url web-redirect is not working

apatel2489
Level 1

I have deployed ISE 2.3 and everything works fine, except the client is not getting the URL redirect page when they open a web page in the browser.

Is there any way to install manually that doesn't require URL redirect? I have copied and pasted the URL from the switch port and it worked and was compliant, but it doesn't work automatically.

Thanks

Ashish

2 Accepted Solutions


To clarify multiple posts...

Typical config assumes local SVI as the redirect can occur locally.  The redirect packet is sent from the management VLAN (or VRF) and must have an IP route to destination access VLAN network. That path may require packet to travel back upstream to L3 gateway for routing back to same switch.

It sounds like the network path may be there, but firewall blocks the one-way traffic from spoofed IP to client VLAN.  As was noted, the firewall may not have access rule to permit that flow, or drop due to unexpected IP source.  Firewall logs can confirm, and if packet dropped, then suggest a different resource/community to review firewall configuration.

Yes, there was a feature introduced in IOS-XE to support L2 redirect.  I know there were some inconsistencies but certainly an option if running feature set that supports it.

Craig


The switch intercepts and does the redirection to the ISE URL. You need something inline to do the redirect. ISE is not inline.

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

see Configure a Catalyst Switch for Guest Access


20 Replies

kthiruve
Cisco Employee

It usually means that the URL-redirect ACL is not working or not correct.

1. Make sure the name of the URL-redirect ACL is the same in ISE and on the switch.

2. On the switch, the permits in the ACL allow redirect and the denies bypass redirect. On the WLC it is the opposite.

Please tweak these as needed and try again.

-Krishnan

Hi Krishnan,

The name of the URL is correct.

I have attached the pics of the ACL, and I am not using any WLC config here, just trying a wired client only.


Did you enable the http and http secure-server on the switch?

Those are required on the switch for a working redirect

Yes, those are enabled, and I did follow the setup guide and other references.

I am thinking maybe the firewall is blocking the packets.

The client is connected to the access switch, and the access switch is connected to the core Layer 3 switch, which has the SVI created; then it is connected to the firewall, which has the gateway for that management SVI. So I am not sure how I can check whether it is a firewall issue or not.

When I copy that URL and paste it into the client browser, it opens the page and installs the AnyConnect client without any issues.

this could be your problem.

If, for example, you open http://google.com in your browser, the switch spoofs the answer from google.com from its management SVI to redirect you, which will in most cases be blocked by your firewall due to anti-spoofing rules.

If I'm correct, there was a change in IOS-XE in the past to enable redirect without an L3 SVI.

AFAIK the L3 SVI needs to be on the switch the client is connected to. Not an upstream switch.

The SVI is on the access switch, but the VLAN is created on the L3 switch and it is on the ASA management VLAN.

Is there a firewall between that VLAN and the client's VLAN? One quick test is to put an SVI on the switch in the same subnet as the client you are testing with. If that works, then it's most likely a firewall. Check your firewall logs for blocks. As mentioned previously, the switch will spoof the IP address of the server the client is initiating its communication with. Most firewalls will block this. You will probably have to explicitly permit this traffic and bypass state checking for this traffic as well if there's a firewall involved. The firewall will never see the client's SYN but it will see the server's SYN-ACK.
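An added example, not part of the original posts: one way to check firewall logs for the half-flow described above, by looking for SYN-ACK packets from a web port toward the client VLAN that were denied for having no matching connection. It assumes an ASA and the layout of its syslog message 106015; the sample lines, subnet and interface names are constructed.

```python
import ipaddress
import re

# Constructed sample lines laid out like ASA syslog 106015/302013 (assumed firewall: ASA).
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 10.20.30.15/51522 flags SYN ACK  on interface mgmt
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.10/80 to 10.20.30.15/51523 flags SYN ACK  on interface mgmt
%ASA-6-106015: Deny TCP (no connection) from 10.20.30.15/51600 to 198.51.100.7/443 flags RST  on interface clients
%ASA-6-302013: Built outbound TCP connection 991 for outside:198.51.100.7/443 (198.51.100.7/443) to clients:10.20.30.15/51601 (10.20.30.15/51601)
"""

DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<ifc>\S+)"
)


def find_dropped_redirects(log_text, client_net, web_ports=(80, 443)):
    """Return (src, dst, interface) for denies that match the redirect reply.

    The switch answers the client's SYN itself, using the web server's IP as
    source, so the firewall sees a SYN-ACK from port 80/443 with no prior SYN.
    """
    net = ipaddress.ip_network(client_net)
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a "no connection" deny
        flags = set(m["flags"].split())
        if (flags == {"SYN", "ACK"}
                and int(m["sport"]) in web_ports
                and ipaddress.ip_address(m["dst"]) in net):
            hits.append((m["src"], m["dst"], m["ifc"]))
    return hits


if __name__ == "__main__":
    # 10.20.30.0/24 is a constructed client VLAN subnet.
    for src, dst, ifc in find_dropped_redirects(SAMPLE_LOG, "10.20.30.0/24"):
        print(f"dropped reply: {src} -> {dst} arriving on {ifc}")
```

Hits arriving on the interface that faces the switch management VLAN point to the firewall dropping the redirect reply rather than to the switch ACL or ISE policy.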

The switch SVI for redirects has to be in the same VLAN in your scenario to avoid the firewall blocking the requests, but it doesn't have to be in the same subnet; you can assign any dummy IP to the SVI since the switch is spoofing the server's IP.

There is a firewall between the client VLAN and the switch management VLAN, and I have allowed all traffic between these two VLANs, but it is still not able to work. So please let me know if you guys have any sample configuration for the firewall to bypass the traffic, or any reference document.

Can the mgmt ip ping (reach) the clients? If not then redirect won’t work

Yes, the management IP can ping the client. I can ping the client IP from the switch and it worked fine.

Pinging is not enough to validate functionality because the packets will have a spoofed source while ping has the true ip address of the switch. Additionally, the firewall will see only half the traffic when the client is being redirected.

I will repeat my recommendation that you create an SVI on the access switch in the vlan with the endpoint to validate redirect functionality. Then troubleshoot the firewall if that test is successful.

Is your firewall an ASA or FTD appliance?

Thanks

George

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.
