11-17-2019 01:44 AM - edited 11-18-2019 06:32 PM
Hello,
I'm working on a deployment where we need to redirect wireless guests to a web portal for authentication. We're using CWA: the RADIUS server sends a url-redirect to the NAD (Meraki AP), as well as the url-redirect ACL that is meant to specify the traffic to be redirected.
The guest network is separate from the office network, hence there are two VRFs (Office VRF and Guest VRF).
Guest traffic accesses the internet via a separate FW from the Office network FW.
I have come up with the following traffic flow based on my understanding of the current setup and have configured the ISE interfaces as below.
Eth0 – Mgmt + RADIUS interface
!
Hostname : ComISE
!
interface GigabitEthernet 0
  ip address 10.18.77.141 255.255.255.0
  ipv6 address autoconfig
  ipv6 enable
!
!
Eth4 – Guest interface for Guest portal
!
ip host 10.81.55.141 iseguest iseguest.com.net
interface GigabitEthernet 4
  ipv6 address autoconfig
  ipv6 enable
  ip address 10.81.55.141 255.255.255.0
  no shutdown
!
! Static route to the Guest subnet via the eth4 gateway
ip route 10.82.152.0 255.255.255.0 gateway 10.81.55.10
!
Issue: the Guest Portal is not working from the Guest PC, though the PSN sends a RADIUS Access-Accept with the redirect URL and ACL to the Meraki AP via interface eth4 (as per the ISE log).
The flow should be as below if I am not wrong; can you please help me validate it?
1. The initial request goes to the Meraki AP, and the Meraki AP sends the MAB request via the office VRF to eth0 of ISE.
2. ISE triggers the initial AuthZ with the redirect ACL on eth4, hence traffic flows from the Guest VRF back to the NAD.
3. The guest should be redirected to the Guest portal (hence the Meraki AP should have reachability to the guest portal, which has been configured on eth4).
4. The guest uses the username/password provided by the sponsor.
5. CoA happens with the full ACL via the PSN on eth0 / office VRF, as the guest has been identified in the ISE database.
I have done some troubleshooting to identify the issue:
- ISE can reach the guest subnet gateway via eth0
- ISE can reach the Guest interface subnet gateway
- The guest can reach ISE on the guest interface
- I can ping the Meraki (NAD) from ISE
- If I use the Guest portal on eth0 (office VRF) and use the office subnet as the guest subnet, then the guest can open the guest portal.
Do you think any of the following could be the issue?
The Meraki AP NAD does not have reachability to the guest interface eth4? Or the Meraki AP is not learning routes to reach the Guest portal IP?
The access switch where the Meraki is connected is not propagating the guest interface IP (from the Guest VRF) into the office VRF where the Meraki is sitting?
Should there be some routing between the Guest VRF and the Office VRF so the NAD (Meraki AP) can reach the guest portal?
Any thoughts or recommendations?
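The reachability question in the post (does the party that has to fetch the portal hold a route to the address the url-redirect points at?) can be modelled before touching the network. The script below is an added illustration, not code from the post, Cisco ISE or Meraki: it parses constructed cisco-av-pair values of the form ISE returns in an Access-Accept (url-redirect and url-redirect-acl), resolves the portal FQDN through a constructed DNS view, and does a longest-prefix-match lookup of the portal address in a constructed per-VRF routing table. The av-pair contents, the DNS entry and the VRF prefixes are all assumptions; the only values taken from the post are the portal FQDN and the eth4 address. Running the same check for the office VRF (where the AP sits) and the guest VRF (where the client sits) shows which side lacks a route, and the helper models a leaked route to see the check turn green.

```python
"""Model whether a given VRF can reach the ISE portal address named in the
url-redirect attribute. Added example; all data is constructed."""
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed Access-Accept cisco-av-pair values; sessionId/portal are placeholders
SAMPLE_AVPAIRS = [
    "url-redirect-acl=GUEST_REDIRECT",
    "url-redirect=https://iseguest.com.net:8443/portal/gateway"
    "?sessionId=PLACEHOLDER&portal=PLACEHOLDER&action=cwa",
]

# Constructed DNS view: portal FQDN from the post's 'ip host' line -> eth4 address
SAMPLE_DNS = {"iseguest.com.net": "10.81.55.141"}

# Constructed per-VRF routing tables (connected + static prefixes only).
# The office VRF, where the AP lives, has no route to the guest interface subnet.
SAMPLE_VRFS = {
    "office": ["10.18.77.0/24", "10.82.100.0/24"],
    "guest": ["10.81.55.0/24", "10.82.152.0/24"],
}


def parse_avpairs(avpairs):
    """Split 'key=value' av-pairs on the first '=' only (the URL itself contains '=')."""
    attrs = {}
    for item in avpairs:
        key, _, value = item.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def longest_match(prefixes, dst):
    """Longest-prefix match of dst against prefix strings; None when no route exists."""
    addr = ip_address(dst)
    best = None
    for prefix in prefixes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def check_portal_reachability(avpairs, dns, vrfs, vrf):
    """Resolve the redirect target and test whether `vrf` holds a route to it."""
    attrs = parse_avpairs(avpairs)
    url = attrs.get("url-redirect")
    if not url:
        return {"ok": False, "vrf": vrf, "finding": "Access-Accept carries no url-redirect"}
    parsed = urlparse(url)
    host = parsed.hostname
    portal_ip = dns.get(host)
    if portal_ip is None:
        return {"ok": False, "vrf": vrf, "portal_host": host,
                "finding": f"{host} does not resolve in this DNS view"}
    route = longest_match(vrfs[vrf], portal_ip)
    ok = route is not None
    return {
        "ok": ok,
        "vrf": vrf,
        "portal_host": host,
        "portal_ip": portal_ip,
        "portal_port": parsed.port or 443,
        "redirect_acl": attrs.get("url-redirect-acl"),
        "route": str(route) if ok else None,
        "finding": (f"{vrf} VRF routes {portal_ip} via {route}" if ok
                    else f"{vrf} VRF has no route to {portal_ip}: the portal is unreachable "
                         "from here even though the redirect attributes are correct"),
    }


def with_leaked_route(vrfs, into_vrf, prefix):
    """Copy the tables and add one prefix to `into_vrf` (models inter-VRF route leaking)."""
    patched = {name: list(routes) for name, routes in vrfs.items()}
    patched[into_vrf].append(prefix)
    return patched


if __name__ == "__main__":
    for vrf in ("office", "guest"):
        print(check_portal_reachability(SAMPLE_AVPAIRS, SAMPLE_DNS, SAMPLE_VRFS, vrf)["finding"])
    leaked = with_leaked_route(SAMPLE_VRFS, "office", "10.81.55.0/24")
    print(check_portal_reachability(SAMPLE_AVPAIRS, SAMPLE_DNS, leaked, "office")["finding"])
```

To use it against a real setup, replace the constructed tables with the prefixes actually present in each VRF (and the DNS answer the AP's resolver and the client's resolver each return), then run the check once per party that has to open the portal. A negative result for one VRF points at missing inter-VRF routing or DNS rather than at the RADIUS attributes, which is the distinction the troubleshooting list above is trying to make.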
11-18-2019 10:19 AM