10-22-2018 06:58 AM
Hi Experts,
As a continuation from the previous post, I was able to tweak the posture redirect ACL to allow the redirection to work. Here
Now the user is able to get the redirect URL and is able to pass the first page.
So, user gets to this page:
Then he clicks the download link and gets directed to a blank page; there is no download of the AnyConnect package.
So, I checked the web page source and saw that the download URL was not complete and did not include the FQDN and port of the ISE server that we are connecting to, as here:
The question that I have is: is this normal behavior?
Am I missing anything on this ACL here?
rule 0 permit udp destination-port eq bootps
rule 5 permit udp destination-port eq bootpc
rule 10 permit udp destination-port eq dns
rule 15 permit ip destination <ISE Server> 0
10-24-2018 12:15 PM
I believe this is due to the 3rd-party NAD and your specific configurations. I will check with our teams who are more familiar with such use cases.
10-24-2018 01:29 PM
Can you share how the 'redirect' setting on NAD profile is configured?
10-25-2018 12:24 AM
Here I am using the HP wired NAD profile and have added this attribute: H3C-Web-URL for sending in redirect URLs, as was suggested in one of the configuration guides for HP.
Here is the redirect configuration from the NAD profile:
Also, I have seen in the live logs that the cisco-av-pair is sending this value, as seen in the HTML code there:
https://ip:port/portal/gateway?mac=ClientMacValue&portal=e22de2a0-d5f2-11e8-821a-02429aa7df64&action=cpp
If I replace the IP and port with the FQDN and 8443 manually, by copying, the download works!
10-25-2018 02:48 AM
Unfortunately this is not supported currently. With 2.4, dynamic URL feature support is limited to Cisco, HPE (Not H3C), and ArubaOS only. I suggest creating a TAC SR and reference CSCvn03432 (Dynamic URL feature support is limited to Cisco and HPE (ArubaOS) device). The defect is not visible to the public yet.
10-26-2018 03:23 AM
Does that mean this also does not work for Guest Redirection?
Since this is also one of the use cases that I am working for this client here.
10-26-2018 04:33 AM
Correct. CSCvn03432 also applies to CWA.
10-26-2018 04:47 AM
Understood! The other solution that I see fit for this situation is using the auth VLAN flow to allow guest redirection as well as client provisioning.
10-29-2018 12:27 AM
One more thing that I forgot to post in the previous reply: is this applicable for JunOS and H3C devices as well?
URL redirection or CWA cannot be configured for Juniper and H3C devices, correct?
10-29-2018 05:01 AM
If you are referring to dynamic URL redirect (e.g. CWA), then correct, sending dynamic URL is only for Cisco and HPE (ArubaOS) devices so CSCvn03432 is applicable to any other NADs.
10-29-2018 07:00 AM
FYI, there are a few workarounds noted in the defect:
Use static URL if 3rd party NAD supports it. Also, ISE 2.1 auth VLAN feature may be used instead. Lastly, if this is only for posture use case, ISE 2.2 can support URL-redirect-less flow for AnyConnect posture flow.
10-30-2018 01:02 AM
Thanks for the clarification.
Is there a certain format that I could use for static URL redirection?
If you have any, could you refer me to the same if possible?