ISE-Guest Portal Redirection

eng.malak
Level 1

Dears

I have configured everything right for the guest login and everything is going the way I want, except one thing: the switch doesn't force the guest to be web-redirected to the ISE login page. However, the output of the below command looks perfect, and when I copy the URL manually it works. So how can I make it automatic?

ISE-SWITCH#sh authen se int f0/12
            Interface:  FastEthernet0/12
          MAC Address:  c80a.a96a.47b1
           IP Address:  Unknown
            User-Name:  C8-0A-A9-6A-47-B1
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
              ACS ACL:  xACSACLx-IP-CENTRAL_WEB_AUTH-50683952
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://EG1SHQ06.HEIWAY.NET:8443/guestportal/gateway?sessionId=0A8B080600000005001ECF63&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A8B080600000005001ECF63
      Acct Session ID:  0x00000007
               Handle:  0xD9000005
Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

ISE-SWITCH#sh ip access-l
Extended IP access list ACL-WEBAUTH-REDIRECT
    10 deny ip any host 10.139.8.216
    11 permit tcp any any eq www
    12 permit tcp any any eq 443
Extended IP access list Auth-Default-ACL-OPEN
    10 permit ip any any (314 matches)
Extended IP access list xACSACLx-IP-CENTRAL_WEB_AUTH-50683952 (per-user)
    10 permit udp any any eq domain
    20 permit icmp any any
    30 permit tcp any any eq www
    40 permit tcp any any eq 443
    50 permit tcp any host 10.139.8.216 eq 8443

5 Replies

Tarik Admani
VIP Alumni

Hi,

Can you post the following output:

show run | inc aaa
show run | inc ip http
show run interface f0/12

Tarik Admani
*Please rate helpful posts*

Sure

show run | inc aaa
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa server radius dynamic-author
aaa session-id common

show run | inc ip http
ip http server
ip http secure-server

show run interface f0/12
interface FastEthernet0/12
 switchport access vlan 114
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast

Hi,

You are missing your pre-auth ACL; right now you have all traffic flowing through regardless of the redirect URL...

Here is a guide that will help you build the pre-auth ACL.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_sw_cnfg.html#wp1059724

Thanks

Tarik Admani
*Please rate helpful posts*
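A small checker for the point raised in this reply, added here as an example (not code from the thread, from Cisco, or from ISE): it parses the posted `show ip access-list` and `show run interface` output, applies the IOS redirect-ACL semantics (a `permit` entry means "intercept and send the portal URL", a `deny` or no match means "forward normally") to sample flows, and flags a port in `authentication open` mode that has no `ip access-group <acl> in`, in which case the switch falls back to `Auth-Default-ACL-OPEN`. The sample text is a constructed excerpt of the output above; the function names and the flow addresses are this example's own.

```python
import re

# Constructed excerpts of the 'show ip access-list' / 'show run interface' output above.
SHOW_ACL = """\
Extended IP access list ACL-WEBAUTH-REDIRECT
    10 deny ip any host 10.139.8.216
    20 permit tcp any any eq www
    30 permit tcp any any eq 443
"""
INTERFACE_CONFIG = """\
interface FastEthernet0/12
 authentication open
 authentication port-control auto
"""
ACE_RE = re.compile(r"^\s*\d+\s+(permit|deny)\s+(\S+)\s+(any|host \S+)\s+(any|host \S+)"
                    r"(?:\s+eq\s+(\S+))?")
PORT_NAMES = {"www": 80, "domain": 53, "tftp": 69, "bootps": 67, "bootpc": 68}  # IOS keywords

def parse_acl(show_output, name):
    """Return the ACEs of one ACL as (action, proto, dst_host_or_None, dst_port_or_None)."""
    aces, in_acl = [], False
    for line in show_output.splitlines():
        if line.startswith("Extended IP access list"):
            in_acl = line.split()[4] == name  # word 4 is the name; "(per-user)" may follow
            continue
        m = ACE_RE.match(line)
        if in_acl and m:
            action, proto, _src, dst, port = m.groups()
            host = None if dst == "any" else dst.split()[1]
            port = None if port is None else int(PORT_NAMES.get(port, port))
            aces.append((action, proto, host, port))
    return aces

def is_redirected(aces, proto, dst_ip, dst_port):
    """IOS redirect-ACL semantics: first matching ACE wins; 'permit' = intercept and send the
    portal URL, 'deny' or no match = forward normally (hence the leading deny toward ISE)."""
    for action, a_proto, a_host, a_port in aces:
        if (a_proto not in ("ip", proto) or (a_host is not None and a_host != dst_ip)
                or (a_port is not None and a_port != dst_port)):
            continue
        return action == "permit"
    return False

def missing_preauth_acl(interface_config):
    """True for an 'authentication open' port with no 'ip access-group <acl> in': the switch
    then uses Auth-Default-ACL-OPEN (permit ip any any), the gap the reply above points out."""
    lines = [l.strip() for l in interface_config.splitlines()]
    has_acl = any(l.startswith("ip access-group ") and l.endswith(" in") for l in lines)
    return "authentication open" in lines and not has_acl
```

Run `parse_acl` against the full `show ip access-list` output and `missing_preauth_acl` against the interface stanza; a guest HTTP flow to any outside host should come back as redirected, while the flow to the ISE node on 8443 must not, or the client would loop on the portal itself.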

Interesting, I will visit my customer soon and I will update you. Thanks a lot.

I made these changes and even upgraded the switch IOS to 12.2(58)SE2, but no luck.

Any other idea?

ISE-SWITCH#sh ip access-l
Extended IP access list ACL-DEFAULT
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit udp any any eq tftp
    50 permit tcp any host 10.139.8.216 eq www
    60 permit tcp any host 10.139.8.216 eq 443
    70 permit tcp any host 10.139.8.216 eq 8443
    80 permit tcp any host 10.139.8.216 eq 8905
    90 permit udp any host 10.139.8.216 eq 8905
    100 permit udp any host 10.139.8.216 eq 8906
    110 permit tcp any host 10.139.8.216 eq 8080
    120 permit udp any host 10.139.8.216 eq 9996
    130 deny ip any any log
Extended IP access list ACL-POSTURE-REDIRECT
    10 deny udp any any eq domain
    20 deny udp any host 10.139.8.216 eq 8905
    30 deny udp any host 10.139.8.216 eq 8906
    40 deny tcp any host 10.139.8.216 eq 8443
    50 deny tcp any host 10.139.8.216 eq 8905
    60 deny tcp any host 10.1.252.21 eq www
    70 permit ip any any
Extended IP access list ACL-WEBAUTH-REDIRECT
    10 deny ip any host 10.139.8.216
    20 permit tcp any any eq www
    30 permit tcp any any eq 443
Extended IP access list Auth-Default-ACL-OPEN
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit udp any any eq tftp
    50 permit tcp any host 10.139.8.216 eq www
    60 permit tcp any host 10.139.8.216 eq 443
    70 permit tcp any host 10.139.8.216 eq 8443
    80 permit tcp any host 10.139.8.216 eq 8905
    90 permit udp any host 10.139.8.216 eq 8905
    100 permit udp any host 10.139.8.216 eq 8906
    110 permit tcp any host 10.139.8.216 eq 8080
    120 permit udp any host 10.139.8.216 eq 9996
    130 deny ip any any
Extended IP access list xACSACLx-IP-CENTRAL_WEB_AUTH-50683952 (per-user)
    10 permit udp any any eq domain
    20 permit icmp any any
    30 permit tcp any any eq www
    40 permit tcp any any eq 443
    50 permit tcp any host 10.139.8.216 eq 8443