Hi Simon, As long as the

Simon Parlsjo · ‎11-14-2014

Hi,

I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.

Unfortunately I'm running into problems.

The AP, WLC and ISE is all running in vlan 1 which terminates in the 5505 as a inside interface.

Vlan 2 is a guest network terminating on a separate interface in the ASA.

The problem that I'm facing is that the url-redirect from the ISE dosent' work. If i check the client summery on the vWLC I can see that the client get applyes the redirect flexconnect ACL and that the URL is present. I've verified that it's not a DNS issue and I'm able to manually connect to ISE so there is no ACL blocking me. The client just dosen't get the redirect. I've tired with multiple devices (windows,ios,android) and it's all the same.

I've followed the following guides:

http://www.drchaos.com/flexconnect-local-switching-guestbyod/

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11

Currently I'm at work but I can provide some debug output later.

Have anyone seen this behavior before?

nspasov · ‎11-14-2014

It is possible that you are hitting the following bug:

https://tools.cisco.com/bugsearch/bug/CSCue68065

One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:

1. Create a standar ACL on the controller that is named exactly as the FlexConnect ACLs

2. The standard ACL does not have to have any ACE in it

I have ran into this issue before and the above workaround has worked for me. The issue was supposed be addressed in version 8.x of the WLC but I think it is still worth giving it a try.

Thank you for rating helpful posts!

bhose · ‎11-16-2014

Hi Simon,

As long as the client can resolve the address and the client is attempting to access an HTTP site not HTTPS, the redirect should work.

Maybe try a debug dot11 profile detail on the AP and see what the logs show.

Brett

jannekarlsson · ‎03-03-2016

Is there a solution for redirecting https-sites to the ISE?

Simon Parlsjo · ‎11-20-2014

A small update.

If I manually paste the redirect in my browser then I'm able to login successfully and connect to the network and everything works.

I feel a bit uncertain of how the Flexconnect ACL should look like. Does flexconnect ACL only work on inbound traffic.

I've included the ACL that I'm currently using and below are some pointers to help understand it:

10.0.0.21 - WLC

10.0.0.22 - ISE

10.0.20 - DNS/DHCP

I will try adding a standard ACL.

bhose · ‎11-20-2014

Hi Simon,

ACL looks good.

The only other thing I can think of is that with Flexconnect you need to add the ACL to the Policies on the AP.

This can be done directly on the AP under Flexconnect --> External WebAuthentication ACLs or in the Flexconnect group under ACL Mappings --> Policies

Hope this helps!

Simon Parlsjo · ‎11-21-2014

Hi,

I have already added the ACLs to the flexconnect group, is that sufficent?

Wireless->Flexconnect Groups->ACL Mapping->Policies

But do I need to add only the GUEST-CWA redirect ACL or both, in my case PERMIT_ACCESS?

nspasov · ‎11-21-2014

You only need to map the redirect ACL under the "Policies" The redirect ACL should only allow access to your ISE and your DNS servers while denying everything else.

Also:

- Did you create a standard (non-flexconnect) ACL that matches the name of the Flex-connect one?

- Are you returning the redirect ACL in your CWA authorization profile

Thank you for rating helpful posts!

Simon Parlsjo · ‎11-24-2014

Hi,

I forgot to mention that I already had a standard ACL with the same name. I saw that bug before I stated this disscussion and I did give that a test however without success.

I've included two new pictures one with my authorization rules and one with the AutZ Result for CWA.

I did a debug dot11 policys detail on the AP but I'm not getting any results when connecting with a device and trying the guest-access.

ahurtadove · ‎01-26-2015

Hi!

Did you ever get around this?, I'm facing the same issues.

Thank you!

Mikael Gustafsson · ‎10-26-2015

Same thing here, everything looks like it is working but no redirect on the client.

Did you find a solution to the problem?

Cheers

ciscosureshn · ‎02-07-2016

Hi,

Points to Check for FlexConnect CWA (ISE):

1) Redirect ACL should be created in Flexconnect ACL which will permit http & https to ISE and DNS, DHCP to respective severs

2) The same Flexconnect ACL need to added in FlexConnect Group ACL Mapping->polices

3) A normal ACL with same name of Flexconnect ACL need to be created in security->access control list without any rules in it.

4) The ACL name should be called in CWA in ISE authorization policy.

The same worked for me. Hope this helps.

Regards

ISE CWA FLEXCONNECT - No url redirect