07-12-2018 06:16 PM - edited 02-21-2020 11:00 AM
So I have Cisco ISE running and I'm trying to do a web redirect through CoA. I know that I have done everything right because I debugged RADIUS and I see that I have success on Authentication and Authorization. The DACL downloads and I see the URL there. I also made sure that I had a DNS entry present for the URL in my environment. The problem is when I connect using MAB and try to go to an actual website, it does not get redirected to the authentication portal like it should. It goes to Google or whatever I am trying to get to, and it shouldn't. Again, I know that I did it right because the debugs show success. Also, I do a "show authentication sessions interface x" and I can see that the DACL applied and everything. I feel like it is something small that I am missing. Someone please advise. FYI, I am using a 3750 as authenticator and a Windows PC as supplicant.
07-23-2018 09:05 PM
07-24-2018 12:32 AM
Sounds like your DACL.
Make sure you are allowing access to ISE, DNS and deny the rest to trigger re-direct.
You can reference this Doc as an example.
07-24-2018 01:13 AM
There are a few things to check...
1] ip http server - Is this enabled on the switch? If not, the switch won't be able to redirect web requests.
2] CWA Redirect ACL - How have you formatted it and where have you configured it? Remember, the CWA ACL needs to be inverse, so DENY everything you want to allow (DHCP, DNS, ISE portal) and PERMIT everything else. Also, the ACL needs to be configured statically on the switch, not pushed via ISE. This isn't the same as the dACL.
3] Are clients using a proxy? If so, you need to configure the switch to listen on the proxy port instead.
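
The first two items of the checklist above can be verified offline against a saved running-config. This is an added example, not part of any post in the thread: the sample config is constructed, `192.0.2.10` is a placeholder for the ISE node, and `ACL-WEBAUTH-REDIRECT` is an assumed ACL name that has to match the redirect ACL name referenced in the ISE authorization profile.

```python
import re

# Constructed sample running-config (not from the thread). 192.0.2.10 is a
# placeholder ISE address; ACL-WEBAUTH-REDIRECT is an assumed ACL name.
SAMPLE_CONFIG = """\
ip http server
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
"""

def acl_entries(config, name):
    """Return the entries of a statically configured extended ACL, or None."""
    entries, inside = None, False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
            if inside:
                entries = []
        elif inside and line.startswith(" "):
            entries.append(line.split())
        else:
            inside = False
    return entries

def check_cwa(config, acl_name, ise_ip):
    """List which checklist items (HTTP server, redirect ACL) the config fails."""
    problems = []
    if not re.search(r"^ip http server\s*$", config, re.M):
        problems.append("ip http server is not enabled")
    entries = acl_entries(config, acl_name)
    if entries is None:
        return problems + [f"redirect ACL {acl_name} is not defined on the switch"]
    denies = [e for e in entries if e[0] == "deny"]
    # In a redirect ACL, deny means "do not redirect" and permit means "redirect".
    if not any(e[-2:] in (["eq", "domain"], ["eq", "53"]) for e in denies):
        problems.append("DNS is not denied (exempted from redirect)")
    if not any(e[-2:] == ["host", ise_ip] for e in denies):
        problems.append("ISE portal is not denied (exempted from redirect)")
    if not any(e[0] == "permit" for e in entries):
        problems.append("no permit entry, so nothing is redirected")
    return problems
```

An empty list from `check_cwa` means the HTTP server and the static redirect ACL are in place; the proxy-port question in item 3 still has to be checked separately.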