
AnyConnect blank page when clicking download link

dgaikwad
Level 5

Hi Experts,

As a continuation from the previous post, I was able to tweak the posture redirect ACL to allow the redirection to work.

Now the user is able to get the redirect URL and is able to pass the first page.

So, the user gets to this page: Download URL page.jpg

 

Then he clicks the download link and gets directed to a blank page; there is no download of the AnyConnect package.

So, I checked the web page source, I saw that the download URL was not complete and did not include the FQDN and port of ISE server that we are connecting to, as here:


Download URL code.jpg

The question that I have is: is this normal behavior?

Am I missing anything on this ACL here?

rule 0 permit udp destination-port eq bootps
rule 5 permit udp destination-port eq bootpc
rule 10 permit udp destination-port eq dns
rule 15 permit ip destination <ISE Server> 0

 


11 Replies

hslai
Cisco Employee

I believe this is due to the 3rd-party NAD and your specific configurations. I will check with our teams who are more familiar with such use cases.

howon
Cisco Employee

Can you share how the 'redirect' setting on NAD profile is configured?

Here I am using the HP wired NAD profile and have added this attribute: H3C-Web-URL for sending in redirect URLs, as was suggested in one of the configuration guides for HP.

Here is the redirect configuration from the NAD profile:

URL redirect 004.JPG

Also, I have seen in the live logs that the cisco-av-pair is sending this value, as seen in the HTML code there:

https://ip:port/portal/gateway?mac=ClientMacValue&portal=e22de2a0-d5f2-11e8-821a-02429aa7df64&action=cpp

If I replace the IP and port with the FQDN and 8443 manually by copying, the download works!
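
An added example (not part of the original thread and not Cisco's code): a small Python check for the symptom described in the post above, a url-redirect value that still carries the literal `ip` and `port` tokens, together with the manual fix of substituting the ISE FQDN and port 8443. The FQDN `ise.example.com` is constructed, and treating `ClientMacValue` as an unsubstituted token is an assumption.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Literal tokens seen in the url-redirect value quoted in the thread.
# "ip" and "port" are the two the poster replaced by hand; flagging
# "ClientMacValue" as a placeholder as well is an assumption.
PLACEHOLDERS = {"host": "ip", "port": "port", "mac": "ClientMacValue"}

# URL exactly as quoted in the thread (from the live log / page source).
SAMPLE_URL = ("https://ip:port/portal/gateway?mac=ClientMacValue"
              "&portal=e22de2a0-d5f2-11e8-821a-02429aa7df64&action=cpp")


def unresolved_placeholders(url):
    """Return the names of placeholder fields still present in a redirect URL."""
    parts = urlsplit(url)
    # Split netloc by hand: urlsplit(...).port raises on a non-numeric port.
    host, _, port = parts.netloc.rpartition(":")
    if not host:                      # no ":" in netloc, so no explicit port
        host, port = parts.netloc, ""
    query = parse_qs(parts.query)
    found = []
    if host == PLACEHOLDERS["host"]:
        found.append("host")
    if port == PLACEHOLDERS["port"]:
        found.append("port")
    if PLACEHOLDERS["mac"] in query.get("mac", []):
        found.append("mac")
    return found


def to_static_url(url, fqdn, port=8443):
    """Rebuild the URL with a fixed ISE FQDN and port, keeping path and query."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, f"{fqdn}:{port}", parts.path,
                       parts.query, parts.fragment))


if __name__ == "__main__":
    print(unresolved_placeholders(SAMPLE_URL))
    # ise.example.com is a constructed FQDN, not a value from the thread.
    print(to_static_url(SAMPLE_URL, "ise.example.com"))
```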

Unfortunately this is not supported currently. With 2.4, dynamic URL feature support is limited to Cisco, HPE (Not H3C), and ArubaOS only. I suggest creating a TAC SR and reference CSCvn03432 (Dynamic URL feature support is limited to Cisco and HPE (ArubaOS) device). The defect is not visible to the public yet.

Does that mean this also does not work for Guest Redirection?

This is also one of the use cases that I am working on for this client.

 

Correct. CSCvn03432 also applies to CWA.

Understood! The other solution that I see fit for this situation is using the auth VLAN flow to allow guest redirection as well as client provisioning.

One more thing that I forgot to post in the previous reply: is this applicable for JunOS and H3C devices as well?
URL redirection or CWA cannot be configured for Juniper and H3C devices, correct?

If you are referring to dynamic URL redirect (e.g. CWA), then correct, sending dynamic URL is only for Cisco and HPE (ArubaOS) devices so CSCvn03432 is applicable to any other NADs.

howon
Cisco Employee

FYI, there are a few workarounds noted in the defect:

Use a static URL if the 3rd-party NAD supports it. Also, the ISE 2.1 auth VLAN feature may be used instead. Lastly, if this is only for the posture use case, ISE 2.2 can support a URL-redirect-less flow for the AnyConnect posture flow.

Thanks for the clarification.

Is there a certain format that I could use for static URL redirection?
If you have any, could you refer me to the same if possible?
