Redirection to an internal web server

Chess Norris
Level 4

I am trying to get ISE (2.4) to redirect clients to an internal web server. The redirection is part of an authorization policy used for quarantined clients, but I am a bit stuck getting this to work properly. I can get the redirection to work without any issues if I am using the web redirection option and point it directly to a portal page on the ISE server itself, but my customer wants to use an internal MS web server. I used the advanced attribute settings in the authorization policy and used the cisco-av-pair. The config looks like this:

cisco-av-pair = url-redirect-acl=CWA-URL-REDIRECT-ACL

cisco-av-pair = url-redirect=http://10.159.9.29:80/pxgrid/unquaran.html

When looking at the switch, I can see the redirection URL and the address is correct. If I just copy/paste the URL, the client has no problem reaching the page, but no redirection is happening.

Here is the output from the switch:

SW01-FIPWR-SBOX#show authentication sessions interface gigabitEthernet1/0/1 details 

Server Policies:
Security Policy: None
Security Status: Link Unsecured
URL Redirect ACL: CWA-URL-REDIRECT-ACL
URL Redirect: https://10.159.9.29/pxgrid/unquaran.html
ACS ACL: xACSACLx-IP-LimitedAccessDACL-5bec09c6

Any suggestion how to get this to work?

Thanks

/Jorgen

Accepted Solution

pan
Cisco Employee

I have tested it and it works:

3750#show access-lists redirect-test
Extended IP access list redirect-test
    10 deny ip any host 10.127.196.230
    20 permit tcp any any eq www (20 matches)
    30 permit tcp any any eq 443

3750#show authentication sessions int g2/0/1   
            Interface:  GigabitEthernet2/0/1
          MAC Address:  b496.9126.dec0
           IP Address:  10.106.37.240
            User-Name:  panadmin
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
     URL Redirect ACL:  redirect-test
         URL Redirect:  https://10.127.196.230
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A6A25DE000031FF914E75EE
      Acct Session ID:  0x0000385A
               Handle:  0x420001E1

Runnable methods list:
       Method   State
       dot1x    Authc Success

[image: redirect.png]

I tried to open an HTTP website and it automatically redirected me to the redirect URL.

[image: redirect2.png]


5 Replies

pan
Cisco Employee

Could you answer the following:

1> Do you have CWA-URL-REDIRECT-ACL ACL configured on switch?

2> Does the ACL CWA-URL-REDIRECT-ACL have 10.159.9.29 in deny statement?

In the authorization policy you have http://10.159.9.29 but on the switch you have https://10.159.9.29.


Thank you for the suggestions. We do have the CWA-URL-REDIRECT-ACL ACL on the switch and it includes deny ip any 10.159.9.29.

I will not be able to test this until Monday next week, but I will have a look at your config and compare it to what we have.

Thanks
/Jorgen

Jorgen,

I notice a dACL (ACS ACL: xACSACLx-IP-LimitedAccessDACL-5bec09c6) which is part of the auth policy. Can you share the content of the dACL? I hope the dACL isn't denying HTTP/HTTPS access.

The ACL xACSACLx-IP-LimitedAccessDACL-5bec09c6 is permitting HTTP and HTTPS traffic to the web server and also domain traffic. Reaching the URL directly from the client works without any issues.

Thanks

/Jorgen
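Putting the thread's points together: the dACL filters first, and only traffic it permits ever reaches the url-redirect ACL, whose permit/deny semantics are inverted relative to a filter (permit = intercept and redirect, deny or no match = leave the flow alone, which is why the redirect target itself must be denied in it). The Python model below is an added example, not code from the thread or from Cisco. It parses the redirect-test ACL quoted verbatim in the accepted solution; the two dACLs (a constructed one that permits only DNS and the web server, and a constructed one that also permits the general HTTP/HTTPS the switch has to intercept) and the sample flows are assumptions for illustration, since the real content of xACSACLx-IP-LimitedAccessDACL-5bec09c6 is not shown in the thread.

```python
"""
Model of how an IOS switch applies an ISE dACL and a url-redirect ACL to a
client's traffic. Added example for this thread, not Cisco code. REDIRECT_TEST
is the ACL quoted in the accepted solution; the dACLs and flows are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ssh": 22}

# Optional sequence number, action, protocol, the rest, optional "(N matches)" counter
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(ip|tcp|udp)\s+(.*?)"
    r"(?:\s+\(\d+ match(?:es)?\))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    dst: ipaddress.IPv4Network   # destination prefix (source is always the client, ignored)
    dport: Optional[int]         # None means any destination port


@dataclass(frozen=True)
class Flow:
    dst: str
    proto: str
    dport: int


def _take_addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tokens and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[0]):
        wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))   # wildcard = inverse mask
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
        return ipaddress.ip_network(f"{tok}/{mask}", strict=False)
    return ipaddress.ip_network(tok + "/32")                    # bare address: treat as host


def parse_acl(text: str) -> list:
    """Parse 'show access-lists' output or raw dACL content; non-ACE lines are skipped."""
    acl = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        _take_addr(tokens)                 # source address: the client, not evaluated here
        dst = _take_addr(tokens)
        dport = None
        if tokens[:1] == ["eq"]:
            port = tokens[1]
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        acl.append(Ace(action, proto, dst, dport))
    return acl


def first_match(acl: list, flow: Flow) -> Optional[Ace]:
    """First-match semantics; returning None models the implicit deny at the end."""
    for ace in acl:
        proto_ok = ace.proto == "ip" or ace.proto == flow.proto
        dst_ok = ipaddress.IPv4Address(flow.dst) in ace.dst
        port_ok = ace.dport is None or ace.dport == flow.dport
        if proto_ok and dst_ok and port_ok:
            return ace
    return None


def disposition(dacl: list, redirect_acl: list, flow: Flow) -> str:
    """dACL first: permit = forward, deny/implicit deny = drop. Only permitted traffic
    is then checked against the redirect ACL, where 'permit' means intercept and
    redirect and 'deny'/no match means pass through untouched. Denying the redirect
    target in the redirect ACL is what lets the client actually load the page."""
    d = first_match(dacl, flow)
    if d is None or d.action == "deny":
        return "dropped"                   # never reaches the redirect logic
    r = first_match(redirect_acl, flow)
    if r is not None and r.action == "permit":
        return "redirected"
    return "forwarded"


# Verbatim from the accepted solution in this thread
REDIRECT_TEST = """\
Extended IP access list redirect-test
    10 deny ip any host 10.127.196.230
    20 permit tcp any any eq www (20 matches)
    30 permit tcp any any eq 443
"""

# Constructed dACL: permits DNS and the web server only. Looks reasonable, but
# general HTTP is dropped before the redirect ACL can ever intercept it.
DACL_TOO_TIGHT = """\
permit udp any any eq domain
permit tcp any host 10.127.196.230 eq www
permit tcp any host 10.127.196.230 eq 443
deny ip any any
"""

# Constructed dACL that also permits the HTTP/HTTPS the switch has to intercept.
DACL_REDIRECTABLE = """\
permit udp any any eq domain
permit tcp any host 10.127.196.230 eq www
permit tcp any host 10.127.196.230 eq 443
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
"""


def demo(dacl_text: str) -> dict:
    """Run a few constructed client flows through a dACL plus the thread's redirect ACL."""
    dacl, racl = parse_acl(dacl_text), parse_acl(REDIRECT_TEST)
    flows = {
        "dns": Flow("203.0.113.53", "udp", 53),
        "http_portal": Flow("10.127.196.230", "tcp", 80),    # the redirect target itself
        "http_internet": Flow("203.0.113.10", "tcp", 80),
        "https_internet": Flow("203.0.113.10", "tcp", 443),
        "ssh": Flow("203.0.113.10", "tcp", 22),
    }
    return {name: disposition(dacl, racl, f) for name, f in flows.items()}


if __name__ == "__main__":
    for label, text in (("too tight", DACL_TOO_TIGHT), ("redirectable", DACL_REDIRECTABLE)):
        print(f"{label:13} {demo(text)}")
```

With the tight dACL every HTTP flow except the one to the web server is dropped, so nothing is ever redirected, while with the second dACL the same redirect ACL sends HTTP and HTTPS to the redirect URL and still lets the web server itself through. On a real switch the equivalent checks are `show ip access-lists <redirect ACL>` (the deny towards the redirect target and the permits for www/443 must both be there) and `show authentication sessions interface <if> details` to confirm the dACL and redirect ACL named by ISE are the ones applied; the switch also needs its HTTP server enabled (`ip http server`, plus `ip http secure-server` for HTTPS) or it cannot intercept the connection at all.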