Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3577
Views
1
Helpful
1
Replies

Wired URL Redirect for Central WebAuth not working

Go to solution
Michiel Vercoutter
Level 1
Level 1

‎03-24-2021 08:51 AM - edited ‎03-24-2021 11:55 PM

Hi,

 

I have been trying to set up wired CWA with ISE, but URL redirection is not working.

Switch is a WS-C3850-12S, IOS XE version 16.12.3.

 

MAB authentication and device tracking seem to be working:

 

LAB-CORE-SW01#sh authentication sessions int g1/0/6 details
Interface: GigabitEthernet1/0/6
IIF-ID: 0x198EBDB5
MAC Address: 3c52.822c.d3b6
IPv6 Address: fe80::5c4e:2525:8dd8:b66e
IPv4 Address: 172.21.102.104
User-Name: 3C-52-82-2C-D3-B6
Status: Authorized
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Session timeout: N/A
Common Session ID: AC1563040000004A64BCEE7E
Acct Session ID: Unknown
Handle: 0x7500002e
Current Policy: POLICY_Gi1/0/6


Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure

Server Policies:
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://172.21.102.150:8443/portal/gateway?sessionId=AC1563040000004A64BCEE7E&portal=50fbc805-6bde-4e28-8a3e-17750f938538&action=cwa&token=5ae4ba4c57bee8eb454b42c fab705cfa
ACS ACL: xACSACLx-IP-Pre-Webauth-Test-605b5018


Method status list:
Method State
mab Authc Success

 

The dACL:

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 172.21.102.150 eq 8443
permit tcp any any eq www
permit tcp any any eq 443

 

The redirect ACL:

Extended IP access list ACL-WEBAUTH-REDIRECT
10 deny udp any any eq domain
15 deny tcp any host 172.21.102.150 eq 8443
20 permit tcp any any eq www
30 permit tcp any any eq 443

 

Interface config:

interface GigabitEthernet1/0/6
description ISE-LAB_WebAuth-Test
switchport access vlan 102
switchport mode access
device-tracking attach-policy DT-Policy-Test
authentication order mab
authentication priority mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
spanning-tree bpduguard enable
end

 

ISE and the test client are in the same subnet, switch SVI is in another subnet, with a firewall (palo alto) in between. No deny logs on firewall, and the switch can ping both the endpoint and ISE. No IP spoofing protection enabled on the firewall.

 

After MAB authentication, the client can telnet to ISE IP on port 8443, but redirection does not work when browsing to e.g. http://10.10.10.10

 

ISE does not show any logs after the succesful MAB authentication and its associated session.

 

Debugging commands like 'debug authentication all' and 'debug aaa coa' do not work for me. I think I am hitting the issue mentioned in this post: https://community.cisco.com/t5/network-access-control/cisco-3650-no-radius-debug-output/td-p/4090369. The suggested debug commands mentioned in this post also do not work for me.

 

Attached, you can find the switch config.

 

I have tried many different settings and slight configuration changes, but nothing seems to be working.

Any help or suggestions would be greatly appreciated.

Thanks in advance!

Preview file
7 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Michiel Vercoutter
Level 1
Level 1

‎03-25-2021 08:43 AM

Problem is solved. I had to create a switch SVI in the vlan of the clients. After this, the redirection worked instantly.

View solution in original post

1 Reply 1

Go to solution
Michiel Vercoutter
Level 1
Level 1

‎03-25-2021 08:43 AM

Problem is solved. I had to create a switch SVI in the vlan of the clients. After this, the redirection worked instantly.

Customers Also Viewed These Support Documents