
NO REDIRECT GUEST PORTAL ISE WIRED

THE GUEST PORTAL DOESN'T SHOW ON THE PC. THIS IS THE SWITCH CONFIGURATION:

 

Switch   Ports Model SW Version SW Image

------ ----- ----- ---------- ----------
* 1 52 WS-C3560V2-48PS 15.0(2)SE11 C3560-IPSERVICESK9-M

!
interface FastEthernet0/2
switchport access vlan 50
switchport mode access
authentication order mab
authentication priority mab
authentication port-control auto
mab
spanning-tree portfast
end

Extended IP access list Auth-Default-ACL
10 permit udp any range bootps 65347 any range bootpc 65348 (20 matches)
20 permit udp any any range bootps 65347
30 deny ip any any (19 matches)
Extended IP access list WEBREDIRECT
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.20.30.230
40 permit tcp any any eq www
50 permit tcp any any eq 443
Extended IP access list xACSACLx-IP-myDACL-5d93ba21 (per-user)
10 permit udp any any eq bootps
20 permit udp any any eq domain
30 permit tcp any any eq domain
40 permit icmp any any echo
50 permit icmp any any echo-reply
60 permit tcp any any eq www
70 permit tcp any any eq 443
80 permit tcp any host 10.20.30.230 eq 8080
90 permit tcp any host 10.20.30.230 eq 8443
100 permit tcp any host 10.20.30.230 eq 8905
110 permit tcp any host 10.20.30.230 eq 8909
120 permit udp any host 10.20.30.230 eq 8905
130 permit udp any host 10.20.30.230 eq 8909
SW-ISE#

W-ISE#show authentication sessions interface fastEthernet 0/2
Interface: FastEthernet0/2
MAC Address: 6451.0607.4cc9
IP Address: Unknown
User-Name: 64-51-06-07-4C-C9
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 50
ACS ACL: xACSACLx-IP-myDACL-5d93ba21
URL Redirect ACL: WEBREDIRECT
URL Redirect: https://ISE-AXTEL.rcb.com.mx:8443/portal/gateway?sessionId=0A141EFD000000250055C7F7&portal=42774da0-df0b-11e9-89cf-2a4ec60c8158&action=cwa&token=8f46605d73600cd97c4e7c3f75d43a35
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A141EFD000000250055C7F7
Acct Session ID: 0x00000029
Handle: 0x1A000026

Runnable methods list:
Method State
mab Authc Success

SW-ISE#

Colby LeMaire
VIP Alumni

Do you have "ip http server" and "ip http secure-server" enabled on the switch?  Everything else looks fine.  Assuming you do have http server enabled on the switch, try the next steps.

Once you are connected with the client PC and the switch shows authorized with the URL redirect there, open the CLI on the PC and try to do a nslookup for ise-axtel.rcb.com.mx and make sure it resolves to the correct IP address.  Then open a browser.  Does the browser attempt to redirect at all?  Or does it just sit there and timeout?  Try putting the redirect URL directly into the browser and see if the PC browser can reach the ISE guest portal.  If you don't want to type the whole thing, just put the portion up to 8443 like https://ise-axtel.rcb.com.mx:8443.  You should at least see something.  If none of that works, check to make sure there is no firewall or something else blocking the traffic from the client PC to the ISE server on TCP 8443.

Also make sure your certificate and DNS work with that name.

Here is the secure wired guide:
https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Yes, we have:

ip https server
ip https secure-server

but it does not redirect

Did you validate that the client can resolve the DNS for the portal?

Yes; the DNS responds correctly; it was the first test.

What happens if you put the URL manually into the browser on the client PC?  Does it go there?  Or does it timeout?

OK, I'd recommend TAC if you looked at the docs and checked DNS, etc. You don't have a proxy configured, do you? Did you try multiple machines and browsers? Any firewall on the machine? The switch looks correct.

We do not have a proxy configured, and we have tried different browsers.
The wireless portal works well; we only have problems with the wired guest portal.

Here is the topology

Try going to the redirect URL manually in the browser.  Does it respond at all?  Or just timeout?

Have you checked to see if the Windows firewall is blocking anything?  Try disabling the Windows firewall and try again.  You can also SPAN the switchport to see if any HTTP or HTTPS requests are even hitting the switch.  I have seen cases where Windows thinks there is no connection and blocks outgoing traffic.  If the switch never receives an HTTP or HTTPS request, then it cannot respond with the redirect instructions.

Thanks to all for the help; the issue was the corporate antivirus; it was blocking the URL.

Makes sense
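
Added example (not part of the thread, and not Cisco or ISE code): a small evaluator that runs flows through the WEBREDIRECT ACL and the per-user dACL exactly as posted above, to show which client traffic the switch would redirect, forward or drop once a request actually reaches the port. It assumes the usual IOS switch behaviour, where a permit in the URL-redirect ACL means "redirect", a deny means "do not redirect", and non-redirected traffic is then filtered by the dACL; the function names `parse`, `match` and `verdict` are hypothetical.

```python
# ACL entries copied from the switch output above (sequence numbers dropped).
WEBREDIRECT = """deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny ip any host 10.20.30.230
permit tcp any any eq www
permit tcp any any eq 443"""
DACL = """permit udp any any eq bootps
permit udp any any eq domain
permit tcp any any eq domain
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any host 10.20.30.230 eq 8080
permit tcp any host 10.20.30.230 eq 8443
permit tcp any host 10.20.30.230 eq 8905
permit tcp any host 10.20.30.230 eq 8909
permit udp any host 10.20.30.230 eq 8905
permit udp any host 10.20.30.230 eq 8909"""
PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}  # IOS port keywords

def parse(acl):
    """Parse 'action proto src [eq port] dst [eq port]' lines; ICMP types are ignored."""
    rules = []
    for line in acl.splitlines():
        t, i, ends = line.split(), 2, []
        for _ in range(2):                      # source first, then destination
            host, i = (None, i + 1) if t[i] == "any" else (t[i + 1], i + 2)
            port = None
            if i < len(t) and t[i] == "eq":
                port, i = PORTS.get(t[i + 1]) or int(t[i + 1]), i + 2
            ends.append((host, port))
        rules.append((t[0], t[1], ends[0], ends[1]))
    return rules

def match(rules, proto, src, sport, dst, dport):
    for action, p, (sh, sp), (dh, dp) in rules:  # first matching entry wins
        if (p in ("ip", proto) and sh in (None, src) and sp in (None, sport)
                and dh in (None, dst) and dp in (None, dport)):
            return action
    return "deny"  # implicit deny at the end of every ACL

def verdict(proto, src, sport, dst, dport):
    """Assumed order: redirect ACL first (permit = redirect), then the dACL."""
    flow = (proto, src, sport, dst, dport)
    if match(parse(WEBREDIRECT), *flow) == "permit":
        return "redirect"
    return "forward" if match(parse(DACL), *flow) == "permit" else "drop"
```

With a constructed client address, `verdict("tcp", "10.20.50.25", 50000, "192.0.2.10", 80)` returns `"redirect"`, while the same client to `10.20.30.230` on TCP 8443 returns `"forward"`. None of this fires if endpoint software stops the browser's request before it leaves the PC, which is what the thread found.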