
NAC Web Login Redirect Stopped Working

jmeggers
Level 1

What would stop login redirect from working? It was working on Friday, and something must have changed because I'm no longer getting redirected to log in to the guest network. The architecture is L3 OOB Real-IP. Browser is still running Java and JavaScript, and login works fine if I browse to the untrusted interface of the NAS. It's just not doing the redirect automatically any more. I've tried more than one computer so I know it's not just my laptop. Any suggestions on how to troubleshoot this? Thanks for any comments.

John


Tiago Antunes
Cisco Employee

Hi,

Is DNS working?

If you open the browser and type a random IP address in the URL like http://10.0.0.1, does it get redirected?

If you do a sniffer trace on the client PC interface using Wireshark, can you share this packet capture with us?

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

DNS is working fine.  I can browse to the URL of the untrusted CAS interface and get the login page.  I just don't get redirected if I try to go elsewhere.  If the web page I'm trying to reach is external, I get a message that the browser can't connect to the server.  But, interestingly, I can get to internal servers I shouldn't be able to reach from the untrusted area.  I've reviewed the switch configurations and routing tables and don't see any evidence traffic is bypassing the CAS, and when I shut down the CAS link on the untrusted side, all traffic ceases.  I even activated a "block all" entry on the traffic policy for the Unauthenticated role at the top of the list, and it did not block traffic.  So my guess is either I'm wrong about traffic bypassing the CAS (which would explain the redirect issue) or something is going on in the CAS such that it's allowing traffic through in violation of its own policies, which is also resulting in the lack of browser redirection.

Filters take precedence over the Traffic Policies on the CAM, so check to make sure you don't have a Subnet filter on the CAM (or on the CAS - they can be configured there). Same with a mac-filter. If there is an allow mac-filter with the last hop's MAC address before the CAS then that can cause all traffic to pass.

Nate

Bingo! You just won the grand prize. The MAC address of the last hop before the CAS being in the filter list is exactly what the problem was. I had an event in Profiler that populated infrastructure MAC addresses to the CAM, not realizing this was going to be the result. I always thought the filters were only involved in the decision of what to do with the host when it first connects to the network, but clearly they're more involved than that in determining what traffic is allowed through the CAS. Having gone back and re-read the documentation, I have to say that's not well documented at all.
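
The precedence issue resolved in this thread, as a simplified model with an audit check. This is an added example, not code from the thread or from Cisco; the filter export format, the function names and the sample MAC addresses are assumptions, and only allow/deny filters are modelled.

```python
import re

def norm_mac(mac):
    """Normalize 00-00-5E.., 0000.5e00.5301 or 00:00:5E.. to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_filters(rows):
    """rows: (mac, action) pairs from a hypothetical export of the device filter list."""
    return {norm_mac(mac): action.lower() for mac, action in rows}

def decide(src_mac, filters, role_policy):
    """Filters take precedence: the role's traffic policy applies only if no filter matches."""
    action = filters.get(norm_mac(src_mac))
    if action in ("allow", "deny"):
        return action, "device filter"
    return role_policy, "role traffic policy"

def risky_allow_filters(filters, next_hop_macs):
    """Allow filters whose MAC belongs to a router in front of the CAS."""
    hops = {norm_mac(m) for m in next_hop_macs}
    return sorted(m for m, a in filters.items() if a == "allow" and m in hops)

# Constructed sample data (MACs from the RFC 7042 documentation range).
# In an L3 deployment every routed client reaches the CAS with the last
# hop router's MAC as the frame source, so LAST_HOP stands for all of them.
LAST_HOP = "0000.5e00.5301"
FILTERS = load_filters([
    ("00:00:5E:00:53:01", "allow"),   # infrastructure MAC pushed in by a profiler rule
    ("00-00-5E-00-53-10", "allow"),   # a printer
    ("00:00:5e:00:53:20", "deny"),
])

if __name__ == "__main__":
    # "block" stands for the block-all entry on the Unauthenticated role.
    print(decide(LAST_HOP, FILTERS, "block"))      # filter wins, policy never consulted
    for mac in risky_allow_filters(FILTERS, [LAST_HOP]):
        print("remove allow filter for next hop:", mac)
        del FILTERS[mac]
    print(decide(LAST_HOP, FILTERS, "block"))      # role policy applies again
```

Feeding `risky_allow_filters` the MAC addresses of every router adjacent to the untrusted interface, after any bulk import into the filter list, catches this condition before users notice a missing redirect.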
