
URL Redirection fail.

The URL redirection page in the client machine's browser does not correctly guide the end user to the appropriate URL. I am using ISE 1.1.4.

Any help?

Accepted Solutions

There are multiple causes for this issue.

• The two Cisco av-pairs that are configured on the authorization profile should exactly match the example below. (Note: Do not replace the “IP” with the actual Cisco ISE IP address.)

– url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp

– url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)

• Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)

Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp

• Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:

remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE
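
The checks listed in the answer above can be run over captured switch output and a saved copy of the DACL. The following is an added example, not code from the original post or from Cisco; the function names are hypothetical, and it assumes the field labels and DACL line format shown in the answer and checks only the 8443 and 8905 permits toward ISE.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added example (hypothetical names). The space before " :" keeps wrapped URL text from parsing as a key.
FIELD = re.compile(r"^([A-Za-z ]+?)\s+:\s*(.*)$")
PERMIT = re.compile(r"^\s*permit (tcp|udp) any host (\S+) eq (\S+)", re.M)

def parse_epm_session(text):
    """Return the 'Key : value' fields of the session output, joining wrapped values."""
    fields, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        match = FIELD.match(line)
        if match:
            key = match.group(1)
            fields[key] = match.group(2)
        elif line and key:
            fields[key] += line  # continuation of a wrapped URL
    return fields

def check_redirect(fields, expected_acl="ACL-WEBAUTH-REDIRECT"):
    """List what is wrong with the redirect state applied to the session."""
    problems = []
    if fields.get("URL Redirect ACL") != expected_acl:
        problems.append("redirect ACL missing or not " + expected_acl)
    url = urlsplit(fields.get("URL Redirect", ""))
    query = parse_qs(url.query)
    if url.scheme != "https" or url.port != 8443:
        problems.append("redirect URL is not https on port 8443")
    if url.path != "/guestportal/gateway" or not query.get("sessionId"):
        problems.append("redirect URL lacks the gateway path or a sessionId")
    if query.get("action") != ["cpp"]:
        problems.append("redirect URL action is not cpp")
    return problems

def missing_dacl_permits(dacl, ise_ip):
    """Return the (protocol, port) pairs toward ISE that the DACL does not permit."""
    required = {("tcp", "8443"), ("tcp", "8905"), ("udp", "8905")}  # from the answer's DACL
    seen = {(proto, port) for proto, host, port in PERMIT.findall(dacl) if host == ise_ip}
    return sorted(required - seen)

# Session output from the answer above; the URL is split across lines to exercise continuation handling.
SAMPLE_SESSION = """\
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
0000A45A2444BFC2&action=cpp
"""
```

On the output quoted in the answer, `check_redirect(parse_epm_session(SAMPLE_SESSION))` returns an empty list; a session with no redirect applied returns one entry per failed check.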

2 REPLIES

Well, as far as I remember, port 8906 is not used anymore and it has been replaced by 8909.
