1314 Views, 0 Helpful, 5 Replies

No Redirect URL received -ISE 1.4-WLC Anchoring

Bernard Lara
Level 1

We are configuring the Guest Portal in ISE, while the Guest SSIDs are configured on both the Foreign and Anchor controllers.
Both SSIDs on both WLCs are configured with the same security policies - MAC Filtering (L2), ISE servers as AAA servers (L3).
In the advanced tab, Allow AAA Override is selected and RADIUS NAC is enabled.
The mobility tunnel is up on both SSIDs. Clients are able to get an IP address from the DHCP server configured on the Anchor controller.
We opened ports on the firewall to allow communication from the Anchor controller to the ISE servers in the LAN.
We also opened ports for the DMZ subnet to communicate with the LAN DNS servers.
Clients are able to open port 8443 on the ISE servers in the LAN and are able to resolve the FQDN of the ISE server.
Both WLCs are configured with the "ACL-REDIRECT-UNKNOWN" ACL.
We can see the "ACL-REDIRECT-UNKNOWN" ACL being pushed to the client, but the Redirect URL (portal) is not shown, which is why the Guest login page does not appear in the browser.

I want to know on which WLC we should configure the Redirect ACL?

5 Replies

Francesco Molino
VIP Alumni

Hi

The ACL should be configured on both WLCs.

RADIUS is done only by the foreign WLC.

When you say clients are able to access ISE on 8443, are these clients in the DMZ zone where the anchor is connected, or on the normal LAN side?

thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thanks for the reply.

Yes, clients are in the DMZ.

If RADIUS auth is done only by the Foreign WLC, do I need to add the Anchor WLC as a network device in ISE?

Also, should the redirect ACL be identical on both WLCs?

Hi

If you look into your ISE logs, you shouldn't see any authz requests coming from your anchor WLC. So you don't need to add this anchor WLC as a NAD in ISE.

Yes, the ACL should be identical. Why, do you have 2 different ACLs?

If you bypass ISE and connect to the anchor SSID with the same ACL, are you able to reach ISE?

Which ISE did you allow in your fw? (you need to allow the ISE PSN from the anchor)

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
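The accepted answer makes two checkable points: the redirect ACL must be identical on the foreign and anchor WLCs, and the anchor side (DMZ) must be able to reach DNS and the ISE PSN without those flows being redirected. The following is an added example written for this thread, not code from the original post or from Cisco: a small Python model of a CWA-style redirect ACL that compares the two controllers' copies and evaluates the three flows a guest needs before the portal can load. It assumes the behaviour AireOS documents for redirect ACLs (a flow hitting a "deny" line is passed through without redirection, a flow hitting "permit" is redirected to the portal); the ACL name, the 10.10.10.50 PSN, the 10.10.10.53 DNS server and the 203.0.113.10 web destination are all constructed values.

```python
# Added example for this thread (not from the original post or Cisco): model a
# CWA redirect ACL so the two points in the accepted answer can be checked.
# Assumed semantics (matching AireOS redirect-ACL documentation): "deny" lines
# let the flow through untouched, "permit" lines send it to the portal.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclRule:
    action: str           # "permit" = redirect the flow, "deny" = pass it through
    proto: str            # "any", "tcp" or "udp"
    dst: str              # destination prefix in CIDR form
    dport: Optional[int]  # destination port; None means any port


def rule_matches(rule: AclRule, proto: str, dst_ip: str, dport: int) -> bool:
    """True when a single flow (proto, destination, port) hits this line."""
    if rule.proto not in ("any", proto):
        return False
    if ip_address(dst_ip) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == dport


def redirect_decision(acl: List[AclRule], proto: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation: 'pass' (deny line), 'redirect' (permit line)
    or 'no-match'. The constructed ACL ends with an explicit 'permit any', so
    the implicit end-of-ACL behaviour is never relied on here (assumption)."""
    for rule in acl:
        if rule_matches(rule, proto, dst_ip, dport):
            return "pass" if rule.action == "deny" else "redirect"
    return "no-match"


def acl_differences(foreign: List[AclRule], anchor: List[AclRule]) -> List[str]:
    """Line-by-line drift between the two controllers' copies of the ACL.
    An empty list is the expected state (identical ACLs, as the answer says)."""
    diffs = []
    for idx, (f, a) in enumerate(zip(foreign, anchor)):
        if f != a:
            diffs.append(f"line {idx + 1}: foreign={f} anchor={a}")
    if len(foreign) != len(anchor):
        diffs.append(f"length differs: foreign={len(foreign)} anchor={len(anchor)}")
    return diffs


def portal_reachability(acl: List[AclRule], ise_psn: str, dns_server: str) -> Dict[str, str]:
    """The flows a guest needs: DNS must pass, the PSN portal port (8443) must
    pass, and ordinary web traffic must be redirected to trigger the portal."""
    return {
        "dns": redirect_decision(acl, "udp", dns_server, 53),
        "ise_portal": redirect_decision(acl, "tcp", ise_psn, 8443),
        "web": redirect_decision(acl, "tcp", "203.0.113.10", 80),  # constructed
    }


ISE_PSN = "10.10.10.50"     # constructed LAN address of the ISE PSN
DNS_SERVER = "10.10.10.53"  # constructed LAN DNS server

# Constructed copy of "ACL-REDIRECT-UNKNOWN" as it should exist on both WLCs.
ACL_REDIRECT_UNKNOWN = [
    AclRule("deny", "udp", "10.10.10.53/32", 53),     # DNS bypasses redirect
    AclRule("deny", "any", "10.10.10.50/32", None),   # ISE PSN bypasses redirect
    AclRule("permit", "any", "0.0.0.0/0", None),      # everything else -> portal
]

# Constructed drifted copy on the anchor where the ISE PSN line is missing:
# the portal's own traffic is then redirected and the login page never loads.
ANCHOR_DRIFTED = [
    AclRule("deny", "udp", "10.10.10.53/32", 53),
    AclRule("permit", "any", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    print("drift:", acl_differences(ACL_REDIRECT_UNKNOWN, ANCHOR_DRIFTED))
    print("good ACL:", portal_reachability(ACL_REDIRECT_UNKNOWN, ISE_PSN, DNS_SERVER))
    print("drifted ACL:", portal_reachability(ANCHOR_DRIFTED, ISE_PSN, DNS_SERVER))
```

Run it as-is; with the identical ACL the DNS and 8443 flows come back "pass" and the web flow "redirect", while the drifted anchor copy reports "redirect" for the PSN portal port, which is the loop that produces a pushed ACL but no working login page. The firewall point from the answer is outside the model: even a correct ACL only helps if the DMZ-to-PSN path is permitted on the firewall.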

Hi Francesco,

Thanks for the reply.

Yes, in our ISE I could see authentication from our Foreign WLC (LAN).

We have identical ACLs.

I did not try the setup below (I think if I bypass ISE, I need to define the ACL on the interface).

"If you bypass ISE, and connect to the anchor SSID with the same ACL, are you able to reach ISE?"

Yes, I allowed ISE PSN on our firewall.

BTW, I have opened a case with Cisco TAC and the engineer pointed out that we should upgrade our WLC to AireOS 8.0.120.0 for the Guest portal to work properly.

I will update you on this.

OK. Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question