topic Re: Cisco switch url web-redirect is not working in Network Access Control

Cisco switch url web-redirect is not working

Almas — Thu, 20 Oct 2022 06:26:05 GMT

Hi,

I have a problem with web redirection url. When I connect my PC to the switch (s2960), the PC is authenticated. And the Switch received URL redirect and URL Redirect ACL. PC requested an ip address using dhcp and is receiving it. The browser opens on the computer and it starts opening the redirect URL over and over again, like in a loop. And the captive portal page won't open.

I configured ip http server, ip http secure-server, ip device tracking, ACL.

The "show authentication sessions interface gigabitEthernet x/x details" command give the next result
Interface: gigabitEthernet x/x
MAC Address: xxxx.xxxx.xxxx
IPv6 Address: Unknown
IPv4 Address: 10.1.4.23
User-Name: xxxxxxxxxxxx
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 172800s (local), Remaining: 171245s
Session Uptime: 1568s
Common Session ID: 0Axxxxxxxxxxxxxx
Acct Session ID: 0x0XXXXXX
Handle: 0x8XXXXXXXX
Current Policy: POLICY_Gix/x

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
URL Redirect: https://10.1.1.15
URL Redirect ACL: Captive_Portal_Redirect

Method status list:
Method State

dot1x Stopped
mab Authc Success

what could be the problem?

Re: Cisco switch url web-redirect is not working

balaji.bandi — Thu, 20 Oct 2022 06:48:49 GMT

what ISE version are you using for this Authentication?

is the redirection issue only with one device or is this a new setup or are all devices having the same issue?

i also suggested checking directly access the portal is that works ?

check some docs to help :

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Re: Cisco switch url web-redirect is not working

Almas — Thu, 20 Oct 2022 08:35:52 GMT

I use ClearPass. All devices have same problem. I switch off dot1x and mab on the Switch, and the computers can connect to the portal.

I capture packet on the PC, ClearPass (Portal), Firewall. I see packet with SYN, SYN,ACK, between PC ip address and Portal ip address on the PC, but I don't see this packet on the Firewall and the Clerpass.

Connection look like there:
PC > Switch > Firewall > ClearPass.

Re: Cisco switch url web-redirect is not working

Greg Gibbs — Thu, 20 Oct 2022 21:34:40 GMT

What is the exact model of the switch captured from 'show inventory'?
What IOS version is it running?
What does your redirect ACL look like?
What does your interface configuration look like? Do you have an ACL applied to the switchport?

You might try sending an downloadable ACL that allows all traffic along with your redirect ACL to see if that makes a difference. If it does, you can modify the DACL to permit just the required traffic (usually the reverse of the redirect ACL).

Re: Cisco switch url web-redirect is not working

Almas — Fri, 21 Oct 2022 04:06:28 GMT

I have next model of the switch:
show inventory
NAME: "1", DESCR: "WS-C2960L-48PS-LL"

Next IOS version:
Model SW Version SW Image
----- ----- ---------- ----------
WS-C2960L-48PS-LL 15.2(7)E4 C2960L-UNIVERSALK9-M

ACL:
ip access-list extended Captive_Portal_Redirect
deny icmp any any
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443

Interface configuration:

interface GigabitEthernet0/4
switchport access vlan 334
switchport mode access
switchport voice vlan 12
ip arp inspection trust
logging event trunk-status
logging event spanning-tree
logging event status
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3
arp log threshold entries 2048
spanning-tree portfast edge
end

I sent an downloadable ACL that allows all traffic along with my redirect ACL, but i didn't see difference.

Re: Cisco switch url web-redirect is not working

thomas — Fri, 11 Nov 2022 22:48:07 GMT

Are you sure that ClearPass supports a downloadable ACL to Cisco switches? Downloadable ACLs are not a RADIUS standard feature.

You might need to use pre-configured ACLs and send the ACL name only.

Re: Cisco switch url web-redirect is not working

davidgfriedman — Fri, 11 Nov 2022 23:03:47 GMT

We tried a Pilot with ClearPass at one site before deciding to stay with Cisco ISE. ClearPass could not send downloadable ACLs (at that time) to switches. It could send roles, radius ACLS as attributes, but could not handle downloadable ACLs for Cisco switches.