topic Re: ISE URL redirection not work when the gateway for the vlan is on f in Network Access Control

ISE URL redirection not work when the gateway for the vlan is on firew

Hevin27 — Thu, 11 Jul 2024 10:21:23 GMT

Hi guys,

I'm new to ISE and recently we are deploying ISE to production to authenticate users. The issue currently encountered is guest self-registration. For security reasons, the network where the guest is located is a separate area on the firewall, when a guest accesses the network, ISE will deliver a redirect URL for the visitor to self-register. ISE is able to deliver the redirect URL and call the ACL to the interface, but the client does not automatically pop up the browser and redirect to the self-registration page, and redirects cannot be triggered by manual access a website either, but copying the redirect URL delivered by ISE to the switch interface to the client is accessible .(There is a policy on the firewall to allow the switch to manage the IP to the guest network.). I checked the forums and found that the firewall might be blocking the one-way traffic from spoofed IP to client VLAN. With the same configuration, if I modify the vlan-id delivered by ISE to the SVI which is on the core switch, it is no problem at all. So I believe it's the firewall that implicitly blocks this traffic. Has anyone ever been in this situation? How should it be resolved?

1. I enabled a guest SVI on the authentication switch as suggested on the forum and it works.
2. Someone suggested enabling redirects for L2, but I don't know how to do it and don't know if it works.

Re: ISE URL redirection not work when the gateway for the vlan is on f

MHM Cisco World — Thu, 11 Jul 2024 12:13:06 GMT

FW must have policy allow guest IP to access ise url

If you add this policy and not work' then check if url redirect is use IP or hostname' if it use hostname then check dns from guest by using dns lookup.

MHM

Re: ISE URL redirection not work when the gateway for the vlan is on f

Hevin27 — Thu, 25 Jul 2024 07:53:07 GMT

In fact, we found that the underlying situation is that stateful firewalls drop traffic that is modified. In the case of a stateful firewall, he sees a one-way traffic that is dropped even if a policy is established.

Re: ISE URL redirection not work when the gateway for the vlan is on f

MHM Cisco World — Thu, 25 Jul 2024 13:47:33 GMT

so this issue is solved ?

Thanks

MHM

Re: ISE URL redirection not work when the gateway for the vlan is on f

Hevin27 — Fri, 26 Jul 2024 08:26:47 GMT

yes, for the NGFW, we need to disable the tcp syn check of source zone, then the one-way traffic can through the NGFW.