02-01-2013 03:48 AM - edited 03-10-2019 08:02 PM
Problem: When connecting to the CWA ssid, the client gets redirected to: https://lab-ise01.lab.local:8443/guestportal/gateway?sessionId=3c02a8c00000000878430a51&action=cwa
but the link times out.
I'm currently following this guide: https://supportforums.cisco.com/docs/DOC-26442
Any thoughts or suggestions are appreciated.
Info: ISE 1.1.1 and vWLC 7.3.101.0 are installed on VMware. Identity Source: Internal Users. AP is in FlexConnect mode. MAC filtering enabled, no layer 3 security. Allow AAA Override enabled. RADIUS NAC enabled.
Topology:
Win7/iPad - - - AP----labswitch-----switch-----switch-----VMware
(Traffic does not pass through FW and there are no ACL on the switches.)
ACL on WLC:
Client on WLC
02-03-2013 08:13 AM
Can you see if DNS is working for the client?
Regards
Mikael
Sent from Cisco Technical Support iPad App
02-04-2013 07:30 AM
DNS works fine, but it can't reach the ISE for some reason.
The WLAN works fine without web-auth (ISE) btw
02-08-2013 04:57 AM
I thought I might be hitting the bug mentioned in the following thread. https://supportforums.cisco.com/thread/2191587
Oddly enough, updating the vWLC to v7.3.112.0 did not resolve the problem. (ISE is v1.1.2)
I still cannot reach anything from the CWA WLAN unless I remove CWA.
02-09-2013 06:10 PM
Are you sending the Airespace ACL so the client can hit the ISE node, with the DNS services allowed? Please provide the screenshots of the client session from the WLC. Also hover over the green button in the ISE Live Authentications portal and provide a screenshot of the RADIUS attributes that are sent back to the controller.
Sent from Cisco Technical Support Android App
02-14-2013 12:16 PM
I am having this exact issue as well. I followed the FlexConnect Wireless BYOD guide but I just time out getting the redirect page. I've even opened the ACL to any/any. The guide makes mention of sending a flex ACL as the CWA Airespace-ACL-Name but that does not appear right. Controller is on 7.4 and ISE 1.1.2
02-14-2013 02:58 PM
Another test is to copy the redirect URL from the WLC, swap the domain name part in the URL for the ISE IP address, then paste it in the browser. Just to test without DNS and narrow down the troubleshooting.
Example:
[hxxps://198.51.100.10:8443/guestportal/gateway?sessionId=3c02a8c00000000878430a51&action=cwa]
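The DNS-free test described above, as an added example that is not part of the thread: it parses the CWA redirect URL the WLC hands the client, rebuilds it with the ISE IP in place of the hostname (keeping port, path and sessionId), and separates a DNS failure from a TCP reachability failure. The sample URL is the one quoted in the original question and 198.51.100.10 is the placeholder address from the example above.

```python
# Added example (not from the thread): pull the host, port and sessionId out
# of the CWA redirect URL, rebuild it with the ISE IP in place of the hostname
# (the DNS-free test suggested above), and classify a time-out as a DNS
# failure versus TCP unreachability of the portal port.
import socket
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Sample input: the redirect URL quoted in the original question.
REDIRECT_URL = ("https://lab-ise01.lab.local:8443/guestportal/gateway"
                "?sessionId=3c02a8c00000000878430a51&action=cwa")


def parse_redirect(url):
    """Return the pieces worth comparing against the WLC client session."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return {
        "host": parts.hostname,
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "path": parts.path,
        "session_id": query.get("sessionId", [None])[0],
        "action": query.get("action", [None])[0],
    }


def swap_host_for_ip(url, ip):
    """Same URL with the ISE IP instead of its hostname; port, path and
    query (including sessionId) are kept so the portal still finds the session."""
    parts = urlsplit(url)
    netloc = f"{ip}:{parts.port}" if parts.port else ip
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def probe(host, port, timeout=3.0):
    """Distinguish a DNS failure from TCP unreachability (needs network access)."""
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror:
        return "dns-failure"
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "tcp-reachable"
    except OSError:
        return "tcp-unreachable"


if __name__ == "__main__":
    info = parse_redirect(REDIRECT_URL)
    print(info)
    # 198.51.100.10 is the placeholder address used in the thread's example.
    print(swap_host_for_ip(REDIRECT_URL, "198.51.100.10"))
    print(probe(info["host"], info["port"]))
```

Run it from the client that is being redirected; "dns-failure" points at the portal FQDN, while "tcp-unreachable" with a resolvable name points at the pre-auth ACL or the path to ISE on TCP 8443.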
02-15-2013 04:34 AM
Hi all.
According to this behaviour, I have a similar problem with the renewal of the IP address. In a similar scenario (ISE 1.1.2 + vWLC 7.3.101 + CWA + dynamic VLAN assignment), for test purposes I need to use the AP in FlexConnect mode with central control and data traffic, because the vWLC does not support APs in local mode.
Applying CWA in an SSID with a "non-routed" interface and two interfaces for the two different profiles. The client passes the CWA profile in the "non-routed" subnet when redirected; after a successful web authentication ISE sends the WLC the new attributes including the new VLAN, the new ACL and the Access-Accept, but the client does not try to change its IP address through DHCP.
I use two rules for authentication
First: Guest Redirection; condition "Wireless MAB" then "WLC-CWA" (central authentication - ACL-POSTURE-REDIRECT)
Second (this rule above the first): Guest Traffic; condition "Network Access: UseCase EQUALS GuestFlow" then "Guest Permit Access" (which includes the new VLAN assignment based on the role, the new ACL assignment, and Termination-Action=0)
WLC shows me the data correctly, it changes the interface, the ACL and changes the client status to RUN but maintains the IP address belonging to the old VLAN (non-routed vlan)
Could it be possible that this bug is hitting me?
Is there any RADIUS attribute to force a DHCP IP process for these devices?
Thanks in advance.
Best Regards.
02-15-2013 05:02 AM
Hi
The client doesn't know that the WLC changed VLAN and is not asking for a new IP.
To get that you need to use the 802.1X supplicant on the client, hence it's better to only use ACLs for the MAB/guest flow.
On a switch you can bounce the port, but I don't think there is a good way to do that on wireless.
Regards
02-15-2013 05:14 AM
Hello,
It works only for Windows.
1. Click on "Administration" menu
2. Click on "Guest Management"
3. Click on "Settings"
4. Expand "Guest". Expand "Multi-Portal Configuration"
5. Click on "DefaultGuestPortal" or the name of a custom portal you may have created
6. Enable "Vlan DHCP Release".
here is a link: https://supportforums.cisco.com/docs/DOC-18325
regards
06-18-2022 07:07 PM
Hi Raul, sorry, my English is not good.
You said: "WLC shows me the data correctly, it changes the interface, the ACL and changes the client status to RUN but maintains the IP address belonging to the old VLAN (non-routed vlan)"
In Spanish (translated)...
Could you please check the FlexConnect group: WLAN VLAN mapping:
Here the chosen wlan-id must point to the "old vlan", besides indicating the native VLAN for the AP. However many wlan-ids are needed, they should point to the "old vlan".
Afterwards your authZ Profile must indicate the final VLAN to which you want to authorize.
An important requirement is that the WLC supports UDP 1700 (CoA); on ISE, `show ports | in 1700`. The flex ACL can include 2 lines that allow bootpc client --- bootps server (and vice versa), a generous timeout (10 sec), and as an additional recommendation enable "Vlan DHCP Release" in the Guest Portal.
If that does not work, first validate on the wired side that DHCP reaches the guest VLAN.
Awaiting your reply.
Regards, Ivan.
06-20-2022 04:56 AM
This is a post from 2013 (9 years ago!) I highly suggest making a new community post to help with your issue.