Re: CWA redirect on ISE Guest Portal does not work

Antonio Esposto · ‎10-18-2021

Good morning,

we have a problem to Guest Portal Redirect.
When the guest user arrive on Guest Portal, he receive the error (see the first attachment error1.jpg)

We have a Anchor-Foreign architecture, the ACL that we use is the second attachment named acl1.jpg.
The ACL is applied on the Anchor and Foreign and we see from ISE log that the URL arrive correctly on the device of Guest user.

Anchor and ISE are in different subnet.

Could it be a problem related to acl not configured correctly?

Thanks and Regards,

Antonio Esposto

Greg Gibbs · ‎10-18-2021

The redirect ACL looks sufficient, so you would need to troubleshoot from the client side of the connection. Is the client getting an IP address in the correct subnet? Can it resolve the ISE node FQDNs? Are there any firewalls/ACLs between the client and ISE PSNs, etc?

You might consider updating your redirect ACL to permit ICMP so you can do some basic ping tests from the client and do a packet capture on the PSN to see if the client traffic is reaching it.

Antonio Esposto · ‎10-19-2021

Good morning Greg,

thanks for your answer! The problem is that if I try to configure an access list "accept IP any any" in this case i haven't problem of connection , i regularly reach the ISE portal if I look for it on the browser even if obviously, by putting the acl "accept ip any any" I am not redirected to ISE but I regularly surf without going through the guest portal for authentication.
For this reason, I have ruled out that there may be problems in the network since if they are present, even with the acl accept ip any any I should not browse because there may be a firewall in the middle of the network flow that prevents me from communicating.
Thanks again and have a nice day.