Guest Portal CWA Not Redirecting to Login Page

Chris Terry
Level 1

We have an Anchor-Foreign WLC setup. We have an open SSID that is set to redirect to a portal where employees would enter their AD credentials to get onto the network, which would be internet access only for their personal devices.

I can see the clients in both ISE and the WLC getting the redirect URL, but nothing happens. The clients are also not able to manually bring up a browser to get redirected. While testing, I can ping the portal IP, and forward and reverse DNS work.

The clients are passing the initial auth in ISE but not getting redirected. I attached screenshots showing the AV-pair URL clients get, the WLC redirect URL, and the WLC redirect ACL.


Hi

On the ACL, this permit ip any any does not seem right. What is 172.21.240.8?

I believe you should have a permit for HTTP/HTTPS.

172.21.240.8 is the portal URL. We have it on a separate NIC on the ISE box. The ACL rule is permitting anything to and from that IP, which should include HTTPS.

If that is the portal, then it makes sense.

Do you have AAA override on the Guest WLAN, and Support for CoA enabled in the RADIUS server config on the WLC?

Yes to all.

MAC filtering checked on the WLAN? NAC state ISE NAC on the WLAN?

If yes to all, I don't see anything else for the WLC.

Yes to all of that as well.

It may be that the HTTP service is not enabled on the WLC to intercept HTTP traffic and redirect the original URL.

Enable the HTTP server. If it is already enabled, restart the HTTP service on the WLC:

config network webmode enable

Note about HTTPS redirection: by default, the WLC does not redirect HTTPS traffic. This means that if you type an HTTPS address into your browser, nothing happens. You must type an HTTP address in order to get redirected to the login page, which is served over HTTPS (e.g. http://2.2.2.4).

In Version 8.0 and later, you can enable redirection of HTTPS traffic with the CLI command config network web-auth https-redirect enable.

HTH

Should the port be just 443?
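The redirect-ACL semantics discussed above and the port question are easy to get wrong, so here is a small model of that logic as an added example; it is not code from the thread, from Cisco or from ISE. On AireOS a permit entry in the web-auth redirect ACL lets the pre-auth client traffic through (DNS, the portal itself), while a deny entry, or the implicit deny at the end of the ACL, makes the WLC intercept the flow; an intercepted TCP/80 flow (and TCP/443 only once https-redirect is enabled) gets the HTTP redirect, anything else intercepted is simply dropped. The portal address 172.21.240.8 is the one named in the thread; the two sample ACLs, the client and DNS server addresses, the session ID and the static resolver table are constructed. The url-redirect value is shaped like the cisco-av-pair ISE returns for CWA, and the check answers the port question: the ACL has to permit the port carried in that URL (8443 here), not 443. AireOS ACLs are stateless, so a real ACL also needs the return-direction entries (portal to any, DNS server to any), which the model leaves out; in an anchor-foreign deployment such as this one, the ACL also has to exist under the same name on both controllers.

```python
"""Model of how an AireOS WLC applies the ISE CWA redirect ACL to a client in
the CENTRAL_WEB_AUTH state, plus a check of the url-redirect target against it.
Added example, not code from the thread; all sample data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" (pass through) or "deny" (intercept)
    proto: str                       # "ip", "tcp" or "udp"
    src: str                         # CIDR; ANY for 0.0.0.0/0
    dst: str
    dst_port: Optional[int] = None   # None = any port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dst_port: int


def matches(rule: Rule, flow: Flow) -> bool:
    """Stateless, single-direction match, like one AireOS ACL entry."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    return rule.dst_port is None or rule.dst_port == flow.dst_port


def evaluate(acl: List[Rule], flow: Flow, https_redirect: bool = False) -> str:
    """Return 'pass', 'redirect' or 'drop' for one pre-auth client flow."""
    for rule in acl:
        if matches(rule, flow):
            if rule.action == "permit":
                return "pass"
            break                          # explicit deny: intercepted
    # explicit or implicit deny: only web traffic gets the redirect
    intercepted = {80} | ({443} if https_redirect else set())
    if flow.proto == "tcp" and flow.dst_port in intercepted:
        return "redirect"
    return "drop"


def check_cwa_acl(acl: List[Rule], portal_ip: str, portal_port: int, dns_server: str,
                  client: str = "10.10.10.50", https_redirect: bool = False) -> List[str]:
    """List the reasons a client would never land on the portal."""
    findings = []
    if evaluate(acl, Flow("udp", client, dns_server, 53), https_redirect) != "pass":
        findings.append("udp/53 to the DNS server is not permitted; the client cannot resolve the portal FQDN")
    if evaluate(acl, Flow("tcp", client, portal_ip, portal_port), https_redirect) != "pass":
        findings.append(f"tcp/{portal_port} to the portal {portal_ip} is not permitted; "
                        "the redirected browser would be intercepted again")
    if evaluate(acl, Flow("tcp", client, "203.0.113.10", 80), https_redirect) != "redirect":
        findings.append("plain HTTP to the Internet is not intercepted; nothing ever triggers the redirect")
    return findings


def check_url_redirect(acl: List[Rule], url_redirect: str, dns_server: str,
                       resolve: Optional[Dict[str, str]] = None, **kw) -> List[str]:
    """Parse the ISE url-redirect value and check its host:port against the ACL."""
    parts = urlsplit(url_redirect)
    host = parts.hostname
    try:
        ip_address(host)
    except ValueError:                      # FQDN: use the constructed static resolver table
        host = (resolve or {})[host]
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return check_cwa_acl(acl, host, port, dns_server, **kw)


PORTAL_IP = "172.21.240.8"                  # portal address named in the thread
DNS_SERVER = "10.0.0.53"                    # constructed
# Catch-all permit: nothing is ever intercepted (the concern raised in the thread).
ACL_PERMIT_ALL = [Rule("permit", "ip", ANY, ANY)]
# Shaped like the Cisco CWA guide, client-to-server direction only: DNS and the
# portal pass, everything else hits the implicit deny and HTTP is redirected.
ACL_CWA = [Rule("permit", "udp", ANY, ANY, 53),
           Rule("permit", "tcp", ANY, f"{PORTAL_IP}/32", 8443)]
# Same shape as the ISE cisco-av-pair url-redirect value; session ID constructed.
URL_REDIRECT = f"https://{PORTAL_IP}:8443/portal/gateway?sessionId=0a0a0a0a00000001&action=cwa"

if __name__ == "__main__":
    print("permit-all ACL:", check_cwa_acl(ACL_PERMIT_ALL, PORTAL_IP, 8443, DNS_SERVER))
    print("CWA ACL:", check_url_redirect(ACL_CWA, URL_REDIRECT, DNS_SERVER))
    print("https without https-redirect:",
          evaluate(ACL_CWA, Flow("tcp", "10.10.10.50", "203.0.113.10", 443)))
```

Run with the ACL from the thread's concern (a single permit ip any any) and the only finding is that HTTP is never intercepted, which matches the symptom of clients holding a redirect URL while nothing happens; run with an ACL that permits tcp/443 to the portal instead of tcp/8443 and the check reports the port mismatch, which is the answer to the question above.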

Chris Terry
Level 1

I was able to get the redirect working by recreating the authorization policies in ISE and the redirect ACL on the WLC closer to what this guide describes https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html.

I'm just having issues with iPhones not redirecting at this point. Android phones and Windows laptops work fine.

Kindly disable captive-bypass on WLAN settings > Layer 3 > Security and check again. It is a known issue with Apple devices.