URL Redirect Not Consistent

Mark H — Mon, 11 Mar 2019 06:42:34 GMT

Hi everyone,

Have you ever seen an issue where a URL redirect to force web authentication is not performing reliably?

We have ISE 1.4, utilising a Cisco 3850 (3.3.5SE) access switch in converged access mode. We provide guest wireless access using a Cisco WLC 5508 (7.6.101.1) as the anchor. A client can successfully join and they have restricted access but the URL redirect to the guest portal only works intermittently, eventually after trying several sites you will get redirected. The WLC5508 is definitely receiving the connection, using a debug for the web-auth (below) there are multiple 'received connection' as I try different sites to trigger the redirection until eventually it works...

*webauthRedirect: Apr 27 15:28:55.086: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:28:55.093: 10:41:7f:d6:4c:43- received request

*webauthRedirect: Apr 27 15:28:55.110: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:28:55.112: 10:41:7f:d6:4c:43- received request

*webauthRedirect: Apr 27 15:28:55.123: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:28:55.125: 10:41:7f:d6:4c:43- received request

*webauthRedirect: Apr 27 15:28:55.137: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:28:55.140: 10:41:7f:d6:4c:43- received request

*webauthRedirect: Apr 27 15:28:55.157: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:28:55.159: 10:41:7f:d6:4c:43- received request

*webauthRedirect: Apr 27 15:28:55.171: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:28:55.174: 10:41:7f:d6:4c:43- received request

*webauthRedirect: Apr 27 15:28:55.185: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:28:55.188: 10:41:7f:d6:4c:43- received request

*webauthRedirect: Apr 27 15:28:55.202: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:28:55.303: 10:41:7f:d6:4c:43- received request

*webauthRedirect: Apr 27 15:28:59.484: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:28:59.486: 10:41:7f:d6:4c:43- received request

*webauthRedirect: Apr 27 15:28:59.498: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:28:59.499: 10:41:7f:d6:4c:43- received request

*webauthRedirect: Apr 27 15:28:59.511: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:28:59.513: 10:41:7f:d6:4c:43- received request

*webauthRedirect: Apr 27 15:28:59.524: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:28:59.526: 10:41:7f:d6:4c:43- received request

*webauthRedirect: Apr 27 15:29:00.303: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:00.317: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:00.331: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:03.335: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:03.359: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:03.381: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:05.320: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:05.343: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:05.365: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:07.140: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:07.158: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:07.174: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:08.957: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:08.979: 10:41:7f:d6:4c:43- received connection

*webauthRedirect: Apr 27 15:29:08.983: captive-bypass detection disabled, Not checking for wispr in HTTP GET, client mac=10:41:7f:d6:4c:43
*webauthRedirect: Apr 27 15:29:08.983: 10:41:7f:d6:4c:43- Preparing redirect URL according to configured Web-Auth type
*webauthRedirect: Apr 27 15:29:08.983: 10:41:7f:d6:4c:43: Client configured with AAA overridden redirect URL https://ISE008.domain.com:8443/portal/gateway?sessionId=0a7a780157204e040000911c&portal=eb4ce520-9a04-11e5-a633-005056870
*webauthRedirect: Apr 27 15:29:08.983: 10:41:7f:d6:4c:43- http_response_msg_body1 is <HTML><HEAD><TITLE> Web Authentication Redirect</TITLE><META http-equiv="Cache-control" content="no-cache"><META http-equiv="Pragma" content="
*webauthRedirect: Apr 27 15:29:08.983: 10:41:7f:d6:4c:43- http_response_msg_body2 is "></HEAD></HTML>

*webauthRedirect: Apr 27 15:29:08.983: 10:41:7f:d6:4c:43- parser host is www.lifehacker.com.au
*webauthRedirect: Apr 27 15:29:08.983: 10:41:7f:d6:4c:43- parser path is /
*webauthRedirect: Apr 27 15:29:08.983: 10:41:7f:d6:4c:43- added redirect=, URL is now https://ISE008.domain.com:8443/portal/gateway?sessionId=0a7a780157204e040000911c&portal=eb4ce520-9a04-11e5-a633-005056870370&action=cwa&type=drw
*webauthRedirect: Apr 27 15:29:08.983: 10:41:7f:d6:4c:43- str1 is now https://ISE008.domain.com:8443/portal/gateway?sessionId=0a7a780157204e040000911c&portal=eb4ce520-9a04-11e5-a633-005056870370&action=cwa&type=drw&token=82d8cad90
*webauthRedirect: Apr 27 15:29:08.983: 10:41:7f:d6:4c:43- clen string is Content-Length: 433

*webauthRedirect: Apr 27 15:29:08.983: 10:41:7f:d6:4c:43- Message to be sent is
HTTP/1.1 200 OK
Location: https://ISE008.domain.com:8443/portal/gateway?sessionId=0a7a780157204e040000911c&portal=eb4ce520-9a04-11e5-a633-0050568703
*webauthRedirect: Apr 27 15:29:08.983: 10:41:7f:d6:4c:43- send data length=690
*webauthRedirect: Apr 27 15:29:08.983: 10:41:7f:d6:4c:43- Web-auth type External, but unable to get URL
*apfReceiveTask: Apr 27 15:29:15.989: 10:41:7f:d6:4c:43 172.18.18.139 WEBAUTH_REQD (8) pemAdvanceState2 5600, Adding TMP rule
*apfReceiveTask: Apr 27 15:29:15.990: 10:41:7f:d6:4c:43 172.18.18.139 WEBAUTH_REQD (8) Replacing Fast Path rule

topic URL Redirect Not Consistent in Network Access Control

URL Redirect Not Consistent