ISE & Switch URL redirect not working

Hiep Nguyen
Level 1

Dear team,

I'm setting up a Guest portal for wired users. Everything seems to be okay: the PC gets MAB authz success, and ISE pushes the URL redirect to the switch. The only problem is that when I open the browser, it is not redirected.

Here is some output from my 3560C:

Cisco IOS Software, C3560C Software (C3560c405-UNIVERSALK9-M), Version 12.2(55)EX3

SW3560C-LAB#sh auth sess int f0/3
            Interface:  FastEthernet0/3
          MAC Address:  f0de.f180.13b8
           IP Address:  10.0.93.202
            User-Name:  F0-DE-F1-80-13-B8
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
     URL Redirect ACL:  redirect
         URL Redirect:  https://BYODISE.byod.com:8443/guestportal/gateway?sessionId=0A005DF40000000D0010E23A&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A005DF40000000D0010E23A
      Acct Session ID:  0x00000011
               Handle:  0xD700000D
Runnable methods list:
       Method   State
       mab      Authc Success

SW3560C-LAB#sh epm sess summary
EPM Session Information
-----------------------
Total sessions seen so far : 10
Total active sessions      : 1
Interface            IP Address   MAC Address       Audit Session Id:
-----------------------------------------------------------------------------
FastEthernet0/3       10.0.93.202  f0de.f180.13b8    0A005DF40000000D0010E23A

Could you please help to explore the problem? Thank you very much.

3 Replies

Tarik Admani
VIP Alumni

Hi,

Seems like you need to implicitly deny DNS traffic in your redirect ACL. Also I do not see the dACL being sent from ISE down to the client as a part of the redirection configuration.

Thanks,

Tarik Admani
*Please rate helpful posts*
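Tarik's point about the redirect ACL is the usual first check for CWA on an IOS switch: in a URL-redirect ACL a "deny" line means "do not intercept, let it pass", and a "permit" line means "intercept and redirect", so DNS and traffic to the ISE node itself must be denied or the client can never resolve the portal name or reach port 8443. The following configuration is an added illustration, not taken from the thread or from the original poster's switch; the ACL name "redirect" matches the show output above, while the ISE address 192.0.2.10 and the interface ACL name PRE-AUTH are placeholders.

```text
! Redirect ACL (named "redirect" as in the show output).
! deny   = bypass the redirect, let the traffic through
! permit = intercept the flow and send the client to the ISE portal
ip access-list extended redirect
 deny   udp any any eq domain
 deny   ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
! On 12.2(55) a port ACL (or a dACL from ISE) is still needed to let the
! pre-authentication traffic through; it becomes optional on 15.0 and later.
! The name PRE-AUTH is a placeholder.
ip access-list extended PRE-AUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 permit ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any
!
interface FastEthernet0/3
 switchport mode access
 ip access-group PRE-AUTH in
 authentication host-mode multi-domain
 authentication port-control auto
 mab
!
! The switch's own HTTP(S) server performs the interception.
ip http server
ip http secure-server
```

To verify, `show ip access-lists redirect` should show hit counts on the `permit tcp ... eq www` line when the client opens a browser, and `show authentication sessions interface f0/3` should list both the redirect ACL and the redirect URL as in the output above; if the permit counters stay at zero the traffic is never reaching the redirect ACL.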

Thank you Tarik for your response. I tried every way and finally, upgrading to IOS ver 15.0 made it work. Thanks

With switch IOS versions later than 15.0 the default interface ACL is not required. For URL redirection the dACL is not required either, as that ACL is part of the traffic restriction for "guest" users.

In my experience some users cannot get the redirect correctly because an anti-spoof ACL on the management VLAN or a stateful firewall blocks the TCP SYN ACK.

It is rare in a campus network for access layer switches to have a user SVI configured, so the redirect traffic has to be sent from the netman SVI; but, trickily, the TCP SYN ACK from the HTTP server will be sent back from the netman VLAN with the source IP unchanged. (The switch is spoofing the source IP, in my understanding, changing only the MAC address of the packet.) In most cases there is a basic ACL residing on the netman SVI of the first hop router, where the TCP SYN ACK may be dropped by the ACL.

Tips:

1. "debug epm redirect" can confirm that your traffic matches the redirect URL and will get intercepted by the switch.

2. It will be an ACL or firewall issue if you can see EPM redirecting your HTTP request but cannot see the SYN ACK from the requested server.

Which can win the race: increasing bandwidth with new technologies VS QoS?

-- Best Regards