Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
23418
Views
25
Helpful
21
Replies

Cisco ISE web redirect not working

Go to solution
Jason Weids
Level 1
Level 1

‎03-01-2019 02:41 AM

Can anyone help with this. I have an open SSID doing MAC filtering to ISE with the following auth rules;

 

Capture.PNG

 

 

My devices is hitting correct rule for the unknown MAC but it is not redirecting me to the guest portal & is allowing me access in the associated VLAN assigned to the WebAuth policy.

Capture1.PNGCapture2.PNG

 

3 people had this problem
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Jason Weids

‎03-01-2019 05:35 AM

Ok. Check the ACL on the WLC and ensure the case is the same as defined on ISE and spelling.

Check this page and double check the configuration of the WLC configuration.

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to Jason Weids

‎03-01-2019 07:16 AM

Hi,

Glad to hear it's working now. I haven't used Guest for a log time, but does this link do what you want? This is to configure approval request email to a sponsor.

 

HTH

View solution in original post

Go to solution
Jason Weids
Level 1
Level 1
In response to Jason Weids

‎03-07-2019 12:18 AM

After applying the cert to the admin role & restarting ISE all portals on all browsers are now accepting the certificate. Seems strange that they didn't when we applied it to the portal role because that doesn't require a restart.

View solution in original post

0 Helpful
21 Replies 21

Go to solution
Jason Weids
Level 1
Level 1

‎03-01-2019 02:54 AM

Just to add, I can browse to the redirect link from the device.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Jason Weids

‎03-01-2019 03:19 AM

Hi,
When you access the link from the device is it via FQDN or IP address?....can the device resolve the dns hostname of the ISE PSN?

Can you confirm the redirect ACL been applied to the interface?...what is the output of "show authentication session interface Gi x" ?

What is the configuration of your called ACL_WEBAUTH_REDIRECT?

Go to solution
Jason Weids
Level 1
Level 1
In response to Rob Ingram

‎03-01-2019 04:52 AM

Hi,

 

Accessing the link works using the FQDN & the client can resolve this.

What interface would the ACL be applied to being this a wireless connection?

 

Below show the attribute of the Cisco_WebAuth profile but where to I find the configuration of the ACL_WEBAUTH_REDIRECT.

 

Capture3.PNG

 

There is also a "!" withe the following note;

 

Capture4.PNG

 

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Jason Weids

‎03-01-2019 05:02 AM

Sorry I mis-read the original post and assumed it was wired. Can you confirm the configuration of the ACL_WEBAUTH_REDIRECT ACL defined on the WLC? Can you check the WLC for the client session and confirm the redirect ACL is applied.

Go to solution
Jason Weids
Level 1
Level 1
In response to Rob Ingram

‎03-01-2019 05:26 AM - edited ‎03-01-2019 05:33 AM

It doesn't look like it is applying the ACL. Do I need to create the ACL on the WLC as well?

 

Capture5.PNG

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Jason Weids

‎03-01-2019 05:35 AM

Ok. Check the ACL on the WLC and ensure the case is the same as defined on ISE and spelling.

Check this page and double check the configuration of the WLC configuration.

Go to solution
Jason Weids
Level 1
Level 1
In response to Rob Ingram

‎03-01-2019 06:17 AM

Awesome thank you. It works. Wish I had this guide before.

 

I've another question now.

 

A guest theoretically could enter any details they like on the registration page to get access. Is there a way to verify them by email or any other methods? We sometimes have minors on site & they might need a different level of access or URL filtering, either way, for compliance we would have to be able to identify the users.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Jason Weids

‎03-01-2019 07:16 AM

Hi,

Glad to hear it's working now. I haven't used Guest for a log time, but does this link do what you want? This is to configure approval request email to a sponsor.

 

HTH

Go to solution
Jason Weids
Level 1
Level 1
In response to Rob Ingram

‎03-01-2019 09:41 AM

Only issue is the web page only seems to work with IE or edge. Is there support for other browsers & mobile devices?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Jason Weids

‎03-01-2019 12:23 PM

Do you get a certificate on the non MS browsers? If you are using an Internal CA then the IE/Edge browsers would automatically trust those certificates and not present a certificate error. Firefox/Chrome and a mobile browser would not trust the Internal CA unless specifically configured to do.

HTH
0 Helpful

Go to solution
Jason Weids
Level 1
Level 1
In response to Rob Ingram

‎03-04-2019 06:08 AM - edited ‎03-04-2019 06:09 AM

We have imported the full certificate chain that has been signed by a CA authority & bound the original cert request. It has being used by the default portal certificate group and we can confirm in the browser when redirected that is is using this certificate but it is still saying it is not trusted.

 

Cert error1.PNGcert error.PNG

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Jason Weids

‎03-04-2019 07:16 AM

Does your client computer have the QuoVadis EV SSL ICA G3 certificate in it's machine store?
0 Helpful

Go to solution
Jason Weids
Level 1
Level 1
In response to Rob Ingram

‎03-04-2019 08:59 AM

No it doesn't

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Jason Weids

‎03-04-2019 09:03 AM

That QuoVadis certificate needs to be imported to the computer trusted certificate store, otherwise the web browser will consider it untrusted and error.
0 Helpful
Customers Also Viewed These Support Documents