Cisco ISE Guest Access URL Redirect after authentication

InfraISE2020
Level 1

We upgraded our Cisco ISE portal from v2.7 to v3.0 and following on from this we appear to have an issue with guest authentication.

Previously, when a guest connected to our Guest SSID they were redirected to a portal to sign in. This part of the authentication is working; however, after sign in they were redirected to our company URL.

Since the upgrade the users are no longer being redirected after the authentication, resulting in them believing they are not authenticated, but if they connect to the SSID again they are already authenticated (dropped into the endpoint identity group) and can browse the internet.

We have tried different URLs and options in the "once authenticated, take guest to" configuration; however, none of these appear to be working.

We have also updated the portal on the Cisco ISE builder to be on the same version as ISE; however, this doesn't appear to have made any improvements.

Has anyone come across these problems post upgrade? Alternatively, does anyone know what settings need to be enabled so that after authentication the guest access sign in automatically disappears and they are no longer redirected to a website?

TIA.

7 Replies

I think in the Authentication Success Settings you can choose one of the following options:

- Original URL

- Authentication Success page

- Custom URL

I think in your case you might want to select the Authentication Success page, that should take care of letting the users know that they are successfully authenticated.

Hi Aref,

We have tried that; however, it still appears to leave the user in an unauthenticated state - until they reconnect to the SSID, where they are able to log in as they are dropped in to the correct EIG.

@InfraISE2020 - just a quick suggestion - I had a similar issue with an ISE 3.0 customer and the issue turned out that on the WLC I had forgotten to include permit statements for PSN @ TCP/8443 in the ACL_ALLOWED ACL (i.e. after authentication or after successful MAC auth). I could have sworn that in earlier deployments I never had to do that. It seems a bit non-sensical, because the ISE portals should not be involved AFTER an authentication. Anyway - it's worth a try.

Hi Arne,

I am also facing the same issue; could you please share the ACL which you have configured?

In my case I have configured the ACL on ISE itself for after authentication.

Regards

Amit

Amit, are you using an AireOS WLC or 9800?

In either case, what I was referring to is the ACL that is applied to the user AFTER they have successfully authenticated on the portal (or passed MAB auth successfully using the "Remember Me" method).

In the case of AireOS, the ACL lives on the controller and I had to include the PSN's IP address and the destination TCP port of the portal - I don't have access to this config now - but I allowed inbound access to PSN dest port 8443 and outbound from PSN source 8443

The post auth ACL at a high level goes like this

Allow DNS

Allow ISE PSN Portals

Block RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)

Allow Everything

Many thanks Arne, for taking the time to reply to me.

"are you using an AireOS WLC or 9800?" --> C9800-CL

"In either case, what I was referring to is the ACL that is applied to the user AFTER they have successfully authenticated on the portal (or passed MAB auth successfully using the "Remember Me" method)." --> That means the ACL for internet access, not the redirect one?

"In the case of AireOS, the ACL lives on the controller and I had to include the PSN's IP address and the destination TCP port of the portal - I don't have access to this config now - but I allowed inbound access to PSN dest port 8443 and outbound from PSN source 8443" --> OK. In my case I have a C9800-CL, which means I have to place my ACL on ISE. Here is my ACL; please check and suggest corrections:

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 1ab.25.32.11 -->ISE PSN1
permit ip any host 1ab.25.32.12 -->ISE PSN2
permit ip any host 10.1xy.10.9 -->DNS1
permit ip any host 10.1xy.10.10 -->DNS2
permit ip any any

Regards

Amit

If you have a C9800 and you want to apply a dACL AFTER successful authentication then you should have something like

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 1ab.25.32.11 eq 8443 -->ISE PSN1 (best to specify the exact TCP port - e.g. 8443)
permit tcp any host 1ab.25.32.12 eq 8443 -->ISE PSN2 (best to specify the exact TCP port - e.g. 8443)
permit ip any host 10.1xy.10.9 -->DNS1   <--- this won't match because DNS further above will match
permit ip any host 10.1xy.10.10 -->DNS2 <--- make this more specific by specifying DNS UDP port - and then delete the more generic rule at the top
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
permit ip any any
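Arne's two review points above (the DNS host entries that can never match because the generic DNS rule sits above them, and permitting TCP 8443 to the PSN ahead of the RFC 1918 denies) can be checked mechanically before the dACL is pushed. The following is an added example written for this thread, not code from the thread or from Cisco; it handles only the simple ACE syntax used above, and the PSN and DNS addresses in it are constructed placeholders.

```python
# Added example (not from the thread): a static check of an IOS-style dACL in the spirit of
# Arne's review above. PSN 10.10.10.11 and DNS 10.10.20.9 are constructed placeholders.
import ipaddress, re

PORTS = {"domain": 53, "bootps": 67, "bootpc": 68}
_port = lambda tok: None if tok is None else int(PORTS.get(tok, tok))  # None means any port
ACE_RE = re.compile(r"^(?P<act>permit|deny) (?P<proto>ip|tcp|udp) (?P<src>any|host \S+|\S+ \S+)"
                    r"(?: eq (?P<sp>\S+))? (?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<dp>\S+))?$")

def _net(tok):  # 'any', 'host A' or 'A WILDCARD' -> IPv4Network
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.ip_network(tok[5:])
    return ipaddress.ip_network(tuple(tok.split()))  # (address, hostmask) form

def parse(text):  # one (action, proto, src_net, src_port, dst_net, dst_port) tuple per ACE
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(" ".join(line.split()))  # collapse stray whitespace
        assert m, "unparsable ACE: " + line
        aces.append((m["act"], m["proto"], _net(m["src"]), _port(m["sp"]),
                     _net(m["dst"]), _port(m["dp"])))
    return aces

def _covers(a, b):
    """True if every packet ACE b would match is already matched by the earlier ACE a."""
    return (a[1] in ("ip", b[1]) and b[2].subnet_of(a[2]) and b[4].subnet_of(a[4])
            and a[3] in (None, b[3]) and a[5] in (None, b[5]))

def shadowed(aces):  # 0-based indexes of ACEs that can never match, whatever their action
    return [j for j in range(len(aces)) if any(_covers(aces[i], aces[j]) for i in range(j))]

def first_match(aces, proto, src, dst, dport=None, sport=None):
    """(index, action) of the first ACE matching a packet; (None, 'deny') is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (act, p, sn, sp, dn, dp) in enumerate(aces):
        if p in ("ip", proto) and s in sn and d in dn and sp in (None, sport) and dp in (None, dport):
            return i, act
    return None, "deny"

# Arne's layout with the DNS host entry made port-specific but the generic DNS rule left above it.
DACL = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 10.10.10.11 eq 8443
permit udp any host 10.10.20.9 eq domain
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
"""
```

Running shadowed(parse(DACL)) reports index 3 (the specific DNS entry) as dead, and first_match shows TCP 8443 to the PSN hitting the permit at index 2 while any other port to the same PSN falls through to the 10/8 deny.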