03-04-2019 10:49 AM - edited 03-04-2019 10:54 AM
Hi,
I am using IOL image - Version 15.2(CML_NIGHTLY_20180510) as a L2 switch, and I really cannot understand why the redirection to the sponsored guest portal is not working.
The endpoint is failing DOT1X as expected and is falling over to MAB. The correct REDIRECT ACL is being applied, as intended, and I can even see hits on the REDIRECT ACL when I browse from the client. However, that's about it: when I browse, the actual webpage opens up without being redirected, and on the REDIRECT ACL, I see the corresponding hits.
When I browse to the URL that is applied by ISE on the switchport, I'm able to load the guest portal as intended. However, the switch just refuses to redirect to that URL.
Here are some configurations:
ip http server
ip http active-session-modules none
S1#show authentication session int ethernet 1/1 policy
Interface: Ethernet1/1
MAC Address: 5000.0008.0000
IPv6 Address: Unknown
IPv4 Address: 10.10.10.22
User-Name: 50-00-00-08-00-00
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: N/A
Periodic Acct timeout: 86400s (local), Remaining: 85492s
Session Uptime: 953s
Common Session ID: 0A0A0A0A0000001500837926
Acct Session ID: 0x0000000A
Handle: 0xF6000009
Current Policy: POLICY_Et1/1
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
URL Redirect: https://ise.mylab.com:8544/portal/gateway?sessionId=0A0A0A0A0000001500837926&portal=e0591220-3e6a-11e9-815c-5000000e0001&action=cwa&token=d6169cfaf69d133a875c68b6b439c85c
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
Resultant Policies:
Security Policy: Should Secure
Security Status: Link Unsecure
URL Redirect: https://ise.mylab.com:8544/portal/gateway?sessionId=0A0A0A0A0000001500837926&portal=e0591220-3e6a-11e9-815c-5000000e0001&action=cwa&token=d6169cfaf69d133a875c68b6b439c85c
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
Method status list:
Method State
dot1x Stopped
mab Authc Success
Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain (225 matches)
20 permit tcp any any eq www (11330 matches)
30 permit tcp any any eq 443 (21898 matches)
So, despite hitting the right ACEs, the switch doesn't re-direct the traffic, and the endpoint simply loads up the webpage.
Any help please? Thank you :)
Full config is also attached if interested!
03-04-2019 04:04 PM
Hi
Can you try denying the ISE IP address in your redirect URL and give it a try?
Use the ACE below as the first entry on your ACL-WEBAUTH-REDIRECT ACL:
deny ip any host <ISE IP address>
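An added example, not part of any post in this thread: a small Python evaluator for how a switch reads a redirect ACL (permit means intercept and redirect, deny means forward without redirecting), run against the ACL as posted and with the suggested deny entry in front. The ISE address 192.0.2.10 and the function names are placeholders chosen here; the thread does not give the ISE IP.

```python
import re

PORTS = {"domain": 53, "www": 80}  # IOS port keywords used in the posted ACL

ACE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(ip|tcp|udp)\s+any\s+"
    r"(any|host\s+\S+)(?:\s+eq\s+(\S+))?"
)

def parse_acl(text):
    """Return [(action, proto, dst_host_or_None, dst_port_or_None), ...]."""
    aces = []
    for line in text.splitlines():
        m = ACE.match(line)
        if not m:
            continue  # header line or an ACE form this sketch does not handle
        action, proto, dst, port = m.groups()
        host = None if dst == "any" else dst.split()[1]
        if port is not None:
            port = PORTS.get(port) or int(port)
        aces.append((action, proto, host, port))
    return aces

def verdict(aces, proto, dst_ip, dst_port):
    """First match wins: permit = redirect, deny = forward untouched."""
    for action, a_proto, a_host, a_port in aces:
        if a_proto not in ("ip", proto):
            continue
        if a_host is not None and a_host != dst_ip:
            continue
        if a_port is not None and a_port != dst_port:
            continue
        return "redirect" if action == "permit" else "bypass"
    return "bypass"  # implicit deny at the end of the ACL

# ACL text as shown in the first post
ACL_AS_POSTED = """Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain (225 matches)
20 permit tcp any any eq www (11330 matches)
30 permit tcp any any eq 443 (21898 matches)"""

ISE_IP = "192.0.2.10"  # placeholder (assumption), not taken from the thread
# Same ACL with the suggested ACE inserted as the first entry (sequence 5 is constructed)
ACL_WITH_ISE_DENY = ACL_AS_POSTED.replace(
    "\n10 ", f"\n5 deny ip any host {ISE_IP}\n10 ", 1)
```

With the ACL as posted, traffic to the portal port 8544 already falls through to the implicit deny and is not intercepted; the extra entry changes the result only for ports 80 and 443 toward the ISE address.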
03-05-2019 09:28 AM
Hey, thanks for your reply, but that did not work unfortunately. It's the same issue.
03-05-2019 09:41 AM
03-06-2019 12:33 AM
Hi,
Did you configure in the Authentication on ISE that, if MAB fails, the process continues?
Also enable HTTPS on the switch
and add it to the redirect ACL.
Also add a permit in the ACL for your DNS servers, in addition to the DHCP server.
Maybe it is an IOS-L issue.
Normally you should be redirected to the ISE hostname FQDN by default.
Also make sure you have a DNS entry that can resolve this FQDN on the endpoint side.
I hope this helps