Captive portal with cisco ISE

fgatto
Level 1

Hello guys,

 

With the help of some guidance I tried to configure captive portal access via ISE. I followed this guide: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216330-ise-self-registered-guest-portal-configu.html#anc6

Apart from a few points I didn't understand (I'm unschooled on the subject), like the ACL configuration, I followed almost everything to the letter.

Now I have this situation:
- I can see the guest Wi-Fi I created on the WLC.
- I connect and am issued an IP, but I can't open the registration page.

I also add that if I enable the "MAC Filtering" and "NAC STATE=ISE NAC" entries I can't connect to the network, so the only way is to unflag those two entries and leave "NAC STATE=NONE"; this way, as explained before, I can connect to the network.

I will leave you some screenshots so that you can get some more info.

For privacy I will remove my company data.

Thank you for your attention and I hope you can help me.

 

Let me know if you need any additional info



Hi

The MAC filter is required if you are using Central Web Authentication, which means the ISE (if the RADIUS you are using is ISE) will send the guest portal.

If you are using Local Web Authentication, the WLC will handle the guest page and no MAC filter is required.

For central web auth you need to configure NAC STATE and you need an access list configured on the WLC allowing DNS requests.

The reason you connect but don't get the portal is probably related to the ACL. You need to have connectivity with the DNS server in order to get the portal.

fgatto
Level 1

Hi Flavio 

thank you for your reply.

I set so as you suggested:
NAC STATE= ISE NAC
MAC filtered= flagged

With the current configuration, I cannot connect to the Wi-Fi, as it constantly stays in "connection in progress". So the guest page problem is secondary for the time being.

What can I verify?

I would suggest checking the client status on WLC. What is the RADIUS state of the client? Also, check if you see the redirect URL and ACL or not.

If the client is not shown on the WLC then it would be a connectivity issue between the client and the SSID. I would suggest raising a TAC case with the Wireless team for further investigation.

As I said, we need to know first what kind of web auth you are using.

If central web auth with ISE, you have a lot of work on the ISE side first.

On the WLC side, you need to use the NAC option on the Advanced tab of the WLAN, along with the ACL and MAC filter.

Keep in mind that CWA works like RADIUS and you need to allow AAA override on the WLC.

Communication with DNS is mandatory from the beginning, so you need to allow it on the guest ACL.

Now, if you are using Local Web Auth, you need to make sure the WLC portal is ready.

Nancy Saini
Cisco Employee

Hi @fgatto ,

If you are seeing the guest portal URL in the browser and the webpage is not loading, check on the client whether the tests below are failing:

  1.  telnet <ISE IP> <guest port number>
  2.  nslookup <portal URL FQDN>

If the ISE guest URL is not seen in the browser, check the redirect ACL defined on the wireless side and make sure the ACL name is pushed in the authorization profile on ISE.
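The two client-side checks above (telnet to the portal port, nslookup of the portal FQDN), scripted in Python as an added example that is not part of the thread; it takes the redirect URL copied from the browser's address bar, and the sample URL, host and port values used are constructed, not from anyone's deployment.

```python
# Added example (not from the thread): reproduces the two client-side checks
# suggested above (telnet to the ISE portal port, nslookup of the portal FQDN)
# in Python, driven by the redirect URL copied from the browser's address bar.
import socket
from typing import Dict
from urllib.parse import parse_qs, urlsplit

def parse_portal_url(url: str) -> Dict[str, object]:
    """Pull host, port and the CWA query parameters out of an ISE redirect URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("the ISE guest portal is served over https")
    port = parts.port or 443  # the thread's ISE uses 8443, but it is configurable
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"host": parts.hostname, "port": port, "query": query}

def dns_resolves(fqdn: str) -> bool:
    """Equivalent of `nslookup <portal URL FQDN>` run from the guest client."""
    try:
        socket.getaddrinfo(fqdn, None)
        return True
    except socket.gaierror:
        return False

def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Equivalent of `telnet <ISE IP> <guest port>`: can a TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or blocked by the guest ACL
        return False

def check_portal_reachability(url: str) -> Dict[str, bool]:
    """Run both checks. A False here points at the guest ACL or DNS, not at ISE;
    a missing sessionId means the WLC/ISE redirect itself is broken."""
    info = parse_portal_url(url)
    host, port = info["host"], info["port"]
    resolved = dns_resolves(host)
    return {
        "dns": resolved,
        "tcp": resolved and tcp_port_open(host, port),
        "has_session_id": "sessionId" in info["query"],
    }
```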

fgatto
Level 1

Hello guys,

thank you for your replies.

I'll premise that I'm a first-timer on this kind of topic, so I will speak in a fairly basic way.
"I would suggest checking the client status on WLC" = where can I check?
"What is the RADIUS state of the client" = should I check the status of the RADIUS?

Also I would like to point out that I only need (for the time being) Cisco ISE for external users and not those who are part of a domain. So having said that, is RADIUS necessary?

Sorry again if these are trivial questions, but I am slowly getting into this topic and I am doing it more out of passion.

cisco.smj
Level 1

(Also I would like to point out that I only need (for the time being) Cisco ISE for external users and not those who are part of a domain. So having said that, is RADIUS necessary?)
    If you want the guest SSID to forward users to ISE for the guest portal: yes.

The redirect ACL is different from your typical ACL. When you use a web redirect ACL it is identifying traffic to send to ISE. If you explicitly deny traffic it will not be redirected. If you explicitly allow traffic it will be redirected to the web redirect URL delivered by RADIUS. There used to be a bug that required you to explicitly deny DNS requests, so I go ahead and deny DNS in my redirect ACL. Here is a copy of a working redirect ACL I recently used in a lab.

ciscosmj_1-1679624742255.png

8905 is for NAC provisioning.

I have 8084 in there because I used the same ACL for a BYOD proof of concept.

You want 80 and 443 to be redirected to ISE.

I had to deny 8443 because the portal wouldn't load on some of my devices. ISE uses 8443 for the portal.

The last entry is denying DNS so it is not redirecting when it is going to my lab domain controller.
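An added example, not from the thread or from the ACL screenshot, that models the redirect ACL semantics described in the answer above (a matching permit redirects, a matching deny passes the flow through, no match means not redirected) and checks a rule list for the two mistakes the thread warns about; the rule list is reconstructed from the text, and the sense of permit versus deny differs between WLC platforms, so it is an assumption that should be confirmed against the controller's own documentation.

```python
# Added example (not from the thread): models the web-redirect ACL semantics
# cisco.smj describes: a matching "permit" line redirects the flow to the ISE
# portal, a matching "deny" line lets it pass, and no match means not redirected.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class RedirectRule:
    action: str              # "permit" (redirect) or "deny" (pass through)
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port

@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int

# Constructed reconstruction of the lab ACL from the text above (the screenshot
# itself is not reproduced); first match wins, so line order matters.
LAB_REDIRECT_ACL: List[RedirectRule] = [
    RedirectRule("deny", "udp", 53),     # DNS must never be redirected
    RedirectRule("deny", "tcp", 8443),   # the ISE guest portal itself
    RedirectRule("deny", "tcp", 8905),   # NAC/posture provisioning
    RedirectRule("deny", "tcp", 8084),   # BYOD portal from the same PoC
    RedirectRule("permit", "tcp", 80),   # intercept plain HTTP ...
    RedirectRule("permit", "tcp", 443),  # ... and HTTPS and send to the portal
]

def matches(rule: RedirectRule, flow: Flow) -> bool:
    proto_ok = rule.proto in ("any", flow.proto)
    port_ok = rule.dst_port is None or rule.dst_port == flow.dst_port
    return proto_ok and port_ok

def is_redirected(acl: List[RedirectRule], flow: Flow) -> bool:
    """First matching line decides; no match is the implicit deny: not redirected."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action == "permit"
    return False

def lint_redirect_acl(acl: List[RedirectRule]) -> List[str]:
    """Flag the two mistakes the thread warns about: redirecting DNS, and
    redirecting the portal port, which would send the client round in a loop."""
    problems = []
    if is_redirected(acl, Flow("udp", 53)):
        problems.append("udp/53 would be redirected: the portal FQDN cannot resolve")
    if is_redirected(acl, Flow("tcp", 8443)):
        problems.append("tcp/8443 would be redirected: portal requests loop back")
    return problems
```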

How did you beat the problem where calling the Guest Portal via the Redirect-ACL from an https:// page (before being auth'd) resulted in the browser showing an SSL not trusted error?
e.g. an unauthenticated PC trying https://google.com/ gets the Redirect-ACL URL from ISE, but the browser expected google yet it's the self-signed cert from the Cisco gear, so a browser SSL error pops up to scare the user.
In my case a locally signed certificate (which will never match the site the user was trying to visit) was being used as the SSL cert for the encryption.

The problem seems to be that if triggering the authorisation portal is via SSL I see this error; the user needs to accept the bodgy cert, but it's not a smooth experience. Trying to trigger it via an http:// call does not work either, as browsers today seem to automatically try the https:// variant, so I see the error again even when trying http://

The process: PC -> GuestSSID -> MAC not auth'd -> attempted SSL web site triggers Redirect-ACL -> ISE issues the redirect URL to the Guest portal -> the self-signed Cisco SSL gear triggers a browser warning because the SSL cert does not match the Guest Portal URL provided by ISE.
At least I think this is what is happening. The ISE Guest portal page is https:// on port 8443...

fgatto
Level 1

Thanks to all for the answers.

I am going on, and now I can connect with the current configuration. The problem is that when I connect to the Wi-Fi it doesn't redirect to the portal to register my user, but if I type in the URL, the browser opens the page correctly. Also, if I try to register it crashes while loading.

I have a question: in the Wi-Fi configuration on the WLC, in the "AAA servers" section, in the drop-down menu should I select the IP of ISE or RADIUS?

fgatto
Level 1

Problem Solved