ISE - Central Web Authentication // Guest accounts

marczacho
Level 1

Hi, I'm working with the Cisco ISE as a school project, but I have some problems with the central web authentication. I have followed this guide, and at the moment I have the following two problems:

The redirection does not work, but it seems like the ISE tells the switch to redirect, but nothing happens at the client. (See bottom of the post)

I can access the guest webportal by entering the direct url-address.

I have tried to trigger the redirect both by a DNS name and by an ip-address.

My second problem is my guest users.

When I create a guest account from the sponsor portal, I can't see the password, only stars (****), and I can't figure out if this is a security feature or a bug. Right now I'm working in an offline environment so I don't have access to an SMTP server, so I can't try the email function to get the guest account information.

I have tried to create a guest account in the admin portal, but I can't log in with it. If I go to the authentication logs, I just get an "86020 unknown error".

I run everything in VMware, and I have to go through two switches with a trunk connection before I can reach the switch I'm working on, so I have a somewhat unusual configuration.

I have attached the switch configuration, and a screenshot to show my setup.

---

sw03#sh auth sess int fa0/5
            Interface:  FastEthernet0/5
          MAC Address:  000c.29ff.28f7
           IP Address:  Unknown
            User-Name:  00-0C-29-FF-28-F7
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
     URL Redirect ACL:  redirect
         URL Redirect:  https://mz-ise.mz:8443/guestportal/gateway?sessionId=C0A80A020000000C047D8E21&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A80A020000000C047D8E21
      Acct Session ID:  0x00000014
               Handle:  0x7F00000C

Runnable methods list:
      Method  State
      mab      Authc Success

4 Replies 4

Alex Pfeil
Level 7

An ACL could be blocking the redirect if the management interface of the switch and the device are on two separate VLANs. If the switch is layer three, temporarily create routing on it between the two and see if it works.

Second, a proxy will also mess with URL redirection if it is on a different port than port 80. On a WLAN controller a proxy should work fine with URL redirection.

Thanks

Alex

Hope this helps

Sent from Cisco Technical Support iPhone App

Alex Pfeil
Level 7

Also, redirect ACLs are the opposite of regular ACLs, so can you post the redirect ACL?

Thanks

Alex

Sent from Cisco Technical Support iPhone App

marczacho
Level 1

Regarding the guest password/login problem, the problem is solved.
I updated to ISE v1.1, and now that part is working, but I still have the problem with redirect.

Here is my redirect ACL:

ip access-list extended redirect
 deny   ip any host 192.168.10.5 (my ISE ip)
 permit tcp any any eq www
 permit tcp any any eq 443

Okay, I just tried some different things, and after adding these two commands, the redirection works!

ip dhcp snooping
ip device tracking
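
Added example, not part of the original thread: a small Python check that parses the `show authentication sessions` output posted above and flags the state the thread ended on, a session that carries a redirect URL and ACL while the switch still reports the client IP as Unknown. The function names and the rules are assumptions made for illustration, based only on the fields visible in the post.

```python
import re

# Session output as posted in the thread (sw03, Fa0/5), trimmed to the fields used.
SAMPLE = """\
            Interface:  FastEthernet0/5
          MAC Address:  000c.29ff.28f7
           IP Address:  Unknown
               Status:  Authz Success
     URL Redirect ACL:  redirect
         URL Redirect:  https://mz-ise.mz:8443/guestportal/gateway?sessionId=C0A80A020000000C047D8E21&action=cwa
    Common Session ID:  C0A80A020000000C047D8E21
"""

def parse_session(text):
    """Turn 'Key:  value' lines into a dict, splitting on the first colon only
    so that the colons inside the redirect URL stay part of the value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def check_cwa(fields):
    """Return findings that can explain why a CWA redirect never reaches the client.
    The rules are illustrative heuristics, not an official checklist."""
    findings = []
    url = fields.get("URL Redirect")
    acl = fields.get("URL Redirect ACL")
    if not url:
        findings.append("no URL Redirect on the session: authorization result not applied")
    if url and not acl:
        findings.append("URL Redirect without a redirect ACL: nothing selects traffic to redirect")
    # The thread's fix: without device tracking the switch never learns the client IP.
    if fields.get("IP Address", "Unknown").lower() == "unknown":
        findings.append("client IP unknown to the switch: check 'ip device tracking' and DHCP snooping")
    # The portal URL should carry the same session ID the switch reports.
    m = re.search(r"sessionId=([0-9A-Fa-f]+)", url or "")
    if m and m.group(1) != fields.get("Common Session ID"):
        findings.append("sessionId in the redirect URL differs from the Common Session ID")
    return findings

if __name__ == "__main__":
    for finding in check_cwa(parse_session(SAMPLE)):
        print("FINDING:", finding)
```
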