand the values passed to it - it is expecting, for example "55" and "COPD", but receives "&p4_tou_vil_id." and "& p4_tou_vil_name."!!
I have tried using ":p4_tou_vil_id" and even "#p4_tou_vil_id#", but these also end up directly in the URL.
I also tried using an HTML region, putting the following (without the "_" in "h_ref") in the region source as follows:-
<a_href="http://emasanwkdfllh0.emea.pfizer.com:7055/tou/swf/TouClient.html?view=&p4_tou_vil_id.%3A&p4_tou_vil_name.">TOU Plot</a>
This suffers from the same problem as above.
What schoolboy error am I making here?
Thanks,
Sid.

Thanks Chris, that worked great for the HTML region.
For the button though?
I figured out I needed to amend the button template, which now looks like this:-
<table cellpadding="0" cellspacing="0" border="0" summary="" class="t16Button">
<tr>
<td><img src="#IMAGE_PREFIX#themes/theme_16/t16Button1Left.gif" width="3" height="18" alt="" /></td>
<td class="M" valign="middle"><a_href="#LINK#" target="_blank">#LABEL#</a></td>
<td><img src="#IMAGE_PREFIX#themes/theme_16/t16Button1Right.gif" width="3" height="18" alt="" /></td>
</tr>
</table>
And the button now opens a new tab - but the tab is blank, and the URL field is empty. Where did the URL go?
Thanks again,
Sid.

URL redirection config in PI SOAP receiver communication channel

Hi,
I am working on a similar scenario where I my consuming an external web service using https protocol from PI.
I have configured a soap receiver channel to call the target url of this web service as https://portal.xyz.org.uk/webservice_alt.
I am getting an error HTTP 302 suggesting that PI is not able to follow the re-direction to the target URL as the service resides not on that URL but on https://portal1.xyz.org.uk/webservice_alt or https://portal2.xyz.org.uk/webservice_alt.
This is their server fail over handling mechanism which is very common. But PI 7.0 is not able to handle this.
So if I change the target URL on the SOAP receiver channel to https://portal1.xyz.org.uk/web service or https://portal2.xyz.org.uk/webservice_alt , PI works fine without errors . But this is not the right approach because, every time the web service provider takes one of these systems down for upgrade/patching etc, they inform us and then I manually go and change the target URL to the available server on my production PI system config.
My problem is I want to resolve this redirection error in PI. I have tried raising a call with SAP itself and they pointed out to use Axis adapter which is still not working.
So I am here asking for help. any suggestions please from the experts?
Thanks
Jhansi.

Hi guys,
I am sorry if I have not been clear so far!!
What I am talking about is a URL redirection capability of PI. what i mean is , when you call any service in general using a browser/soap ui etc, it pings that url and follows the redirection.
For example when i try to test this external web service directly using soap ui tool, it also returns HTTP 302 error. But when I set the 'Follow redirect' property to 'true' , it follows the redirection and calls the service on 'portal1' or 'portal2' .
You assume PI is a test tool like SOAPUI. When the address or URL changed in WSDL and if you load the latest WSDL in soapUI it post the request to the latest URL. YOu import WSDL only in ESR not in IR. Dont forget it. Though WSDL has soap address location, it will not impact the wsdl changes directly in ID.
It makes no sense to complain regarding the behaviour of PI when the reason for the problem is outside (WS provider).
please note that the target url is fixed which is https://portal.xyz.org.uk/webservice_alt.
so we are not talking here about the service provider altering the service and sending us new wsdl's etc.
All users of this webservice have been non-sap users so far and consumers use java, .net etc platforms and are easily able to handle the redirection.because this redirection is a part of failover mechanism.
I hope i am able to picture my problem.
thanks
Jhansi.

ISE CWA FLEXCONNECT - No url redirect

Hi,
I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.
Unfortunately I'm running into problems.
The AP, WLC and ISE is all running in vlan 1 which terminates in the 5505 as a inside interface.
Vlan 2 is a guest network terminating on a separate interface in the ASA.
The problem that I'm facing is that the url-redirect from the ISE dosent' work. If i check the client summery on the vWLC I can see that the client get applyes the redirect flexconnect ACL and that the URL is present. I've verified that it's not a DNS issue and I'm able to manually connect to ISE so there is no ACL blocking me. The client just dosen't get the redirect. I've tired with multiple devices (windows,ios,android) and it's all the same.
I've followed the following guides:
http://www.drchaos.com/flexconnect-local-switching-guestbyod/
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11
Currently I'm at work but I can provide some debug output later.
Have anyone seen this behavior before?

