Jason Weids
Beginner

Cisco ISE web redirect not working

Can anyone help with this? I have an open SSID doing MAC filtering to ISE with the following auth rules:

 

Capture.PNG

 

 

My device is hitting the correct rule for the unknown MAC but it is not redirecting me to the guest portal & is allowing me access in the associated VLAN assigned to the WebAuth policy.

Capture1.PNGCapture2.PNG

 

3 ACCEPTED SOLUTIONS

Accepted Solutions

Ok. Check the ACL on the WLC and ensure the case and spelling are the same as defined on ISE.

Check this page and double-check the WLC configuration.


Hi,

Glad to hear it's working now. I haven't used Guest for a long time, but does this link do what you want? This is to configure approval request email to a sponsor.

 

HTH


After applying the cert to the admin role & restarting ISE all portals on all browsers are now accepting the certificate. Seems strange that they didn't when we applied it to the portal role because that doesn't require a restart.


21 REPLIES 21
Jason Weids
Beginner

Just to add, I can browse to the redirect link from the device.

Hi,
When you access the link from the device, is it via FQDN or IP address? Can the device resolve the DNS hostname of the ISE PSN?

Can you confirm the redirect ACL has been applied to the interface? What is the output of "show authentication session interface Gi x"?

What is the configuration of your ACL called ACL_WEBAUTH_REDIRECT?

Hi,

 

Accessing the link works using the FQDN & the client can resolve this.

What interface would the ACL be applied to, this being a wireless connection?

 

Below shows the attributes of the Cisco_WebAuth profile, but where do I find the configuration of the ACL_WEBAUTH_REDIRECT?

 

Capture3.PNG

 

There is also a "!" with the following note:

 

Capture4.PNG

 

 

Sorry, I misread the original post and assumed it was wired. Can you confirm the configuration of the ACL_WEBAUTH_REDIRECT ACL defined on the WLC? Can you check the WLC for the client session and confirm the redirect ACL is applied?

It doesn't look like it is applying the ACL. Do I need to create the ACL on the WLC as well?

 

Capture5.PNG

Ok. Check the ACL on the WLC and ensure the case and spelling are the same as defined on ISE.

Check this page and double-check the WLC configuration.

Awesome thank you. It works. Wish I had this guide before.

 

I've another question now.

 

A guest theoretically could enter any details they like on the registration page to get access. Is there a way to verify them by email or any other methods? We sometimes have minors on site & they might need a different level of access or URL filtering, either way, for compliance we would have to be able to identify the users.

Hi,

Glad to hear it's working now. I haven't used Guest for a long time, but does this link do what you want? This is to configure approval request email to a sponsor.

 

HTH

Only issue is the web page only seems to work with IE or edge. Is there support for other browsers & mobile devices?

Do you get a certificate error on the non-MS browsers? If you are using an Internal CA then the IE/Edge browsers would automatically trust those certificates and not present a certificate error. Firefox/Chrome and a mobile browser would not trust the Internal CA unless specifically configured to do so.

HTH

We have imported the full certificate chain that has been signed by a CA authority & bound the original cert request. It is being used by the default portal certificate group and we can confirm in the browser when redirected that it is using this certificate, but it is still saying it is not trusted.

 

Cert error1.PNGcert error.PNG

Does your client computer have the QuoVadis EV SSL ICA G3 certificate in its machine store?

No it doesn't

That QuoVadis certificate needs to be imported to the computer trusted certificate store, otherwise the web browser will consider it untrusted and error.
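
The trust failure discussed in the last few posts can be reproduced offline. The script below is an added example, not part of the original thread: it builds a constructed three-level chain (the names "Demo Root CA", "Demo Intermediate CA" and portal.example.test are made up) and shows that a client trusting only the root rejects the portal certificate until the intermediate is available to it. It assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo chain: Demo Root CA -> Demo Intermediate CA -> portal leaf.
# Every name and file here is made up for illustration (assumption, not from the thread).

new_csr() {  # $1 = dir, $2 = file basename, $3 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {  # $1 = working directory
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:portal.example.test\n' > "$d/leaf.ext"
  new_csr "$d" root "Demo Root CA" || return 1
  new_csr "$d" ica "Demo Intermediate CA" || return 1
  new_csr "$d" leaf "portal.example.test" || return 1
  # Self-signed root: the only certificate in the client's trust store.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA, issued by the root.
  openssl x509 -req -in "$d/ica.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 30 -extfile "$d/ca.ext" -out "$d/ica.pem" 2>/dev/null || return 1
  # Portal certificate, issued by the intermediate.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ica.pem" -CAkey "$d/ica.key" \
    -set_serial 3 -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Returns 0 when the portal certificate chains to the trusted root.
# leaf_only:         the client sees only the leaf and has no intermediate.
# with_intermediate: the intermediate is available (sent by the server or
#                    present in the client's certificate store).
portal_cert_trusted() {  # $1 = dir, $2 = leaf_only | with_intermediate
  case "$2" in
    leaf_only)         openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" ;;
    with_intermediate) openssl verify -CAfile "$1/root.pem" \
                         -untrusted "$1/ica.pem" "$1/leaf.pem" ;;
    *) return 2 ;;
  esac >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir"
for mode in leaf_only with_intermediate; do
  if portal_cert_trusted "$demo_dir" "$mode"; then echo "$mode: trusted"
  else echo "$mode: NOT trusted"; fi
done
rm -rf "$demo_dir"
```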