Wired URL Redirect for Central WebAuth not working

Hi,

I have been trying to set up wired CWA with ISE, but URL redirection is not working.

Switch is a WS-C3850-12S, IOS XE version 16.12.3.

MAB authentication and device tracking seem to be working:

LAB-CORE-SW01#sh authentication sessions int g1/0/6 details
Interface: GigabitEthernet1/0/6
IIF-ID: 0x198EBDB5
MAC Address: 3c52.822c.d3b6
IPv6 Address: fe80::5c4e:2525:8dd8:b66e
IPv4 Address: 172.21.102.104
User-Name: 3C-52-82-2C-D3-B6
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: AC1563040000004A64BCEE7E
Acct Session ID: Unknown
Handle: 0x7500002e
Current Policy: POLICY_Gi1/0/6


Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://172.21.102.150:8443/portal/gateway?sessionId=AC1563040000004A64BCEE7E&portal=50fbc805-6bde-4e28-8a3e-17750f938538&action=cwa&token=5ae4ba4c57bee8eb454b42cfab705cfa
ACS ACL: xACSACLx-IP-Pre-Webauth-Test-605b5018


Method status list:
Method State
mab Authc Success

The dACL:

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 172.21.102.150 eq 8443
permit tcp any any eq www
permit tcp any any eq 443

The redirect ACL:

Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain
15 deny tcp any host 172.21.102.150 eq 8443
20 permit tcp any any eq www
30 permit tcp any any eq 443

Interface config:

interface GigabitEthernet1/0/6
description ISE-LAB_WebAuth-Test
switchport access vlan 102
switchport mode access
device-tracking attach-policy DT-Policy-Test
authentication order mab
authentication priority mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
end

ISE and the test client are in the same subnet, the switch SVI is in another subnet, with a firewall (Palo Alto) in between. No deny logs on the firewall, and the switch can ping both the endpoint and ISE. No IP spoofing protection is enabled on the firewall.

After MAB authentication, the client can telnet to ISE IP on port 8443, but redirection does not work when browsing to e.g. http://10.10.10.10

ISE does not show any logs after the successful MAB authentication and its associated session.

Debugging commands like 'debug authentication all' and 'debug aaa coa' do not work for me. I think I am hitting the issue mentioned in this post: https://community.cisco.com/t5/network-access-control/cisco-3650-no-radius-debug-output/td-p/4090369. The suggested debug commands mentioned in this post also do not work for me.

Attached, you can find the switch config.

I have tried many different settings and slight configuration changes, but nothing seems to be working.

Any help or suggestions would be greatly appreciated.

Thanks in advance!
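As an added example (not from the post or Cisco), here is a small Python model of how the dACL and redirect ACL above combine for a given client flow, so the ACLs can be checked as a possible cause before looking elsewhere. It assumes the simplified order stated in the comments (dACL filters first; on permitted traffic, a redirect-ACL permit means intercept, a deny or no match means forward) and supports only the any/host address forms the post uses.

```python
# Added example (not from the post or Cisco): evaluates the post's ACLs for a
# client flow; assumed model: dACL filters first, then redirect-ACL 'permit'
# = intercept and send to the ISE portal, deny or no match = forward normally.
import ipaddress
DACL = """permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 172.21.102.150 eq 8443
permit tcp any any eq www
permit tcp any any eq 443"""
REDIRECT_ACL = """10 deny udp any any eq domain
15 deny tcp any host 172.21.102.150 eq 8443
20 permit tcp any any eq www
30 permit tcp any any eq 443"""
PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67}

def parse_ace(line):
    """'[seq] action proto src [eq port] dst [eq port]' (any/host forms)."""
    toks = line.split()
    if toks[0].isdigit():                      # strip sequence number
        toks = toks[1:]
    action, proto, rest, fields = toks[0], toks[1], toks[2:], []
    for _ in range(2):                         # source, then destination
        if rest[0] == "host":
            net, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        else:                                  # 'any'
            net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        port = None
        if rest[:1] == ["eq"]:                 # named or numeric port
            port, rest = PORT_NAMES.get(rest[1]) or int(rest[1]), rest[2:]
        fields += [net, port]
    return (action, proto, *fields)

def first_match(acl_text, flow):
    """Action of the first ACE matching flow, or None (implicit deny)."""
    proto, src, sport, dst, dport = flow
    for action, p, snet, sp, dnet, dp in (
            parse_ace(l) for l in acl_text.splitlines() if l.strip()):
        if (p == proto and ipaddress.ip_address(src) in snet
                and ipaddress.ip_address(dst) in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return None

def cwa_disposition(flow, dacl=DACL, redirect_acl=REDIRECT_ACL):
    """flow = (proto, src_ip, src_port, dst_ip, dst_port) sent by the client."""
    if first_match(dacl, flow) != "permit":
        return "dropped by dACL"
    if first_match(redirect_acl, flow) == "permit":
        return "redirected to ISE portal"
    return "forwarded"
```

With the post's ACLs, a client HTTP request to 10.10.10.10 comes out as redirected and traffic to ISE on 8443 as forwarded, so the ACLs are consistent with the expected behaviour and the cause has to be sought elsewhere (in this thread, the missing client-VLAN SVI).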

Accepted Solutions

Problem is solved. I had to create a switch SVI in the vlan of the clients. After this, the redirection worked instantly.
