topic No you shouldnt have to in Network Access Control

Guest Wireless portal :- URL redirection to the client is not happened

pradeepgun — Mon, 11 Mar 2019 06:21:48 GMT

Currently we have POC Anchor-Foreign Scenario for DMZ wireless guest accesses using portal. Once we connected to SSID then we can see the foreign WLC quickly shows the client is in the RUN state and Anchor WLC shows CENTRAL_WEB_AUTH. But still URL redirection to the client is not happened. But when we copy and paste URL from logs to client browser then it is getting correctly. I have attached the redirection ACL for both WLCs and client debugs from both side.

We are using 5760 as Foreign WLC and 5508 WLC with ISE 1.3 patch 5.

Highly appreciated any help.

The ACL entry can be blank on

Tarik Admani — Thu, 31 Dec 2015 05:57:26 GMT

The ACL entry can be blank on the foreign controller since the acl that is enforced is on the anchor, you have to make sure that the redirect acls that are configured on both controllers are identical as they are case sensitive.

Many thanks Tarik.

pradeepgun — Thu, 31 Dec 2015 06:19:20 GMT

Many thanks Tarik.

Here we are using identical ACLs in both controllers and name also same. Do we need to allow DHCP as well. I have configured ACL based on below document.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

No you shouldnt have to

Tarik Admani — Thu, 31 Dec 2015 16:27:32 GMT

No you shouldnt have to because the CWA detection on the controller should allow dhcp and dns traffic through, in my acl that I have I only redirect the webauth port and the ip of ISE and thats all. What version of code are you running on your setup?

Thanks Tarik,

pradeepgun — Thu, 31 Dec 2015 21:52:16 GMT

Thanks Tarik,

Anchor WLC is CT5508 - 7.6.130.0

Foreign WLC is 5760 - 15.2

Would you please check the attached ALCs and if it is possible share your working ACLs