
hotspot portal redirection issue

aravikumar
Level 1

Hi

 

I created the policy sets for the hotspot portal but I am not seeing my endpoint redirecting to the portal. I am being allowed access to the internet. I am running ISE 2.4 p9. I have added the ISE FQDN in DNS. The portal test URL is working. The guest flow is not working. I tried multiple combinations of guest flow but it is not working. Any help would be appreciated. I followed the Cisco guide to configure this. But redirection is not happening. Instead of redirecting to the portal it is allowing internet access.

 

Attached is the policy set screenshot.

 

Thanks,

Aravind.


Accepted Solutions

Hi Francesco,

 

So the issue got resolved after I upgraded the Mac OS. I was able to see the captive portal pop-up successfully.

 

Thanks for your help.

 

Thanks,

 

Aravind.


10 Replies

Francesco Molino
VIP Alumni
Hi

We see 39 hits on your CWA rule, which means some endpoints must be redirected when hitting that rule.

Can you share your CWA authorization details rule?
Is this for wireless or wired?
Can you share your wireless ACL as well please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

 

Thank you for your timely response.

 

This is a wireless guest use case. I have attached the redirection authz profile and the WLC ACL screenshots. Please let me know if something is missing. I am not being redirected to the portal.

 

Thanks,

Aravind.

 

If you look at the client details on the WLC, is the user in CENTRAL_WEBAUTH_REQUIRED?

 

I always put a deny ip any any entry at the end of my redirect ACL, but it should be implied.

Can you take a screenshot of your user status?
Do you see the redirect ACL in your user status?

Your line 3 doesn't make any sense.
Usually the redirect ACL should be:
REDIRECT_ACL:
- Allow DNS (UDP and Dest port DNS) / Inbound Direction
- Allow DHCP / Inbound Direction
- Allow ISE / Inbound Direction
- Allow ANY / Outbound Direction

The source should be 0.0.0.0/0 but the destination should match what is given above. Can you test it and let us know?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
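The redirect ACL layout described in the reply above can be checked offline before it is pushed to the controller. The following is an added example, not code from the thread or from Cisco: it models only client-to-network (inbound) rules with first-match evaluation and an implicit deny, and it assumes that permitted traffic bypasses redirection while denied traffic is held for redirect. The ISE address, portal port, probe addresses and the over-broad entry in `BAD_ACL` are constructed values, not the poster's configuration.

```python
import ipaddress

ISE_IP = "192.0.2.10"   # constructed ISE portal address (assumption)
PORTAL_PORT = 8443      # assumed portal port; adjust to the deployment

# Rule: (action, protocol, destination network, destination port or None)
GOOD_ACL = [
    ("permit", "udp", "0.0.0.0/0", 53),      # DNS
    ("permit", "udp", "0.0.0.0/0", 67),      # DHCP
    ("permit", "ip", ISE_IP + "/32", None),  # ISE portal node
]
# Constructed misconfiguration: an over-broad permit ahead of the ISE entry
BAD_ACL = GOOD_ACL[:2] + [("permit", "ip", "0.0.0.0/0", None)] + GOOD_ACL[2:]

# Probe: (label, protocol, destination IP, destination port, expected action)
PROBES = [
    ("DNS lookup", "udp", "198.51.100.53", 53, "permit"),
    ("DHCP request", "udp", "255.255.255.255", 67, "permit"),
    ("ISE portal", "tcp", ISE_IP, PORTAL_PORT, "permit"),
    ("Internet HTTP", "tcp", "203.0.113.80", 80, "deny"),
    ("Internet HTTPS", "tcp", "203.0.113.80", 443, "deny"),
]

def first_match(acl, proto, dst_ip, dst_port):
    """Return the action of the first matching rule, or the implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for action, r_proto, r_net, r_port in acl:
        if r_proto != "ip" and r_proto != proto:
            continue
        if dst not in ipaddress.ip_network(r_net):
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action
    return "deny"

def audit(acl):
    """List every probe whose result differs from what a redirect ACL needs."""
    findings = []
    for label, proto, dst, port, expected in PROBES:
        got = first_match(acl, proto, dst, port)
        if got != expected:
            findings.append(f"{label}: expected {expected}, got {got}")
    return findings

if __name__ == "__main__":
    for name, acl in (("GOOD_ACL", GOOD_ACL), ("BAD_ACL", BAD_ACL)):
        print(name, audit(acl) or "ok")
```

A finding on the Internet probes corresponds to the symptom in the original question: the client reaches the internet without ever being redirected to the portal.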

Hi Francesco,

Thank you for the corrections.
So I can see redirection happening for Windows workstation, iPhone and Android. But redirection is not happening for Macintosh. The captive portal pop-up is coming but the actual ISE portal is not loading on the Macintosh machine.

 

I took packet captures on both Windows (working) and Mac (not working) endpoints. Any help would be appreciated.

Thanks,
Aravind.

Please make sure you have a valid certificate installed for the portal.

Here are some recommendations
Http://cs.co/ise-guest check out prescriptive guide
https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897

Hi Jason,

 

Thank you for your response. My portal certificate is signed by my internal CA and I am not using the default self-signed certificate. I tried with endpoints that are not part of the domain for the guest use case. As mentioned before, the endpoints in this case are Macintosh, iPhone, Android phone and Windows workstation. Though the Macintosh is attempting to load the redirection portal, it throws an error: "A problem occurred. The webpage couldn't be loaded". Does this mean the Macintosh is not accepting the CA-signed certificate presented by ISE?

 

Thanks,

 

Aravind.

I'll look at your captures later and come back to you.
Can you detail the ISE portal configuration? Is it on a different interface than the admin one? If so, is the host configured and are machines able to resolve the FQDN?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Your Mac client is 10.254.4.238.
I do see the redirect URL in your capture, a SYN initiated by your ISE and then your client doing a RST.

Do you have any firewalls on your client?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

 

So the issue got resolved after I upgraded the Mac OS. I was able to see the captive portal pop-up successfully.

 

Thanks for your help.

 

Thanks,

 

Aravind.