It is possible that you are hitting the following bug:
https://tools.cisco.com/bugsearch/bug/CSCue68065
One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:
1. Create a standar ACL on the controller that is named exactly as the FlexConnect ACLs
2. The standard ACL does not have to have any ACE in it
I have ran into this issue before and the above workaround has worked for me. The issue was supposed be addressed in version 8.x of the WLC but I think it is still worth giving it a try.
Thank you for rating helpful posts!

Is Java Webdynpro Appl deployable in WAS6.20 or URL redirection frm EP6 to7

Hi All,
We have two portals, one ep 6 and another ep 7. we have developed a small webdynpro appl and it is working in ep 7, but we want it to be in EP6, our ep 6 is based on WAS 6.20. So, Can we deploy Webdynpro java application in EP 6 based on WAS 6.20. If not, can we provide a url redirect to that particular iview from EP 6 to EP 7.
Please help us, if anybody has any idea on this...
Thanks & Regards,
Ravi

The system object can be created from system administration role in portal System_admin_role or assign your self super_admin_role in the portal EP6.
Then Go to System Configuration -->Portal Content and there create a system object of type "Sap system with load balancing" after that set Authentication Ticket Type as SAP Logon Ticket, Define Logon Method as SAPLOGONTICKET, Set Message Server of your Java Stack,Remote Host Type as 3,
Set Web AS Host Name with port no > = 50000 ie Java Stack .
System Object name for eacch env can be env specific/different ie DEV, QAL, PRD etc
but create the System alias for the system object created above and keep its name same accross all the env eg (JVA) and use this alias in your ivew for defining system.
Using URL Ivew will work too, but the problem with that is , you will have to do manual config (change server id or URL) in each env to reflect the application of the env in which ivew will be.
Where as using webdynpro Java ivew you will not hardcode the url , and define system as system alias in the iveiw and when ivew get transported to diff env , alias will connect it to the env specific system object.
Edited by: Saurabh Agrawal on Apr 2, 2009 2:27 AM

Set item value at other page via URL-redirect

Hi, I have a button and I want to open a new window with it using an url-target.
</br>
</br>
javascript:window.open ('f?p=&APP_ID.:143:&SESSION.::NO:143:P143_KDT_ID,P143_MESSAGE:&P140_KDT_ID.,&P140_MESSAGE.') </br>
</br>
When I use branching I get an error that there is no page to branch to. I don't understand why. As a workaround I use an url-redirect when the button is pressed, but I'm stuck on getting the current item value into the target page. I tried using $v('P140_MESSAGE') but I can't get the url valid.

Jacob,
The problem was that when the HTML for the button is rendered, the value of P1_ITEM from session state was "glued in" to the generated URL at that time. If you then entered a value for the iterm, even though your onChange AJAX technique changed the value in session state it was too late to change the already generated HTML for the button, specifically the URL target for the button.
I created a Set Item2 button on your page with this for the URL attribute:
javascript:window.open('f?p=&APP_ID.:2:&SESSION.::NO::P2_ITEM:' + document.getElementById('P1_ITEM').value);
Let me know if that does what you need.
There is another problem and I don't know the cause. When you click the button, it opens the new window properly but leaves the original page in an error state of some kind. I could not reproduce this in my application using the same js, so I'll be interested in how you solve that.
Scott

ISE & Switch URL redirect not working

Dear team,
I'm setting up Guest portal for Wired user. Everything seems to be okay, the PC is get MAB authz success, ISE push URL redirect to switch. The only problem is when I open browser, it is not redirected.
Here is some output from my 3560C:
Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3
SW3560C-LAB#sh auth sess int f0/3
            Interface: FastEthernet0/3
          MAC Address: f0de.f180.13b8
           IP Address: 10.0.93.202
            User-Name: F0-DE-F1-80-13-B8
               Status: Authz Success
               Domain: DATA
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: multi-domain
     Oper control dir: both
        Authorized By: Authentication Server
           Vlan Group: N/A
     URL Redirect ACL: redirect
         URL Redirect: https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A005DF40000000D0010E23A
      Acct Session ID: 0x00000011
               Handle: 0xD700000D
Runnable methods list:
       Method   State
       mab      Authc Success
SW3560C-LAB#sh epm sess summary
EPM Session Information
Total sessions seen so far : 10
Total active sessions      : 1
Interface            IP Address   MAC Address       Audit Session Id:
FastEthernet0/3       10.0.93.202 f0de.f180.13b8    0A005DF40000000D0010E23A
Could you please help to explore the problem? Thank you very much.

