topic ISE & Switch URL redirect not working in Network Access Control

ISE & Switch URL redirect not working

Hiep Nguyen — Mon, 11 Mar 2019 03:12:55 GMT

Dear team,

I'm setting up Guest portal for Wired user. Everything seems to be okay, the PC is get MAB authz success, ISE push URL redirect to switch. The only problem is when I open browser, it is not redirected.

Here is some output from my 3560C:

Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3

SW3560C-LAB#sh auth sess int f0/3

Interface: FastEthernet0/3

MAC Address: f0de.f180.13b8

IP Address: 10.0.93.202

User-Name: F0-DE-F1-80-13-B8

Status: Authz Success

Domain: DATA

Security Policy: Should Secure

Security Status: Unsecure

Oper host mode: multi-domain

Oper control dir: both

Authorized By: Authentication Server

Vlan Group: N/A

URL Redirect ACL: redirect

URL Redirect: https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa

Session timeout: N/A

Idle timeout: N/A

Common Session ID: 0A005DF40000000D0010E23A

Acct Session ID: 0x00000011

Handle: 0xD700000D

Runnable methods list:

Method State

mab Authc Success

SW3560C-LAB#sh epm sess summary

EPM Session Information

-----------------------

Total sessions seen so far : 10

Total active sessions : 1

Interface IP Address MAC Address Audit Session Id:

-----------------------------------------------------------------------------

FastEthernet0/3 10.0.93.202 f0de.f180.13b8 0A005DF40000000D0010E23A

Could you please help to explore the problem? Thank you very much.

ISE & Switch URL redirect not working

Tarik Admani — Tue, 19 Mar 2013 05:27:56 GMT

Hi,

Seems like you need to implicity deny dns traffic in your redirect ACL. Also I do not see the dACL being sent from ISE down to the client as a part of the redirection configuration.

Thanks,

Tarik Admani
*Please rate helpful posts*

ISE & Switch URL redirect not working

Hiep Nguyen — Tue, 19 Mar 2013 06:49:34 GMT

Thank you Tarik for your response. I tried every way and finally, upgrading to IOS ver 15.0 made it work. Thankss

ISE & Switch URL redirect not working

networkguy13111 — Mon, 08 Apr 2013 06:50:31 GMT

With switch IOS version later than 15.0 the default interface ACL is not required. For url redirection the dACL is not required as this ACL is part of traffic restrict for "guest" users.

In my experiece some users can not get the redirect correctly because anti-spoof ACL on management Vlan or stateful firewall blocks the TCP syn ack.

It is rare in campus network access layer switches have user SVI configured so the redirect traffic has to be sent from the netman SVI, but trickly the TCP SYN ACK from the HTTP server will be sent back from the netman Vlan without source IP changed. (The switch is spoofing the source IP in my understanding with changing only the MAC address of the packet). In most of the cases there should be a basic ACL resides on the netman SVI on the first hop router, where the TCP SYN ACK may be dropped by the ACL.

tips:

1. "debug epm redirect" can make sure your traffic matches the redirect url and will get intercepted by the switch

2. It will be an ACL or firewall issue if you can see epm is redirecting your http request but can not see the SYN ACK from the requested server.

Which can win the race: increasing bandwidth with new technologies VS QoS?