topic Re: Redirection to an internal web server in Network Access Control

Redirection to an internal web server

Chess Norris — Wed, 21 Nov 2018 13:03:09 GMT

I am trying to get ISE (2.4) to redirect clients to an internal web server. The redirection is part of an authorization policy used for quarantine clients, but I am a bit stuck getting this to work properly. I can get the redirection to work without any issues if I am using the web redirection option and point it directly to a portal page on the ISE server itself, but my customer wants to use an internal MS web server. I used the advanced attribute settings in the authorization policy and used the cisco-av-pair. The config looks like this:

cisco-av-pair = url-redirect-acl=CWA-URL-REDIRECT-ACL

cisco-av-pair = url-redirect=http://10.159.9.29:80/pxgrid/unquaran.html

When looking at the switch, I can see the redirection url and the address is correct. If I just copy/paste the url, the client have no problem to reach the page, but no redirection is happening.

Here is the output from the switch:

SW01-FIPWR-SBOX#show authentication sessions interface gigabitEthernet1/0/1 details

Server Policies:
Security Policy: None
Security Status: Link Unsecured
URL Redirect ACL: CWA-URL-REDIRECT-ACL
URL Redirect: https://10.159.9.29/pxgrid/unquaran.html
ACS ACL: xACSACLx-IP-LimitedAccessDACL-5bec09c6

Any suggestion how to get this to work?

Thanks

/Jorgen

Re: Redirection to an internal web server

pan — Wed, 21 Nov 2018 16:20:09 GMT

Could you answer following:

1> Do you have CWA-URL-REDIRECT-ACL ACL configured on switch?

2> Does the ACL CWA-URL-REDIRECT-ACL have 10.159.9.29 in deny statement?

In authorization policy you have http://10.159.9.29 but on switch you have https://10.159.9.29

Re: Redirection to an internal web server

pan — Wed, 21 Nov 2018 16:32:36 GMT

I have tested it works:

3750#show access-lists redirect-test
Extended IP access list redirect-test
    10 deny ip any host 10.127.196.230
    20 permit tcp any any eq www (20 matches)
    30 permit tcp any any eq 443

3750#show authentication sessions int g2/0/1
            Interface: GigabitEthernet2/0/1
          MAC Address: b496.9126.dec0
           IP Address: 10.106.37.240
            User-Name: panadmin
               Status: Authz Success
               Domain: DATA
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: single-host
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: N/A
     URL Redirect ACL: redirect-test
         URL Redirect: https://10.127.196.230
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A6A25DE000031FF914E75EE
      Acct Session ID: 0x0000385A
               Handle: 0x420001E1

Runnable methods list:
       Method   State
       dot1x    Authc Success

I have tried to open some http website and it automatically redirected me to redirect url

Re: Redirection to an internal web server

Chess Norris — Wed, 21 Nov 2018 18:17:27 GMT

Thank you for the suggestions, We do have the CWA-URL-REDIRECT-ACL ACL on the switch and
it is including deny ip any 10.159.9.29.

I will not be able to test this until monday next week, but I will have a look at your config and compare it to what we have.

Thanks
/Jorgen

Re: Redirection to an internal web server

mnagired — Wed, 21 Nov 2018 19:29:31 GMT

Jorgen,

I do notice a dACL - ACS ACL: xACSACLx-IP-LimitedAccessDACL-5bec09c6 which is part of auth policy.. Can you share the content of the dACL and i hope dACL isnt denying http/https access.

Re: Redirection to an internal web server

Chess Norris — Thu, 22 Nov 2018 06:17:40 GMT

The ACL: xACSACLx-IP-LimitedAccessDACL-5bec09c6 is permitting http and https traffic to the web server and also domain traffic. Reaching the url directly from the client works without any issues,

Thanks

/Jorgen