With switch IOS version later than 15.0 the default interface ACL is not required. For url redirection the dACL is not required as this ACL is part of traffic restrict for "guest" users.
In my experiece some users can not get the redirect correctly because anti-spoof ACL on management Vlan or stateful firewall blocks the TCP syn ack.
It is rare in campus network access layer switches have user SVI configured so the redirect traffic has to be sent from the netman SVI, but trickly the TCP SYN ACK from the HTTP server will be sent back from the netman Vlan without source IP changed. (The switch is spoofing the source IP in my understanding with changing only the MAC address of the packet). In most of the cases there should be a basic ACL resides on the netman SVI on the first hop router, where the TCP SYN ACK may be dropped by the ACL.
tips:
1. "debug epm redirect" can make sure your traffic matches the redirect url and will get intercepted by the switch
2. It will be an ACL or firewall issue if you can see epm is redirecting your http request but can not see the SYN ACK from the requested server.
Which can win the race: increasing bandwidth with new technologies VS QoS?

URL redirection in a mutinode 12.1.3 environment

Hi,
     We have a multinode (2 Apps Tier Nodes) implementation of Oracle E-Business Suite Version 12.1.3 with a shared APPL_TOP. Here is the configuration information
DB Tier Node
Server Name : UXD012
Operating System : HP-UX Itanium 11.31 64-Bit
Oracle Version : Oracle Enterprise Server 10.2.0.5
App Tier Node 1:
Server Name : LXD025
Operating System : Red Hat Enterprise Linux 5 Update 8 64-bit
URL for application access : http://lxd025:8080/
App Tier Node 1:
Server Name : LXD026
Operating System : Red Hat Enterprise Linux 5 Update 8 64-bit
URL for application access : http://lxd026:8080/
The problem we have is that when I access the application using the second node URL i.e. http://lxd026:8080/
I get this before the Application Login screen comes up
The E-Business Home Page is located at http://lxd026.epcor.ca:8080/OA_HTML/AppsLogin
If your browser doesn't automatically redirect to its new location, click here.
After the Application Login Screen is displayed, the URL in the address bar of the browser changes to the URL of the Primary node as follows
http://lxd025.epcor.ca:8080/OA_HTML/RF.jsp?function_id=29813&resp_id=-1&resp_appl_id=-1&security_group_id=0&lang_code=US&params=34TTDySDJrBCslCg2s18sCvY3.CBaABnIhKvw2689Is&oas=AkQ7RmOw8Fdj-ZLQKwH4Zw..
Please help me in identifying and fixing this redirection problems
Thanks in advance

We are not using the hardware load balancer on this instanceYou need to use a load balancer.
but I tried the method suggested in the Note ID mentioned in another instance which was also a multi-node instance by changing the values for these variables in the context file on each application node and running autoconfig on all the nodes. Each web host had different entry points even then i observed the rediredirection.
     a.     s_login_page
     b.     s_external_url
     c.     s_endUserMonitoringURL
     d.     s_chronosURL
     e.     s_webentryhost
     f.     s_webentrydomainYou cannot connect to both nodes at the same time without using a load balancer even if you can update the above context variables on each node and run AutoConfig since profile option values can have one value for each profile option (either LXD025 or LXD026).
If you run AutoConfig on LXD025 then on LXD026 then you will be able to connect to LXD026 if you access it directly and if you try to access LXD025 it will forward you to LXD026.
If you run AutoConfig on LXD026 then on LXD025 then you will be able to connect to LXD025 if you access it directly and if you try to access LXD026 it will forward you to LXD025.
Thanks,
Hussein

Cisco ISE guest portal redirect not working after successful authentiation and URL redirect.

Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL:https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and recieve the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
Paul

Hello,
As you are not able to get the guest portal, then you need to assure the following things:-
1) Ensure that the two Cisco av-pairs that are configured on the authorization profile should exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
–url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
–url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL have been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
0000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
deny ip any any
Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH_REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to do re-image again.

