Web Redirection Problem on Cisco ISE 1.2 and WLC 7.5

jay.kishan
Level 1

Hello,

We are at initial phase of deploying ISE 1.2 in our environment for Wireless Guest Users.

I have configured ISE and WLC to talk to each other, which is working fine. An SSID with MAC-Filtering is also configured on the WLC, and an ACL only allowing ISE and DNS traffic.

I have configured proper authentication and authorization policies on ISE. Now, when I try to connect my device (laptop and Android mobile), I see my device gets associated with the SSID (Demo) and gets the right IP address from DHCP and the right VLAN from the WLC. The log process on ISE is as follows.

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - Internal Endpoints
24210 Looking up User in Internal Users IDStore - B8:B4:2E:A6:7D:75
24216 The user is not found in the internal users identity store
24209 Looking up Endpoint in Internal Endpoints IDStore - B8:B4:2E:A6:7D:75
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - Guest Redirection
15016 Selected Authorization Profile - Test_Profile
11002 Returned RADIUS Access-Accept


I also see a redirect URL in the detailed authentication logs. But the problem is that when I open my browser on my device, it doesn't get redirected to the guest portal URL. Since I can't get there, I can't continue with the rest of the process of authentication, CoA and the final ACL for internet access.

Can someone please either guide me on the correct steps that I need to follow, if I have misconfigured something, or advise if this is a bug.

Thanks in advance.

Jay

11 Replies

Scott Fella
Hall of Fame

Jay,

v7.5 has been deferred. You should test in v7.4.121.0 MR2 or if you really need features, then v7.6. v7.6 has some issues and you would need to open a TAC case to get an engineer release. Start out with a stable WLC code first.... I would use v7.4.121.0.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi All,


I have a Virtual WLC with 7.6.110 and ISE 1.2 for onboarding a BYOD deployment, with the same symptom.

The authorization policy is matched, and ISE sent the RADIUS attributes to the WLC. In the WLC log I can see that the client is in "SUPPLICANT_PROVISIONING", and the redirection URL and ACL are OK, but it does NOT work! The client continues to have access. This is surely a bug, but I cannot know which.


Can you post screenshots of:

1. Your ACL configuration on the WLC

2. The authorization result in ISE

3. Authentication/Authorization policy in ISE

In the attachment you can find every detail.

Couple of things:

1. Is this for a FlexConnect deployment or standard?

2. Your first ACL is incorrect. There needs to be a "deny any" rule at the end.

Hi,

The virtual WLC supports only AP deployment in FlexConnect mode; I confirm a FlexConnect deployment.

The entry "permit any any" in ACL-REDIRECT is deployed because I don't want to create disservices. I will remove the entry "permit any any" only after I am sure of the correct redirection to the supplicant portal. The portal redirection should not depend on the ACL. The ACL should only be there to block traffic into the internal network. Correct? Can you confirm?

The ACL is definitely used to define what traffic is redirected to ISE and what traffic is not redirected. Having the permit-all statement at the end will break redirection. If you are using FlexConnect then you will need to use FlexConnect ACLs and apply those to the FlexConnect APs. The links below should give you an idea of what needs to be done:

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html

Thank you for rating helpful posts!

Hi,

I changed ACL-REDIRECT in the WLC config and everything is working.

Thank you for the support.


Best regards

Glad I was able to help! Please do rate! :-)

Thank you for rating helpful posts!

jay.kishan
Level 1

The problem was DNS. The WLC tries to access the IP address of the webpage before it redirects. However, I thought it would just redirect once it receives any request. We are using this on the internal network with no access to the internet, and when users try to enter Cisco.com to go to the web authentication page, the WLC couldn't find the IP address of Cisco.com because it's asking the local DNS and the request would eventually fail.

If we type any IP address directly in the browser then the redirection works fine.

Thanks for the help.

Jay,

Part of the WLC process when using WebAuth is to hijack the home page or the URL the user is trying to access and determine if DNS can be resolved. If this happens, then the WLC will proceed.

Again... Since you're in early testing, you should move away from v7.5.


-Scott
*** Please rate helpful posts ***
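To make the two explanations in this thread concrete (a trailing "permit any any" in the redirect ACL means nothing is ever redirected, and the WLC must resolve the requested hostname before it intercepts the page), here is a small Python model of that behaviour. It is an added example written for this page, not WLC or ISE code; the addresses, the resolver table and the example.test hostname are constructed assumptions.

```python
# Model of Cisco WLC central web-auth redirect-ACL semantics as described in
# the thread: "permit" = let through untouched, "deny" = redirect to the ISE
# portal, and a hostname the WLC cannot resolve is never intercepted at all.
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions for this example, not from the thread).
ISE_PSN = "10.10.10.5"        # hypothetical ISE policy service node
DNS_SERVER = "10.10.10.53"    # hypothetical internal DNS server
RESOLVER = {"ise.example.test": ISE_PSN}   # what the isolated local DNS can answer

# Redirect ACL as first posted: trailing permit-all, so nothing is ever redirected.
ACL_PERMIT_ALL = [
    ("permit", f"{ISE_PSN}/32", None),       # any port to ISE
    ("permit", f"{DNS_SERVER}/32", 53),      # DNS lookups
    ("permit", "0.0.0.0/0", None),           # the entry that breaks redirection
]
# Corrected redirect ACL: permit ISE and DNS, deny (= redirect) everything else.
ACL_FIXED = ACL_PERMIT_ALL[:2] + [("deny", "0.0.0.0/0", None)]

def acl_match(acl, dst_ip, dst_port):
    """First-match ACL lookup; a WLC ACL ends with an implicit deny."""
    for action, net, port in acl:
        if ip_address(dst_ip) in ip_network(net) and port in (None, dst_port):
            return action
    return "deny"

def wlc_web_redirect(acl, host, port, resolver=RESOLVER):
    """Outcome for one client HTTP request: 'pass' (permit entry hit, no
    redirect), 'redirect' (deny entry hit, client is sent to the ISE portal)
    or 'dns-fail' (WLC could not resolve the name, so it never intercepts
    the page: the symptom in Jay's final post)."""
    try:
        dst = str(ip_address(host))      # user typed an IP: no lookup needed
    except ValueError:
        dst = resolver.get(host)         # WLC resolves the hostname first
        if dst is None:
            return "dns-fail"
    return "pass" if acl_match(acl, dst, port) == "permit" else "redirect"

def thread_scenarios():
    """Reproduce the situations discussed in the thread."""
    return {
        "permit_all_acl": wlc_web_redirect(ACL_PERMIT_ALL, "203.0.113.10", 80),
        "fixed_acl_ip":   wlc_web_redirect(ACL_FIXED, "203.0.113.10", 80),
        "fixed_acl_name": wlc_web_redirect(ACL_FIXED, "cisco.com", 80),
        "portal_itself":  wlc_web_redirect(ACL_FIXED, "ise.example.test", 8443),
    }

if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(f"{name:16} -> {outcome}")
```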