topic Re: Cisco ISE Guest Access URL Redirect after authentication in Network Access Control

Cisco ISE Guest Access URL Redirect after authentication

InfraISE2020 — Thu, 10 Feb 2022 15:26:40 GMT

We upgraded our Cisco ISE portal from v2.7 to v3.0 and following on from this we appear to have an issue with guest authentication.

Previously, when a guest connected to our Guest SSID they was redirected to a portal to sign in. This part of the authentication is working however after sign in they was redirected to our company URL.

Since the upgrade the users are no longer being redirected after the authentication resulting it them believing they are not authenticated but if they connect to the SSID again they are already authenticated (dropped into endpoint identity group) and can browse the internet.

We have tried different URLs and options in the "once authenticated, take guest to" configuration, however none of these appear to be working.

We have also updated the portal on the Cisco ISE builder to be on the same version as ISE however this doesn't appear to have made any improvements.

Has anyone come across these problems post upgrade? Alternatively does anyone know what settings need to be enabled to that after authentication the guest access sign in automatically disappears and they are no longer redirected to a website?

TIA.

Re: Cisco ISE Guest Access URL Redirect after authentication

Aref Alsouqi — Thu, 10 Feb 2022 16:30:35 GMT

I think in the Authentication Success Settings you can choose one of the following options:

- Original URL

- Authentication Success page

- Custom URL

I think in your case you might want to select the Authentication Success page, that should take care of letting the users know that they are successfully authenticated.

Re: Cisco ISE Guest Access URL Redirect after authentication

InfraISE2020 — Thu, 10 Feb 2022 16:41:34 GMT

Hi Aref,

We have tried that however it still appears to leave the user in an unauthenticated state - until they reconnect to the SSID where they are able to log in as they are dropped in to the correct EIG.

Re: Cisco ISE Guest Access URL Redirect after authentication

Arne Bier — Thu, 10 Feb 2022 22:31:11 GMT

@InfraISE2020 - just a quick suggestion - I had a similar issue with an ISE 3.0 customer and the issue turned out that on the WLC I had forgotten to include permit statements for PSN @ TCP/8443 in the ACL_ALLOWED ACL (i.e. after authentication or after successful MAC auth). I could have sworn that in earlier deployments I never had to do that. It seems a bit non-sensical, because the ISE portals should not be involved AFTER an authentication. Anyway - it's worth a try.

Re: Cisco ISE Guest Access URL Redirect after authentication

amitkulshrestha — Tue, 26 Jul 2022 08:43:03 GMT

Hi Arne,

I am also facing same issue, could plz share me Acl which u have confiugre.

In my case i have configure acl on ISE itself for after authentication.

Regards

Amit

Re: Cisco ISE Guest Access URL Redirect after authentication

Arne Bier — Tue, 26 Jul 2022 20:42:52 GMT

Amit, are you using an AireOS WLC or 9800?

In either case, what I was referring to is the ACL that is applied to the user AFTER they have successfully authenticated on th eprtal (or passed MAB auth successfully using the "Remember Me" method).

In the case of AireOS, the ACL lives on the controller and I had to include the PSN's IP address and the destination TCP port of the portal - I don't have access to this config now - but I allowed inbound access to PSN dest port 8443 and outbound from PSN source 8443

The post auth ACL at a high level goes like this

Allow DNS

Allow ISE PSN Portals

Block RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)

Allow Everything

Re: Cisco ISE Guest Access URL Redirect after authentication

amitkulshrestha — Wed, 27 Jul 2022 05:50:23 GMT

Very Thanks Arne , for taking time to reply me ,

"are you using an AireOS WLC or 9800?" --> C9800-CL

"In either case, what I was referring to is the ACL that is applied to the user AFTER they have successfully authenticated on th eprtal (or passed MAB auth successfully using the "Remember Me" method)." --> that means acl internet access. Not redirect one?

"In the case of AireOS, the ACL lives on the controller and I had to include the PSN's IP address and the destination TCP port of the portal - I don't have access to this config now - but I allowed inbound access to PSN dest port 8443 and outbound from PSN source 8443" --> Ok .. in my case i hav C9800-CL that mean i have to place my acl on ISE. here i my acl do check and suggest corrections :-

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 1ab.25.32.11 -->ISE PSN1
permit ip any host 1ab.25.32.12 -->ISE PSN2
permit ip any host 10.1xy.10.9 -->DNS1
permit ip any host 10.1xy.10.10 -->DNS2
permit ip any any

Regards

Amit

Re: Cisco ISE Guest Access URL Redirect after authentication

Arne Bier — Wed, 27 Jul 2022 06:09:19 GMT

If you have a C9800 and you want to apply a dACL AFTER successful authentication then you should have something like

permit udp any eq bootpc any eq bootps permit udp any any eq domain permit ip any host 1ab.25.32.11 port 8443 -->ISE PSN1 (best to specify the exact TCP port - e.g. 8443) permit ip any host 1ab.25.32.12 port 8443 -->ISE PSN2 (best to specify the exact TCP port - e.g. 8443) permit ip any host 10.1xy.10.9 -->DNS1 <--- this won't match because DNS further above will match permit ip any host 10.1xy.10.10 -->DNS2 <--- make this more specific by specifying DNS UDP port - and then delete the more generic rule at the top deny ip any 10.0.0.0 /8 deny ip any 192.168.0.0/16 deny ip any 172.16.0.0/12 permit ip any any