CoA not automatically on client. But it's working manually.

Greenwolf
Level 1

LS,

I'm trying to configure CoA in our lab.

If I open a browser on the client, I don't get automatically redirected to the guest portal. If I copy and paste the URL that I find under URL Redirect manually, I get there. If I then log in with an AD user, everything goes smoothly.

Does anyone have an idea why the browser doesn't automatically send me to the guest portal?

ISE version: 2.0.0.306

Running config:

no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname nonono
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$y5Lh$89rGSTBReNxUXtV1HQ4Ev1
!
username radius-test password 0 key4wolkluw
username admin privilege 15 secret 5 $1$x/Yr$C0tZ143qg/fTEAz/AXn.x1
aaa new-model

aaa group server radius ISE-group
 server name ISE
!
aaa authentication login default enable
aaa authentication dot1x default group radius
aaa authorization exec ISE-AUTHO group tacacs+ local
aaa authorization commands 1 ISE-AUTHO group tacacs+ local
aaa authorization commands 15 ISE-AUTHO group tacacs+ local
aaa authorization network default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
!
!
!
!
!
aaa server radius dynamic-author
 client nononon
 server-key nononon
!
aaa session-id common
system mtu routing 1500
vtp domain RIM

vtp mode transparent
!
!
ip domain-name dev.dc
ip device tracking
!
device-sensor notify all-changes
epm logging
!
crypto pki trustpoint TP-self-signed-252061312
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-252061312
 revocation-check none
 rsakeypair TP-self-signed-252061312
!
!
crypto pki certificate chain TP-self-signed-252061312
 certificate self-signed 01
         quit
dot1x system-auth-control
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 800
 name management
!
vlan 1140
 name Dot1X
!
!
!
!
!
!
interface FastEthernet0/1
 description Win7-PC-eth4
 switchport access vlan 1140
 switchport mode access
 ip access-group SAMPLE-ACL in
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!

ip default-gateway nono
ip http server
ip http secure-server
!
ip access-list extended REDIRECT
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended REDIRECT_ACL
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq domain
 deny   tcp any host nonono eq 8443
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended SAMPLE-ACL
 deny   icmp any host 8.8.8.8
 permit ip any any
logging origin-id ip
snmp-server community nono RO
snmp-server trap-source Vlan800
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host nonoversion 2c cisco  mac-notification
tacacs server nono-T
 address ipv4 nono
 key Generic0
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server ISE
 address ipv4 nono auth-port 1812 acct-port 1813
 key nono

#show authentication sessions int fa0/1
            Interface:  FastEthernet0/1
          MAC Address:  68b5.99c8.40e2
           IP Address:  no
            User-Name:  68-B5-99-C8-40-E2
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-Waiting_for_WebAuth-56bb2696
     URL Redirect ACL:  REDIRECT
         URL Redirect:  https://nonono:8443/portal/gateway?sessionId=0AA678B70000019863A32220&portal=1219fd00-cfed-11e5-a60a-000c29ce7ed9&action=cwa&token=8f0993cef3e50494b1afb86e6f8cb1ed
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AA678B70000019863A32220
      Acct Session ID:  0x00000248
               Handle:  0x3E000199

Runnable methods list:
       Method   State

       mab      Authc Success
       dot1x    Not run

Extended IP access list REDIRECT
    10 permit tcp any any eq www (422 matches)
    20 permit tcp any any eq 443 (976 matches)
Extended IP access list REDIRECT_ACL
    20 deny udp any eq bootpc any eq bootps
    30 deny udp any any eq domain
    40 deny tcp any host 10.166.4.33 eq 8443
    50 permit tcp any any eq www
    60 permit tcp any any eq 443
Extended IP access list SAMPLE-ACL
    10 deny icmp any host 8.8.8.8
    20 permit ip any any (15 matches)
Extended IP access list xACSACLx-IP-AD_Users_via_WebAuth-56bb26e4 (per-user)
    10 permit ip any any

            Interface:  FastEthernet0/1
          MAC Address:  68b5.99c8.40e2
           IP Address:  no
            User-Name:  nonono
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-AD_Users_via_WebAuth-56bb26e4
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AA678B70000019863A32220
      Acct Session ID:  0x00000248
               Handle:  0x3E000199

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

Thanks for your help!

With kind regards,

Geert
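
The two outputs above carry everything needed to check the usual CWA redirect prerequisites on the switch side: that ISE returned a redirect URL and ACL, that the referenced ACL exists, that it permits (i.e. redirects) web traffic while exempting the portal port, and that the switch has learned the client IP (without it the redirect is never applied). This Python checker is an added example, not part of the thread or any Cisco tool; it assumes the switch prints an unlearned address as "Unknown" and uses a placeholder portal hostname in the constructed sample.

```python
import re
from urllib.parse import urlparse
# Constructed samples modelled on the post's switch output (portal host is a placeholder).
SESSION = """\
           IP Address:  Unknown
     URL Redirect ACL:  REDIRECT
         URL Redirect:  https://ise.example.test:8443/portal/gateway?action=cwa
"""
ACLS = """\
Extended IP access list REDIRECT
    10 permit tcp any any eq www (422 matches)
    20 permit tcp any any eq 443 (976 matches)
Extended IP access list REDIRECT_ACL
    40 deny tcp any host 10.166.4.33 eq 8443
    50 permit tcp any any eq www
    60 permit tcp any any eq 443
"""

def parse_session(text):
    """'show authentication sessions interface' output as a {field: value} dict."""
    return dict(tuple(map(str.strip, ln.split(":", 1))) for ln in text.splitlines() if ":" in ln)

def parse_acls(text):
    """Map each ACL in 'show ip access-lists' output to its (action, proto, rest) entries."""
    acls, name = {}, None
    for ln in text.splitlines():
        head = re.match(r"Extended IP access list (\S+)", ln)
        ace = re.match(r"\s*\d+ (permit|deny)\s+(\S+)\s+(.*?)(?: \(\d+ matches\))?$", ln)
        if head:
            acls[(name := head.group(1))] = []
        elif ace and name:
            acls[name].append(ace.groups())
    return acls

def check_redirect(session, acls):
    """List the CWA redirect prerequisites this session fails (empty list = all present)."""
    url, acl_name = session.get("URL Redirect"), session.get("URL Redirect ACL")
    if not url or acl_name not in acls:
        return [f"ISE must return a URL Redirect and an ACL that exists on the switch (got {acl_name})"]
    findings = (["client IP not learned by ip device tracking; redirect cannot be applied"]
                if session.get("IP Address", "Unknown") in ("", "Unknown") else [])
    def has(action, port):  # in a redirect ACL, permit = redirect this, deny = leave it alone
        return any(a == action and p == "tcp" and r.endswith(f"eq {port}") for a, p, r in acls[acl_name])
    for web in ("www", "443"):
        if not has("permit", web):
            findings.append(f"{acl_name} does not permit (redirect) tcp port {web}")
    portal = urlparse(url).port or 443
    if not has("deny", portal):
        findings.append(f"{acl_name} has no explicit deny for the portal port {portal}")
    return findings
```

Run against the sample, the session referencing REDIRECT gets two findings (unlearned IP, no deny for 8443), while the same session with a learned IP and REDIRECT_ACL gets none.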


nspasov
Cisco Employee

Hi Geert. From a quick look the config looks correct. A few questions here:

1. Which one from the listed ACLs do you have referenced in the Authorization Profile?

2. What is the syntax of the DACL that you are returning with the Authorization Profile?

Thank you for rating helpful posts!
