Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
19515
Views
0
Helpful
22
Replies

WebAuth redirect does not work WLC/ISE

Kn1ghtR1d3rOfD00m
Level 1
Level 1

‎07-15-2016 02:27 PM - edited ‎03-10-2019 11:56 PM

Hello, 

I hope you have seen this behavior, if not, please share your ideas. we have a deployment of one PAN and 6 PSN nodes across multiples regions in the world. 

Background:

Each location has its own WLC 8500 series and we have a ISE 2.0.

Each WLC redirect to endpoint request to the PAN, the PAN acts as the main central radius.

Behavior:

All sites/branches, the URL redirection portal works fine, in other words, when a endpoint user joing the open SSID Guest, it gets the DHCP settings and when they open or go to any web site, it will automatically redirect to SSL certificate warning and click on continue adn then get the Portal Credentials. 

However, on Google Chrome, it does not open, instead, when they type in the address bar any web site, http or https, it will automatically open a new tab saying: gstatic.com/generate_204 and keeps trying until it says a button connect but it does not do anything. 

What could be the culplrit of this crap URL redirection? 

Troubleshooting made: 

We created another WLAN, still the same behavior. 

Under the same SSID, we set it up a local web aut redirection portal, the same behavior.

Please check the attach file and you will see what Im saying.

Updated Chrome and does not work on Windows 7

On Windows 10, sometimes it works and sometimes it does not work.

On Chrome books, one work and the other one does not work the first attempt.

Debug the client mac address for the endpoint that works and for the one that does not work. Checked everything and they have the same thing. TAC says that the endpoint receives the URL but for some reason the Chrome stops the process and start the redirection to the gstatic.com web site.

Did a comparison with firefox and IE and Microsoft EDge and debug and Chrome with the same and other laptops and the same config appeared as per Cisco TAC. 

They could not determine right away if this was a problem with the WLC or the Chrome app. But do I know that it should be compatible with all top browsers like chrome.

Why it does not work on on WLC if the solution and design was to have the same config across all regions. 

Only on on brach does not work. other ones work fine. 

I regirsted one AP on another WLC and it worked fine. 

other region reigisted their AP with own WLC and the first time they got the gstatic.com web site 

Is it the WLC faulty or what?

Pleas help, what else could I try and prove it is the WLC config or damaged, corrupted , it is very weird cause as I mentioned before, it works fine on firefox, IE, Opera, etc, execpt Google Chrome and Chrome OS, but only on this site, but other say they have not experienced this issue.

Thank you for  your help, 

5 people had this problem
Labels:
Preview file
1194 KB
0 Helpful
22 Replies 22

M.Netuschil5148
Level 1
Level 1

‎07-21-2016 11:42 PM

Hi,

can you tell us what versions do you using on the WLC and on the ISE with Patch?.

BR,

Mario

0 Helpful

dalporto34
Level 1
Level 1
In response to M.Netuschil5148

‎02-20-2018 04:08 PM

Has there been a resolution to this issue?

0 Helpful

cassiohonorio
Level 1
Level 1

‎01-16-2018 07:47 AM

Did You Find Some Solution

0 Helpful

dalporto34
Level 1
Level 1

‎02-23-2018 11:39 AM

Has there been a remedy to your issue, we are seeing this issue also. Very odd that the page doesn't work with Chrome, but is receiving the proceed link in Mozilla Firefox and Safari. 

0 Helpful

cassiohonorio
Level 1
Level 1
In response to dalporto34

‎02-23-2018 11:42 AM

The TAC wants me to do this.

 

The solution is adding your ISE self-signed certificate to the trusted zone of your browser. Unfortunately, it is Google Chrome’s security feature.

0 Helpful

daemibros
Level 1
Level 1
In response to cassiohonorio

‎03-12-2018 01:05 PM

i have done this and still its not working. This is the default self-signed server certificate in system certificates under certificates in ISE right?  IE works fine but chrome and mozilla are not redirecting

0 Helpful

daemibros
Level 1
Level 1
In response to cassiohonorio

‎03-12-2018 01:09 PM

So in a large deployment...i guess if adding the self-signed is a solution, then this cert will have to be pushed to all the clients...Or how to go about it?

0 Helpful

jan.nielsen
Level 7
Level 7

‎03-14-2018 01:53 PM

Your redirect ACL content would be interesting to see. Regarding Chrome, the gstatic url, is the url that chrome uses to detect if it has internet access, and if it's being blocked somehow, what you should see is the redirect to your portal, but i would suggest you get yourself a trusted public cert instead of some self-signed cert, also certs with SHA1 and not SHA256 algorithm (minimum) , will also have issues and chrome is especially security aware.
0 Helpful

dalporto34
Level 1
Level 1
In response to jan.nielsen

‎03-15-2018 08:37 AM

We already have a public certificate in place.
0 Helpful

jan.nielsen
Level 7
Level 7
In response to dalporto34

‎03-15-2018 09:04 AM

Ok, but are you sure thats the cert that ise is actually sending to the browser? Also, if the cert is sha1, chrome will still not like it.

0 Helpful

Josh.Kurtz
Level 1
Level 1

‎12-17-2018 10:55 AM

I have this same issue, even before the user gets past the web redirect acl, the controller is proxying connections to connectivitycheck.gstatic.com and replying to the client /generate_204 which tells the client its not behind a captive portal...so the device doesnt listen to the redirect.

 

*webauthRedirect: Dec 14 16:42:32.142: 40:4e:36:23:85:c5- parser host is connectivitycheck.gstatic.com
*webauthRedirect: Dec 14 16:42:32.142: 40:4e:36:23:85:c5- parser path is /generate_204

 

Has anyone resolved this issue yet?

 

0 Helpful

Josh.Kurtz
Level 1
Level 1
In response to Jason Kunst

‎12-17-2018 02:12 PM

No unfortunately this didnt work, see the attached logs, no matter what I do, androids are bypassing the web auth acl and thinking they are online?? (the below acl also allowed dns...that was removed for testing...that isnt the issue)

 

...the more urls we see, we try and block...but we cant seem to block *.google.com/gen_204

 

 

Source Destination Source Port Dest Port
Index Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
1 Any 0.0.0.0/0.0.0.0 (ip removed for security)/255.255.255.255 Any 0-65535 0-65535 Any Permit 22
2 Any (ip removed for security)/255.255.255.255 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 Any Permit 18

DenyCounter : 469

URLs configured in this ACL
---------------------------
*.connectivitycheck.android.com/generate_204
*.connectivitycheck.gstatic.com/generate_204
*.google.com/generate_204
*.clients3.google.com/generate_204
*.check.googlezip.net/connect
*.connectivitycheck.gstatic.com/favicon.ico
*.connectivitycheck.android.com
*.clients3.google.com
*.connectivitycheck.gstatic.com
*.google.com/gen_204

Preview file
19 KB
0 Helpful

Jason Kunst
Cisco Employee
Cisco Employee
In response to Josh.Kurtz

‎12-17-2018 02:53 PM

If captive portal bypass is disabled and still unable to get auto browser does the standard browser work going to an http site? Try enroll.cisco.com

Also work through tac
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents