ISE 1.2 Guest portal re-direct URL not working

Issues with Web Authentication..


Hello, I am trying to set up CWA on Cisco ISE 1.2.

When attempting to WebAuth from a laptop plugged directly into a switch port I see the below Authentication details:

HQ-SW(config-if)#do sh authenti sess int gi 1/0/3 det
            Interface:  GigabitEthernet1/0/3
          MAC Address:  5cf9.dd63.7174
         IPv6 Address:  Unknown
         IPv4 Address:  10.10.100.124
            User-Name:  5C-F9-DD-63-71-74
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
       Session Uptime:  21s
    Common Session ID:  0A0A64FA0000002100F59BD6
      Acct Session ID:  0x00000014
               Handle:  0x3C000013
       Current Policy:  POLICY_Gi1/0/3

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:
           Vlan Group:  Vlan: 100

         URL Redirect:  https://ise01.secure.local:8443/guestportal/gateway?sessionId=0A0A64FA0000002100F59BD6&portal=Our_Captive_Portal&action=cwa
     URL Redirect ACL:  REDIRECT
              ACS ACL:  xACSACLx-IP-Waiting_For_WebAuth-59cf5a62

Method status list:
       Method           State

       mab              Authc Success


My redirect ACL on the switch is very basic and I can see hits against it.

Extended IP access list REDIRECT
    10 permit tcp any any eq www
    20 permit tcp any any eq 443 (108 matches)

When I open a browser in IE on the laptop it attempts to redirect me to the URL seen on the switch in the authentication details but we then get "Page cannot be displayed".


I am unable to telnet to the ISE server on port 443 or 8443. We have no firewalls in between ISE / Switch / Laptop.

If I copy the URL in the authentication details and browse to it from another laptop that is on a standard "non dot1x / MAB" port I am able to reach the guest portal web page.

Any help in getting this working would be great.

Thanks

 

 

Accepted Solutions

Aditya Ganjoo
Cisco Employee

Hi,

 

Can your machine resolve the ISE hostname?

 

On the ISE under the Authorization profiles, go to the CWA option and check Static IP/FQDN option.

 

Put in the IP of the ISE node rather than the hostname and test.

 

Regards,

Aditya

Please rate helpful and mark correct answers

Hello Aditya,

 

Your test did indeed work. It turned out to be an issue with the DNS server that the guest laptop was using.

 

Many thanks

Nick

I would also note that use of .local domain names is not recommended. They are deprecated by all public CAs and will also not be trusted by guest users.
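
A client-side version of the check from the accepted answer, as an added example that is not part of the original thread: it takes the host from the URL Redirect line of the switch output and reports whether the machine it runs on can resolve that name, which is the step that failed here. The function names and the injectable resolve parameter are assumptions of this example.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Constructed sample: the two redirect lines from the switch output in the question.
SAMPLE_SESSION = """\
         URL Redirect:  https://ise01.secure.local:8443/guestportal/gateway?sessionId=0A0A64FA0000002100F59BD6&portal=Our_Captive_Portal&action=cwa
     URL Redirect ACL:  REDIRECT
"""


def redirect_target(session_output):
    """Return (host, port) taken from the 'URL Redirect:' line."""
    match = re.search(r"^\s*URL Redirect:\s+(\S+)", session_output, re.MULTILINE)
    if match is None:
        raise ValueError("no 'URL Redirect:' line in the session output")
    url = urlsplit(match.group(1))
    return url.hostname, url.port or (443 if url.scheme == "https" else 80)


def check_redirect(session_output, resolve=socket.getaddrinfo):
    """Report whether this client can turn the redirect URL into an address.

    `resolve` defaults to the system resolver; it is a parameter (an
    assumption of this example) so the check can be exercised offline.
    """
    host, port = redirect_target(session_output)
    result = {"host": host, "port": port, "addresses": [], "findings": []}
    try:
        ipaddress.ip_address(host)
        result["addresses"] = [host]  # static IP in the URL: no DNS involved
        return result
    except ValueError:
        pass  # a name, so the client's DNS server has to answer for it
    if host.endswith(".local"):
        result["findings"].append("redirect name is under .local")
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
        result["addresses"] = sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        result["findings"].append(f"client cannot resolve {host}: {exc}")
    return result


if __name__ == "__main__":
    print(check_redirect(SAMPLE_SESSION))
```

Run it on the guest laptop itself, since the result depends on the DNS server that client is using.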