cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

340
Views
0
Helpful
4
Replies
Highlighted
Beginner

Redirection is not working (IOL)

Hi,

 

I am using IOL image - Version 15.2(CML_NIGHTLY_20180510) as a L2 switch, and I really cannot understand why the redirection to the sponsored guest portal is not working. 

 

The endpoint is failing DOT1X as expected and is falling over to MAB. The correct REDIRECT ACL is being applied, as intended, and I can even see hits on the REDIRECT ACL when I browse from the client, however, that's about it, when I browse, the actual webpage opens up without being redirected, and on the REDIRECT ACL, I see the corresponding hits. 

 

When I browse to the URL that is applied by ISE on the switchport, I'm able to load the guest portal as intended. However, the switch just refuses to redirect to that URL.

 

Here are some configurations:

ip http server
ip http active-session-modules none

 

 

 

 

S1#show authentication session int ethernet 1/1 policy
Interface: Ethernet1/1
MAC Address: 5000.0008.0000
IPv6 Address: Unknown
IPv4 Address: 10.10.10.22
User-Name: 50-00-00-08-00-00
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 86400s (local), Remaining: 85492s
Session Uptime: 953s
Common Session ID: 0A0A0A0A0000001500837926
Acct Session ID: 0x0000000A
Handle: 0xF6000009
Current Policy: POLICY_Et1/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure


Server Policies:
URL Redirect: https://ise.mylab.com:8544/portal/gateway?sessionId=0A0A0A0A0000001500837926&portal=e0591220-3e6a-11e9-815c-5000000e0001&action=cwa&token=d6169cfaf69d133a875c68b6b439c85c
URL Redirect ACL: ACL-WEBAUTH-REDIRECT

Resultant Policies:
Security Policy: Should Secure
Security Status: Link Unsecure
URL Redirect: https://ise.mylab.com:8544/portal/gateway?sessionId=0A0A0A0A0000001500837926&portal=e0591220-3e6a-11e9-815c-5000000e0001&action=cwa&token=d6169cfaf69d133a875c68b6b439c85c
URL Redirect ACL: ACL-WEBAUTH-REDIRECT

Method status list:
Method State

dot1x Stopped
mab Authc Success

 

 

 

 

 

 

 

Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain (225 matches)
20 permit tcp any any eq www (11330 matches)
30 permit tcp any any eq 443 (21898 matches)

 

 

So, despite hitting the right ACEs, the switch doesn't re-direct the traffic, and the endpoint simply loads up the webpage. 

 

Any help please? Thank you :) 

 

 

Full config is also attached if interested!

Everyone's tags (2)
4 REPLIES 4
Highlighted
Cisco Employee

Re: Redirection is not working (IOL)

Hi

 

Can you try denying the ISE IP address in your redirect URL and give a try? 

 

Use below ACE as a first entry on your  ACL-WEBAUTH-REDIRECT ACL

deny ip any host < ISE IP address>

Highlighted
Beginner

Re: Redirection is not working (IOL)

Hey, thanks for your reply, but that did not work unfortunately. It's the same issue.

Highlighted
VIP Rising star

Re: Redirection is not working (IOL)

Are you configuring FQDN in portal settings? If so, do you have a dns entry for it? Also, please test this:
Please try modifying the authz profile to use static IP instead of fqdn.
Beginner

Re: Redirection is not working (IOL)

Hi,

 

Did you configure in the Authentication on ISE that if the mab fails to continue the process ?

enable also https on the switch

and add it to the redirect-acl.

 

Also add in the ACL permit to your DNS servers additional to the DHCP server.

 

maybe it is IOS-L issue.

 

Normally you should be redirected to the ise hostname FQDN by default.

 

also make sure you have a DNS entry that can resolve this FQDN on the endpoint side.

 

I hope this helps