03-28-2024 07:40 AM - edited 03-28-2024 07:40 AM
Hello
We've successfully enabled the ISE Guest Portal on our WLC, and it works well with PCs until we apply explicit proxy settings. After configuring the proxy, the guest portal no longer appears; instead, the PC tries to access the proxy server, bypassing the ISE redirection.
We attempted a workaround by adding our domain (portal.company.com and *.company.com) to the proxy's exceptions list, but the PC continues to prioritize the proxy server.
Any advice on how to ensure the guest portal is accessed before the proxy intervention?
Thanks for your insights.
Labels: Guest, Identity Services Engine (ISE)
Accepted Solutions
04-08-2024 01:41 AM
Hi,
I finally found the solution to get the redirection to work with the explicit proxy.
I had to add this Microsoft redirect URL to the proxy bypass:
"www.msftconnecttest.com/*"
03-29-2024 01:41 AM
If the proxy settings are applied on the PC, isn't that normal?
M.
-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'
03-29-2024 03:12 AM
It is normal in a standard situation, but it must be dealt with when using redirection for web authentication.
03-29-2024 02:11 AM
Just thinking: for this use case, try to use a WPAD file rather than manually configuring the proxy. You can also use DHCP options (if that works).
https://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector3000/WPADAP.html
Or, in the browser proxy exception URL list, add the local domain that you would like to go to directly.
03-29-2024 03:15 AM - edited 03-29-2024 03:16 AM
I've done the exception, but I think the actual problem is that ISE redirection is overwritten by the proxy. So the client is never redirected to the ISE Portal. If I type the portal address manually I can get to it.
03-29-2024 05:31 AM
Does the proxy know how to reach that URL?
"If I type the portal address manually I can get to it." (Using the proxy settings?)
This requires some troubleshooting to understand the flows: where is it dropping? When the user authenticates, do you see a request in the proxy going to the redirect URL? Is it denied or allowed?
How is your proxy configured for authentication?
Maybe this guide can help you:
https://ciscocustomer.lookbookhq.com/iseguidedjourney/ise-manage-on-my-device-portal
04-02-2024 03:35 AM
Thank you for providing the link.
It appears to be an issue related to architecture.
Setting up an explicit proxy causes the PC to attempt connection with the proxy server prior to interacting with the ISE Captive Portal, regardless of bypass settings for local and ISE URLs. The PC persists in trying to connect to the proxy server.
However, authentication with the ISE Captive Portal is required before the PC can establish a connection to the proxy server.
A potential solution might be to configure the proxy as a transparent proxy operating at the VLAN level.
04-09-2024 12:10 AM
This was a recent change in Microsoft: as soon as you connect to the network, it checks with the domain mentioned (connect.txt). That is where all the issues started. Once we do the same, Outlook and other stuff start to work too.
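
The bypass from the accepted solution, expressed as the PAC file a WPAD deployment (suggested earlier in the thread) would serve. This is an added example, not code from any post in this thread; the hostnames are the ones quoted above, and the proxy address and helper names are constructed placeholders.

```javascript
// PAC file sketch (added example, not from the thread).
// PROXY is a constructed placeholder: replace with the real proxy host:port.
var PROXY = "PROXY proxy.example.invalid:8080";

// Hosts fetched DIRECT so the WLC can intercept the plain request and
// answer with the ISE redirect before the client has authenticated.
// Exact names only: a wildcard here would widen the unproxied surface.
var DIRECT_HOSTS = [
  "www.msftconnecttest.com", // Windows connectivity probe named in the thread
  "portal.company.com"       // guest portal FQDN from the original post
];

// Domain suffixes sent DIRECT (the *.company.com exception from the thread).
var DIRECT_SUFFIXES = [".company.com"];

// ES3-safe suffix test: older PAC engines lack String.prototype.endsWith.
function hasSuffix(host, suffix) {
  var i = host.length - suffix.length;
  return i >= 0 && host.indexOf(suffix, i) === i;
}

function isDirectHost(host) {
  // Normalise case and a trailing dot so "PORTAL.company.com." still matches.
  var h = String(host).toLowerCase().replace(/\.$/, "");
  var i;
  for (i = 0; i < DIRECT_HOSTS.length; i++) {
    if (h === DIRECT_HOSTS[i]) return true;
  }
  for (i = 0; i < DIRECT_SUFFIXES.length; i++) {
    // Leading dot in the suffix keeps "notcompany.com" out of the bypass.
    if (hasSuffix(h, DIRECT_SUFFIXES[i])) return true;
  }
  return false;
}

// Entry point the browser or OS calls for every request.
function FindProxyForURL(url, host) {
  if (isDirectHost(host)) return "DIRECT";
  return PROXY; // everything else still goes through the explicit proxy
}
```

Matching the probe host exactly means a look-alike name such as `www.msftconnecttest.com.example.net` is still sent to the proxy and its filtering.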
