Re: Redirection is not working (IOL)

abhisheks · ‎03-04-2019

Hi,

I am using IOL image - Version 15.2(CML_NIGHTLY_20180510) as a L2 switch, and I really cannot understand why the redirection to the sponsored guest portal is not working.

The endpoint is failing DOT1X as expected and is falling over to MAB. The correct REDIRECT ACL is being applied, as intended, and I can even see hits on the REDIRECT ACL when I browse from the client, however, that's about it, when I browse, the actual webpage opens up without being redirected, and on the REDIRECT ACL, I see the corresponding hits.

When I browse to the URL that is applied by ISE on the switchport, I'm able to load the guest portal as intended. However, the switch just refuses to redirect to that URL.

Here are some configurations:

ip http server
ip http active-session-modules none

S1#show authentication session int ethernet 1/1 policy
Interface: Ethernet1/1
MAC Address: 5000.0008.0000
IPv6 Address: Unknown
IPv4 Address: 10.10.10.22
User-Name: 50-00-00-08-00-00
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 86400s (local), Remaining: 85492s
Session Uptime: 953s
Common Session ID: 0A0A0A0A0000001500837926
Acct Session ID: 0x0000000A
Handle: 0xF6000009
Current Policy: POLICY_Et1/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Server Policies:
URL Redirect: https://ise.mylab.com:8544/portal/gateway?sessionId=0A0A0A0A0000001500837926&portal=e0591220-3e6a-11e9-815c-5000000e0001&action=cwa&token=d6169cfaf69d133a875c68b6b439c85c
URL Redirect ACL: ACL-WEBAUTH-REDIRECT

Resultant Policies:
Security Policy: Should Secure
Security Status: Link Unsecure
URL Redirect: https://ise.mylab.com:8544/portal/gateway?sessionId=0A0A0A0A0000001500837926&portal=e0591220-3e6a-11e9-815c-5000000e0001&action=cwa&token=d6169cfaf69d133a875c68b6b439c85c
URL Redirect ACL: ACL-WEBAUTH-REDIRECT

Method status list:
Method State

dot1x Stopped
mab Authc Success

Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain (225 matches)
20 permit tcp any any eq www (11330 matches)
30 permit tcp any any eq 443 (21898 matches)

So, despite hitting the right ACEs, the switch doesn't re-direct the traffic, and the endpoint simply loads up the webpage.

Any help please? Thank you :)

Full config is also attached if interested!

mnagired · ‎03-04-2019

Hi

Can you try denying the ISE IP address in your redirect URL and give a try?

Use below ACE as a first entry on your ACL-WEBAUTH-REDIRECT ACL

deny ip any host < ISE IP address>

abhisheks · ‎03-05-2019

Hey, thanks for your reply, but that did not work unfortunately. It's the same issue.

Mike.Cifelli · ‎03-05-2019

Are you configuring FQDN in portal settings? If so, do you have a dns entry for it? Also, please test this:
Please try modifying the authz profile to use static IP instead of fqdn.

bern81 · ‎03-06-2019

Hi,

Did you configure in the Authentication on ISE that if the mab fails to continue the process ?

enable also https on the switch

and add it to the redirect-acl.

Also add in the ACL permit to your DNS servers additional to the DHCP server.

maybe it is IOS-L issue.

Normally you should be redirected to the ise hostname FQDN by default.

also make sure you have a DNS entry that can resolve this FQDN on the endpoint side.

I hope this helps