09-03-2012 12:23 AM - edited 03-10-2019 07:29 PM
I have a situation where DNS cannot be used for redirecting on CWA, so I have had to create an auth profile that has manual entries in it that redirects the guest to the IP address of the guest portal, rather than the DNS name.
The attribute is configured with the following:
cisco-av-pair = url-redirect=https://x.x.x.x:8443/guestportal/Login.action
cisco-av-pair = url-redirect-acl=cwa
The redirection works, and the guest is prompted with a login screen, but as soon as they are authenticated they receive an error page stating that the resource is not found, with the resource being /guestportal.
The URL that it is trying to reach is https://x.x.x.x:8443/guestportal/guest/redir.html
Has anyone managed to configure CWA to use the IP address rather than the DNS name, and go around this issue?
09-03-2012 12:36 AM
Martyn,
Can you try this av-pair instead (substitute only the x.x.x.x and leave the other variables; ISE should populate them with the correct session ID). Keep in mind DNS is critical, but let's see if the following changes your luck. Usually the redirection afterwards is a page that tells the user to retry their original request.
url-redirect=https://x.x.x.x:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
url-redirect-acl=cwa
Thanks,
Tarik Admani
*Please rate helpful posts*
09-03-2012 04:06 AM
Hi Tarik,
Thanks for the suggestion,
I did initially have it set to this, as that was initially logical to me, but when I had that in place you get a "session has expired" window after the logon has completed, so I thought I would try a couple of other redirects to see if they would work, but that's where I ended up at the initial redirect URL that I posted.
09-04-2012 05:40 PM
I understand. You can try opening a TAC case, but DNS is the main issue. Also, do you see two authenticate requests or just the authenticate request to the portal?
thanks,
Tarik Admani
*Please rate helpful posts*
09-04-2012 05:56 PM
I see the initial success upon connection and can see the redirect being applied, but then once it is authenticated it shows another entry with a failure and you get the session expired page.
09-04-2012 06:51 PM
I can see that if I allow ISE to populate the redirect URL then a session ID is generated. If I manually specify the RADIUS attribute then a session ID is not generated.
Is there a way then to change the URL that the guest is redirected to so that it isn't the host name?
09-04-2012 09:19 PM
I've followed this up with TAC and have confirmation that at the moment you cannot change the DNS name that the user is redirected to.
Also, in ISE 1.1 you could manually specify the RADIUS attribute with the IP address as I was doing and it will give you a unique session ID, but in 1.1.1 you cannot do this.
09-04-2012 09:48 PM
Martin,
Is this a bug on why this won't work in ISE?
09-04-2012 09:51 PM
The bug for not being able to change the DNS name that the guest is redirected to is here:
It's not currently viewable, but should be in the next couple of days apparently.
I am trying to find out if the method of manually specifying the RADIUS attribute was deliberately removed in 1.1.1 or if it is a bug.
10-04-2012 03:43 PM
Any news on this? I am having the same issue: the sessionIdValue field is not getting filled out with a session ID when I attempt to manually define the redirect URL in the CWA authz result, so ISE does not know the session ID when you then log into the guest portal :-(
09-12-2013 02:32 AM
09-12-2013 11:42 PM
Hi
You can configure a custom portal to perform Client Provisioning and Posture. If you select this option, the guest login flow performs a CWA and the guest portal will be redirected to Client Provisioning after performing AUP and change password checks. In this case, the posture subsystem performs a CoA to the NAD to re-authenticate the client connection once the posture has been assessed.
If Vlan Dhcp Release is selected under Multi-Portal Configurations, posture will perform the client-side IP release and renew operation. Check the Vlan Dhcp Release option to refresh Windows clients' IP address after VLAN change in both wired and wireless environments for Guest with posture.
This affects the CWA user login flow when the network access during the final authorization switches the guest VLAN to a new VLAN. In this case, the old IP of the guest needs to be released before the VLAN change and a new guest IP needs to be requested through DHCP once the new VLAN access is in place. The Cisco ISE server redirects the guest browser to download an applet to perform the IP release renew operation.