07-11-2024 03:21 AM
Hi guys,
I'm new to ISE and recently we are deploying ISE to production to authenticate users. The issue currently encountered is guest self-registration. For security reasons, the network where the guest is located is a separate area on the firewall, when a guest accesses the network, ISE will deliver a redirect URL for the visitor to self-register. ISE is able to deliver the redirect URL and call the ACL to the interface, but the client does not automatically pop up the browser and redirect to the self-registration page, and redirects cannot be triggered by manual access a website either, but copying the redirect URL delivered by ISE to the switch interface to the client is accessible .(There is a policy on the firewall to allow the switch to manage the IP to the guest network.). I checked the forums and found that the firewall might be blocking the one-way traffic from spoofed IP to client VLAN. With the same configuration, if I modify the vlan-id delivered by ISE to the SVI which is on the core switch, it is no problem at all. So I believe it's the firewall that implicitly blocks this traffic. Has anyone ever been in this situation? How should it be resolved?
1. I enabled a guest SVI on the authentication switch as suggested on the forum and it works.
2. Someone suggested enabling redirects for L2, but I don't know how to do it and don't know if it works.
07-11-2024 05:13 AM
FW must have policy allow guest IP to access ise url
If you add this policy and not work' then check if url redirect is use IP or hostname' if it use hostname then check dns from guest by using dns lookup.
MHM
07-25-2024 12:53 AM
In fact, we found that the underlying situation is that stateful firewalls drop traffic that is modified. In the case of a stateful firewall, he sees a one-way traffic that is dropped even if a policy is established.
07-25-2024 06:47 AM
so this issue is solved ?
Thanks
MHM
07-26-2024 01:26 AM
yes, for the NGFW, we need to disable the tcp syn check of source zone, then the one-way traffic can through the NGFW.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide