Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6409
Views
15
Helpful
11
Replies

ISE CWA FLEXCONNECT - No url redirect

Simon Parlsjo
Level 1
Level 1

‎11-14-2014 02:59 AM - edited ‎03-10-2019 10:10 PM

Hi,

 

I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.

Unfortunately I'm running into problems.

The AP, WLC and ISE is all running in vlan 1 which terminates in the 5505 as a inside interface. 

Vlan 2 is a guest network terminating on a separate interface in the ASA.

 

The problem that I'm facing is that the url-redirect from the ISE dosent' work. If i check the client summery on the vWLC I can see that the client get applyes the redirect flexconnect ACL and that the URL is present. I've verified that it's not a DNS issue and I'm able to manually connect to ISE so there is no ACL blocking me. The client just dosen't get the redirect. I've tired with multiple devices (windows,ios,android) and it's all the same.

 

I've followed the following guides:

http://www.drchaos.com/flexconnect-local-switching-guestbyod/

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11

 

Currently I'm at work but I can provide some debug output later. 

 

Have anyone seen this behavior before?

 

 

Labels:
0 Helpful
11 Replies 11

nspasov
Cisco Employee
Cisco Employee

‎11-14-2014 05:13 PM

It is possible that you are hitting the following bug:

https://tools.cisco.com/bugsearch/bug/CSCue68065

One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:

1. Create a standar ACL on the controller that is named exactly as the FlexConnect ACLs

2. The standard ACL does not have to have any ACE in it

I have ran into this issue before and the above workaround has worked for me. The issue was supposed be addressed in version 8.x of the WLC but I think it is still worth giving it a try. 

 

Thank you for rating helpful posts!

bhose
Level 1
Level 1
In response to nspasov

‎11-16-2014 02:48 PM

Hi Simon,

 

As long as the client can resolve the address and the client is attempting to access an HTTP site not HTTPS, the redirect should work.

 

Maybe try a debug dot11 profile detail on the AP and see what the logs show.

 

Brett

0 Helpful

jannekarlsson
Level 1
Level 1
In response to bhose

‎03-03-2016 02:20 AM

Is there a solution for redirecting https-sites to the ISE?

0 Helpful

Simon Parlsjo
Level 1
Level 1

‎11-20-2014 05:28 AM

A small update.

 

If I manually paste the redirect in my browser then I'm able to login successfully and connect to the network and everything works.

I feel a bit uncertain of how the Flexconnect ACL should look like. Does flexconnect ACL only work on inbound traffic. 

 

I've included the ACL that I'm currently using and below are some pointers to help understand it:

10.0.0.21 - WLC

10.0.0.22 - ISE

10.0.20 - DNS/DHCP

 

I will try adding a standard ACL.

Preview file
22 KB
0 Helpful

bhose
Level 1
Level 1
In response to Simon Parlsjo

‎11-20-2014 02:12 PM

Hi Simon,

 

ACL looks good.

The only other thing I can think of is that with Flexconnect you need to add the ACL to the Policies on the AP.

This can be done directly on the AP under Flexconnect -->  External WebAuthentication ACLs or in the Flexconnect group under ACL Mappings --> Policies

Hope this helps!

 

0 Helpful

Simon Parlsjo
Level 1
Level 1
In response to bhose

‎11-21-2014 05:40 AM

Hi,

 

I have already added the ACLs to the flexconnect group, is that sufficent?

Wireless->Flexconnect Groups->ACL Mapping->Policies

But do I need to add only the GUEST-CWA redirect ACL or both, in my case PERMIT_ACCESS?

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to Simon Parlsjo

‎11-21-2014 09:21 AM

You only need to map the redirect ACL under the "Policies" The redirect ACL should only allow access to your ISE and your DNS servers while denying everything else. 

Also:

- Did you create a standard (non-flexconnect) ACL that matches the name of the Flex-connect one?

- Are you returning the redirect ACL in your CWA authorization profile

 

Thank you for rating helpful posts!

0 Helpful

Simon Parlsjo
Level 1
Level 1
In response to nspasov

‎11-24-2014 12:57 AM

Hi,

 

I forgot to mention that I already had a standard ACL with the same name. I saw that bug before I stated this disscussion and I did give that a test however without success.

 

I've included two new pictures one with my authorization rules and one with the AutZ Result for CWA.

 

I did a debug dot11 policys detail on the AP but I'm not getting any results when connecting with a device and trying the guest-access.

 

Preview file
11 KB
Preview file
13 KB
0 Helpful

ahurtadove
Level 1
Level 1
In response to Simon Parlsjo

‎01-26-2015 04:43 AM

Hi!

Did you ever get around this?, I'm facing the same issues.

Thank you!

0 Helpful

Mikael Gustafsson
Level 5
Level 5

‎10-26-2015 08:49 AM

 

Same thing here, everything looks like it is working but no redirect on the client.

Did you find a solution to the problem?

 

Cheers

0 Helpful

ciscosureshn
Level 1
Level 1
In response to Mikael Gustafsson

‎02-07-2016 10:08 AM - edited ‎02-16-2018 12:18 AM

Hi,

   Points to Check for FlexConnect CWA (ISE):

1) Redirect ACL should be created in Flexconnect ACL which will permit http & https to ISE and DNS, DHCP to respective severs

2) The same Flexconnect ACL need to added in FlexConnect Group ACL Mapping->polices

3) A normal ACL with same name of Flexconnect ACL need to be created in security->access control list without any rules in it.

4) The ACL name should be called in CWA in ISE authorization policy.

The same worked for me. Hope this helps.

   Regards

Customers Also Viewed These Support Documents