
CWA redirection not working

Hi Team,

Hope you all are doing good.

I am working on wireless guest access (sponsor-based).

I have a WLC 5508, 3560 SW, 1702i AP, ISE 2.4.

Problem description: Earlier I was able to connect to the Guest SSID but redirection was not happening. Now I am not able to connect to the Guest SSID.

When I checked on ISE, there were no logs/hits in the live logs.

On the WLC I checked and found that the device is not getting an IP address, so I manually set the IP address, but that also didn't work; I mean there was no connectivity.

Attaching screenshots for reference.

Please help me with this. I would appreciate a prompt response.


Re: CWA redirection not working

Hi, I have the same problem with my 5508, and I downgraded the code because with the latest code no one on the guest network gets an IP address; there was not even an authentication log in ISE, and in the WLC the client showed IP address 0.0.0.0. Which version of code do you use? Again, this was only for the guest network; all other networks, like corporate WPA2 etc., are working as expected. I resolved it by downgrading the code, but there was one more way: adding a PSK for guest will allow your clients to get an IP address.


Re: CWA redirection not working

Your ACL should look something along these lines:

Extended IP access list ACL_WEBAUTH_REDIRECT
10 deny ip any host <ISE SERVER> log
20 deny ip any host <ISE SERVER> log
30 permit tcp any any eq www log
40 permit tcp any any eq 443 log
50 permit tcp any any eq 8443 log
60 deny udp any any eq domain log
70 deny udp any eq bootpc any eq bootps log

Based on my experience with posture assessment & guest portal redirects, the logic is backwards. For example:
10 deny ip any host <ISE SERVER> log -- This is actually allowing connectivity to your ISE server.

I recommend testing this out. Prior to doing so, ensure that routing is in place for your WLC/user endpoint to reach whatever NIC you are using on ISE for your portal.

HTH!
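
The redirect-ACL logic described in the reply above, as an added example that is not part of the original thread: a small Python evaluator that walks the posted ACL with the semantics the reply gives (deny = not redirected, permit = redirected). The addresses 192.0.2.10 and 192.0.2.11 are constructed stand-ins for `<ISE SERVER>`, and the function names are hypothetical.

```python
# Constructed sample: the reply's ACL with 192.0.2.10/.11 standing in for <ISE SERVER>.
ACL = """\
10 deny ip any host 192.0.2.10 log
20 deny ip any host 192.0.2.11 log
30 permit tcp any any eq www log
40 permit tcp any any eq 443 log
50 permit tcp any any eq 8443 log
60 deny udp any any eq domain log
70 deny udp any eq bootpc any eq bootps log
"""
PORTS = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}  # names used above


def _endpoint(tok):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq PORT'."""
    addr = None if tok.pop(0) == "any" else tok.pop(0)
    port = None
    if tok and tok[0] == "eq":
        name = tok[1]
        del tok[:2]
        port = PORTS[name] if name in PORTS else int(name)
    return addr, port


def parse(text):
    """Turn each ACL line into (seq, action, proto, (src, sport), (dst, dport))."""
    rules = []
    for line in text.splitlines():
        tok = [t for t in line.split() if t != "log"]
        if tok:
            rest = tok[3:]
            src = _endpoint(rest)
            dst = _endpoint(rest)
            rules.append((int(tok[0]), tok[1], tok[2], src, dst))
    return rules


def decide(rules, proto, src_ip, sport, dst_ip, dport):
    """First match wins: permit -> redirect, deny or no match -> no-redirect."""
    for seq, action, rproto, (sa, sp), (da, dp) in rules:
        if (rproto in ("ip", proto) and sa in (None, src_ip) and sp in (None, sport)
                and da in (None, dst_ip) and dp in (None, dport)):
            return ("redirect" if action == "permit" else "no-redirect"), seq
    return "no-redirect", None  # implicit deny at the end: traffic is not redirected


if __name__ == "__main__":
    rules = parse(ACL)
    for flow in [("tcp", "10.0.0.5", 50000, "203.0.113.7", 80),
                 ("tcp", "10.0.0.5", 50001, "192.0.2.10", 8443),
                 ("udp", "0.0.0.0", 68, "255.255.255.255", 67)]:
        print(flow, "->", decide(rules, *flow))
```

Each result is the decision plus the sequence number of the matching line, which shows why the two ISE entries have to sit above the `permit tcp` lines: a client reaching the portal on 8443 must hit line 10 before line 50.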