web redirection ACL (deny or permit)

ivan.yeung
Level 1

Hi all,

I looked at two Cisco web pages describing the web redirection ACL; however, it seems they are totally different? Or am I missing something? Or is the configuration of the redirection ACL totally different on ISE and WLC?

1)

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

The final step is to create a redirect ACL. This ACL is referenced in the access-accept of the ISE and defines what traffic should be redirected (denied by the ACL) and what traffic should not be redirected (permitted by the ACL). Here you just prevent from redirection traffic towards the ISE. You might want to be more specific and only prevent traffic to/from the ISE on port 8443 (guest portal), but still redirect if a user tries to access the ISE on port 80/443.

 

2)

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html

For the redirection ACL, think of denying action as a deny redirection (not deny traffic), and permit action as permit redirection. The WLC will only look into traffic that it can redirect (port 80 and 443 by default).

 

Accepted Solutions

Hi,

You are looking at configs for two different controllers and their ACLs
operate in opposite ways. AirOS WLCs are different from IOS-XE WLCs. Hope
that helps.

So if you are using 9800 WLCs, deny will not redirect.
If you are using 3504 (for example), deny will redirect.


**** please remember to rate useful posts
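
The opposite semantics described in this answer, as an added example that is not part of the original posts or of Cisco's documentation: a small first-match model showing what happens when a redirect ACL written for AireOS is copied unchanged to an IOS-XE controller, and how flipping the actions restores the intended behaviour. The function names, the rule tuple format and the addresses (192.0.2.10 standing in for the ISE node) are assumptions made for illustration, and the model covers client web flows (TCP 80/443) only.

```python
import ipaddress

# Which ACL action means "redirect this flow", per the thread:
# AireOS (e.g. 3504): deny redirects. IOS-XE (9800): permit redirects.
REDIRECT_ACTION = {"aireos": "deny", "ios-xe": "permit"}
FLIP = {"permit": "deny", "deny": "permit"}

def first_match(acl, dst_ip, dst_port):
    """First-match evaluation; falls through to the implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for action, net, port in acl:
        if dst in ipaddress.ip_network(net) and port in (None, dst_port):
            return action
    return "deny"

def is_redirected(platform, acl, dst_ip, dst_port):
    """Model for client web flows (TCP 80/443) only."""
    return first_match(acl, dst_ip, dst_port) == REDIRECT_ACTION[platform]

def aireos_to_iosxe(acl):
    """Flip every action and make the implicit deny (= redirect on AireOS)
    explicit as a trailing permit (= redirect on IOS-XE)."""
    flipped = [(FLIP[action], net, port) for action, net, port in acl]
    return flipped + [("permit", "0.0.0.0/0", None)]

# Constructed sample data: 192.0.2.10 stands in for the ISE node.
ISE = "192.0.2.10"
AIREOS_ACL = [("permit", ISE + "/32", None)]  # do not redirect traffic to ISE
FLOWS = [(ISE, 443), ("198.51.100.7", 80), ("198.51.100.7", 443)]

def decisions(platform, acl):
    """Redirect decision for each sample flow, in FLOWS order."""
    return [is_redirected(platform, acl, ip, port) for ip, port in FLOWS]

if __name__ == "__main__":
    print("AireOS, original ACL    :", decisions("aireos", AIREOS_ACL))
    print("IOS-XE, ACL copied as-is:", decisions("ios-xe", AIREOS_ACL))
    print("IOS-XE, translated ACL  :",
          decisions("ios-xe", aireos_to_iosxe(AIREOS_ACL)))
```

Copied as-is, the ACL redirects the client's traffic to ISE and leaves all other web traffic unredirected, which is the reverse of what was intended.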
