ISE 1.4 - CWA Redirection Not working

khizerkhan
Level 1

Hello Guys,

I am studying for the Cisco SISAS exam and trying to learn CWA using ISE 1.4. The test PC is connected to a 3750V2 switch running code 15.0(2)SE10. The problem I am having is that the redirect is not working. The switch is successfully able to download the dynamic ACL for Phase 1 (which I set to permit ip any any for now). I have searched and tried different REDIRECT ACLs, but nothing makes the client PC get the redirect page. When I try to directly access the link downloaded from ISE I get "400 Bad Request".

I am pasting my relevant switch configs here:

aaa new-model
aaa group server radius ISE
 server name ISE
aaa authentication login default local
aaa authentication dot1x default group ISE
aaa authorization exec default local
aaa authorization network default group ISE
aaa authorization auth-proxy default group ISE
aaa accounting auth-proxy default start-stop group ISE
aaa accounting dot1x default start-stop group ISE

aaa server radius dynamic-author
 client 172.16.3.100 server-key KEY

radius server ISE
 address ipv4 172.16.3.100 auth-port 1812 acct-port 1813
 timeout 10
 retransmit 5
 key KEY

ip access-list extended CWA-REDIRECT
 deny   ip any host 172.16.3.100
 deny   udp any any eq domain
 deny   icmp any any
 permit tcp any any eq www
 permit tcp any any eq 443
!
ip radius source-interface Vlan301
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication

interface Vlan301
 ip address 150.1.100.10 255.255.255.0
 no ip route-cache
!
ip default-gateway 150.1.100.16

ip http server
ip http secure-server

interface FastEthernet1/0/4
 description For Testing CWA
 switchport access vlan 91
 switchport mode access
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

ip domain-name inelab.local
ip name-server 172.16.20.100

ip device tracking probe count 2
ip device tracking probe interval 200
ip device tracking probe use-svi
ip device tracking

3750V2#show authen ses int fa 1/0/4
*Mar  1 00:37:08.777: %SYS-5-CONFIG_I: Configured from console by root on console
            Interface:  FastEthernet1/0/4
          MAC Address:  848f.69c9.b545
           IP Address:  136.1.91.10
            User-Name:  84-8F-69-C9-B5-45
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-CWA-PHASE1-DACL-59e3d98b
     URL Redirect ACL:  CWA-REDIRECT
         URL Redirect:  https://ise.inelab.local:8443/portal/gateway?sessionId=9601640A0000000C000AD3B6&portal=27ffafe0-e96e-11e4-a30a-005056bf01c9&action=cwa&token=a4c8c56277b83b5eb81e289db7adec70
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  9601640A0000000C000AD3B6
      Acct Session ID:  0x0000000E
               Handle:  0xF000000D

          
Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

3750V2#show epm sess ip 136.1.91.10
    Admission feature:  DOT1X
              ACS ACL:  xACSACLx-IP-CWA-PHASE1-DACL-59e3d98b
     URL Redirect ACL:  CWA-REDIRECT
         URL Redirect:  https://ise.inelab.local:8443/portal/gateway?sessionId=9601640A0000000C000AD3B6&portal=27ffafe0-e96e-11e4-a30a-005056bf01c9&action=cwa&token=a4c8c56277b83b5eb81e289db7adec70

3750V2#show access-list
Extended IP access list Auth-Default-ACL
    10 permit udp any range bootps 65347 any range bootpc 65348
    20 permit udp any any range bootps 65347
    30 deny ip any any (7 matches)
Extended IP access list CWA-REDIRECT ===>> This is REDIRECT ACL
    10 deny ip any host 172.16.3.100 (362 matches)
    20 deny udp any any eq domain (225 matches)
    30 deny icmp any any (22 matches)
    40 permit tcp any any eq www (508 matches)
    50 permit tcp any any eq 443 (1008 matches)
Extended IP access list xACSACLx-IP-CWA-PHASE1-DACL-59e3d98b (per-user) ==>> This is DACL
    10 permit ip any any

Can someone please help me understand what I am doing wrong? Please note that my client PC can resolve DNS for ISE and www.google.com etc. The error when trying the direct URL is as below:

[ 400 ] Bad Request,The request is invalid due to malformed syntax or invalid data.

Following are the outputs for debug epm redirect:

*Mar  1 00:47:36.891: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar  1 00:47:36.891: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:36.891: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:36.891: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar  1 00:47:36.891: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar  1 00:47:36.891: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar  1 00:47:36.891: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:36.891: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:36.891: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar  1 00:47:37.017: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar  1 00:47:37.017: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:37.017: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:37.017: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar  1 00:47:37.017: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar  1 00:47:37.017: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar  1 00:47:37.017: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:37.017: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:37.017: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar  1 00:47:37.025: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar  1 00:47:37.025: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:37.025: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:37.025: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar  1 00:47:37.025: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar  1 00:47:37.025: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar  1 00:47:37.025: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:37.025: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:37.025: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar  1 00:47:37.143: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar  1 00:47:37.143: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:37.143: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:37.143: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar  1 00:47:37.143: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar  1 00:47:37.143: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar  1 00:47:37.143: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:37.143: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:37.143: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar  1 00:47:37.352: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar  1 00:47:37.352: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:37.352: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:37.352: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar  1 00:47:37.352: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar  1 00:47:37.352: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar  1 00:47:37.361: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:37.361: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:37.361: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar  1 00:47:38.678: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar  1 00:47:38.678: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:38.678: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:38.678: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar  1 00:47:38.678: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar  1 00:47:38.678: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar  1 00:47:38.678: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:38.678: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:38.678: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar  1 00:47:38.803: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify ...
*Mar  1 00:47:38.803: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:38.803: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:38.803: epm-redirect:IP=136.1.91.10: Ingress packet on [idb= FastEthernet1/0/4] matched with [acl=CWA-REDIRECT]
*Mar  1 00:47:38.803: epm-redirect:IDB=FastEthernet1/0/4: Enqueue the packet with if_input=FastEthernet1/0/4
*Mar  1 00:47:38.812: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_process ...
*Mar  1 00:47:38.812: epm-redirect:epm_redirect_cache_gen_hash: IP=136.1.91.10 Hash=238
*Mar  1 00:47:38.812: epm-redirect:IP=136.1.91.10: CacheEntryGet Success
*Mar  1 00:47:38.812: epm-redirect:IP=136.1.91.10: ingress traffic on [idb=FastEthernet1/0/4] matches url acl [CWA-REDIRECT]. ip_enqueue the packet
*Mar  1 00:47:39.760: epm-redirect:IDB=FastEthernet1/0/4: In epm_host_ingress_traffic_qualify 

4 Replies

khizerkhan
Level 1

Following is the topology diagram: [image: Topology.png]

To update this thread, I changed the CWA PHASE 1 ACL as below and now I can access the GUEST PORTAL only via the direct link copied from the switch. The redirection is not happening when I type something like www.yahoo.com. My client PC, when on CWA Phase 1, is able to resolve the DNS-to-IP mapping for, let's say, www.yahoo.com. Following are the ACLs I am using:

REDIRECT ACL:
=============

ip access-list extended CWA-REDIRECT
 deny   ip any host 172.16.3.100 (ISE IP also where Portal is enabled)
 deny   udp any any eq domain
 deny   icmp any any
 permit tcp any any eq www
 permit tcp any any eq 443

CWA-PHASE1 ACL:
===============

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit ip any host 172.16.3.100
permit ip any host 150.1.100.10 (this is only to ssh access SW to copy URL not required )
deny ip any any log

Is there any reason why redirection is not working without the direct URL? This is not practical in a production network.

Thanks

Khiz
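To make the ACL semantics in the two posts above concrete, here is an added example (not from the thread, not Cisco code) that evaluates constructed flows against the CWA-REDIRECT ACL and the CWA-PHASE1 dACL exactly as posted. It models IOS first-match ACL semantics only; it assumes nothing about the order in which the switch applies the two ACLs, and 203.0.113.10 is a constructed stand-in for a public web server.

```python
"""Evaluate the thread's CWA-REDIRECT ACL and CWA-PHASE1 dACL against sample
flows (added example, not from the thread). IOS semantics: top-down, first match
wins, implicit deny at the end; in a URL-redirect ACL a 'permit' match means
"intercept and send to the portal", 'deny' means "leave the packet alone".
The two ACLs are checked independently; their ordering on the switch is not modelled."""
from collections import namedtuple

Flow = namedtuple("Flow", "proto dst_ip dst_port src_port", defaults=(None, None))
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def parse_ace(line):
    """<permit|deny> <proto> any [eq P] (any | host X) [eq P] [log]; trailing
    '(...)' annotations from the post are stripped."""
    t = line.split("(")[0].split()
    action, proto, i, src_port, dst_port = t[0], t[1], 3, None, None
    if t[i] == "eq":                       # source port, e.g. 'any eq bootpc'
        src_port, i = _port(t[i + 1]), i + 2
    if t[i] == "host":
        dst_ip, i = t[i + 1], i + 2
    else:
        dst_ip, i = "any", i + 1
    if i < len(t) and t[i] == "eq":
        dst_port = _port(t[i + 1])
    return action, proto, src_port, dst_ip, dst_port

def first_match(acl, flow):
    """Action of the first ACE matching the flow; 'deny' if none (implicit deny)."""
    for line in acl:
        action, proto, src_port, dst_ip, dst_port = parse_ace(line)
        if (proto in ("ip", flow.proto) and src_port in (None, flow.src_port)
                and dst_ip in ("any", flow.dst_ip) and dst_port in (None, flow.dst_port)):
            return action
    return "deny"

def verdicts(flow, redirect_acl, dacl):
    """-> ('redirect' | 'no-redirect', 'permit' | 'deny') for one flow."""
    r = "redirect" if first_match(redirect_acl, flow) == "permit" else "no-redirect"
    return r, first_match(dacl, flow)

# ACEs copied from the second post, annotations included on purpose.
CWA_REDIRECT = ["deny ip any host 172.16.3.100 (ISE IP also where Portal is enabled)",
                "deny udp any any eq domain", "deny icmp any any",
                "permit tcp any any eq www", "permit tcp any any eq 443"]
CWA_PHASE1 = ["permit udp any eq bootpc any eq bootps", "permit udp any any eq domain",
              "permit ip any host 172.16.3.100",
              "permit ip any host 150.1.100.10 (this is only to ssh access SW to copy URL not required )",
              "deny ip any any log"]
```

`verdicts(Flow("tcp", "203.0.113.10", 80), CWA_REDIRECT, CWA_PHASE1)` returns `('redirect', 'deny')`: the redirect ACL selects the flow for the portal, while the phase-1 dACL, read on its own, drops it.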

Peter Koltl
Level 7

Please check a plain numeric HTTP site in your browser, e.g.

http://10.1.1.1/
