topic Re: Cisco ISE web redirect not working in Network Access Control

Cisco ISE web redirect not working

Jason Weids — Fri, 01 Mar 2019 10:41:30 GMT

Can anyone help with this. I have an open SSID doing MAC filtering to ISE with the following auth rules;

My devices is hitting correct rule for the unknown MAC but it is not redirecting me to the guest portal & is allowing me access in the associated VLAN assigned to the WebAuth policy.

Re: Cisco ISE web redirect not working

Jason Weids — Fri, 01 Mar 2019 10:54:11 GMT

Just to add, I can browse to the redirect link from the device.

Re: Cisco ISE web redirect not working

Rob Ingram — Fri, 01 Mar 2019 11:19:07 GMT

Hi,
When you access the link from the device is it via FQDN or IP address?....can the device resolve the dns hostname of the ISE PSN?

Can you confirm the redirect ACL been applied to the interface?...what is the output of "show authentication session interface Gi x" ?

What is the configuration of your called ACL_WEBAUTH_REDIRECT?

Re: Cisco ISE web redirect not working

Jason Weids — Fri, 01 Mar 2019 12:52:42 GMT

Hi,

Accessing the link works using the FQDN & the client can resolve this.

What interface would the ACL be applied to being this a wireless connection?

Below show the attribute of the Cisco_WebAuth profile but where to I find the configuration of the ACL_WEBAUTH_REDIRECT.

There is also a "!" withe the following note;

Re: Cisco ISE web redirect not working

Rob Ingram — Fri, 01 Mar 2019 13:02:46 GMT

Sorry I mis-read the original post and assumed it was wired. Can you confirm the configuration of the ACL_WEBAUTH_REDIRECT ACL defined on the WLC? Can you check the WLC for the client session and confirm the redirect ACL is applied.

Re: Cisco ISE web redirect not working

Jason Weids — Fri, 01 Mar 2019 13:33:36 GMT

It doesn't look like it is applying the ACL. Do I need to create the ACL on the WLC as well?

Re: Cisco ISE web redirect not working

Rob Ingram — Fri, 01 Mar 2019 13:35:40 GMT

Ok. Check the ACL on the WLC and ensure the case is the same as defined on ISE and spelling.

Check this page and double check the configuration of the WLC configuration.

Re: Cisco ISE web redirect not working

Jason Weids — Fri, 01 Mar 2019 14:17:22 GMT

Awesome thank you. It works. Wish I had this guide before.

I've another question now.

A guest theoretically could enter any details they like on the registration page to get access. Is there a way to verify them by email or any other methods? We sometimes have minors on site & they might need a different level of access or URL filtering, either way, for compliance we would have to be able to identify the users.

Re: Cisco ISE web redirect not working

Rob Ingram — Fri, 01 Mar 2019 15:16:18 GMT

Hi,

Glad to hear it's working now. I haven't used Guest for a log time, but does this link do what you want? This is to configure approval request email to a sponsor.

HTH

Re: Cisco ISE web redirect not working

Jason Weids — Fri, 01 Mar 2019 17:41:50 GMT

Only issue is the web page only seems to work with IE or edge. Is there support for other browsers & mobile devices?

Re: Cisco ISE web redirect not working

Rob Ingram — Fri, 01 Mar 2019 20:23:21 GMT

Do you get a certificate on the non MS browsers? If you are using an Internal CA then the IE/Edge browsers would automatically trust those certificates and not present a certificate error. Firefox/Chrome and a mobile browser would not trust the Internal CA unless specifically configured to do.

HTH

Re: Cisco ISE web redirect not working

Jason Weids — Mon, 04 Mar 2019 14:09:09 GMT

We have imported the full certificate chain that has been signed by a CA authority & bound the original cert request. It has being used by the default portal certificate group and we can confirm in the browser when redirected that is is using this certificate but it is still saying it is not trusted.

Re: Cisco ISE web redirect not working

Rob Ingram — Mon, 04 Mar 2019 15:16:31 GMT

Does your client computer have the QuoVadis EV SSL ICA G3 certificate in it's machine store?

Re: Cisco ISE web redirect not working

Jason Weids — Mon, 04 Mar 2019 16:59:35 GMT

No it doesn't

Re: Cisco ISE web redirect not working

Rob Ingram — Mon, 04 Mar 2019 17:03:44 GMT

That QuoVadis certificate needs to be imported to the computer trusted certificate store, otherwise the web browser will consider it untrusted and error.

Re: Cisco ISE web redirect not working

Jason Weids — Tue, 05 Mar 2019 09:02:48 GMT

How is this meant to work for guests then?

I have now imported the certificate to the machine & it is now trusted & all browsers working. I'm confused how this is going to work for guests on their own devices though.

Re: Cisco ISE web redirect not working

Rob Ingram — Tue, 05 Mar 2019 09:55:06 GMT

That QuoVadis CA certificate is possibly not, as default installed onto a computer compared to Comodo, Entrust, Verisign etc which are. Possibly use one of these other CAs which should ensure trust for most devices (hopefully).

HTH

Re: Cisco ISE web redirect not working

Jason Weids — Tue, 05 Mar 2019 10:57:38 GMT

So do I need to use one of the trusted certificates in ISE for the guest portal, like the verisign class 3 public certification authority?

How do I apply this to the guest portal?

Re: Cisco ISE web redirect not working

bern81 — Wed, 06 Mar 2019 08:41:39 GMT

you can use self-signing portal with sponsor approval.
like this when the guest get the redirect page, he has to create a user and who he is visiting.
the request goes to a sponsor account email that approve the guest and define the duration for the connection.
the guest received an email with his passwd and can access internet.

Re: Cisco ISE web redirect not working

Jason Weids — Thu, 07 Mar 2019 08:18:15 GMT

After applying the cert to the admin role & restarting ISE all portals on all browsers are now accepting the certificate. Seems strange that they didn't when we applied it to the portal role because that doesn't require a restart.