06-23-2014 08:33 AM - edited 03-10-2019 09:49 PM
Guys, I have a problem: the CWA portal does not open automatically on clients. If the client copies and pastes the session URL, it opens!! But automatic is the problem. The ACL is OK, DNS is OK.
switch version 15.2
06-24-2014 12:13 PM
Symptoms or Issue | Users are not appropriately redirected to the correct URL for authentication. |
Conditions | The monitoring and troubleshooting configuration validator is designed to catch this. The web authentication configuration (global) details may display something like the following: |
Mandatory Expected Configuration | Found On Device |
• aaa authorization auth-proxy default group <radius_group> | aaa authorization auth-proxy default group radius |
• aaa accounting auth-proxy default start-stop group <radius_group> | Missing |
• ip admission name <word> proxy http inactivity-time 60 | Missing |
• fallback profile <word> / ip access-group <word> in / ip admission <word> | Missing |
• ip http server | ip http server |
• ip http secure-server | ip http secure-server |
Possible Causes | The switch is missing the ip http server and/or ip http secure-server command. |
Resolution | Verify and (if necessary) adjust the configuration on the switch. |
Also check this similar issue and its solution:
https://supportforums.cisco.com/discussion/11954461/cwa-page-does-not-redirect
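The expected-versus-found comparison in the table above can be reproduced offline against a saved show running-config. The following is an added example, not part of the original reply or of the ISE validator; it assumes IOS-style indentation for sub-commands, and the sample config with the names WEBAUTH and ACL-DEFAULT is constructed.

```python
import re

# Global commands the validator table above expects; <...> stands for one token.
EXPECTED = [
    "aaa authorization auth-proxy default group <radius_group>",
    "aaa accounting auth-proxy default start-stop group <radius_group>",
    "ip admission name <word> proxy http inactivity-time 60",
    "fallback profile <word>",
    "ip http server",
    "ip http secure-server",
]
# Sub-commands expected inside the "fallback profile <word>" block.
FALLBACK_CHILDREN = ["ip access-group <word> in", "ip admission <word>"]

# Constructed sample, not the poster's switch; WEBAUTH and ACL-DEFAULT are made up.
SAMPLE = """\
aaa authorization auth-proxy default group radius
fallback profile WEBAUTH
 ip access-group ACL-DEFAULT in
ip http server
no ip http secure-server
"""

def to_regex(template):
    """Compile a template into a regex that matches one whole config line."""
    tokens = [r"\S+" if t.startswith("<") else re.escape(t) for t in template.split()]
    return re.compile(r"\s+".join(tokens) + "$")

def validate(config_text):
    """Map each expected command to the line found in the config, or 'Missing'."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    report, children = {}, []
    for template in EXPECTED:
        rx = to_regex(template)
        # Matching from column 0 skips indented sub-commands and "no ..." lines.
        idx = next((i for i, l in enumerate(lines) if rx.match(l)), None)
        report[template] = "Missing" if idx is None else lines[idx]
        if idx is not None and template.startswith("fallback profile"):
            for sub in lines[idx + 1:]:  # indented lines belong to the profile
                if not sub[:1].isspace():
                    break
                children.append(sub.strip())
    for template in FALLBACK_CHILDREN:
        hits = list(filter(to_regex(template).match, children))
        report["fallback profile: " + template] = hits[0] if hits else "Missing"
    return report

if __name__ == "__main__":
    print("\n".join(f"{k:68} {v}" for k, v in validate(SAMPLE).items()))
```

A configuration pasted without its indentation, as forum posts often are, will report the fallback profile sub-commands as Missing.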
06-26-2014 12:11 PM
DOES NOT WORK!!
06-26-2014 12:37 PM
Can you post:
1. Your switch configuration
2. The output of show authentication session interface interface_name_number where the client is connecting
06-26-2014 12:53 PM
SW-ISE#show authentication sessions interface fastEthernet 0/1
Interface: FastEthernet0/1
MAC Address: 6431.5077.5aa2
IP Address: 172.16.1.2
User-Name: 64-31-50-77-5A-A2
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-POSTURE_REMEDIATION-53a84454
URL Redirect ACL: ACL-POSTURE-REDIRECT
URL Redirect: https://xxxxxx:8443/guestportal/gateway?sessionId=AC101E6400000006000107B7&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC101E6400000006000107B7
Acct Session ID: 0x00000008
Handle: 0xC9000007
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
SW-ISE#show epm session ip 172.16.1.2
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-POSTURE_REMEDIATION-53a84454
URL Redirect ACL: ACL-POSTURE-REDIRECT
URL Redirect: https://xxxxxx:8443/guestportal/gateway?sessionId=AC101E6400000006000107B7&action=cwa
-------------------
SW-ISE#show ip access-lists interface fastEthernet 0/1
permit tcp host 172.16.1.2 host 172.16.30.20 eq 8443
permit tcp host 172.16.1.2 any eq www
permit tcp host 172.16.1.2 any eq 443
permit udp host 172.16.1.2 any eq domain
permit icmp host 172.16.1.2 any
ip http server
ip http secure-server
!
ip access-list extended ACL-POSTURE-REDIRECT
deny ip any host 172.16.30.20
permit tcp any any eq 443
permit tcp any any eq www
ip access-list extended default
permit ip any any
ip radius source-interface Vlan30
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 2 tries 2
radius-server host 172.16.30.20 auth-port 1812 acct-port 1813 key cisco
radius-server vsa send accounting
radius-server vsa send authentication
If I enter the link manually, it opens. DNS is OK, and telnet from the PC to 8443 also works!! The link does not redirect; it is only manual on the client.
06-26-2014 01:32 PM
Couple of things:
172.16.30.20 is the IP Address of ISE, correct?
Add the following ACE to the top of your ACL:
deny udp any any eq domain