topic Re: Cisco ISE - Redirect CWA in Network Access Control

Cisco ISE - Redirect CWA

David Boos — Mon, 11 Mar 2019 02:15:36 GMT

I'm new to ISE and have run into a snag that I'm not sure how to handle. I have CWA configured and when I access the ISE SSID I am redirected to the guest login page. When I login it asks me to accept the AUP, I accept, it tells me authentication is successful but when I try to browse to another site I can't get anywhere and it brings me right back to the guest login page. Any ideas or suggestions?

Cisco ISE - Redirect CWA

Tarik Admani — Mon, 02 Jul 2012 20:33:40 GMT

David,

You will have to create another authorization policy above this rule that they will have to hit once their Endpoint profile changes...this is where CoA comes into play and this is what ISE uses over other radius servers.

When the user authenticates and is unknown to ISE then the endpoint gets redirected to the web portal. Once the user authentication, this is where coa takes effect and searches for another matching authorization policy. Have you created an authorization poilcy for guests?

Thanks,

Tarik admani

Cisco ISE - Redirect CWA

David Boos — Mon, 02 Jul 2012 20:50:16 GMT

I've attached a copy of my authorization policy.

Thanks for replying.

Re: Cisco ISE - Redirect CWA

Tarik Admani — Mon, 02 Jul 2012 20:54:56 GMT

David,

Do you have radius nac enabled on the your WLC also what version of code are you running on the controller?

Also when the authentication event occurs can you post a screenshot of the authentication page (under Monitoring > Authentication)

Along with AAA override, should be under the advance settings on the SSID.

Thanks

tarik Admani

Message was edited by: Tarik Admani

Cisco ISE - Redirect CWA

David Boos — Mon, 02 Jul 2012 21:01:11 GMT

I've attached screenshots

WLC Code

WLAN Settings

Cisco ISE - Redirect CWA

Tarik Admani — Mon, 02 Jul 2012 21:07:52 GMT

The controller side looks fine, we need to see if you you have CoA enabled globally. Can you check the following and set the COA to reauth (default is set to to No COA).

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_prof_pol.html#wp1340803

Please post a screenshot of the authentication report..Monitoring>Authentications

thanks,

Tarik Admani

Cisco ISE - Redirect CWA

David Boos — Mon, 02 Jul 2012 21:15:41 GMT

I did not have CoA enabled and set to reauth, set that option disconnected from the WLAN, reassociated, still loops back to the guest page. Attached a screenshot of the authentications - I assumed on ISE and not on the WLC.

Cisco ISE - Redirect CWA

Tarik Admani — Mon, 02 Jul 2012 21:22:57 GMT

Can you post a screeshot of your Guest policy i only see the Identity group conditoin but the authorization profile that you assigned to this rule.

Thanks

tarik Admani

Cisco ISE - Redirect CWA

David Boos — Mon, 02 Jul 2012 21:24:50 GMT

Guest Policy

Cisco ISE - Redirect CWA

Tarik Admani — Mon, 02 Jul 2012 21:26:41 GMT

Sorry,

I meant the authorization policy that is above your redirection policy under authorization.

Cisco ISE - Redirect CWA

David Boos — Mon, 02 Jul 2012 21:29:24 GMT

The policy under Policy > Results then Authorization > Authorization Results?

Re: Cisco ISE - Redirect CWA

Tarik Admani — Mon, 02 Jul 2012 21:30:28 GMT

Expand the screenshot in the 3rd message of this thread.

Cisco ISE - Redirect CWA

David Boos — Mon, 02 Jul 2012 21:34:56 GMT

Nothing under Layer 3, I was sent a powerpoint called

ISE for CUWN Essentials:

Central Web Authentication (CWA)

Configuration Example

and I followed that, I would attach it but I can only attach images/video. It calls for Layer 2 MAC filtering an nothing for Layer 3. Maybe that's wrong but just filling you in on where I'm coming from.

Thanks,
David

Cisco ISE - Redirect CWA

Tarik Admani — Mon, 02 Jul 2012 21:36:29 GMT

Sorry about the previous message, I thought i had deleted that. I would like you to expand the screenshot in the 3rd message of this thread, it only shows the idenity group condition and not the result that you selected.

Cisco ISE - Redirect CWA

David Boos — Mon, 02 Jul 2012 21:39:31 GMT

Got it, attached below.

Cisco ISE - Redirect CWA

Tarik Admani — Mon, 02 Jul 2012 21:51:26 GMT

Is boos179 the guest account you are trying to authenticate with?

Thanks

Tarik Admani

Cisco ISE - Redirect CWA

David Boos — Mon, 02 Jul 2012 22:09:18 GMT

Yes, I've attached my identity sequence below. I've allowed anyone with an AD credential to login to the guest portal using their AD credential as a guest. Boos179 is my username.

Cisco ISE - Redirect CWA

Tarik Admani — Mon, 02 Jul 2012 22:17:04 GMT

That makes sense now, so you are not being dynamically mapped to the Guest as you would assume. You need to create another authorization policy that matches the group that you would like to allow your domain users (i.e. Domain Users).

You need to create this condition first by defining the group in Active directory (Administration > Identities > External Identity sources > Active Directory > Groups > Add > (there is a 100 group limit so you can search Domain* and that will pull anything that matches Domain and the wildcard).

If you have done the already they create another authoriztion policy and use this following:

Policy > Authorization > Insert New Rule [Above | Below] > Conditions (Create New Condition [Advance Option]) > Select Attribute (AD1 > ExternalGroup EQUALS [the group you chose before] > Set your result

Then test that should do the trick.

Thanks

tarik Admani

Cisco ISE - Redirect CWA

David Boos — Mon, 02 Jul 2012 22:27:08 GMT

This is my new authorization policy, I'm a but confused though. What does the last policy (MAC not Known) actually do then? I will have to test in the morning to find out if this works.

Cisco ISE - Redirect CWA

Tarik Admani — Mon, 02 Jul 2012 22:38:14 GMT

Replace the condition on the left from Guest to Any....the policy you defined below is to redirect all mab requests to the redirection portal where the user can enter then authentication information.

Thanks,

tarik admani

As always please remember to rate any feedback that you find helpful.