05-08-2012 02:05 AM - edited 03-10-2019 07:04 PM
Hi, I'm working with the Cisco ISE as a school project, but I have some problems with the central web authentication. I have followed this guide, and at the moment I have the following two problems:
The redirection does not work. It seems like the ISE tells the switch to redirect, but nothing happens at the client. (See bottom of the post.)
I can access the guest webportal by entering the direct url-address.
I have tried to trigger the redirect both by a DNS name and by an ip-address.
My second problem is my guest users.
When I create a guest account from the sponsor portal, I can't see the password, only stars (****), and I can't figure out if this is a security feature or a bug. Right now I'm working in an offline environment, so I don't have access to an SMTP server and can't try the email function to get the guest account information.
I have tried to create a guest account in the admin portal, but I can't log in with it. If I go to the authentication logs, I just get an "86020 unknown error".
I run everything in VMware, and I have to go through two switches with a trunk connection before I can reach the switch I'm working on, so I have a somewhat unusual configuration.
I have attached the switch configuration, and a screenshot to show my setup.
---
sw03#sh auth sess int fa0/5
Interface: FastEthernet0/5
MAC Address: 000c.29ff.28f7
IP Address: Unknown
User-Name: 00-0C-29-FF-28-F7
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://mz-ise.mz:8443/guestportal/gateway?sessionId=C0A80A020000000C047D8E21&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A80A020000000C047D8E21
Acct Session ID: 0x00000014
Handle: 0x7F00000C
Runnable methods list:
Method State
mab Authc Success
05-08-2012 06:49 PM
An ACL could be blocking the redirect if the management interface of the switch and the device are on two separate VLANs. If the switch is layer three, temporarily create routing on it between the two and see if it works.
Second, a proxy will also mess with URL redirection if it is on a different port than port 80. On a WLAN controller a proxy should work fine with URL redirection.
Thanks
Alex
Hope this helps
Sent from Cisco Technical Support iPhone App
05-08-2012 06:52 PM
Also, redirect ACLs are the opposite of regular ACLs, so can you post the redirect ACL?
Thanks
Alex
Sent from Cisco Technical Support iPhone App
05-09-2012 04:12 AM
Regarding the guest password/login problem, the problem is solved.
I updated to ISE v1.1, and now that part is working, but I still have the problem with redirect.
Here is my redirect ACL:
ip access-list extended redirect
deny ip any host 192.168.10.5 (my ISE ip)
permit tcp any any eq www
permit tcp any any eq 443
05-09-2012 05:19 AM
Okay, I just tried some different things, and after adding these two commands, the redirection works!
ip dhcp snooping
ip device tracking