topic Re: ISE - Central Webauthentication // Guest accouts in Network Access Control

ISE - Central Webauthentication // Guest accouts

marczacho — Mon, 11 Mar 2019 02:04:34 GMT

Hi, I'm working with the Cisco ISE as a school project, but I have some problems with the central web authentication. I have followed this guide, and at the moment I have the following two problems:

The redirection does not work, but it seems like the ISE tells the switch to redirect, but nothing happens at the client. (See buttom of the post)

I can access the guest webportal by entering the direct url-address.

I have tried to trigger the redirect both by a DNS name and by an ip-address.

My second problem is my guest users.

When I create a guest account from the sponsorportal, I can't see the password only stars (****), and I can't figure out if this is a security feature or a bug. Right now I'm working in an offline environment so I don't have access to a SMTP server, so I can't try the email function to get the guest account information.

I have tried to create a guest account in the adminportal, but I can't login with it. If I go the authentication logs, I just get an "86020 unknown error".

I run everything in VMware, and I have to go through two switches with a trunk connection, before I can reach the switch I'm working on, therefore I have a bit unusually configuration.

I have attached the switch configuration, and a screenshot to show my setup.

---

sw03#sh auth sess int fa0/5

Interface: FastEthernet0/5

MAC Address: 000c.29ff.28f7

IP Address: Unknown

User-Name: 00-0C-29-FF-28-F7

Status: Authz Success

Domain: DATA

Security Policy: Should Secure

Security Status: Unsecure

Oper host mode: single-host

Oper control dir: both

Authorized By: Authentication Server

Vlan Group: N/A

URL Redirect ACL: redirect

URL Redirect: https://mz-ise.mz:8443/guestportal/gateway?sessionId=C0A80A020000000C047D8E21&action=cwa

Session timeout: N/A

Idle timeout: N/A

Common Session ID: C0A80A020000000C047D8E21

Acct Session ID: 0x00000014

Handle: 0x7F00000C

Runnable methods list:

Method State

mab Authc Success

Re: ISE - Central Webauthentication // Guest accouts

Alex Pfeil — Wed, 09 May 2012 01:49:33 GMT

An ACL could be blocking the redirect if the management interface of the switch and the device are on two separate VLANs. If the switch is layer three, temporarily create routing on it between the two and see of it works.

Second, a proxy will also mess with URL redirection if it is on a different port than port 80. on a WLAN controller a proxy should work fine with URL redirection.

Thanks

Alex

Hope this helps

Sent from Cisco Technical Support iPhone App

Re: ISE - Central Webauthentication // Guest accouts

Alex Pfeil — Wed, 09 May 2012 01:52:35 GMT

Also redirect ACLs are the opposite of regular ACLs so can you post the redirect ACL

Thanks

Alex

Sent from Cisco Technical Support iPhone App

Re: ISE - Central Webauthentication // Guest accouts

marczacho — Wed, 09 May 2012 11:12:05 GMT

Regarding the guest password/login problem, the problem is solved.
I updated to ISE v1.1, and now that part is working, but I still have the problem with redirect.

Here is my redirect ACL:

ip access-list extended redirect

deny ip any host 192.168.10.5 (my ISE ip)

permit tcp any any eq www

permit tcp any any eq 443

Re: ISE - Central Webauthentication // Guest accouts

marczacho — Wed, 09 May 2012 12:19:13 GMT

Okay, I just tried some different things, and after adding these two commands, the redirection works!

ip dhcp snooping

ip device tracking