CWA for guest: failure to redirect domain traffic on a Cat 2960-X
I have a 2960-X switch and it has failed to redirect domain traffic to ISE using the redirect ACL,
but when I type in something like 188.8.131.52 in the client computer, the redirection takes place and it redirects to the ISE's guest portal. But when I enter www.google.com the redirection fails to happen.
Please note that in the CWA profile I enabled a static IP of the ISE, not the FQDN.
Please note that the ISE has no internet access because it is in the segment of the network which is not allowed to have internet access.
I need assistance with how to make the redirection automatic.
The dACL is:
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
permit udp any any eq domain
deny ip any any
Below is the running configuration of the switch.
!
version 15.2
aaa new-model
!
aaa group server radius ISE
 server name ISE
 server 172.16.1.35
!
aaa group server tacacs+ ISE_SW
 server name Cisco-ISE
 ip tacacs source-interface Vlan175
!
aaa authentication login default group ISE_SW local
aaa authentication login CONSOLE none
aaa authentication dot1x default group ISE
aaa authorization config-commands
aaa authorization exec default group ISE_SW local if-authenticated
aaa authorization exec CONSOLE none
aaa authorization commands 1 default group ISE_SW local if-authenticated
aaa authorization commands 15 default group ISE_SW local if-authenticated
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE
aaa accounting exec default start-stop group ISE_SW
aaa accounting commands 1 default start-stop group ISE_SW
aaa accounting commands 15 default start-stop group ISE_SW
!
aaa server radius dynamic-author
 client 172.16.1.35 server-key xxxxx
aaa session-id common
switch 1 provision ws-c2960x-24ps-l
!
device-sensor filter-list lldp list LLDP_LIST
 tlv name system-description
device-sensor filter-spec lldp include list LLDP_LIST
device-sensor accounting
device-sensor notify all-changes
ip routing
!
authentication mac-move permit
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/19
 switchport access vlan 192
 switchport mode access
 ip access-group webauth in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
interface GigabitEthernet1/0/23
 switchport access vlan 192
 switchport mode access
 ip access-group webauth in
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
interface Vlan10
 ip address 10.1.1.13 255.255.255.0
!
interface Vlan175
 ip address 172.16.1.209 255.255.255.0
!
interface Vlan192
 ip address 192.168.2.209 255.255.255.0
!
ip default-gateway 10.1.1.1
ip http server
ip http secure-server
!
ip tacacs source-interface Vlan175
!
ip access-list extended redirect
 deny ip any host 172.16.1.35
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended webauth
 permit ip any any
ip radius source-interface Vlan175
!
tacacs server Cisco-ISE
 address ipv4 172.16.1.35
 key xxxxxxx
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 30 tries 3
radius-server deadtime 30
!
radius server ISE
 address ipv4 172.16.1.35 auth-port 1812 acct-port 1813
 key xxxxxx
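Added example, not from the post or from Cisco: a small Python model of how the switch applies the dACL and the redirect ACL from the configuration above to a client flow, so the expected disposition (dropped, redirected to the portal, or passed through) of DNS, HTTP and portal traffic can be checked before looking elsewhere for the fault. It assumes the IOS CWA semantics that the dACL filters a flow first and that traffic matching a `permit` line of the redirect ACL is the traffic redirected; the client and resolver addresses are constructed.

```python
# Assumption (IOS CWA semantics, not stated in the post): the dACL filters a flow
# first; of what survives, traffic matching a 'permit' line of the redirect ACL is
# sent to the ISE portal, and everything else (implicit deny) passes untouched.
PORT_NAMES = {"www": 80, "domain": 53}

# ACLs copied verbatim from the switch configuration posted above.
DACL = [
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
    "permit tcp any any eq 8443",
    "permit udp any any eq domain",
    "deny ip any any",
]
REDIRECT_ACL = [
    "deny ip any host 172.16.1.35",
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
]

def parse_ace(line):
    """Parse 'permit tcp any host 1.2.3.4 eq www' -> (action, proto, src, dst, dport)."""
    t = line.replace("host ", "host:").split()  # make 'host X' a single token
    action, proto, src, dst = t[0], t[1], t[2], t[3]
    dport = (PORT_NAMES.get(t[5]) or int(t[5])) if len(t) > 4 and t[4] == "eq" else None
    none_if_any = lambda a: None if a == "any" else a.split(":", 1)[1]
    return action, proto, none_if_any(src), none_if_any(dst), dport

def _first_match(acl, proto, src, dst, dport):
    """Return the action of the first matching ACE, or the implicit deny."""
    for action, aproto, asrc, adst, aport in map(parse_ace, acl):
        if aproto not in ("ip", proto):
            continue
        if asrc not in (None, src) or adst not in (None, dst) or aport not in (None, dport):
            continue
        return action
    return "deny"  # every IOS ACL ends with an implicit deny

def disposition(proto, src, dst, dport, dacl=DACL, redirect_acl=REDIRECT_ACL):
    """Classify one client flow as 'dropped', 'redirected' or 'passed'."""
    if _first_match(dacl, proto, src, dst, dport) == "deny":
        return "dropped"
    if _first_match(redirect_acl, proto, src, dst, dport) == "permit":
        return "redirected"
    return "passed"

if __name__ == "__main__":
    client = "192.168.2.50"  # constructed client address in VLAN 192
    for proto, dst, port in [("udp", "192.168.2.1", 53), ("tcp", "188.8.131.52", 80),
                             ("tcp", "172.16.1.35", 8443), ("icmp", "10.1.1.1", None)]:
        print(proto, dst, port, "->", disposition(proto, client, dst, port))
```

If the model says an HTTP flow to a resolved name is redirected but the client still reaches the site, the ACLs are not the problem and the check moves to whether the client's DNS query actually gets answered.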