XIRRUS access points --> ISE guest portal

matty-boy
Level 1

Hi,

Does anybody have experience of getting XIRRUS APs to work with ISE guest portals?

We've installed the Xirrus NAD profile and in the authz profile, ISE tells us that we need to statically configure a special redirect URL on the AP.

When a user connects to the SSID, I can see the redirect window come up and the URL is populated but the Xirrus AP appends a whole bunch of other stuff (mac, ssid, etc) that ISE does not like and responds with a 500 error.

If I then manually edit the URL and remove all the stuff added by the Xirrus AP, the user hits ISE, which then sends another redirect to the correct portal which works fine. It's the first redirect that does not work.

Anybody come across this with non-Cisco APs?

Thanks in advance!

Matt.

1 Accepted Solution


Hi Tom,

Yes, we got there in the end after many hours on the phone with TAC and with Cambium Networks, testing this, that and the other, while taking logs of packet captures!

In a nutshell, you need to do the following:-

1. Do not configure WPR on the SSID on the Xirrus AP

2. Create a user group on the Xirrus AP and configure the WPR details here

3. In the ISE authz profile, you need to reference this user group as the RADIUS filter-id; this will remove the walled garden.

Hope this helps,

Matt.


5 Replies

hslai
Cisco Employee

The 3rd-party implementations vary a great deal. I would suggest you divide and conquer to find out which set of parameters is making the ISE guest portal unhappy.

Hi again,

Unfortunately we're no closer to resolving the issue but I have noticed something about the redirect URL...

Here is the URL that ISE says we need to apply to the AP as the redirect URL (obviously we substitute "iseHost" with a publicly resolvable hostname that points to our ISE PSN):

https://iseHost:8443/portal/g?p=1OGJQ9dyvePvEUxVkVQ1WOE48O

The URL is perfectly valid and consists of the scheme (https://), the host & port, the path and finally the query string.

Here is the URL as seen by the client (after the AP appends its own attributes to the URL):

https://iseHost:8443/portal/g?p=1OGJQ9dyvePvEUxVkVQ1WOE48O?res=notyet&uamip=185.0.0.1&uamport=10000&challenge=6129cfd986212512585f4fab1e3f07e6&userurl=http%3a%2f%2fwww.msftconnecttest.com%2fredirect&mac=74-df-bf-ab-c4-b3&apmac=50-60-28-06-25-26&ssid=...

This URL is not valid, which is causing ISE to respond with "[500] Internal Error - Internal system error encountered. Please contact System Adminstrator"

The reason the URL is not valid is that the Xirrus AP is adding its own query string to the URL and it's doing so by adding a second '?' symbol. URLs with multiple AV pairs in the query string usually start with one '?' and then every other AV pair is delimited with a '&'.

If I manually edit the URL after the initial (failed) redirect and change the second '?' for a '&', the client hits ISE which then replies with another redirect to the portal page along with sessionID and so on.

I have a TAC case open but I'm interested to see if anyone has any experience with this sort of problem?

Thanks!

Matt.
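
Added example (not part of the original thread): how a standard URL parser reads the two URLs quoted in the post above, and the effect of swapping the second '?' for '&'. It uses Python's `urllib.parse` as a stand-in; how ISE itself parses the request is not shown in the thread, and the appended parameter list is shortened from the one quoted.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Constructed sample: the portal URL from the post, plus a shortened
# set of the parameters the AP appended to it.
CONFIGURED = "https://iseHost:8443/portal/g?p=1OGJQ9dyvePvEUxVkVQ1WOE48O"
AS_SEEN = (CONFIGURED + "?res=notyet&uamip=185.0.0.1&uamport=10000"
           "&userurl=http%3a%2f%2fwww.msftconnecttest.com%2fredirect"
           "&mac=74-df-bf-ab-c4-b3")


def query_params(url):
    """Return the query string as ordered, percent-decoded (name, value) pairs."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def polluted_params(url):
    """Names of parameters whose raw value contains an unencoded '?'.

    Only the first '?' starts the query; a later one is ordinary data, so a
    second query string glued on with '?' ends up inside the previous value.
    """
    raw = urlsplit(url).query
    return [pair.split("=", 1)[0] for pair in raw.split("&") if "?" in pair]


def repair(url):
    """Replace each unencoded '?' inside the query with '&' (the manual edit from the post)."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=parts.query.replace("?", "&")))


if __name__ == "__main__":
    print("p as parsed :", dict(query_params(AS_SEEN))["p"])
    print("polluted    :", polluted_params(AS_SEEN))
    fixed = repair(AS_SEEN)
    print("repaired URL:", fixed)
    print("p after fix :", dict(query_params(fixed))["p"])
```

As parsed, the portal identifier `p` absorbs `?res=notyet` and the `res` parameter never exists, which is consistent with the lookup failing until the URL is edited by hand.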

tom.dw
Level 1

Hi Matt,

I'm also having issues getting the guest portal redirect working with Xirrus.

Did you happen to find a solution for this?

Kind regards,

Tom

Hi Matt,

Thanks a lot for your reply.

In the end we decided to use ISE as a DNS sinkhole for the redirection.

This is working fine on the AOS access points.

We also have some AOS Lite access points in the setup and are currently having trouble getting CoA working on these.

Best regards,

Tom
