04-16-2015 10:21 AM - edited 03-10-2019 10:38 PM
I'm working on wired guest access from a 2960-X switch stack running 15.0(2)EX4. The ISE 1.3 policy delivers the access-accept with the redirect URL, but the switch doesn't seem to do anything with it. The client can do DNS resolution, so there is web traffic to redirect. What I get is "Connecting". The ISE can be reached directly from the client, so routing and ACL seem to be OK. It also doesn't make any difference whether the name or the IP address of the ISE policy server is used. Anyone else seen this behavior?
Here's the session info as seen by the switch:
EF3211# sh auth sess int gi6/0/12
Interface: GigabitEthernet6/0/12
MAC Address: 28d2.440e.5662
IP Address: Unknown
User-Name: 28-D2-44-0E-56-62
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 648
URL Redirect ACL: Blackhole
URL Redirect: https://DHISE1P2.hitchcock.org:8445/portal/gateway?sessionId=82bd783e000E38FF552FED1B&portal=59c60952-e443-11e4-a2a2-0050568a6a89&action=cwa&type=drw&token=36c5ae30b39dd01e8a6b9852096a3924
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 82BDF8060004560D109E916F
Acct Session ID: 0x00048CA9
Handle: 0xD800088F
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
The ACL looks like this:
Extended IP access list Blackhole
10 permit udp any any eq domain
20 permit tcp any any established
30 permit ip any host 130.189.120.62
40 permit ip any host 130.189.120.63
50 permit icmp any any echo
60 permit icmp any any echo-reply
70 permit udp any eq bootpc any eq bootps
80 deny ip any any
04-17-2015 03:17 AM
Problem I believe is the Redirect ACL. The ACL isn't used as access control; it's used as a filter to say which traffic is redirected. So you want HTTP and HTTPS traffic to be redirected. It should look more like the following:
deny ip any host <PSN_IP>
permit tcp any any eq www 443 8443
deny ip any any
So the permit is actually saying "redirect this traffic" to ISE for CWA and the deny is saying "don't redirect". The first line is there because there used to be a bug where any traffic towards the ISE box turned into some kind of redirect loop, so I've included it just to be sure.
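To make the "permit means redirect, deny means forward normally" rule concrete, here is a small model of how the switch consults a redirect ACL, run against the "Blackhole" ACL from the first post and against the corrected shape from the reply above (with the two PSN addresses from the first post substituted for <PSN_IP>). This is an added example, not code from the thread or from Cisco; the parser handles only the ACL syntax that appears in this thread, the client and server addresses are constructed, and the model only reports which flows the ACL selects for redirection, not what the switch does with a selected non-HTTP flow.

```python
"""Model of how Cisco IOS consults a URL-redirect ACL (added example).

A client flow whose first matching line is "permit" is intercepted and sent
to the portal; "deny" (and the implicit deny at the end) means "forward
normally".  Only the syntax used in the ACLs posted in this thread is parsed.
"""
from dataclasses import dataclass

PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}


@dataclass(frozen=True)
class Flow:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False    # TCP ACK bit set, i.e. what IOS calls "established"
    icmp_type: str = ""  # "echo" / "echo-reply" for icmp flows


def _parse_addr(toks):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq PORT [PORT ...]'."""
    if toks[0] == "any":
        addr, toks = None, toks[1:]
    elif toks[0] == "host":
        addr, toks = toks[1], toks[2:]
    else:
        raise ValueError(f"unsupported address spec {toks[0]!r}")
    ports = set()
    if toks and toks[0] == "eq":
        toks = toks[1:]
        while toks and (toks[0] in PORT_NAMES or toks[0].isdigit()):  # eq takes a list
            ports.add(PORT_NAMES.get(toks[0]) or int(toks[0]))
            toks = toks[1:]
    return addr, ports, toks


def parse_acl(text):
    """Parse 'show access-lists' output (or plain config lines) into ordered rules."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] == "Extended":
            continue                    # header line of the show output
        if toks[0].isdigit():           # sequence number plays no part in matching
            toks = toks[1:]
        action, proto, toks = toks[0], toks[1], toks[2:]
        src, sports, toks = _parse_addr(toks)
        dst, dports, toks = _parse_addr(toks)
        rules.append({"action": action, "proto": proto, "src": src, "sports": sports,
                      "dst": dst, "dports": dports, "qual": toks[0] if toks else None})
    return rules


def _matches(rule, f):
    if rule["proto"] not in ("ip", f.proto):
        return False
    if rule["src"] not in (None, f.src) or rule["dst"] not in (None, f.dst):
        return False
    if (rule["sports"] and f.sport not in rule["sports"]) or \
       (rule["dports"] and f.dport not in rule["dports"]):
        return False
    q = rule["qual"]
    if q == "established":              # only packets with ACK set
        return f.proto == "tcp" and f.ack
    if q in ("echo", "echo-reply"):
        return f.proto == "icmp" and f.icmp_type == q
    return True


def is_redirected(rules, flow):
    """True if the first matching line is 'permit', i.e. the switch intercepts the flow."""
    for r in rules:
        if _matches(r, flow):
            return r["action"] == "permit"
    return False                        # implicit deny: forwarded, not redirected


# ACL from the first post: written as a traffic filter, not as a redirect selector.
ORIGINAL_ACL = """
Extended IP access list Blackhole
10 permit udp any any eq domain
20 permit tcp any any established
30 permit ip any host 130.189.120.62
40 permit ip any host 130.189.120.63
50 permit icmp any any echo
60 permit icmp any any echo-reply
70 permit udp any eq bootpc any eq bootps
80 deny ip any any
"""

# Shape suggested in the reply, with the PSN addresses from the first post.
CORRECTED_ACL = """
deny ip any host 130.189.120.62
deny ip any host 130.189.120.63
permit tcp any any eq www 443 8443
deny ip any any
"""

CLIENT = "10.64.8.20"   # constructed guest-VLAN client; servers below are constructed too
FLOWS = {
    "http_syn":    Flow("tcp", CLIENT, "203.0.113.10", 51000, 80),
    "https_syn":   Flow("tcp", CLIENT, "203.0.113.10", 51001, 443),
    "to_psn_8443": Flow("tcp", CLIENT, "130.189.120.62", 51002, 8443),
    "dns":         Flow("udp", CLIENT, "203.0.113.53", 53000, 53),
}


def redirect_report(acl_text):
    """Map each sample flow to whether the given redirect ACL selects it."""
    rules = parse_acl(acl_text)
    return {name: is_redirected(rules, f) for name, f in FLOWS.items()}
```

Calling `redirect_report(ORIGINAL_ACL)` shows the symptom from the first post: the client's HTTP and HTTPS SYNs fall through to `deny ip any any` and are forwarded unredirected (hence "Connecting"), while traffic to the PSN itself is selected for redirection. With `CORRECTED_ACL` the web SYNs are selected and traffic to the PSN is left alone.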
04-17-2015 05:35 AM
Here's what I replaced the redirect ACL with:
Extended IP access list Blackhole
10 deny ip any host 130.189.120.63
20 deny ip any host 130.189.120.62
30 permit tcp any any eq www
40 permit tcp any any eq 443
50 permit tcp any any eq 8443
60 deny ip any any
I still end up with the "connecting" state. I've tried this with the ISE set to return the portal redirect with an IP address as well as a host name.
I took the VLAN change out of the radius reply to see if that was the cause of the problem, but that stopped redirection entirely, even with the same ACL.
04-27-2015 07:44 AM
"The ISE can be reached directly from the client, so routing and ACL seem to be OK"
Does this mean you can hit the portal page? Or can you just ping from the device? I'm assuming the portal is setup in the guest section of ISE?
04-28-2015 08:30 AM
After the redirect is issued to the port I can telnet to the portal port, so at least a TCP connection gets there. Any other address or DNS name with port 80 or 443 just hangs.
% telnet [portal] 8443
Trying [ISE PSN]...
Connected to [ISE PSN].
Escape character is "^]".
04-28-2015 10:02 AM
It turns out I didn't have the http server enabled on the switch, which is covered in a different document... But even though the redirect is clearly getting set up on the switch, the client doesn't get to the portal.
05-07-2015 01:51 AM
So what is it redirecting to? An IP or a hostname? If it's a hostname, does it have a record on the DNS your client is using?
Just for testing I usually change the Authorization policy in ISE to point to the PSN IP so that it takes DNS out of the problem.
05-09-2015 02:44 AM
This could also be a networking problem; the redirect in the switch works in a funny way. When your switch is L2 with no routing enabled, the flow is as follows:
- client sends TCP SYN
- switch swallows the packet and sends an ACK, but it sends it to the "ip default-gateway" configured on the switch.
This means you need to have routing between your management VLAN and your guest VLAN, and it also means that any stateful filtering/firewall between those two networks will drop the redirect traffic, as the switch has kept the SYN packet, so a firewall will only see the ACK packet, which it will drop. This is normally why you can reach ISE but not get redirected to ISE.