topic Web Redirect is not working in Wireless

Web Redirect is not working

Prasan Venky — Sun, 04 Jul 2021 07:26:11 GMT

Hello,

We configured the web authentication in wlc 5508with ISE for the guest traffic. When client tries to connect it redirects to the different URL. That means the specified URL (that is default redirection page of ISE) 'https://<ISE IP>:8443/guestportal/portal.jsp' but client is getting redirected to

'https://<ISE>:8443/guestportal/login.action?switch_url=https://<virtual IP>/login.html&wlan...'. And finally page cannot be displayed now error message i am getting.

Why it happens..? Any quick help would be really appreciated

Moreover i have doubts on the below points.

1) Should both the Anchor and the foriegn controllers be configured for web auth security or only anchor ..?

2) When external web redirection, the client has to get the DNS resolved entry for the Specified URL or WLC knows to take it to the external web page..?

3) Any special configuration has to be done on ISE?

Thanks for your time

KVS

Message was edited by: Prasan Venky

Web Redirect is not working

grabonlee — Tue, 16 Jul 2013 15:16:47 GMT

Hi,

When a user-defined guest portal is implemented, the URL should be in the format below:

https://:8443/guestportal/portals/name_of_user_defined_portal/portal.jsp.

The ISE_Server_IP should either be the IP address of the ISE server or the DNS resolvable hostname of the ISE Server.

The external web authentication URL should only be specified in the Anchor Controller.

Web Redirect is not working

Prasan Venky — Tue, 16 Jul 2013 15:37:05 GMT

thanks for your reply Osita.

We are using default setting for the guest portal access in ISE . We are not sure about userdefined web page.

We even tried by giving direct ip of ISE as like https:// ip address :8443/guestportal/portal.jsp ,

https:// ip address :8443/guestportal/login.action .

But still web page is not displaying. What needs to be checked?

Re:Web Redirect is not working

grabonlee — Tue, 16 Jul 2013 15:52:30 GMT

Did u specify the URL in the external web auth login on the anchor controller?

Did u check the firewall to see if it may be blocking port 8443?

Are u using pre-authentication ACL? If so, u have to make sure that there is both inbound and outbound ACL to and from the ISE on port 8443.

Sent from Cisco Technical Support Android App

Web Redirect is not working

Prasan Venky — Tue, 16 Jul 2013 17:40:52 GMT

Did u specify the URL in the external web auth login on the anchor controller?

Yes , we have given on the anchor controller.

Did u check the firewall to see if it may be blocking port 8443?

We have allowed the port

Are u using pre-authentication ACL? If so, u have to make sure that there is both inbound and outbound ACL to and from the ISE on port 8443.

We have allowed

1.ise to any 2. any to ise 3. any to dns 4. dns to any

In wlan configuration , we specified L3 security as web auth with external server and the URL of ISE (pre auth ACL chosen). In advanced tab we given AAA override .

In ISE we just allowed the permit access auth profile for the guest access.

Do we need to configure anything extra?

Web Redirect is not working

grabonlee — Tue, 16 Jul 2013 18:18:39 GMT

Hi,

For now could you uncheck AAA override in the WLAN config.

Does your Authentication policy on the ISE similar to below:

IF (WLC_Web_Authentication and Wireless_Guest_WebAuth)

THEN (Allow Default Network Access (or user defined access) and USE Guest_Portal_Sequence)

WLC_Web_Authentication is system generated compound condition that matches Service-Type and NAS port type

Wireless_Guest_WebAuth is user defined simple condition that matched open guest SSID i.e Airespace-Wlan-Id EQUALS (number of the guest SSID on the WLC).

How is the Authorization policy set up?

Are the devices that you have problem with Apple or MAC OSX?

If so, you need to add the command on the anchor controller ---- configure network web-auth captive-bypass enable.

Finally could you confirm that on the Pre-auth ACLs, you specified the port 8443 and not just any?

Web Redirect is not working

Prasan Venky — Tue, 16 Jul 2013 18:40:14 GMT

Really thanks for the reply .

Yes , we have configured

IF (WLC_Web_Authentication and Wireless_Guest_WebAuth)

THEN (Allow Default Network Access

For authorization , default permit any access .

We tried with windows 7 clients

Anyway anchor controller is placed after the firewall. we didn't open the port 443 for redirection. We will enable it tomorrow .We will check and let you know tomorrow.

