I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.
Unfortunately I'm running into problems.
The AP, WLC and ISE are all running in VLAN 1, which terminates on the 5505 as an inside interface.
VLAN 2 is a guest network terminating on a separate interface in the ASA.
The problem that I'm facing is that the URL redirect from the ISE doesn't work. If I check the client summary on the vWLC I can see that the client gets the redirect FlexConnect ACL applied and that the URL is present. I've verified that it's not a DNS issue, and I'm able to manually connect to ISE, so there is no ACL blocking me. The client just doesn't get the redirect. I've tried with multiple devices (Windows, iOS, Android) and it's all the same.
I've followed the following guides:
Currently I'm at work but I can provide some debug output later.
Has anyone seen this behavior before?
It is possible that you are hitting the following bug:
One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:
1. Create a standard ACL on the controller that is named exactly like the FlexConnect ACL
2. The standard ACL does not have to have any ACE in it
I have run into this issue before and the above workaround has worked for me. The issue was supposed to be addressed in version 8.x of the WLC, but I think it is still worth giving it a try.
Thank you for rating helpful posts!
As long as the client can resolve the address and the client is attempting to access an HTTP site, not HTTPS, the redirect should work.
Maybe try a debug dot11 profile detail on the AP and see what the logs show.
A small update.
If I manually paste the redirect in my browser then I'm able to login successfully and connect to the network and everything works.
I feel a bit uncertain about how the FlexConnect ACL should look. Does a FlexConnect ACL only work on inbound traffic?
I've included the ACL that I'm currently using and below are some pointers to help understand it:
10.0.0.21 - WLC
10.0.0.22 - ISE
10.0.20 - DNS/DHCP
I will try adding a standard ACL.
ACL looks good.
The only other thing I can think of is that with Flexconnect you need to add the ACL to the Policies on the AP.
This can be done directly on the AP under FlexConnect --> External WebAuthentication ACLs, or in the FlexConnect group under ACL Mappings --> Policies.
Hope this helps!
I have already added the ACLs to the FlexConnect group; is that sufficient?
Wireless->Flexconnect Groups->ACL Mapping->Policies
But do I need to add only the GUEST-CWA redirect ACL or both, in my case PERMIT_ACCESS?
You only need to map the redirect ACL under the "Policies". The redirect ACL should only allow access to your ISE and your DNS servers while denying everything else.
- Did you create a standard (non-FlexConnect) ACL that matches the name of the FlexConnect one?
- Are you returning the redirect ACL in your CWA authorization profile?
Thank you for rating helpful posts!
I forgot to mention that I already had a standard ACL with the same name. I saw that bug before I started this discussion and I did give that a test, however without success.
I've included two new pictures, one with my authorization rules and one with the AuthZ result for CWA.
I did a debug dot11 policys detail on the AP but I'm not getting any results when connecting with a device and trying the guest-access.
Points to Check for FlexConnect CWA (ISE):
1) The redirect ACL should be created as a FlexConnect ACL which permits HTTP and HTTPS to ISE, and DNS and DHCP to the respective servers.
2) The same FlexConnect ACL needs to be added in FlexConnect Group ACL Mapping -> Policies.
3) A normal ACL with the same name as the FlexConnect ACL needs to be created under Security -> Access Control Lists, without any rules in it.
4) The ACL name should be called in CWA in ISE authorization policy.
The same worked for me. Hope this helps.
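As an added example that is not part of this thread, the Python below encodes that four-point checklist as a validator over a simplified ACL model: the `Ace` class, `check_redirect_acl` and the DNS/DHCP address 10.0.0.20 are constructed assumptions, while the ISE address 10.0.0.22 comes from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Ace:
    """One access-control entry of a WLC ACL (simplified, constructed model)."""
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dst: str              # destination host address or "any"
    dport: Optional[int]  # destination port, None for any port

ISE = "10.0.0.22"        # ISE address from the thread
DNS_DHCP = "10.0.0.20"   # constructed placeholder for the DNS/DHCP server

# What the redirect ACL must let through: HTTP/HTTPS to ISE, plus DNS and DHCP.
REQUIRED: Set[Tuple[str, str, Optional[int]]] = {
    ("tcp", ISE, 80), ("tcp", ISE, 443), ("udp", DNS_DHCP, 53), ("udp", DNS_DHCP, 67),
}

def check_redirect_acl(name: str, aces: List[Ace], standard_acls: Set[str],
                       policy_mapped: Set[str]) -> List[str]:
    """Return findings; an empty list means the ACL satisfies the checklist."""
    findings = []
    permitted = {(a.proto, a.dst, a.dport) for a in aces if a.action == "permit"}
    for proto, dst, port in sorted(REQUIRED - permitted, key=str):
        findings.append(f"missing permit {proto} to {dst}:{port}")
    for proto, dst, port in sorted(permitted - REQUIRED, key=str):
        findings.append(f"over-permissive permit {proto} {dst}:{port} (only ISE/DNS/DHCP belong here)")
    if not aces or aces[-1].action != "deny" or aces[-1].dst != "any":
        findings.append("last ACE should be an explicit deny any so other traffic is redirected")
    if name not in standard_acls:
        findings.append(f"no standard ACL named {name!r} under Security > Access Control Lists")
    if name not in policy_mapped:
        findings.append(f"{name!r} not mapped under FlexConnect Groups > ACL Mapping > Policies")
    return findings

# Constructed samples: a correct redirect ACL and one that is wide open and not mirrored.
GOOD_ACL = [
    Ace("permit", "tcp", ISE, 80), Ace("permit", "tcp", ISE, 443),
    Ace("permit", "udp", DNS_DHCP, 53), Ace("permit", "udp", DNS_DHCP, 67),
    Ace("deny", "any", "any", None),
]
OPEN_ACL = [Ace("permit", "any", "any", None)]

if __name__ == "__main__":
    print(check_redirect_acl("GUEST-CWA", GOOD_ACL, {"GUEST-CWA"}, {"GUEST-CWA"}))  # []
    for finding in check_redirect_acl("GUEST-CWA", OPEN_ACL, set(), {"GUEST-CWA"}):
        print("-", finding)
```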