05-26-2013 08:07 PM - edited 03-10-2019 08:28 PM
The URL redirection page in the client machine's browser does not correctly guide the end user to the appropriate URL. I am using ISE 1.1.4.
Any help?
05-26-2013 08:12 PM
There are multiple causes for this issue.
• The two Cisco av-pairs that are configured on the authorization profile should
exactly match the example below. (Note: Do not replace the “IP” with the actual
Cisco ISE IP address.)
– url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
– url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is
also defined on the access switch)
• Ensure that the URL redirection portion of the ACL has been applied to the
session by entering the show epm session ip
switch. (Where the session IP is the IP address that is passed to the client
machine by the DHCP server.)
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
• Ensure that the preposture assessment DACL that is enforced from the Cisco ISE
authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE
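The checks described in the answer above, automated as an added example that is not part of the original post: it parses the show epm session ip output for the redirect ACL and URL, then confirms that the DACL permits the listed ports to the ISE node. The function names and the REQUIRED set are assumptions, and the sample inputs are constructed from the values quoted in the answer.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed inputs: the switch output and ISE-facing DACL entries quoted in the answer.
EPM_OUTPUT = """Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
0000A45A2444BFC2&action=cpp
"""
DACL = """permit tcp any host 80.0.80.2 eq 443
permit tcp any host 80.0.80.2 eq www
permit tcp any host 80.0.80.2 eq 8443
permit tcp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8906
"""
# Assumption: treat the numbered ISE ports the answer lists as the required set.
REQUIRED = {("tcp", "443"), ("tcp", "8443"), ("tcp", "8905"), ("udp", "8905"), ("udp", "8906")}

def parse_epm(text):
    """Parse 'Key : value' lines; a wrapped value continues on the lines that follow."""
    fields, key = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s+:\s*(.*)$", line):
            key = m[1]
            fields[key] = m[2].strip()
        elif key and line.strip():
            fields[key] += line.strip()  # continuation of a wrapped redirect URL
    return fields

def check_redirect(fields):
    """Return a list of problems with the redirect state applied to the session."""
    problems = []
    if not fields.get("URL Redirect ACL"):
        problems.append("no URL Redirect ACL applied")
    parts = urlsplit(fields.get("URL Redirect", ""))
    query = parse_qs(parts.query)
    if parts.port != 8443 or parts.path != "/guestportal/gateway":
        problems.append("redirect missing or not pointing at :8443/guestportal/gateway")
    elif query.get("action") != ["cpp"] or not query.get("sessionId"):
        problems.append("redirect lacks sessionId or action=cpp")
    return problems

def missing_dacl_entries(dacl, ise_host, required=REQUIRED):
    """Return the required (protocol, port) pairs the DACL does not permit to ise_host."""
    ace = r"permit\s+(tcp|udp)\s+any\s+host\s+%s\s+eq\s+(\S+)" % re.escape(ise_host)
    return sorted(required - set(re.findall(ace, dacl)))
```

An empty list from both check_redirect(parse_epm(EPM_OUTPUT)) and missing_dacl_entries(DACL, "80.0.80.2") means the session and DACL match what the answer describes.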
06-09-2013 02:49 PM
Well, as far as I remember, port 8906 is not used anymore and it has been replaced by 8909.