Web Redirect is not working

mmangat — Wed, 17 Jul 2013 02:03:13 GMT

Hello,

How to Make an External (Local) Web Authentication Work with an External Page

As already briefly explained, the utilization of an external WebAuth server is just an external repository for the login page. The user credentials are still authenticated by the WLC. The external web server only allows you to use a special or different login page. Here are the steps performed for an external WebAuth:

The client (end user) opens a web browser and enters a URL.
If the client is not authenticated and external web authentication is used, the WLC redirects the user to the external web server URL. In other words, the WLC sends an HTTP redirect to the client with the website's spoofed IP address and points to the external server IP address. The external web authentication login URL is appended with parameters such as the AP_Mac_Address, the client_url (www.website.com), and the action_URL that the customer needs to contact the switch web server.
The external web server URL sends the user to a login page. Then the user can use a pre-authentication access control list (ACL) in order to access the server. The ACL is only needed for the Wireless LAN Controller 2000 series.
The login page takes the user credentials input and sends the request back to the action_URL, such as http://1.1.1.1/login.html, of the WLC web server. This is provided as an input parameter to the customer redirect URL, where 1.1.1.1 is the virtual interface address on the switch.
The WLC web server submits the username and password for authentication.
The WLC initiates the RADIUS server request or uses the local database on the WLC, and then authenticates the user.
If authentication is successful, the WLC web server either forwards the user to the configured redirect URL or to the URL the client entered.
If authentication fails, then the WLC web server redirects the user back to the customer login URL.

Note: If the access points (APs) are in FlexConnect mode, a preauth ACL is irrelevant. Flex ACLs can be used to allow access to the web server for clients that have not been authenticated.

For more details, please refer to the following:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080bf7d89.shtml#redirect

Web Redirect is not working

Prasan Venky — Wed, 17 Jul 2013 02:41:53 GMT

Hi Mantej Mangat ,

All the guest credentials will be genereated in ISE thorugh sponsor portal. But how the WLC comes to know the guest credentials if we follow the above method as mentioned by you.

Web Redirect is not working

Ravi Singh — Mon, 22 Jul 2013 02:05:01 GMT

Hello Prasan,

In the above scenario WLC is sending the authentication request to server on behalf of USER and When WLC sent authentication request to external server it keep the track of this request. In this way it comes to know that authentication is successful.

Web Redirect is not working

grabonlee — Wed, 14 Aug 2013 10:13:04 GMT

In case you haven't resolved your problem. I would like to ask if you have created a DNS record for the ISE? Also if you're using pre-authentication ACL on the WLC, make sure that the Protocol is TCP and not UDP for port 8443

I see this is a bit of an old

eric.ahernandez — Tue, 22 Apr 2014 22:41:05 GMT

I see this is a bit of an old thread, right now I'm having the exact same problem. The weird thing is, It was working properly for a few weeks, suddenly today it started behaving like this, the redirection to the ISE portal gets done, and when I log in ISE shows the authentication was done right and the users get redirected to https://1.1.1.1/login.html but they can't access that URL so it gets stuck there. Anyone knows what's up with this?

Oooook, now I feel dumb for

eric.ahernandez — Tue, 22 Apr 2014 23:39:32 GMT

Oooook, now I feel dumb for replying at my own post with the answer.... So it turns out I actually did some changes a day before problems started, I disabled the WebAuth SecureWeb option (since I don't have a certificate right now and I was testing to see if stops doing the https redirection prompting for the certificate) and the problem was after the authentication it still redirects to https://1.1.1.1/login.html and it doesn't work because it's disabled. I'm trying to disable it but to keep working, is there any way to configure the redirection to the WLC virtual IP address to be HTTP instead of HTTPS? Disabling he secureweb option doesn't seem to do the trick...

Hi Eric, In your case, the

grabonlee — Thu, 24 Apr 2014 08:39:06 GMT

Hi Eric,

In your case, the redirect is handled by ISE and not the WLC. If you want HTTP to work, then you have to remove the ISE portal as the external redirect URL under the Security tab of the WLC and instead point to internal page of the WLC.

Alternatively, if you still want to use ISE as the redirect server, try changing the port number from :8443 and specify your HTTP port, which can be 80, 8080 or other user defined ports. However, whatever port you choose has to be allowed through your firewall.

Cheers

Well prasanesh i would

kaaftab — Fri, 25 Apr 2014 07:34:41 GMT

Well prasanesh i would suggest to go through cisco how to guide for step by step configuration of WLC with ISE and you can compare if any thing you have missed

How is your pre-auth ACL

eric.ahernandez — Thu, 29 May 2014 22:46:38 GMT

How is your pre-auth ACL configured in your WLC? This should be done on the anchor controller if you have one.

Also, if your DNS does not resolve the ISE IP address you can check the checkbox option to use the IP address instead of the FQDN, and the portal port has to be permitted on the firewall as well.