Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Redirection URL missing

Hi Experts,

While configuring for wired guest redirection using the sponsor guest portal, I have seen something weird that is happening here.

When I have the user redirect from a test switch to the Test ISE server, the redirection URL is working and can be seen on switch as well as the Test endpoint browser.

Then I, make the same to same configuration on our Production server, but there is no redirection URL!!

I have the same guest redirect ACL in test and production ISE instances.

Also, the AuthZ profiles and Policy and conditions are same as well.

Not sure what is going on?

Could any shed some light on this issue, and what are the things that could be missing out?

Any pointers are really helpful.


Accepted Solutions

Authorized By: Critical Auth

Critical Auth kicks in when the switch can’t communicate to the radius server. It’s probably a firewall issue. As far as the redirect being on another switch, it’s possible that happens if you have a switch upstream that is doing multi-auth on the downlink port…then than switch could possibly be sending an authc request to ISE for the same endpoint via MAB. I don’t recommend this design if you have it configured that way.


View solution in original post


Firewall between deployment switch and ISE ??

Blocked port 1812,1813 ,1645,1646


Yes, these ports are open and I can see that the request is hitting the right policy and condition on ISE server.

Cisco Employee

Would suggest trying a new portal on your production

Use the tac to debug

Cisco Employee

Also try different browser


  • Make sure hitting the right policy rule and authorization profile -- check live log entry -- should see URL redirect.
  • Make sure URL redirect ACL configured on production switch.  For wireless, only need redirect ACL.  For wired, need to include the dACL as well.  Redirect ACL logic is different between wired and wireless in terms of what is denied and permitted.
  • Make sure client has IP address, else cannot redirect.  For wired, dACL cannot be instantiated on port.
  • Make sure host/subnet entries are correct for production.

I have rechecked the configuration and all the things are in the right place.

There is a redirect ACL on the switch, and as off now I have only included only one PSN in the ACL.

I can see that the its hitting the right policy and condition, but even then I am not able to see any redirection URL on the switch.

The user is then presented with the guest login page, he enters the credentials, but then authentication fails and there is no access..

This is happening even when the user is present...


Tried with a completely new portal, yet I don't see the redirect URL on the switch where as on ISE I can see that its hitting the right policy and condition.

Also, the user is able to see the guest login page on his endpoint, but his authentication fails, even when the user is present in the guest users...


While further troubleshooting found that the redirection URL was being sent. but it was being sent by another switch.

User was able to authenticate and was able to gain access normally it would do.

So the question is that, if this switch is in open mode, in that case...

if the port 1812 and 1813 are not open between ISE and switch, will another switch that has ports open between ISE process the request?

Is this something strange or has been faced earlier as well?


Not clear what is meant by "sent by another switch".   The redirection is originated by ISE, not the switch.  Once redirect authorization applied to the access device, the user is redirected by the wireless controller or wired switch to which it is connected.  The only way I see that happening is if you are hanging additional hubs/switches off an authenticating switch port.

You will see in RADIUS Live Logs the switch IP (Device IP and NAS-IP-Address) of the authenticating network access device.  Authorization will be sent to that switch only.  The URL redirect should be seen on connected switchport using the "sh auth session interface <x> detail" command (or similar command depending on model/version).


I think the answer is NO ,endpoint is connected to the 1 switch no mater if there are any other switches ,the request will be send exact form this switch and the answer must be on same switch on same port that endpoint is . Give us some configuration on the switch my opinion is NO.


I could see where 2 different switches are running and svi for same vlan perhaps and traffic is being proxied perhaps by another switch?


Ok lets say same SVI interface but this interface must have different IP address . 1 switch 1 ip address

and other 2 ip address on svi

In mine deployment  most of  switches are on same SVI example interface VLan 570  but all are have different

but all of them different IP address. And i never face this. ANd according to netowrok i dont think it is possible


show authentication sessions interface fastEthernet 1/0/3 details please

And screen shot from radius live logs


Here is the output for Auth sessions:

NAC-3750v1#sh auth sess int fa1/0/3

            Interface:  FastEthernet1/0/3

          MAC Address:  54e1.ad5d.194a

           IP Address:

            User-Name:  54e1ad5d194a

               Status:  Authz Success

               Domain:  DATA

      Security Policy:  Should Secure

      Security Status:  Unsecure

       Oper host mode:  multi-host

     Oper control dir:  both

        Authorized By:  Critical Auth

          Vlan Policy:  231

      Session timeout:  N/A

         Idle timeout:  N/A

    Common Session ID:  0AE2E8190000008B0F0373F3

      Acct Session ID:  0x000000A6

               Handle:  0x1400008B

Runnable methods list:

       Method   State

       mab      Authc Failed

       dot1x    Not run

Critical Authorization is in effect for domain(s) DATA and VOICE

Live logs:

What exactly is needed from ilve logs?

Content for Community-Ad