09-26-2012 09:58 AM - edited 03-10-2019 07:35 PM
Everything should be OK on ISE and the switch.
The switch is configured with its own IP on VLAN 22.
The PSN is on VLAN 44,
and ISE is configured for the web authentication policy to occur on the logon VLAN (33).
The service is reachable by entering the policy service IP address on port 8443; authentication is successful, the ACL is downloaded and the redirect URL is pushed properly to the switch, but the redirect never occurs.
Instead a blank page (host not reachable) is displayed.
The clients on VLAN 33 can resolve DNS without problems.
The firewall has been set to let VLAN 44 and 33 talk to each other on ports 80, 443, 8443.
It looks like the switch's http/s server is not making any difference, maybe because it is on another VLAN, though it is routed.
Can someone help me?
I would really appreciate a flow chart on how web redirect works in ISE and the role of the HTTP server.
PS: the switch does not support the ip route command.
09-26-2012 10:36 AM
Hi,
Is the default gateway present on the switch? Or is the VLAN trunked up to a distribution switch?
Thanks,
Tarik Admani
*Please rate helpful posts*
09-26-2012 02:41 PM
The switch is preconfigured with
ip default-gateway x.x.x.1 (VLAN 22)
and trunked up.
Thanks
09-26-2012 03:08 PM
Please make the changes so that VLAN 22 and 33 can talk to each other on ports 80 and 443 (for the redirection to work).
Here is the guide that will help:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html
Figure 3. TCP Traffic Flow for Login Page When No Layer 3 SVI for Host VLAN Exists on Access Switch
Thanks,
Tarik Admani
*Please rate helpful posts*
09-26-2012 11:21 PM
I'll check today, but it should do.
That was something I tested from the client by trying a telnet on port 8443.
However, I'll remove the ACL on ISE to make sure.
09-27-2012 02:55 AM
Thank you very much for the resources. From there I learned about the redirection flow and now I'm quite sure of the possible cause: the stateful firewall blocking the SYN-ACK from the switch that is supposed to be returned to the client with the fake IP address of the destination (acquired by the client's DNS query).
Do you have any suggestion on how to turn off stateful inspection for ports 80 and 443 on the firewall?
Consider that there is a global rule on it to enable inspection everywhere....
Can a hierarchical rule be made to disable this only on the networks where it is meant not to be applied?
Moreover, I think I should allow http/s communication on the firewall from the internet to the login network, because the firewall itself will block it, thinking that the request comes from there...
09-27-2012 08:15 AM
Guiliano,
Your best bet for a reliable answer would be to post this as a side question on the firewalling forums. Please remember to post back to help future customers on how things go!
Thanks,
Tarik Admani
*Please rate helpful posts*
09-28-2012 04:50 AM
However, not everything is working as it should. Sometimes the ACLs are not pushed properly and the redirect ACL does not show any hit (often); sometimes the CentralWebAuth ACL is not pushed properly and "show ip access-list interface" results in blank output.
interface GigabitEthernet1/0/10
description Porte dot1x - voip ISE
switchport access vlan 300
switchport mode access
switchport voice vlan 818
ip access-group ACL-ALLOW in
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 300
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 10
auto qos trust
spanning-tree portfast
spanning-tree bpduguard enable
end
The show authentication sessions output for the interface is:
Interface: GigabitEthernet1/0/10
MAC Address: 20cf.3017.645b
IP Address: 172.31.105.132
User-Name: 20-CF-30-17-64-5B
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 300
ACS ACL: xACSACLx-IP-CentralWebAuth-5062f332
URL Redirect ACL: redirect
URL Redirect: https://ISEC3395.omitted.omitted:8443/guestportal/gateway?sessionId=AC1F552F0000000A001A6FD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1F552F0000000A001A6FD2
Acct Session ID: 0x0000000D
Handle: 0x7C00000A
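Added example (my own code, not from the thread or from Cisco): a small parser for the "show authentication sessions interface ... details" output posted above, with a check for the attributes a CWA session must carry before the switch can redirect anything (dACL, redirect ACL, redirect URL, a learned client IP, and a sessionId in the URL that matches the Common Session ID). The first sample is the session from the thread; the second is a constructed variant of the "ACL not pushed" case described in the post, and the expected redirect ACL name "redirect" and portal port 8443 are taken from the thread.

```python
"""Parse 'show authentication sessions interface ... details' output and
check whether the Central Web Authentication (CWA) redirection state was
actually applied to the session.  Added example, not Cisco code; the field
names are the ones IOS prints in the thread above."""
import re
from urllib.parse import urlsplit, parse_qs

# Session output copied from the thread (PSN hostname already redacted there).
SESSION_OK = """\
Interface: GigabitEthernet1/0/10
MAC Address: 20cf.3017.645b
IP Address: 172.31.105.132
User-Name: 20-CF-30-17-64-5B
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 300
ACS ACL: xACSACLx-IP-CentralWebAuth-5062f332
URL Redirect ACL: redirect
URL Redirect: https://ISEC3395.omitted.omitted:8443/guestportal/gateway?sessionId=AC1F552F0000000A001A6FD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1F552F0000000A001A6FD2
Acct Session ID: 0x0000000D
Handle: 0x7C00000A
"""

# Constructed variant of the failure described in the post: the session is
# authorized, but the dACL and the redirect attributes never reached the
# switch and the switch has not learned the client's IP.
SESSION_NO_REDIRECT = """\
Interface: GigabitEthernet1/0/10
MAC Address: 20cf.3017.645b
IP Address: Unknown
User-Name: 20-CF-30-17-64-5B
Status: Authz Success
Domain: DATA
Authorized By: Authentication Server
Vlan Policy: 300
Common Session ID: AC1F552F0000000A001A6FD2
"""


def parse_session(text):
    """Turn the 'Key: Value' lines into a dict (the first colon splits the pair,
    so the https:// in the redirect URL is kept intact)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def check_cwa_session(fields, expected_redirect_acl="redirect", portal_port=8443):
    """Return the list of problems that would explain a missing redirect."""
    problems = []
    if fields.get("Status") != "Authz Success":
        problems.append("session not authorized: %s" % fields.get("Status"))
    ip = fields.get("IP Address", "")
    if not re.match(r"\d+\.\d+\.\d+\.\d+$", ip):
        problems.append("switch has no IP for the host (check ip device tracking)")
    if "ACS ACL" not in fields:
        problems.append("no dACL (ACS ACL) applied")
    acl = fields.get("URL Redirect ACL")
    if acl != expected_redirect_acl:
        problems.append("URL Redirect ACL is %r, expected %r" % (acl, expected_redirect_acl))
    url = fields.get("URL Redirect")
    if not url:
        problems.append("no URL Redirect attribute on the session")
        return problems
    parts = urlsplit(url)
    sid = parse_qs(parts.query).get("sessionId", [None])[0]
    if sid != fields.get("Common Session ID"):
        problems.append("sessionId in redirect URL does not match Common Session ID")
    if parts.scheme != "https" or parts.port != portal_port:
        problems.append("redirect URL is not https on portal port %d" % portal_port)
    return problems


def redirect_target(fields):
    """Host and port the client must be able to reach for the redirect to
    work (the URL to try by hand in a browser, as suggested later in the
    thread); None when no redirect URL is present."""
    url = fields.get("URL Redirect")
    if not url:
        return None
    parts = urlsplit(url)
    return parts.hostname, parts.port


if __name__ == "__main__":
    for label, raw in (("ok", SESSION_OK), ("broken", SESSION_NO_REDIRECT)):
        f = parse_session(raw)
        print(label, check_cwa_session(f) or "redirect state complete", redirect_target(f))
```

Running it reports the thread's session as complete and lists, for the constructed one, the missing client IP, the missing dACL, the missing redirect ACL and the missing URL, which is the state in which the redirect ACL can never show a hit.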
10-01-2012 11:28 AM
The solution was to disable stateful inspection between the firewall's interfaces. Please keep in mind that creating an inspection class for TCP traffic only is not sufficient; be sure to check "all protocols".
10-01-2012 11:43 AM
Thanks for the feedback, please do not forget to mark this thread as resolved and to rate any helpful feedback.
Thanks,
Tarik Admani
08-31-2022 09:43 PM
What if there is no firewall in between? What I am doing right now in my local environment is having 3 devices: supplicant, authenticator (which is a switch) and AAA (ISE 2.4).
Supplicant: Win 10 with firewall OFF.
I am successfully able to perform dot1x authentication and also the client provisioning web redirection, which is reflected in the result on the switch when running the command
#show authentication session int g1/1 details
The web redirect URI is placed. It is getting hits as well on the PREAUTH, as well as the compliant-unknown authorization policy and authentication policy. The only part which is not working here is the redirection to the client provisioning page from the supplicant.
I made a reverse route on ISE so that there will be IP reachability between the supplicant and ISE, but still the redirection is not working. Is there any patch which I am supposed to consider installing on ISE?
08-31-2022 10:09 PM - edited 08-31-2022 10:11 PM
If you copy the URL from "show authentication session int g1/1 details" and paste it into the client's browser, does it work?
Share the redirect ACL, share the client debug from ISE if possible, make sure CoA is enabled on the switch, make sure the https and http services are enabled on the switch.
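Added example (my own code, not from the thread or from Cisco) for the checklist in the reply above: a lint over a switch running-config for the prerequisites CWA redirection depends on, namely the HTTP and HTTPS servers that answer the intercepted connection, a CoA client for the PSN under "aaa server radius dynamic-author", "ip device tracking" so the switch learns the client IP, and a redirect ACL that permits (i.e. intercepts) only TCP 80/443 and denies traffic to the PSN before those permits, so the client can reach the portal it is sent to. Both configs are constructed; 192.0.2.10 is a placeholder for the PSN address and "redirect" is the ACL name from the session output earlier in the thread.

```python
"""Lint an IOS running-config for the pieces ISE Central Web Authentication
redirection depends on.  Added example, not Cisco code.  PSN address and the
sample configs are constructed placeholders."""

PSN_IP = "192.0.2.10"          # placeholder for the ISE policy service node
REDIRECT_ACL = "redirect"      # redirect ACL name seen in the session output

# Constructed config with the weak settings: HTTPS server disabled, no CoA
# client, and a redirect ACL that also intercepts traffic to the PSN, so the
# client can never reach the portal it was redirected to.
CONFIG_WEAK = """\
hostname access-sw
ip device tracking
ip http server
no ip http secure-server
ip access-list extended redirect
 permit tcp any any eq www
 permit tcp any any eq 443
interface GigabitEthernet1/0/10
 switchport access vlan 300
 authentication port-control auto
 mab
 dot1x pae authenticator
end
"""

# Constructed corrected config: deny to the PSN precedes the permits, so
# the portal connection itself is never intercepted.
CONFIG_OK = """\
hostname access-sw
ip device tracking
ip http server
ip http secure-server
aaa server radius dynamic-author
 client 192.0.2.10 server-key PLACEHOLDER_KEY
ip access-list extended redirect
 deny udp any any eq domain
 deny ip any host 192.0.2.10
 permit tcp any any eq www
 permit tcp any any eq 443
interface GigabitEthernet1/0/10
 switchport access vlan 300
 authentication port-control auto
 mab
 dot1x pae authenticator
end
"""


def parse_config(text):
    """Split IOS config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint_cwa_config(text, psn_ip=PSN_IP, redirect_acl=REDIRECT_ACL):
    """Return a list of findings; an empty list means the prerequisites are met."""
    blocks = parse_config(text)
    top = {line for line, _ in blocks}
    children = {line: kids for line, kids in blocks}
    findings = []
    if "ip http server" not in top:
        findings.append("ip http server missing: intercepted port-80 connections get no answer")
    if "ip http secure-server" not in top:
        findings.append("ip http secure-server missing: intercepted port-443 connections get no answer")
    if "ip device tracking" not in top:
        findings.append("ip device tracking missing: switch cannot learn the client IP")
    coa = children.get("aaa server radius dynamic-author")
    if coa is None or not any(k.startswith("client %s " % psn_ip) for k in coa):
        findings.append("no CoA client for PSN %s under aaa server radius dynamic-author" % psn_ip)
    acl = children.get("ip access-list extended %s" % redirect_acl)
    if acl is None:
        findings.append("redirect ACL %r not defined on the switch" % redirect_acl)
        return findings
    # In a redirect ACL, permit entries select traffic to intercept and deny
    # entries exempt it; the PSN must be exempted before any permit matches.
    permits = [i for i, e in enumerate(acl) if e.startswith("permit ")]
    deny_psn = [i for i, e in enumerate(acl) if e.startswith("deny ") and psn_ip in e]
    if not deny_psn or (permits and deny_psn[0] > permits[0]):
        findings.append("redirect ACL must deny traffic to PSN %s before its permit entries" % psn_ip)
    if not any(e.startswith("permit tcp") and e.endswith(("eq www", "eq 80")) for e in acl):
        findings.append("redirect ACL does not intercept HTTP (permit tcp ... eq www)")
    if not any(e.startswith("permit tcp") and e.endswith("eq 443") for e in acl):
        findings.append("redirect ACL does not intercept HTTPS (permit tcp ... eq 443)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", CONFIG_WEAK), ("ok", CONFIG_OK)):
        print(label, lint_cwa_config(cfg) or "prerequisites present")
```

The weak config produces three findings (no HTTPS server, no CoA client, PSN not exempted from the redirect ACL); the corrected one produces none. The lint only covers the switch side: as the earlier posts show, a stateful device between the client and the switch can still break the redirect.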
09-01-2022 04:40 AM
Yes, when I copied the URL from the Redirect URI parameter into the supplicant, it worked and I was able to perform the assessment. But automatic redirection is not happening.
And yes, CoA and the http service were a good point you made; somehow I didn't realize that, and I added them. Thanks for that.
09-01-2022 04:04 AM
In addition to the below comments, it may also be time to start thinking about an ISE upgrade: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/bulletin-c25-743964.html