topic ISE Guest Redirection- Chrome Web Browser in Network Access Control

ISE Guest Redirection- Chrome Web Browser

awatson20 — Thu, 07 Nov 2019 13:38:26 GMT

We are using ISE 2.4 patch 9 for guest access, and are encountering an issue with the redirection process on Windows 10 devices. After connecting to the guest SSID, windows detects the captive portal and will launch the edge browser by default and you successfully get redirected to the Guest Portal page. The browser is redirecting to a microsoft page. (https://go.microsoft.com/) However, if I change the default browser to "Chrome", I get redirected, but I receive error This site can’t be reached go.microsoft.com unexpectedly closed the connection. It takes multiple attempts to various sites to finally get the redirect to work, or if I enter in an HTTP site only it works. Any suggestions?

Re: ISE Guest Redirection- Chrome Web Browser

varma10 — Thu, 07 Nov 2019 14:13:09 GMT

I think your wireless LAN controller is not enabled to intercept https traffic. Verify on the WLC if the secure web-auth redirect is enabled or disabled. You can do this by issuing command "show network summary" on WLC and look for "Web Auth Secure Redirection". This should be enabled.

If disabled, then issue command "config network web-auth https-redirect enable".

Re: ISE Guest Redirection- Chrome Web Browser

awatson20 — Thu, 07 Nov 2019 14:55:32 GMT

We do have this currently disabled. My question would be why do the other browsers not have this issue, and what is the disadvantage to enabling this? I believe from reading it is not advised to enable HTTPS redirect on the wireless controllers, or is this something that is a recommended best practice now?

Re: ISE Guest Redirection- Chrome Web Browser

Jason Kunst — Thu, 07 Nov 2019 18:46:21 GMT

HTTPS redirect would be definitely recommended as alot of the browser auto launch try to call HTTPS site. Everything is going https. Unfortunately even with everything perfect i always run into issues roaming the world with various guest systems not auto launching on laptops and phones with DNS and caching issues.

All else fails you can ask users to go to http site. such as http://enroll.cisco.com

Do you have a well known certificate deployed in ISE? If its not and using self-signed that might be the issues. Example HSTS errors?

More information can be found by looking at the following guides on setup and certificates

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897

If all else fails open TAC case

Re: ISE Guest Redirection- Chrome Web Browser

hslai — Sat, 09 Nov 2019 04:40:20 GMT

You might be hitting CSCvi41578

Re: ISE Guest Redirection- Chrome Web Browser

awatson20 — Tue, 12 Nov 2019 13:18:30 GMT

We are not using Chrome 65. We are on Chrome 78.

Re: ISE Guest Redirection- Chrome Web Browser

awatson20 — Tue, 12 Nov 2019 13:21:34 GMT

Do you have a well known certificate deployed in ISE? If its not and using self-signed that might be the issues. Example HSTS errors? We have a standard SSL certificate through godaddy signed and loaded in ISE associated with the guest portals. Is that what you were referring to, and would that be correct?