Re: CWA Redirection

Nub65 · ‎02-20-2020

Hello,

I am trying to do CWA with switch. Everything is done correctly but still it does not do redirection. Can an ios version be the problem?

Switch model: WS-C2960-48PST-L

IOS version: 12.2(55)SE12

Damien Miller · ‎02-20-2020

Your switch could certainly be an issue. First confirm that your are using lan base, and not lan lite. See this note from Howon.
https://community.cisco.com/t5/network-access-control/2960x-lan-lite/m-p/3995364/highlight/true#M455212

"Lan-Lite doesn't support dACL, pACL, or URL-Redirect so CWA or BYOD will not be possible unless using Auth VLAN feature. Profiling should work as CoA is supported. There are also additional authentication related restrictions with Lan-Lite so not recommended for secure access scenarios."

If you are leveraging lan base already, then consider looking at upgrading to 15.2.7E(ED) as this is the Cisco recommended and "gold star" release. This should rule out any cwa bugs in the 12.x train you are using.

And not the last item, but confirm the switch is learning the IP address of the endpoint via IP device tracking, if not, then the redirect won't work either. This has been a relatively more common issue over the years.

If those items don't sort it out, then we will need to dig in and confirm more about the configuration.

Nub65 · ‎02-20-2020

We are using lan base. IP device tracking is enabled and switch learns the ip address.

I will try to update the ios version and let you know if it resolves the issue.

hslai · ‎02-23-2020

Besides what pointed out by Damien..

please refer to No redirect on Wired guest portal, ISE v2.4 and Central Web Authentication with a Switch and Identity Services Engine Configuration Example