ISE 2.3 and Cisco WebAuth not working

ben.posner
Level 1

Anyone else here got a 2.3 install running? I cannot get my guest setup working. We updated from 2.2 to 2.3 and I had to recreate the whole policy set, but got it all working again in the end with the exception of the guest wifi rules. But the thing is, even the DEFAULT captive web auth doesn't seem to be working either.

So I set up a lab with a fresh 2.3 install connecting to a lab WLC. I can get a user to connect to the SSID but they NEVER get redirected to the PSN for login to the guest portal. They just get full access and go right out to the web with no login at all. Live logs show the user's system connecting and getting thrown into the Wifi_Redirect to Guest Login authZ policy but they never get any prompts! And like I said, this is happening on our new 2.3 install and on a FRESH, out of the box 2.3 LAB setup.

1 Accepted Solution

So I found a few issues with my setup.

1) I forgot to enable Radius NAC for the two SSIDs I had been testing with. That was a major breakthrough.

2) Because I was using an Anchored WLC setup, I also had to have the redirection URL applied on the anchor WLC, which explains why we weren't seeing any of the hit counters on the main WLC.

Once I got both of those squared away and set up a guest account to test with, it was in business.

3 Replies

zalkurdi
Cisco Employee

Hello Ben,

So from what you are saying, if you open a browser and go to http://8.8.8.8, you are not redirected to the portal, correct?

Once you authenticate the user, what do you see in the authentication report on the ISE? Are you sure that ISE is pushing the redirect ACL and URL?

If so, you can go to the WLC client page, open the MAC address of the client and check whether the URL and ACL are visible there. The state of the client should be  You need to make sure that the ACL is permitting traffic to the ISE nodes, DNS and DHCP but denying all HTTP traffic. This lets the WLC know that HTTP traffic should be redirected.

If all this is confirmed, try to run a packet capture on the PC to see if it is receiving the redirect URL from the WLC.

Hope this helps.

Regards,

Zaid Kurdi


Glad to hear it. Enjoy.
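
The redirect ACL conditions from Zaid Kurdi's reply (permit ISE nodes, DNS and DHCP, deny HTTP), checked offline against a rule list. This is an added example, not part of the original thread and not Cisco code. The addresses, the portal port 8443, the rule tuple format and the first-match model with a fall-through deny are all assumptions; only the 8.8.8.8 test destination comes from the thread.

```python
import ipaddress

# Constructed sample values, not taken from the thread.
ISE_NODE = "10.0.0.10"
DNS_SERVER = "10.0.0.53"

# Rule format (assumed): (action, protocol, destination network, destination port or None)
GOOD_ACL = [
    ("permit", "udp", "0.0.0.0/0", 53),        # DNS
    ("permit", "udp", "0.0.0.0/0", 67),        # DHCP
    ("permit", "tcp", "10.0.0.10/32", 8443),   # guest portal on the ISE node
    ("deny",   "tcp", "0.0.0.0/0", 80),        # HTTP is denied so it gets redirected
]


def evaluate(acl, proto, dst, port):
    """First matching rule wins; unmatched traffic is treated as denied (assumption)."""
    addr = ipaddress.ip_address(dst)
    for action, r_proto, net, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if addr not in ipaddress.ip_network(net):
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"


def check_redirect_acl(acl, ise_nodes, dns_servers, portal_port=8443):
    """Return findings; an empty list means the ACL meets the conditions in the reply."""
    findings = []
    for node in ise_nodes:
        if evaluate(acl, "tcp", node, portal_port) != "permit":
            findings.append(f"portal traffic to ISE node {node} is not permitted")
    for dns in dns_servers:
        if evaluate(acl, "udp", dns, 53) != "permit":
            findings.append(f"DNS to {dns} is not permitted")
    if evaluate(acl, "udp", "255.255.255.255", 67) != "permit":
        findings.append("DHCP is not permitted")
    # Same test destination as in the reply: a permitted HTTP flow is never redirected.
    if evaluate(acl, "tcp", "8.8.8.8", 80) != "deny":
        findings.append("HTTP to 8.8.8.8 is permitted, so it is not redirected")
    return findings


if __name__ == "__main__":
    print(check_redirect_acl(GOOD_ACL, [ISE_NODE], [DNS_SERVER]))
```

A catch-all permit placed ahead of the HTTP deny produces the last finding, which matches the "full access with no login" symptom in the question.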