11-21-2018 05:03 AM
I am trying to get ISE (2.4) to redirect clients to an internal web server. The redirection is part of an authorization policy used for quarantined clients, but I am a bit stuck getting this to work properly. I can get the redirection to work without any issues if I am using the web redirection option and point it directly to a portal page on the ISE server itself, but my customer wants to use an internal MS web server. I used the advanced attribute settings in the authorization policy and used the cisco-av-pair. The config looks like this:
cisco-av-pair = url-redirect-acl=CWA-URL-REDIRECT-ACL
cisco-av-pair = url-redirect=http://10.159.9.29:80/pxgrid/unquaran.html
When looking at the switch, I can see the redirection URL and the address is correct. If I just copy/paste the URL, the client has no problem reaching the page, but no redirection is happening.
Here is the output from the switch:
SW01-FIPWR-SBOX#show authentication sessions interface gigabitEthernet1/0/1 details
Server Policies:
Security Policy: None
Security Status: Link Unsecured
URL Redirect ACL: CWA-URL-REDIRECT-ACL
URL Redirect: https://10.159.9.29/pxgrid/unquaran.html
ACS ACL: xACSACLx-IP-LimitedAccessDACL-5bec09c6
Any suggestions on how to get this to work?
Thanks
/Jorgen
11-21-2018 08:32 AM
I have tested it, and it works:
3750#show access-lists redirect-test
Extended IP access list redirect-test
10 deny ip any host 10.127.196.230
20 permit tcp any any eq www (20 matches)
30 permit tcp any any eq 443
3750#show authentication sessions int g2/0/1
Interface: GigabitEthernet2/0/1
MAC Address: b496.9126.dec0
IP Address: 10.106.37.240
User-Name: panadmin
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: N/A
URL Redirect ACL: redirect-test
URL Redirect: https://10.127.196.230
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A6A25DE000031FF914E75EE
Acct Session ID: 0x0000385A
Handle: 0x420001E1
Runnable methods list:
Method State
dot1x Authc Success
I tried to open an HTTP website and it automatically redirected me to the redirect URL.
11-21-2018 08:20 AM
Could you answer the following:
1> Do you have CWA-URL-REDIRECT-ACL ACL configured on switch?
2> Does the ACL CWA-URL-REDIRECT-ACL have 10.159.9.29 in deny statement?
In the authorization policy you have http://10.159.9.29, but on the switch you have https://10.159.9.29.
11-21-2018 10:17 AM
Thank you for the suggestions. We do have the CWA-URL-REDIRECT-ACL ACL on the switch and it includes deny ip any 10.159.9.29.
I will not be able to test this until Monday next week, but I will have a look at your config and compare it to what we have.
Thanks
/Jorgen
11-21-2018 11:29 AM
Jorgen,
I do notice a dACL (ACS ACL: xACSACLx-IP-LimitedAccessDACL-5bec09c6) which is part of the auth policy. Can you share the content of the dACL? I hope the dACL isn't denying http/https access.
11-21-2018 10:15 PM - edited 11-21-2018 10:17 PM
The ACL xACSACLx-IP-LimitedAccessDACL-5bec09c6 is permitting http and https traffic to the web server and also domain traffic. Reaching the URL directly from the client works without any issues.
Thanks
/Jorgen
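The replies at 08:20 AM and 11:29 AM boil down to three checks on the switch output: does the redirect URL the switch holds match what ISE sends (scheme and port), does the redirect ACL deny traffic to the portal host while permitting HTTP, and does the dACL let the client reach the portal. The script below is an added example, not code from the thread or from Cisco, that runs those checks over constructed "show access-lists" and "show authentication sessions ... details" text modelled on the thread. The ACL contents, the session text, the client IP 10.159.9.100 and the 203.0.113.10 test host are all made up for the example. It assumes Catalyst semantics, where a permit in the URL redirect ACL means "intercept and redirect" and a deny means "pass through", which is why the portal host itself must be denied.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample inputs modelled on the "show" output quoted in the thread
# (hypothetical text, not captured from the poster's switch).
REDIRECT_ACL = """Extended IP access list CWA-URL-REDIRECT-ACL
    10 deny ip any host 10.159.9.29
    20 permit tcp any any eq www (20 matches)
    30 permit tcp any any eq 443
"""
DACL = """Extended IP access list xACSACLx-IP-LimitedAccessDACL-5bec09c6
    10 permit udp any any eq domain
    20 permit tcp any host 10.159.9.29 eq www
    30 permit tcp any host 10.159.9.29 eq 443
    40 deny ip any any
"""
SESSION = """Server Policies:
  URL Redirect ACL: CWA-URL-REDIRECT-ACL
  URL Redirect: https://10.159.9.29/pxgrid/unquaran.html
  ACS ACL: xACSACLx-IP-LimitedAccessDACL-5bec09c6
"""
ISE_REDIRECT_URL = "http://10.159.9.29:80/pxgrid/unquaran.html"  # as in the av-pair

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53}
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)\s*(?:\(\d+ matches\))?\s*$")


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: Tuple[str, ...]
    dst: Tuple[str, ...]
    dport: Optional[int]


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _take_addr(toks: List[str]) -> Tuple[str, ...]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    t = toks.pop(0)
    if t == "any":
        return ("any",)
    if t == "host":
        return ("host", toks.pop(0))
    return ("net", t, toks.pop(0))


def _addr_match(spec: Tuple[str, ...], ip: str) -> bool:
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return spec[1] == ip
    net, wild = int(IPv4Address(spec[1])), int(IPv4Address(spec[2]))
    mask = ~wild & 0xFFFFFFFF
    return int(IPv4Address(ip)) & mask == net & mask


def parse_acl(text: str) -> List[Ace]:
    """Parse the numbered entries of 'show access-lists' output (IPv4, 'eq' ports only)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header line or syntax this toy parser does not handle
        seq, action, proto, rest = m.groups()
        toks = rest.split()
        src = _take_addr(toks)
        if toks and toks[0] == "eq":  # source port: not needed for these checks
            del toks[:2]
        dst = _take_addr(toks)
        dport = None
        if toks and toks[0] == "eq":
            toks.pop(0)
            dport = _port(toks.pop(0))
        aces.append(Ace(int(seq), action, proto, src, dst, dport))
    return aces


def acl_action(aces: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation; Cisco ACLs end with an implicit deny."""
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if not (_addr_match(a.src, src_ip) and _addr_match(a.dst, dst_ip)):
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"


def parse_session(text: str) -> dict:
    """Turn the 'Key: value' lines of 'show authentication sessions ... details' into a dict."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            out[k.strip()] = v.strip()
    return out


def _scheme_port(url: str) -> Tuple[str, int]:
    u = urlparse(url)
    return u.scheme, u.port or (443 if u.scheme == "https" else 80)


def check_redirect(session: dict, redirect_acl: str, dacl: str, ise_url: str,
                   client_ip: str = "10.159.9.100") -> List[str]:
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    sw_url = session.get("URL Redirect", "")
    portal = urlparse(sw_url).hostname
    sw_scheme, sw_port = _scheme_port(sw_url)
    ise_scheme, ise_port = _scheme_port(ise_url)
    if (sw_scheme, sw_port) != (ise_scheme, ise_port):
        findings.append(f"mismatch: ISE is configured for {ise_scheme}:{ise_port}, "
                        f"the switch shows {sw_scheme}:{sw_port}")
    redir = parse_acl(redirect_acl)
    # Catalyst semantics: permit = intercept, so the portal itself must hit a deny.
    if acl_action(redir, "tcp", client_ip, portal, sw_port) != "deny":
        findings.append(f"redirect loop: redirect ACL permits traffic to the portal {portal}:{sw_port}")
    # Plain HTTP to an arbitrary host must be intercepted or nothing is ever redirected.
    if acl_action(redir, "tcp", client_ip, "203.0.113.10", 80) != "permit":
        findings.append("nothing intercepted: redirect ACL does not permit tcp any any eq www")
    # The dACL still applies; it must let the client reach the portal on the redirect port.
    if acl_action(parse_acl(dacl), "tcp", client_ip, portal, sw_port) != "permit":
        findings.append(f"dACL blocks the client from reaching {portal}:{sw_port}")
    return findings


if __name__ == "__main__":
    report = check_redirect(parse_session(SESSION), REDIRECT_ACL, DACL, ISE_REDIRECT_URL)
    for line in report or ["all checks passed"]:
        print(line)
```

With the constructed inputs the only finding is the scheme/port mismatch (ISE sends http on 80, the switch shows https on 443), which is exactly the discrepancy the 08:20 AM reply pointed out; the redirect ACL and dACL checks pass. The parser only understands the "any", "host" and wildcard address forms with "eq" ports, which covers the entries shown in the thread.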