Does using self-signed cert. on ISE server has anthing to do with url redirect being not working

Hi,
I am setting up wired ISE environment. Everything is going fine, except url redirect is not working.
I just wondering, if using self-signed certificate on ISE server has anothing to do with the problem ?.
Appreciate your input.
Thanks

Hi,
As long as you have not changed the hostname or the domain name (and dns is accurate). You should only receive the certificate warning but still get redirected without any issues.
Thanks,
Tarik Admani
*Please rate helpful posts*

ISE doesn't remove URL redirect

We have an ISE problem, in that the URL redirect sent to the access switch for guest auth is not removed even after successful authentication.
Debug shows RADIUS activity as normal, 802.1X failover to MAB, then rediect to webauth;
003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY
003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME
https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa
| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003069: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245
000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME
https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa
| RESULT SUCCESS
003142: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
003064: Aug 22 17:48:08.340: %AUTHMGR-5-START: Starting 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003065: Aug 22 17:48:08.365: %MAB-5-SUCCESS: Authentication successful for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003066: Aug 22 17:48:08.365: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007201857889
003067: Aug 22 17:48:08.382: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| EVENT APPLY
003068: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007201857889&action=cwa
| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003069: Aug 22 17:48:08.390: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007201857889| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS
Then after successful authentication, VLAN is moved and xACSACLx-IP-PERMIT_ALL_TRAFFIC is sent, but rediect is sent again from ISE. We've been over configs several times, but can't get to the bottom of this. Can anyone shed any light ?
003138: Aug 22 18:01:18.718: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245
000054: Aug 22 18:01:18.345: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000007401914245 (NWS-TSL-HATB3F3-DistSW1-2)
003139: Aug 22 18:01:19.490: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003140: Aug 22 18:01:19.490: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406| RESULT SUCCESS
NWS-TSL-HATB3F3-DistSW1#
003141: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Redirect| POLICY_NAME https://ukhatfnac0001.dtukad.local:8443/guestportal/gateway?sessionId=C0A8D60D0000007401914245&action=cwa| RESULT SUCCESS
003142: Aug 22 18:01:19.515: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000007401914245| AUTHTYPE DOT1X| POLICY_TYPE URL Match ACL| POLICY_NAME web_guest_redirect| RESULT SUCCESS

Fixed it !
Great info from Tarik above, which lead me to the issue. My authz policy for redirect didn't include the Network Access:Usecase=Host Lookup, so this policy still (incorrectly) remained =true after valid guest authentication. As this policy remained =true, ISE was correctly applying URL rediect. Once I sorted the policy, by adding ...AND Network Access:Usecase=Host Lookup, all wored as expected.
After valid guest auth we now see DACL 'PERMIT_GUEST' and move to VL1040 as expected, without the URL rediect.
003543: Aug 22 19:03:15.169: %EPM-6-POLICY_REQ: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT APPLY
003544: Aug 22 19:03:15.186: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-REQUEST
003545: Aug 22 19:03:15.354: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-SUCCESS
003546: Aug 22 19:03:15.354: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-WAIT
NWS-TSL-HATB3F3-DistSW1#
003547: Aug 22 19:03:15.849: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767
000069: Aug 22 19:03:15.241: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767 (NWS-TSL-HATB3F3-DistSW1-2)
NWS-TSL-HATB3F3-DistSW1#
003548: Aug 22 19:03:17.560: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003549: Aug 22 19:03:17.560: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_GUEST-50350e3a| RESULT SUCCESS
003543: Aug 22 19:03:15.169: %EPM-6-POLICY_REQ: IP 192.168.60.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT APPLY
003544: Aug 22 19:03:15.186: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-REQUEST
003545: Aug 22 19:03:15.354: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_GUEST-50350e3a| EVENT DOWNLOAD-SUCCESS
003546: Aug 22 19:03:15.354: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-WAIT
NWS-TSL-HATB3F3-DistSW1#
003547: Aug 22 19:03:15.849: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0026.b9a6.dd90) on Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767
000069: Aug 22 19:03:15.241: %AUTHMGR-5-VLANASSIGN: VLAN 1040 assigned to Interface Gi1/0/4 AuditSessionID C0A8D60D0000008501C99767 (NWS-TSL-HATB3F3-DistSW1-2)
NWS-TSL-HATB3F3-DistSW1#
003548: Aug 22 19:03:17.560: %EPM-6-IPEVENT: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
003549: Aug 22 19:03:17.560: %EPM-6-POLICY_APP_SUCCESS: IP 192.168.40.10| MAC 0026.b9a6.dd90| AuditSessionID C0A8D60D0000008501C99767| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_GUEST-50350e3a| RESULT SUCCESS

