topic CWA/ISE/WLC - client timeout when redirected to portal. in Network Access Control

CWA/ISE/WLC - client timeout when redirected to portal.

c.s — Mon, 11 Mar 2019 03:02:35 GMT

Problem: When connecting to the CWA ssid, the client gets redirected to: https://lab-ise01.lab.local:8443/guestportal/gateway?sessionId=3c02a8c00000000878430a51&action=cwa

but the link times out.

I'm currently following this guide: https://supportforums.cisco.com/docs/DOC-26442

Any thoughts or suggestions are appreciated.

Info: ISE 1.1.1 and vWLC 7.3.101.0 is installed on vmware. Identity Source: Internal Users. AP is in FlexConnect mode. MAC filtering enable, no layer 3 security. Allow AAA Override enabled. Radius NAC enabled.

Topology:

Win7/iPad - - - AP----labswitch-----switch-----switch-----VMware

(Traffic does not pass through FW and there are no ACL on the switches.)

ACL on WLC:

Client on WLC

Re: CWA/ISE/WLC - client timeout when redirected to portal.

Mikael Gustafsson — Sun, 03 Feb 2013 16:13:03 GMT

Can you see if DNS is working for the client?

Regard
Mikael

Sent from Cisco Technical Support iPad App

Re: CWA/ISE/WLC - client timeout when redirected to portal.

c.s — Mon, 04 Feb 2013 15:30:05 GMT

The DNS work fine, but it can't reach the ISE for some reason.

The wlan works fine without web-auth (ise) btw

CWA/ISE/WLC - client timeout when redirected to portal.

c.s — Fri, 08 Feb 2013 12:57:17 GMT

I thought I might be hitting the bug mentioned in the following thread. https://supportforums.cisco.com/thread/2191587

Oddly enough, updating the vWLC to v7.3.112.0 did not resolve the problem. (ISE is v1.1.2)

I still cannot reach anything from the the CWA wlan unless I remove CWA.

Re:CWA/ISE/WLC - client timeout when redirected to portal.

Tarik Admani — Sun, 10 Feb 2013 02:10:03 GMT

Are you sending the airespace acl so the client can hit the ise node with the dns services allowed. Please provide the screenshots of the client session from the wlc. Also hover over the green button in the ise live authentications portal and provide a screenshot of the radius attributes that are sent back to the controller.

Sent from Cisco Technical Support Android App

CWA/ISE/WLC - client timeout when redirected to portal.

r.gergis — Thu, 14 Feb 2013 20:16:26 GMT

I am having this exact issue as well. I followed the FlexConnect Wireless BYOD guide but I just timeout getting the redirect page. I've even opened the ACL to any/any. The guide makes mention of sending a flex ACL as the CWA Airespace-ACL-Name but that does not appear right. Controller is on 7.4 and ISE 1.1.2

CWA/ISE/WLC - client timeout when redirected to portal.

Mikael Gustafsson — Thu, 14 Feb 2013 22:58:05 GMT

Another test is to copy the redirect url from the WLC and swap domain name part in the url to the ISE IP address, then past it in the browser. Just to test without DNS and narrow down the troubleshooting.

[hxxps://198.51.100.10:8443/guestportal/gateway?sessionId=3c02a8c00000000878430a51&action=cwa]

CWA/ISE/WLC - client timeout when redirected to portal.

Raul Manzano Barroso — Fri, 15 Feb 2013 12:34:35 GMT

Hi all.

Accoding with this behaviour, I have a similar problem with the renew of the IP address. In a similar scenario (ISE1.1.2 + vWLC 7.3.101. + CWA + DVLAN assigment); for test purposses I need to use the AP in flexconnect mode with central control and traffic data due to vWLC does not support APs in a local mode.

Applying WCA in a SSID with a "non-routed" interface and two interfaces for both different profiles. Client passes CWA profile in "non route" subnet when redirected; after a successful web authetication ISE sends to WLC the new attributes including the new VLAN, new ACL and the access-accept, but the client is not trying to change the IP address through DHCP.

I use two rules for authentication

First: Guest Redirection; condition "Wireless MAB" then "WLC-CWA" (central authentication - ACL-POSTURE-REDIRECT)

Second (This rule above the first) Guest Traffic; Condition "Network access: UseCase EQUALS GuestFlow) then "Guest Permit Access"(with includes new vlan assigment in function of the role based - new ACL asigment - Termination-Action=0)

WLC shows me the data correctly, it changes the interface, the ACL and changes the client status to RUN but maintains the IP address belonging to the old VLAN (non-routed vlan)

Could be possible that this bug will be hitting me?

Are there any Radius Attribute to force a DHCP IP procces for this devices?

Thanks in advanced.

Best Regards.

CWA/ISE/WLC - client timeout when redirected to portal.

Mikael Gustafsson — Fri, 15 Feb 2013 13:02:06 GMT

The client dosent know that the WLC changed VLAN and is not asking for a new IP.

To get that you need to use the 802.1x supplicant on the client, hence its better to only use ACL for MAB/guest flow.

On a switch you can bounce the port but I dont think there is a good way to do that on wireless.

Regards

CWA/ISE/WLC - client timeout when redirected to portal.

DumortierC — Fri, 15 Feb 2013 13:14:03 GMT

Hello,

it's work only for windows.

1. Click on "Administration" menu

2. Click on "Guest Management"

3. Click on "Settings"

4.Expand "Guest". Expand "Mult-Portal Configuration"

5. Click on "DefaultGuestPortal" or the name of a custom portal you may have created

6. Enable "Vlan DHCP Release".

here is a link: https://supportforums.cisco.com/docs/DOC-18325

regards

Re: CWA/ISE/WLC - client timeout when redirected to portal.

ivan.martin — Sun, 19 Jun 2022 02:07:23 GMT

Hi Raul, sorry my english is not good 🙂

Yo say:"WLC shows me the data correctly, it changes the interface, the ACL and changes the client status to RUN but maintains the IP address belonging to the old VLAN (non-routed vlan)"

In spanish...

Puede usted por favor revisar el grupo Flex Connect: wlan vlan mapping:

Aqui la wlan-id elegida debe indicar la "old vlan". A parte de indicar la vlan nativa para el AP. Por tantas wlan-id necesarias, deberán indicarse a la "old vlan".

Posteriormente su authorZ Profile debera indicar la vlan final a donde usted quiere autorizar.

Requisito importante es que la wlc soporte udp1700 (coa), el ise show ports | in 1700, el flex acl puede incluir 2 lineas que digan desde bootpccliente --- bootpcserver (y viceversa) un timeout holgado (10seg) y una recomendación adicional habilite "Vlan DHCP Release" en al Guest Portal.

Si no resulta preliminarmente valide en la wired que el dhcp pase a la vlan guest.

Quedo atento.

Regards, Ivan.

Re: CWA/ISE/WLC - client timeout when redirected to portal.

ahollifield — Mon, 20 Jun 2022 11:56:31 GMT

This is a post from 2013 (9 years ago!) I highly suggest making a new community post to help with your issue.