CWA redirection not working

sajid231088 · ‎02-28-2019

Hi Team,

Hope you all are doing good

I am working on wireless guest access ( Sponsor Base ).

I have WLC 5508, 3560 SW, 1702i AP, ISE 2.4

Problem Description : Earlier i was getting connect on Guest SSID but redirection was not happening, Now i am not able to connect on Guest SSID

When i checked on ISE there is no logs/hits on live logs

On WLC i checked and found that device is not getting the IP addr so what i did i amanually put the IP addr but it also didn't work, i meant no connectivity.

Attaching screen shots for reference.

Please help me on this, Appreciate prompt response.

ognyan.totev · ‎02-28-2019

Hi , i have same problems with my 5508 ,and i downgrade the code because withe latest code noone from guest take ip address ,there was not even authentication log in ISE and in WLC the client was with ip address 0.0.0.0 . Witch version of code you use ? And again this was only for guest network all other networks like corporate WPA2 etc working as expected . I resolve with downgrade the code but there was 1 more way to add PSK for guest it will allow you clients to take ip address .

Mike.Cifelli · ‎02-28-2019

You ACL should look something along these lines:

Extended IP access list ACL_WEBAUTH_REDIRECT
10 deny ip any host <ISE SERVER> log
20 deny ip any host <ISE SERVER> log
30 permit tcp any any eq www log
40 permit tcp any any eq 443 log
50 permit tcp any any eq 8443 log
60 deny udp any any eq domain log
70 deny udp any eq bootpc any eq bootps log

Based on my experience with posture assessment & guest portal redirects the logic is backwards. For example:
10 deny ip any host <ISE SERVER> log -- This is actually allowing connectivity to your ISE server.

I recommend testing this out. Prior to doing so ensure that routing is in place for your WLC/user endpoint to reach whatever nic you are using on ISE for your portal.

HTH!