Hi

I am using fqdn , client can resolve any fqdn including node .

If it is dns issue atleast I could see the something like below on the broswer  

  https://psn01.test.com:8443/portal/gateway?sessionId=0a007c0a59feec27000034cd&portal=27963fb0-e96e-11e4-a30a-005056bf01c9&action=cwa&token=9a7eb36c3ca61138c6adba47c9b23cde

In my case  Ican't see anything like that above 

Thanks

Hi,

Sorry .It's not static fqdn

Thanks

Hi,

Here is the preauth acl

ip access-list extended redirect_acl
deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny ip any host 192.168.5.41 (ise)
deny ip any host 192.168.5.42
permit tcp any any eq www
permit tcp any any eq 443

Thanks

We are using hotspot portal, sponsor portal for guest account creation, guest webauth portal (WLC URL Redirect), etc with no issues. Try to keep it simple. AND Mohammed is correct.

The preauth acl is intended to keep the communication ONLY between enduser and ISE/DNS so no navigation is involved at all until your AUTHC/AUTHZ is completed (including AUP page accepted if it applies).

A few links that you could take a look:

https://supportforums.cisco.com/t5/wireless-mobility-documents/understanding-https-redirect-over-web-auth/ta-p/3143359

https://supportforums.cisco.com/t5/security-and-network-management/controllers-not-re-directing-client-requests-to-ise/td-p/2225094

https://supportforums.cisco.com/t5/wireless-mobility-documents/central-web-authentication-cwa-for-guests-with-ise/ta-p/3121101

Hi,

I could not follow what you have said ,Can you  explain 

Sorry for that 

Thanks