Beginner

ISE CWA FLEXCONNECT - No url redirect

Hi,

 

I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.

Unfortunately I'm running into problems.

The AP, WLC and ISE are all running in vlan 1 which terminates in the 5505 as an inside interface.

Vlan 2 is a guest network terminating on a separate interface in the ASA.

 

The problem that I'm facing is that the url-redirect from the ISE doesn't work. If I check the client summary on the vWLC I can see that the client gets the redirect flexconnect ACL applied and that the URL is present. I've verified that it's not a DNS issue and I'm able to manually connect to ISE so there is no ACL blocking me. The client just doesn't get the redirect. I've tried with multiple devices (windows, ios, android) and it's all the same.

 

I've followed the following guides:

http://www.drchaos.com/flexconnect-local-switching-guestbyod/

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11

 

Currently I'm at work but I can provide some debug output later. 

 

Has anyone seen this behavior before?

 

 

Cisco Employee

It is possible that you are hitting the following bug:

https://tools.cisco.com/bugsearch/bug/CSCue68065

One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:

1. Create a standard ACL on the controller that is named exactly as the FlexConnect ACLs

2. The standard ACL does not have to have any ACE in it

I have run into this issue before and the above workaround has worked for me. The issue was supposed to be addressed in version 8.x of the WLC but I think it is still worth giving it a try.

 

Thank you for rating helpful posts!


Hi Simon,

 

As long as the client can resolve the address and the client is attempting to access an HTTP site not HTTPS, the redirect should work.

 

Maybe try a debug dot11 profile detail on the AP and see what the logs show.

 

Brett


Is there a solution for redirecting https-sites to the ISE?

Beginner

A small update.

 

If I manually paste the redirect in my browser then I'm able to login successfully and connect to the network and everything works.

I feel a bit uncertain of what the Flexconnect ACL should look like. Does a flexconnect ACL only work on inbound traffic?

 

I've included the ACL that I'm currently using and below are some pointers to help understand it:

10.0.0.21 - WLC

10.0.0.22 - ISE

10.0.20 - DNS/DHCP

 

I will try adding a standard ACL.


Hi Simon,

 

ACL looks good.

The only other thing I can think of is that with Flexconnect you need to add the ACL to the Policies on the AP.

This can be done directly on the AP under Flexconnect -->  External WebAuthentication ACLs or in the Flexconnect group under ACL Mappings --> Policies

Hope this helps!

 


Hi,

 

I have already added the ACLs to the flexconnect group, is that sufficient?

Wireless->Flexconnect Groups->ACL Mapping->Policies

But do I need to add only the GUEST-CWA redirect ACL or both, in my case PERMIT_ACCESS?


You only need to map the redirect ACL under the "Policies". The redirect ACL should only allow access to your ISE and your DNS servers while denying everything else.

Also:

- Did you create a standard (non-flexconnect) ACL that matches the name of the Flex-connect one?

- Are you returning the redirect ACL in your CWA authorization profile?

 

Thank you for rating helpful posts!


Hi,

 

I forgot to mention that I already had a standard ACL with the same name. I saw that bug before I started this discussion and I did give that a test, however without success.

 

I've included two new pictures, one with my authorization rules and one with the AuthZ Result for CWA.

 

I did a debug dot11 policys detail on the AP but I'm not getting any results when connecting with a device and trying the guest-access.

 


Hi!

Did you ever get around this? I'm facing the same issues.

Thank you!

Contributor

 

Same thing here, everything looks like it is working but no redirect on the client.

Did you find a solution to the problem?

 

Cheers


Hi,

Points to Check for FlexConnect CWA (ISE):

1) Redirect ACL should be created as a Flexconnect ACL which permits http & https to ISE, and DNS and DHCP to the respective servers

2) The same Flexconnect ACL needs to be added in FlexConnect Group ACL Mapping->Policies

3) A normal ACL with the same name as the Flexconnect ACL needs to be created in Security->Access Control Lists without any rules in it.

4) The ACL name should be called in CWA in ISE authorization policy.

The same worked for me. Hope this helps.

Regards
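The four points above, and the name-matching workaround from the first reply, can be checked mechanically before touching a client. This is an added example, not code from the thread or from Cisco: it runs over a constructed model of the relevant WLC and ISE settings (ISE 10.0.0.22 is from the thread; the DNS/DHCP address, ACL names and profile name are assumed), and reports which point a configuration misses.

```python
# Added example (not from the thread or Cisco): a checker for the four FlexConnect
# CWA points above, run on a constructed model of what you read off the WLC and
# ISE. ISE 10.0.0.22 is from the thread; DNS address, ACL and profile names assumed.
ISE = "10.0.0.22"
DNS = "10.0.0.20"  # assumed

def rule(action, proto="any", dst="any", port=None):
    return {"action": action, "proto": proto, "dst": dst, "port": port}

# Constructed WLC/ISE state that satisfies all four points.
GOOD = {
    "flex_acls": {"GUEST-CWA": [
        rule("permit", "udp", DNS, 53),    # DNS, so the redirect URL resolves
        rule("permit", "udp", DNS, 67),    # DHCP
        rule("permit", "tcp", ISE, 8443),  # ISE guest portal
        rule("deny"),                      # everything else: redirected
    ]},
    "standard_acls": {"GUEST-CWA": []},           # point 3: same name, no ACEs
    "group_policy_acls": {"GUEST-CWA"},           # point 2: Flex group mapping
    "authz_profile": {"redirect_acl": "GUEST-CWA"},  # point 4: ISE returns it
}
# Two typical mistakes: standard ACL name differs only in case, and the ACL
# was never mapped under the FlexConnect group's Policies.
BROKEN = dict(GOOD, standard_acls={"guest-cwa": []}, group_policy_acls=set())

def check_cwa(cfg, ise=ISE, dns=DNS):
    """Return a list of findings; an empty list means all four points hold."""
    findings = []
    name = cfg["authz_profile"].get("redirect_acl")
    if not name:
        return ["point 4: CWA authorization profile returns no redirect ACL"]
    rules = cfg["flex_acls"].get(name)
    if rules is None:
        findings.append(f"point 1: no FlexConnect ACL named {name!r}")
    else:
        permits = [r for r in rules if r["action"] == "permit"]
        if not any(r["proto"] == "tcp" and r["dst"] == ise for r in permits):
            findings.append(f"point 1: {name} does not permit TCP to ISE {ise}")
        if not any(r["proto"] == "udp" and r["dst"] == dns and r["port"] == 53
                   for r in permits):
            findings.append(f"point 1: {name} does not permit DNS to {dns}")
        if not rules or rules[-1] != rule("deny"):
            findings.append(f"point 1: {name} does not end with deny any")
    if name not in cfg["group_policy_acls"]:
        findings.append(f"point 2: {name} not mapped under ACL Mapping -> Policies")
    if name not in cfg["standard_acls"]:
        near = [n for n in cfg["standard_acls"] if n.lower() == name.lower()]
        findings.append(f"point 3: no standard ACL named {name!r}" +
                        (f" (found {near[0]!r}; names must match exactly)" if near else ""))
    return findings
```

Running `check_cwa(GOOD)` returns an empty list, while `check_cwa(BROKEN)` reports the missing Flex group mapping and the case mismatch on the standard ACL name.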