topic ISE - CWA Redirection in Network Access Control

ISE - CWA Redirection

eng.malak — Mon, 11 Mar 2019 03:27:14 GMT

i am trying to implement guest portal and i have configure the ISE and switch to redirect guests and i see the whole process goes will when i issue

show authentication session interface GigabitEthernet1/0/11

Interface: GigabitEthernet1/0/11

MAC Address: 1078.d2fc.698c

IP Address: 192.168.0.59

User-Name: 10-78-D2-FC-69-8C

Status: Authz Success

Domain: DATA

Oper host mode: multi-domain

Oper control dir: both

Authorized By: Authentication Server

Vlan Policy: 81

ACS ACL: xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec

URL Redirect ACL: ACL-WEBAUTH-REDIRECT

URL Redirect: https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa

Session timeout: N/A

Idle timeout: N/A

Common Session ID: 0A0A6518000000010006F2B5

Acct Session ID: 0x00000003

Handle: 0x0D000001

Runnable methods list:

Method State

mab Authc Success

dot1x Not run

my problem that the web browser does NOT direct automtically to the portal but it does manually when i copy the URL from the switch, any idea ?

switch configuration

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

boot-start-marker

boot-end-marker

logging monitor informational

enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/

username cisco privilege 15 password 0 cisco

username ise-rad-alive password 0 CICSOISEalive123

aaa new-model

aaa authentication login local local

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa authorization auth-proxy default group radius

aaa accounting auth-proxy default start-stop group radius

aaa accounting dot1x default start-stop group radius

aaa server radius dynamic-author

client 10.10.20.13 server-key myshared

client 10.10.20.14 server-key myshared

aaa session-id common

switch 1 provision ws-c2960s-24ps-l

ip dhcp snooping vlan 1-2000

no ip dhcp snooping information option

ip dhcp snooping

ip domain-name mycompany.com

ip name-server 192.168.10.40

ip device tracking probe use-svi

ip device tracking

ip admission name Webauth proxy http inactivity-time 60

vtp mode transparent

epm logging

dot1x system-auth-control

fallback profile Webauth

ip access-group ACL-WEBAUTH-REDIRECT in

ip admission Webauth

spanning-tree mode pvst

spanning-tree extend system-id

interface GigabitEthernet1/0/11

switchport mode access

switchport voice vlan 93

ip access-group ACL-ALLOW in

authentication event fail action next-method

authentication event server dead action reinitialize vlan 777

authentication event server dead action authorize voice

authentication host-mode multi-domain

authentication order mab dot1x

authentication priority dot1x mab

authentication port-control auto

mab

dot1x pae authenticator

spanning-tree portfast

interface Vlan1

no ip address

shutdown

interface Vlan80

ip address 10.10.101.24 255.255.255.0

ip default-gateway 10.10.101.1

ip http server

ip http secure-server

ip access-list extended ACL-AGENT-REDIRECT

remark explicitly prevent DNS from being redirected to address a bug

deny udp any any eq domain

remark redirect HTTP traffic only

permit tcp any any eq www

remark all other traffic will be implicitly denied from the redirection

ip access-list extended ACL-ALLOW

permit ip any any

ip access-list extended ACL-DEFAULT

remark DHCP

permit udp any eq bootpc any eq bootps

remark DNS

permit udp any any eq domain

remark Ping

permit icmp any any

remark PXE / TFTP

permit udp any any eq tftp

remark Drop all the rest

deny ip any any log

ip access-list extended ACL-WEBAUTH-REDIRECT

deny ip any host 10.10.20.13

deny ip any host 10.10.20.14

deny ip any host 192.168.10.43

deny ip any host 192.168.10.40

deny ip any host 192.168.10.41

deny ip any host 192.168.10.42

remark explicitly prevent DNS from being redirected to accommodate certain switches

deny udp any any eq domain

remark redirect all applicable traffic to the ISE Server

permit tcp any any eq www

permit tcp any any eq 443

ip radius source-interface Vlan80

logging origin-id ip

logging source-interface Vlan80

logging host 10.10.20.11 transport udp port 20514

logging host 10.10.20.12 transport udp port 20514

radius-server attribute 6 on-for-login-auth

radius-server attribute 6 support-multiple

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server dead-criteria time 5 tries 3

radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared

radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared

radius-server vsa send accounting

radius-server vsa send authentication

ISE - CWA Redirection

Richard Atkin — Tue, 28 May 2013 21:23:04 GMT

Does DNS work correctly? Do you have any proxy servers in the way? Can you post the content of the DACL please?

ISE - CWA Redirection

eng.malak — Tue, 28 May 2013 21:37:07 GMT

DNS works perfectly , you can ping HDOFFISEP01.mycompany.com from the PC and switch

NO proxy configured on PC

ACS ACL: permit ip any any

URL Redirect ACL

deny ip any host "ISE server"

deny udp an an eq 53

permit tcp an an eq 80

permit tcp an an eq 443

Re: ISE - CWA Redirection

bikespace — Thu, 06 Jun 2013 00:09:58 GMT

When the switch sends a redirect, it has to do it from a configured SVI, in your case vlan 80, even though it spoofs the original destination IP. If your switch tried to route from its vlan 80 interface to your clients on vlan 81, where would it go? Does it have to go off through a firewall?
If it does, the firewall may be breaking the redirect process.
Is this the case?

Sent from Cisco Technical Support iPhone App

Re: ISE - CWA Redirection

Saurav Lodh — Thu, 06 Jun 2013 02:08:55 GMT

Just to help you,

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml

ISE - CWA Redirection

hermodfinjord — Wed, 18 Sep 2013 10:33:34 GMT

Did you find the reason for this error? I have the same problem using a 2960G-8TC-L switch with IOS version

15.0(2)SE4.

No traffic is redirected to the ISE. I have used the same ACL as you have, but with my own ISE ip 😛

ISE - CWA Redirection

Venkatesh Attuluri — Wed, 18 Sep 2013 14:12:08 GMT

Verify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct

CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa

802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

ISE - CWA Redirection

hermodfinjord — Wed, 18 Sep 2013 14:20:22 GMT

The redirection URL is correct. If i copy the redirect URL from the switch and paste it in to my browser, I come to the Guest Portal.

It looks to me that the switch does not inform the client about the redirection...

In my setup all the devices is in the same VLAN. Client, ISE, switch, AD servers all have IP in the same IP range.

ISE - CWA Redirection

hermodfinjord — Wed, 18 Sep 2013 14:22:41 GMT

The redirection URL is correct. If i copy the redirect URL from the switch and paste it in to my browser, I come to the Guest Portal.

It looks to me that the switch does not inform the client about the redirection...

In my setup all the devices is in the same VLAN. Client, ISE, switch, AD servers all have IP in the same IP range.

BRO FINALLY YOU RESOLVED THE

claudioparker — Thu, 26 Jun 2014 19:31:17 GMT

BRO FINALLY YOU RESOLVED THE ISSUE? I HAVE SAME PROBLEM, COPY PASTE MANUAL LINK AND WORK!!

Bro i have same problem,

claudioparker — Thu, 26 Jun 2014 19:36:27 GMT

Bro i have same problem, finally you resolved the issue?