CWA NOT REDIRECT AUTOMATIC IN CLIENT WEBBROWSER

claudioparker · ‎06-23-2014

Guys, i have problem, the the portal cwa not open automatic in clients, if the client copy and paste the url of session, this open!! but automatic is the problem, the acl is ok, dns is ok.

switch version 15.2

mohanak · ‎06-24-2014

Client Machine URL Redirection Function Not Working


Symptoms or Issue	Users are not appropriately redirected to the correct URL for authentication.
Conditions	The monitoring and troubleshooting configuration validator is designed to catch this. The web authentication configuration (global) details may display something like the following: •Mandatory Expected Configuration Found On Device •aaa authorization auth-proxy default group <radius_group> aaa authorization auth-proxy default group radius •aaa accounting auth-proxy default start-stop group <radius_group> Missing •ip admission name <word> proxy http inactivity-time 60 Missing fallback profile <word> •ip access-group <word> in •ip admission <word> Missing •ip http server ip http server •ip http secure-server ip http secure-server
Possible Causes	The switch is missing the ip http server and/or ip http secure-server command.
Resolution	Verify and (if necessary) adjust the configuration on the switch.

and also verify the similar issue with solution:

https://supportforums.cisco.com/discussion/11954461/cwa-page-does-not-redirect

claudioparker · ‎06-26-2014

NOT WORK!!

nspasov · ‎06-26-2014

Can you post:

1. Your switch configuration

2. The output of show authentication session interface interface_name_number where the client is connecting

Thank you for rating helpful posts!

claudioparker · ‎06-26-2014

SW-ISE#show authentication sessions interface fastEthernet 0/1
Interface: FastEthernet0/1
MAC Address: 6431.5077.5aa2
IP Address: 172.16.1.2
User-Name: 64-31-50-77-5A-A2
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
ACS ACL: xACSACLx-IP-POSTURE_REMEDIATION-53a84454
URL Redirect ACL: ACL-POSTURE-REDIRECT
URL Redirect: https://xxxxxx:8443/guestportal/gateway?sessionId=AC101E6400000006000107B7&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC101E6400000006000107B7
Acct Session ID: 0x00000008
Handle: 0xC9000007

Runnable methods list:
Method State
mab Authc Success
dot1x Not run
SW-ISE#show epm session ip 172.16.1.2
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-POSTURE_REMEDIATION-53a84454
URL Redirect ACL: ACL-POSTURE-REDIRECT
URL Redirect: https://xxxxxx:8443/guestportal/gateway?sessionId=AC101E6400000006000107B7&action=cwa

-------------------

SW-ISE#show ip access-lists interface fastEthernet 0/1
permit tcp host 172.16.1.2 host 172.16.30.20 eq 8443
permit tcp host 172.16.1.2 any eq www
permit tcp host 172.16.1.2 any eq 443
permit udp host 172.16.1.2 any eq domain
permit icmp host 172.16.1.2 any

ip http server
ip http secure-server
!
ip access-list extended ACL-POSTURE-REDIRECT
deny ip any host 172.16.30.20
permit tcp any any eq 443
permit tcp any any eq www
ip access-list extended default
permit ip any any
ip radius source-interface Vlan30
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 2 tries 2
radius-server host 172.16.30.20 auth-port 1812 acct-port 1813 key cisco
radius-server vsa send accounting
radius-server vsa send authentication

if i put manual link Open, dns is ok, also if from pc telnet to 8443 work!!, the link not redirect manual on client

nspasov · ‎06-26-2014

Couple of things:

172.16.30.20 is the IP Address of ISE, correct?

Add the following ACE to the top of your ACL:

deny udp any any eq domain

Thank you for rating helpful posts!