CWA for guest Failure to redirect domain traffic on a cat 2960-x

Hello Team,

I have a 2960-X switch, and it has failed to redirect domain traffic to ISE using the redirect ACL. When I type in something like 1.1.1.1 on the client computer, the redirection takes place and it redirects to the ISE guest portal, but when I enter www.google.com the redirection fails to happen.

Please note that in the CWA profile I enabled a static IP of the ISE, not the FQDN.

Please note that the ISE has no internet access because it is in a segment of the network which is not allowed to have internet access.

I need assistance with how to make the redirection automatic.

The DACL is:

permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
permit udp any any eq domain
deny ip any any

Below is the running configuration of the switch.

!
version 15.2
!
aaa new-model
!
!
aaa group server radius ISE
server name ISE
server 172.16.1.35
!
aaa group server tacacs+ ISE_SW
server name Cisco-ISE
ip tacacs source-interface Vlan175
!
aaa authentication login default group ISE_SW local
aaa authentication login CONSOLE none
aaa authentication dot1x default group ISE
aaa authorization config-commands
aaa authorization exec default group ISE_SW local if-authenticated
aaa authorization exec CONSOLE none
aaa authorization commands 1 default group ISE_SW local if-authenticated
aaa authorization commands 15 default group ISE_SW local if-authenticated
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE
aaa accounting exec default start-stop group ISE_SW
aaa accounting commands 1 default start-stop group ISE_SW
aaa accounting commands 15 default start-stop group ISE_SW
!
aaa server radius dynamic-author
client 172.16.1.35 server-key xxxxx
!
aaa session-id common
switch 1 provision ws-c2960x-24ps-l
!
device-sensor filter-list lldp list LLDP_LIST
tlv name system-description
device-sensor filter-spec lldp include list LLDP_LIST
device-sensor accounting
device-sensor notify all-changes
ip routing
!
authentication mac-move permit
!
dot1x system-auth-control
!
lldp run
!
interface GigabitEthernet1/0/19
switchport access vlan 192
switchport mode access
ip access-group webauth in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
!
interface GigabitEthernet1/0/23
switchport access vlan 192
switchport mode access
ip access-group webauth in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
!
interface Vlan10
ip address 10.1.1.13 255.255.255.0
!
interface Vlan175
ip address 172.16.1.209 255.255.255.0
!
interface Vlan192
ip address 192.168.2.209 255.255.255.0
!
ip default-gateway 10.1.1.1
ip http server
ip http secure-server
!
ip tacacs source-interface Vlan175
!
ip access-list extended redirect
deny ip any host 172.16.1.35
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended webauth
permit ip any any
ip radius source-interface Vlan175
!
tacacs server Cisco-ISE
address ipv4 172.16.1.35
key xxxxxxx
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 30 tries 3
radius-server deadtime 30
!
radius server ISE
address ipv4 172.16.1.35 auth-port 1812 acct-port 1813
key xxxxxx
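As an added example (not part of the original post, and not Cisco code), the script below walks a guest client's packets through the two ACLs from the post: the dACL pushed by ISE, which decides whether a packet is forwarded at all, and the `redirect` ACL on the switch, which decides whether a permitted packet is intercepted and sent to the guest portal (permit = redirect, deny = leave alone). That evaluation order is an assumption of the model. The client, DNS-server and www.google.com addresses are constructed stand-ins; only the ISE address and the ACL contents come from the post. The point it makes visible is that DNS (udp/53) is permitted but never redirected, so a hostname URL only reaches the redirect ACL if the lookup actually succeeds, whereas a bare IP such as 1.1.1.1 needs no lookup at all.

```python
"""Walk a guest client's packets through the ACLs from the post.

Added example; not code from the original post or from Cisco. Assumed
evaluation order on the port: (1) the dACL decides whether a packet is
forwarded at all; (2) the redirect ACL decides whether a permitted packet is
intercepted and redirected to the ISE guest portal (permit = redirect,
deny = do not redirect). CLIENT, DNS_SERVER and GOOGLE_STANDIN are
constructed addresses.
"""
from dataclasses import dataclass
from typing import List, Optional

ISE = "172.16.1.35"              # from the post
CLIENT = "192.168.2.50"          # constructed: a host in VLAN 192
DNS_SERVER = "192.168.2.1"       # constructed: whatever resolver the client uses
GOOGLE_STANDIN = "203.0.113.10"  # constructed stand-in for a resolved www.google.com


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    dst: Optional[str] = None    # None == "any"
    dport: Optional[int] = None  # None == any destination port


def ace_matches(ace: Ace, f: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != f.proto:
        return False
    if ace.dst is not None and ace.dst != f.dst:
        return False
    return ace.dport is None or ace.dport == f.dport


def first_match(acl: List[Ace], f: Flow) -> str:
    """IOS ACLs are first-match, with an implicit 'deny ip any any' at the end."""
    for ace in acl:
        if ace_matches(ace, f):
            return ace.action
    return "deny"


# The dACL from the post (www == 80, domain == 53).
DACL = [
    Ace("permit", "tcp", dport=80),
    Ace("permit", "tcp", dport=443),
    Ace("permit", "tcp", dport=8443),
    Ace("permit", "udp", dport=53),
    Ace("deny", "ip"),
]

# 'ip access-list extended redirect' from the switch configuration.
REDIRECT = [
    Ace("deny", "ip", dst=ISE),     # traffic to the portal itself is never redirected
    Ace("permit", "tcp", dport=80),
    Ace("permit", "tcp", dport=443),
]


def evaluate(f: Flow) -> str:
    """Return 'dropped', 'redirected' or 'forwarded' for one client packet."""
    if first_match(DACL, f) == "deny":
        return "dropped"          # dACL blocks it before redirection is considered
    if first_match(REDIRECT, f) == "permit":
        return "redirected"       # intercepted and sent to the ISE guest portal
    return "forwarded"            # permitted, but left alone by the redirect ACL


def walk_portal_attempt(resolves: bool) -> List[str]:
    """Packets a browser generates for http://www.google.com, in order.

    The DNS query is forwarded, never redirected. If the lookup fails
    (resolves=False) the browser has no address to connect to, so no TCP
    packet is ever sent and the redirect ACL is never consulted; a bare IP
    skips the lookup entirely.
    """
    steps = [evaluate(Flow("udp", CLIENT, DNS_SERVER, 53))]
    if resolves:
        steps.append(evaluate(Flow("tcp", CLIENT, GOOGLE_STANDIN, 80)))
    return steps


if __name__ == "__main__":
    for f in (Flow("udp", CLIENT, DNS_SERVER, 53),
              Flow("tcp", CLIENT, "1.1.1.1", 80),
              Flow("tcp", CLIENT, GOOGLE_STANDIN, 443),
              Flow("tcp", CLIENT, ISE, 8443),
              Flow("tcp", CLIENT, "1.1.1.1", 22)):
        print(f"{f.proto}/{f.dport} -> {f.dst}: {evaluate(f)}")
    print("hostname, DNS fails:", walk_portal_attempt(False))
    print("hostname, DNS works:", walk_portal_attempt(True))
```

Running it prints the outcome per packet; the `deny ip any host 172.16.1.35` entry is what keeps the portal connection on tcp/8443 from being redirected back into itself, and anything the dACL does not list (ssh on tcp/22, for instance) is dropped before the redirect ACL is reached.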