07-10-2012 08:01 AM - edited 02-21-2020 04:41 AM
Hi to all,
I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
I have an ISE 3315 doing a captive web portal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
Error: Resource not found.
Resource: /guestportal/
Does anyone have any ideas why the portal is doing this?
Thanks
Paul
07-12-2012 12:48 AM
Anyone got any ideas on this?
Sent from Cisco Technical Support iPhone App
07-16-2012 10:07 PM
Same issue here, can't find anything that might give me a clue.
08-28-2012 01:35 PM
Well, came to the conclusion that external LWA doesn't work with modern browsers due to the use of iframes to complete the redirect and the page containing http & https data.
The only option is to run LWA on the controller or run CWA from the ISE.
Sent from Cisco Technical Support iPhone App
02-08-2013 09:53 AM
I have a similar problem, but in my case the error message appears before the login splash. I saw the certificate warning and immediately the error message.
I saw the browser indicates this URL:
04-03-2013 08:06 AM
I believe it might be that the default HTTPS port is not used, or it might be a routing issue in the network, and you need to review the network packet flow.
Moreover, another reason could be that the dACLs might not be properly configured, as improperly configured dACLs would interrupt the traffic flow.
04-23-2013 04:05 AM
Hello,
I also have this problem.
I have an ISE 1.1.2 on VMware with a WLC 5508 controller. When I log in with a configured guest user, I authenticate correctly, but then the following error occurs:
https://
Error Resource not found
Resource: /guestportal/
I think there is a problem with the path to the redir.html
Hartmut
06-09-2013 11:04 AM
If this hasn't been resolved yet, I found this article that pretty much goes step by step for this kind of scenario. I just tried it out and it worked perfectly.
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
07-01-2013 12:50 AM
Hello,
As you are not able to get the guest portal, you need to ensure the following things:
1) Ensure that the two Cisco av-pairs that are configured on the authorization profile exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
–url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
–url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any
Note:- Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any
5) Ensure that the http and https servers are running on the switch:
ip http server
ip http secure-server
6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
7) Ensure that the client machine browser is not configured to use any proxies.
8) Verify connectivity between the client machine and the Cisco ISE IP address.
9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
11) Or you need to do re-image again.
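Steps 1 to 4 of the checklist above can be cross-checked mechanically. The following Python script is an added example, not part of the original post and not Cisco tooling; the function name `check_redirect`, its `ise_ip` and `ise_fqdn` parameters, and the trimmed sample inputs are assumptions constructed from the values quoted in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed samples built from the values quoted in the post above.
EPM_OUTPUT = """\
Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
"""
DACL = """\
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 80.0.80.2 eq 8443
deny ip any any
"""
SWITCH_CONFIG = """\
ip access-list extended ACL-WEBAUTH-REDIRECT
 deny ip any host 80.0.80.2
 permit ip any any
"""

def check_redirect(epm, dacl, switch_cfg, ise_ip, ise_fqdn):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # "Key : value" lines from the 'show epm session' output.
    fields = dict(re.findall(r"^(.+?)[ \t]*:[ \t]*(.*)$", epm, re.M))
    acl_name = fields.get("URL Redirect ACL", "")
    url = urlsplit(fields.get("URL Redirect", ""))
    query = parse_qs(url.query)
    ip = re.escape(ise_ip)
    if not acl_name:
        findings.append("no URL Redirect ACL applied to the session")
    elif f"ip access-list extended {acl_name}\n" not in switch_cfg:
        # Exact match: a hyphen/underscore slip in the name fails here.
        findings.append(f"redirect ACL {acl_name} is not defined on the switch")
    if url.scheme != "https" or url.port != 8443 or url.path != "/guestportal/gateway":
        findings.append("URL Redirect is not https://<ise>:8443/guestportal/gateway")
    if url.hostname != ise_fqdn:
        findings.append("URL Redirect host is not the expected ISE FQDN")
    if "sessionId" not in query or query.get("action") != ["cpp"]:
        findings.append("URL Redirect lacks sessionId or action=cpp")
    if not re.search(rf"^\s*permit tcp any host {ip} eq 8443\b", dacl, re.M):
        findings.append("dACL does not permit tcp/8443 to ISE (guest portal)")
    if not re.search(r"^\s*permit udp any any eq (domain|53)\b", dacl, re.M):
        findings.append("dACL does not permit DNS")
    # On the switch, 'deny' entries in the redirect ACL bypass redirection.
    if not re.search(rf"^\s*deny\s+ip any host {ip}\s*$", switch_cfg, re.M):
        findings.append("redirect ACL does not exempt ISE traffic from redirection")
    return findings
```

Calling `check_redirect(EPM_OUTPUT, DACL, SWITCH_CONFIG, "80.0.80.2", "node250.cisco.com")` returns an empty list for the sample data; each string in a non-empty result names the checklist item to revisit.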