Ise: Url redirection not working

everything should be ok on ise and switch
the switch is configured with its own ip on the vlan (22)
PS is on vlan (44)
and ise is configured for web authentication policy to occurr on the logon vlan (33)
the service is reachable by inputting the policy service ip address on port 8443, authentication is successful, acl downloaded and redirect url pushed properly to the switch but redirect never occurrs,
instead a blank page (host not reachable) is displayed
the clients on vlan 33 can resolve dns without problems
the firewall has been set to make the vlan 44 and 33 talk each other on port 80,443,8443
it looks like the switch's http/s-server is not making any difference maybe because it is on another vlan though it is routed
can someone help me?
i would really appreciate a flow chart on how web redirect works in ise and tge role of the http server
ps the switch does not support the ip route command

however not everithing is working as it should, sometimes the acl are not pushed properly and the redirect acl does not show any hit (often), sometimes the centralwebauth acl is not pushed properly and the show ip access list interface results in blank output
interface GigabitEthernet1/0/10
description Porte dot1x - voip ISE
switchport access vlan 300
switchport mode access
switchport voice vlan 818
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 300
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos trust
spanning-tree portfast
spanning-tree bpduguard enable
end
the show auth sessiond for the interface is
            Interface: GigabitEthernet1/0/10
          MAC Address: 20cf.3017.645b
           IP Address: 172.31.105.132
            User-Name: 20-CF-30-17-64-5B
               Status: Authz Success
               Domain: DATA
       Oper host mode: multi-domain
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: 300
              ACS ACL: xACSACLx-IP-CentralWebAuth-5062f332
     URL Redirect ACL: redirect
         URL Redirect: https://ISEC3395.omitted.omitted:8443/guestportal/gateway?sessionId=AC1F552F0000000A001A6FD2&action=cwa
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: AC1F552F0000000A001A6FD2
      Acct Session ID: 0x0000000D
               Handle: 0x7C00000A

ISE Url Redirecting

HI,
I have a layer 3 ISE policy node configuration with my asa for remote access vpn configuration.
my user gets authenticated but when i open the web-browser the the url redirect doesnt happen. i have to manually do this.
is there something which i am missing? please let me know?
any help or ideas will be helpful.
thanks
Nitesh

Nitesh,
In the WLC make sure you have it set to "Redirect to External Server", also, almost always, its a problem with how you have your ACLs configured, because you want to "Force redirection to ISE Guest Server" by using the ACLs, therefore, you must have a redirect ACL in place.

URL redirect - how to switch from https to http

Hi, all.
We have some requirement that the portal session be switched to https on some iviews while the rest of the contents are in http. I am thinking of using url redirect on the web dispatcher.
What I found is that the url redirect from http to https works great. Now if I want to switch back to http, the redirect doesn't work. Note that the http port is 80 and https port is 443 on the web dispatcher. To test, here is the parameter I did to switch from http to https. This works and transforms the url from http://ozonehomeep3.xxxxxxxxx/irj/portal/zsap_xxxxx to https://ozonehomeep3.xxxxxxxxx/irj/portal/zsap_xxxxxxxxxxxx
icm/HTTP/redirect_0 = PREFIX=/, FROM=/irj/portal/zsap_, FOR=ozonehomeep3, FROMPROT=http, PROT=https, HOST=ozonehomeep3.XXXXXX
If I flip it back the other way:
icm/HTTP/redirect_0 = PREFIX=/, FROM=/irj/portal/zsap_, FOR=ozonehomeep3, FROMPROT=https, PROT=http, HOST=ozonehomeep3.XXXXXX
When I connect using the url https://ozonehomeep3.xxxxxxxxx/irj/portal/zsap_xxxxxxxxxxxx, it ignores the parameter and the redirect to http did not happen.
What is wrong?
Thanks,
Jonathan.

Hello,
I've had a similar problem for one of my customers.
I've tried to do it on a root level, just Https://FQDN:port_https/ to http://FQDN:Port_http/
I've used this parameter to solve it:
icm/HTTP/redirect_0 = PREFIX=/, FOR=FQDN, FROMPROT=HTTPS, HOST=FQDN, PORT=80, PROT=http
maby you should try:
icm/HTTP/redirect_0 = PREFIX=/, FROM=/irj/portal/zsap_, FOR=FQDN, FROMPROT=HTTPS, HOST=FQDN, PORT=80, PROT=http, TO=/irj/portal/zsap_
You should also verify that the standard http port (80) are open in the firewall from the outside, just take a telnet session to FQDN and port 80
to quickly determined if the firewall policy are right.
Good luck!
Kind Regards
Håvard Fjukstad.

URL Redirect problem in Provider

Similar Messages

Maybe you are looking for