10-05-2017 04:50 AM - edited 07-05-2021 07:43 AM
Hi,
We are trying to implement splash page redirect for mobile phones and we can't get it working. On the WLC, we configured the security to use web policy/splash page web redirect. I didn't define ACL for now. On the ACS5.x server, I defined an authorization profile that using cisco-av-pair and the corresponding URL. The user can authenticate successfully and browse the internet but no redirection is happening. I also tried to define an ACL (which is just permit any any) but also the same.
Can someone help me here?
Thanks,
John
10-05-2017 07:43 AM
In the WLAN advanced settings tab for that WLAN make sure AAA Override is checked.
-Derrick
10-05-2017 08:18 AM
Yes. That one is checked but still not working.
10-05-2017 08:27 AM
10-05-2017 11:36 AM
Hi,
Where can I see that? Sorry I am working remotely so I only ask office employees to try it out for me. They are testing it using iPhone and Android phones. Based from the logs of the ACS server, it is sending the URL back to the client as a result of the matched condition in the Access Policy.
I only configured the following under the authorization profile. 1) URL for Redirect 2) URL Redirect ACL. There is no option not to configure #2 as it is a required field if #1 was filled out. The ACL is basically permit any that I configured in WLC under the ACL section in Security tab. I used that same name for #2 as pre-authentication ACL. I don't know what the ACL should look like as I cannot find a good example anywhere else. I tried both using permit any and deny any but same results. However, the ACL counter in WLC increments significantly.
Thanks!
The user can browse the internet after entering his credentials. On the ACS, we mapped the entire domain users group to be allowed to access wireless. I tried using both FQDN and IP as redirect URL but nothing works.
10-05-2017 08:09 PM
10-05-2017 10:53 PM
Hi,
Here's the output. I will try to copy your redirect ACL and test. Let me know if you see anything wrong with my configuration. Thank you so much! Really appreciate all the help.
(Cisco Controller) >show wlan 4
WLAN Identifier.................................. 4
Profile Name..................................... IS_TEST
Network Name (SSID).............................. IS_TEST
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Maximum number of Clients per AP Radio........... 200
ATF Policy....................................... 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ sykes-open-access
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
WLAN URL ACL..................................... unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
PMIPv6 MAG location.......................... WLC
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ 10.199.64.254 1812 *
Accounting.................................... 10.199.64.254 1813 *
Interim Update............................. Enabled
Interim Update Interval.................... 0
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Adaptive
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Enabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
OSEN-1X................................. Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web Authentication Timeout.................... 300
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Enabled
IPv4 ACL........................................ acl-redirect
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Disabled
FlexConnect Central Association............... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel Configuration
Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Enabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Enabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Disabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled
Mobility Anchor List
WLAN ID IP Address Status Priority
------- --------------- ------ --------
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Local Policy
----------------
Priority Policy Name
-------- ---------------
Lync State ...................................... Disabled
Audio QoS Policy................................. Silver
Video QoS Policy................................. Silver
App-Share QoS Policy............................. Silver
File Transfer QoS Policy......................... Silver
QoS Fastlane Status.............................. Disable
Thanks,
John
10-06-2017 12:53 AM
Hi,
Thanks for sharing the WLAN details. Please share the client detail o/p.
Regards,
Divya
10-06-2017 01:08 AM
10-06-2017 01:11 AM
10-06-2017 01:53 AM
10-06-2017 09:13 AM
Hi John,
Yes, o/p means output :)
Though the client behaviour is different, I would like to see the client state on the Controller. Share the "show client detail <macaddr>" for both Android & iPhone clients.
Regards,
Divya
10-06-2017 09:35 AM
10-06-2017 10:28 PM
Hi,
Looks like the client is getting the redirect URL and moving to RUN state. Do you see this redirect URL in the client while testing?
Policy Manager State............................. RUN
AAA Override ACL Name............................ acl-redirect
AAA Override ACL Applied Status.................. Yes
AAA Override Flex ACL Name....................... none
AAA Override Flex ACL Applied Status............. Unavailable
AAA URL redirect................................. http://10.199.66.200
Regards,
Divya
10-06-2017 10:37 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide