c.s Beginner

CWA/ISE/WLC - client timeout when redirected to portal.

Problem: When connecting to the CWA SSID, the client gets redirected to: https://lab-ise01.lab.local:8443/guestportal/gateway?sessionId=3c02a8c00000000878430a51&action=cwa

but the link times out.

I'm currently following this guide: https://supportforums.cisco.com/docs/DOC-26442

Any thoughts or suggestions are appreciated.

Info: ISE 1.1.1 and vWLC 7.3.101.0 are installed on VMware. Identity Source: Internal Users. AP is in FlexConnect mode. MAC filtering enabled, no layer 3 security. Allow AAA Override enabled. RADIUS NAC enabled.

Topology:

Win7/iPad -  -  - AP----labswitch-----switch-----switch-----VMware

(Traffic does not pass through a FW and there are no ACLs on the switches.)

ACL on WLC:

acl_wlc.PNG

Client on WLC

client_on_wlc.PNG

Contributor

Re: CWA/ISE/WLC - client timeout when redirected to portal.


Can you see if DNS is working for the client?

Regards
Mikael


c.s Beginner

Re: CWA/ISE/WLC - client timeout when redirected to portal.

The DNS works fine, but it can't reach the ISE for some reason.

The WLAN works fine without web-auth (ISE), btw.

c.s Beginner

CWA/ISE/WLC - client timeout when redirected to portal.

I thought I might be hitting the bug mentioned in the following thread. https://supportforums.cisco.com/thread/2191587

Oddly enough, updating the vWLC to v7.3.112.0 did not resolve the problem. (ISE is v1.1.2)

I still cannot reach anything from the CWA WLAN unless I remove CWA.

Advocate

Re: CWA/ISE/WLC - client timeout when redirected to portal.

Are you sending the Airespace ACL so the client can hit the ISE node with the DNS services allowed? Please provide the screenshots of the client session from the WLC. Also hover over the green button in the ISE live authentications portal and provide a screenshot of the RADIUS attributes that are sent back to the controller.



Tarik Admani
*Please rate helpful posts*
Enthusiast

CWA/ISE/WLC - client timeout when redirected to portal.

I am having this exact issue as well. I followed the FlexConnect Wireless BYOD guide but I just time out getting the redirect page. I've even opened the ACL to any/any. The guide makes mention of sending a flex ACL as the CWA Airespace-ACL-Name but that does not appear right. Controller is on 7.4 and ISE 1.1.2.

Contributor

CWA/ISE/WLC - client timeout when redirected to portal.

Another test is to copy the redirect URL from the WLC, swap the domain name part of the URL for the ISE IP address, then paste it into the browser. Just to test without DNS and narrow down the troubleshooting.

Ex

[hxxps://198.51.100.10:8443/guestportal/gateway?sessionId=3c02a8c00000000878430a51&action=cwa]
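
The DNS-versus-reachability test suggested above, as an added example that is not part of the original post: it builds the IP-based test URL and reports whether the failure is name resolution or a blocked path to the portal port. The URL and ISE address are the ones quoted in the thread; the function names and verdict strings are hypothetical.

```python
import socket
from urllib.parse import urlsplit, urlunsplit

# URL and ISE address as quoted in the thread; everything else is hypothetical.
REDIRECT_URL = ("https://lab-ise01.lab.local:8443/guestportal/gateway"
                "?sessionId=3c02a8c00000000878430a51&action=cwa")
ISE_IP = "198.51.100.10"

def swap_host(url, ip):
    """Replace only the hostname with ip; port, path and sessionId are kept."""
    p = urlsplit(url)
    host = f"[{ip}]" if ":" in ip else ip          # bracket IPv6 literals
    netloc = host if p.port is None else f"{host}:{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(url, ip, resolver=socket.gethostbyname, probe=tcp_reachable):
    """Separate a DNS problem from a blocked path to the portal port."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    try:
        resolved = resolver(p.hostname)
    except OSError:                                 # gaierror is an OSError
        resolved = None
    if not probe(ip, port):
        verdict = "tcp-blocked"     # ACL or routing; DNS is not the cause
    elif resolved is None:
        verdict = "dns-failure"     # portal reachable by IP, name does not resolve
    elif resolved != ip:
        verdict = "dns-mismatch"    # name resolves to a different address
    else:
        verdict = "network-ok"      # look at the TLS/HTTP layer instead
    return {"test_url": swap_host(url, ip), "resolved": resolved,
            "port": port, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(REDIRECT_URL, ISE_IP))
```

Run it from the wireless client while it is still in the redirect state; a `tcp-blocked` verdict points at the pre-auth ACL or routing rather than DNS.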

CWA/ISE/WLC - client timeout when redirected to portal.

Hi all.

According to this behaviour, I have a similar problem with the renewal of the IP address. In a similar scenario (ISE 1.1.2 + vWLC 7.3.101. + CWA + DVLAN assignment), for test purposes I need to use the AP in FlexConnect mode with central control and data traffic because vWLC does not support APs in local mode.

Applying CWA in an SSID with a "non-routed" interface and two interfaces for both different profiles. The client passes the CWA profile in the "non-routed" subnet when redirected; after a successful web authentication ISE sends to the WLC the new attributes including the new VLAN, new ACL and the access-accept, but the client is not trying to change the IP address through DHCP.

I use two rules for authentication:

First: Guest Redirection; condition "Wireless MAB" then "WLC-CWA" (central authentication - ACL-POSTURE-REDIRECT)

Second (this rule is above the first): Guest Traffic; condition "Network access: UseCase EQUALS GuestFlow" then "Guest Permit Access" (which includes new VLAN assignment as a function of the role - new ACL assignment - Termination-Action=0)

The WLC shows me the data correctly; it changes the interface and the ACL, and changes the client status to RUN, but maintains the IP address belonging to the old VLAN (non-routed VLAN).

Could it be possible that this bug is hitting me?

Is there any RADIUS attribute to force a DHCP IP process for these devices?

Thanks in advance.

Best Regards.

Contributor

CWA/ISE/WLC - client timeout when redirected to portal.

Hi

The client doesn't know that the WLC changed VLAN and is not asking for a new IP.

To get that you need to use the 802.1x supplicant on the client, hence it's better to only use ACL for MAB/guest flow.

On a switch you can bounce the port but I don't think there is a good way to do that on wireless.

Regards

Beginner

CWA/ISE/WLC - client timeout when redirected to portal.

Hello,

It works only for Windows.

1. Click on "Administration" menu

2. Click on "Guest Management"

3. Click on "Settings"

4. Expand "Guest". Expand "Multi-Portal Configuration"

5. Click on "DefaultGuestPortal" or the name of a custom portal you may have created

6. Enable "Vlan DHCP Release".

Here is a link: https://supportforums.cisco.com/docs/DOC-18325

Regards