ISE URL redirection not work when the gateway for the vlan is on firew

Hevin27
Level 1

Hi guys,

I'm new to ISE, and we are currently deploying ISE to production to authenticate users. The issue we are encountering is guest self-registration. For security reasons, the network where the guests are located is a separate zone on the firewall. When a guest accesses the network, ISE delivers a redirect URL so the visitor can self-register. ISE is able to deliver the redirect URL and apply the ACL to the interface, but the client does not automatically pop up the browser and redirect to the self-registration page, and the redirect cannot be triggered by manually accessing a website either. However, copying the redirect URL that ISE delivered to the switch interface into the client's browser does work. (There is a policy on the firewall that allows the switch's management IP to reach the guest network.) I checked the forums and found that the firewall might be blocking the one-way traffic from the spoofed IP to the client VLAN. With the same configuration, if I change the VLAN ID delivered by ISE to one whose SVI is on the core switch, there is no problem at all. So I believe it is the firewall that implicitly blocks this traffic. Has anyone been in this situation? How should it be resolved?

1. I enabled a guest SVI on the authentication switch as suggested on the forum and it works.
2. Someone suggested enabling redirects for L2, but I don't know how to do it and don't know if it works.


4 Replies

The FW must have a policy allowing the guest IP to access the ISE URL.

If you add this policy and it still does not work, then check whether the URL redirect uses an IP or a hostname; if it uses a hostname, check DNS from the guest by doing a DNS lookup.

MHM

In fact, we found that the underlying situation is that stateful firewalls drop traffic that is modified. In the case of a stateful firewall, it sees one-way traffic, which is dropped even if a policy is established.


So this issue is solved?

Thanks

MHM

Yes, for the NGFW, we need to disable the TCP SYN check of the source zone; then the one-way traffic can pass through the NGFW.

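To make the "one-way traffic" diagnosis in this thread concrete, here is an added Python model (not from the original posts, not Cisco code) of a stateful firewall's TCP SYN check. It assumes the CWA behaviour described above: the redirect ACL makes the access switch answer the guest's HTTP SYN locally with a reply spoofed from the web server's address, so the firewall never sees the SYN; when the guest VLAN's gateway is on the firewall, that spoofed SYN-ACK is routed through it with no matching flow state. Addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "S" = SYN, "SA" = SYN-ACK, "A" = ACK

class StatefulFirewall:
    """Minimal stateful inspection: a TCP segment is permitted only if it
    opens a flow (plain SYN) or belongs to a flow already in the table."""
    def __init__(self, tcp_syn_check=True):
        self.tcp_syn_check = tcp_syn_check
        self.flows = set()          # (src, dst, sport, dport) of the initiator

    def inspect(self, seg):
        fwd = (seg.src, seg.dst, seg.sport, seg.dport)
        rev = (seg.dst, seg.src, seg.dport, seg.sport)
        if fwd in self.flows or rev in self.flows:
            return "permit"                  # known flow, either direction
        if seg.flags == "S":
            self.flows.add(fwd)              # first SYN creates state
            return "permit"
        if self.tcp_syn_check:
            return "drop"                    # mid-stream segment, no state
        self.flows.add(rev)                  # SYN check off: adopt the flow
        return "permit"

# Constructed addresses: the guest client and a web site it opens. The
# switch's spoofed redirect reply is sourced from the web site's address.
GUEST, WEB = "10.9.9.50", "93.184.216.34"

def normal_flow_verdicts():
    """Traffic that really transits the firewall: SYN, then SYN-ACK."""
    fw = StatefulFirewall()
    return [fw.inspect(Segment(GUEST, WEB, 40000, 80, "S")),
            fw.inspect(Segment(WEB, GUEST, 80, 40000, "SA"))]

def cwa_redirect_verdict(gateway_on_firewall, tcp_syn_check=True):
    """Verdict on the switch's spoofed SYN-ACK that carries the ISE redirect.
    The switch answered the guest's SYN on the access port, so the firewall
    never saw it. With the guest gateway on the firewall, the spoofed reply
    is routed through it with no state; with a guest SVI on the
    authenticating switch it never leaves the switch ('local')."""
    if not gateway_on_firewall:
        return "local"
    fw = StatefulFirewall(tcp_syn_check)
    return fw.inspect(Segment(WEB, GUEST, 80, 40000, "SA"))
```

Running it shows the two fixes from the thread: the guest SVI on the authenticating switch keeps the reply off the firewall entirely, and relaxing the SYN check on the source zone lets the stateless-looking SYN-ACK through.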