Cisco ISE - Redirect CWA

David Boos
Level 1

I'm new to ISE and have run into a snag that I'm not sure how to handle. I have CWA configured and when I access the ISE SSID I am redirected to the guest login page. When I log in it asks me to accept the AUP, I accept, it tells me authentication is successful, but when I try to browse to another site I can't get anywhere and it brings me right back to the guest login page. Any ideas or suggestions?

1 Accepted Solution

Replace the condition on the left from Guest to Any. The policy you defined below is to redirect all MAB requests to the redirection portal where the user can enter their authentication information.

Thanks,

tarik admani

As always please remember to rate any feedback that you find helpful.

22 Replies

Tarik Admani
VIP Alumni

David,

You will have to create another authorization policy above this rule that they will have to hit once their Endpoint profile changes. This is where CoA comes into play and this is what ISE uses over other RADIUS servers.

When the user authenticates and is unknown to ISE then the endpoint gets redirected to the web portal. Once the user authenticates, this is where CoA takes effect and searches for another matching authorization policy. Have you created an authorization policy for guests?

Thanks,

Tarik admani
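
The flow described in the reply above, as an added example that is not part of the thread and is not Cisco ISE code: a simplified Python model of first-match authorization followed by a CoA re-evaluation. The rule names, profile names and session fields are constructed for illustration.

```python
# Simplified model of first-match authorization with CoA (not Cisco ISE code).
# Rule names, profile names and session fields are assumptions for illustration.

REDIRECT = "CWA_Redirect"   # hypothetical profile: URL-redirect to the guest portal
PERMIT = "PermitAccess"     # hypothetical profile: normal network access


def authorize(policy, session):
    """Return the profile of the first rule whose condition matches the session."""
    for _name, condition, profile in policy:
        if condition(session):
            return profile
    return "DenyAccess"


def cwa_flow(policy, coa_reauth=True):
    """Walk one endpoint through MAB, portal login and the CoA re-evaluation."""
    session = {"method": "MAB", "identity_group": "Unknown"}
    trace = [authorize(policy, session)]         # initial MAB request
    if trace[0] != REDIRECT:
        return trace
    session["identity_group"] = "Guest"          # user logs in and accepts the AUP
    if coa_reauth:
        trace.append(authorize(policy, session))  # CoA: the policy is searched again
    else:
        trace.append(trace[0])                   # no CoA: the old result stays in force
    return trace


def is_mab(session):
    return session["method"] == "MAB"


def is_guest(session):
    return session["identity_group"] == "Guest"


# Only a redirect rule: the re-evaluation after login hits the redirect again.
redirect_only = [("Redirect MAB", is_mab, REDIRECT)]

# Guest rule placed above the redirect rule: the second pass stops at it.
guest_above = [("Guest access", is_guest, PERMIT),
               ("Redirect MAB", is_mab, REDIRECT)]

if __name__ == "__main__":
    print("redirect only:     ", cwa_flow(redirect_only))
    print("guest rule above:  ", cwa_flow(guest_above))
    print("guest rule, no CoA:", cwa_flow(guest_above, coa_reauth=False))
```
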

I've attached a copy of my authorization policy.

Thanks for replying.

David,

Do you have RADIUS NAC enabled on your WLC? Also, what version of code are you running on the controller?

Also when the authentication event occurs can you post a screenshot of the authentication page (under Monitoring > Authentication).

Along with AAA override, should be under the advanced settings on the SSID.

Thanks

tarik Admani

I've attached screenshots

WLC Code

WLAN Settings

The controller side looks fine, we need to see if you have CoA enabled globally. Can you check the following and set the CoA to reauth (default is set to No CoA).

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_prof_pol.html#wp1340803

Please post a screenshot of the authentication report (Monitoring > Authentications).

thanks,

Tarik Admani

I did not have CoA enabled and set to reauth. Set that option, disconnected from the WLAN, reassociated, still loops back to the guest page. Attached a screenshot of the authentications - I assumed on ISE and not on the WLC.

Can you post a screenshot of your Guest policy? I only see the Identity group condition but not the authorization profile that you assigned to this rule.

Thanks

tarik Admani

Guest Policy

Sorry,

I meant the authorization policy that is above your redirection policy under authorization.

The policy under Policy > Results then Authorization > Authorization Results?

Expand the screenshot in the 3rd message of this thread.

Nothing under Layer 3. I was sent a PowerPoint called "ISE for CUWN Essentials: Central Web Authentication (CWA) Configuration Example" and I followed that. I would attach it but I can only attach images/video. It calls for Layer 2 MAC filtering and nothing for Layer 3. Maybe that's wrong but just filling you in on where I'm coming from.

Thanks,
David

Sorry about the previous message, I thought I had deleted that. I would like you to expand the screenshot in the 3rd message of this thread, it only shows the identity group condition and not the result that you selected.

Got it, attached below.