09-09-2021 05:11 AM
Hi All,
We have a particular problem with our Guest WiFi portal (ISE v3) redirect. I'll try to explain the flow of events that I understand:
1. The 9800-CL virtual controller is configured to send RADIUS requests to ISE on Guest WiFi sign in.
2. ISE responds with a RADIUS Access-Accept, specifies the redirect ACL name + Redirect URL. This can be seen on the 9800-CL, in client properties. This can also be verified with the Radioactive Trace, in the debug logs.
3. On the Laptop the Guest WiFi shows 'No Internet, open' and the browser does not load up any guest portal page and there is no internet access.
4. The client state remains in 'Web auth pending' on the 9800-CL
A Wireshark capture on the client laptop shows there is no DNS query to the guest portal URL, and therefore no request to browse to the guest WiFi portal URL. The Windows 10 laptop does go to microsoftconnecttest.com, which I believe is the built-in method for Microsoft to check internet access. If I'm not mistaken, as this is on port 80/HTTP this should then trigger the redirect.
The ACL for redirection is:
CWGWLC9800#show ip access-lists ACL_WEBAUTH_REDIRECT
Extended IP access list ACL_WEBAUTH_REDIRECT
1 deny udp any any eq bootps
2 deny udp any any eq domain (2660 matches)
3 deny udp any eq domain any
4 deny tcp any host x.x.x.x eq 8443 log
5 deny tcp host x.x.x.x eq 8443 any log
7 deny tcp any host x.x.x.x eq 8443
8 deny tcp host x.x.x.x eq 8443 any
9 deny tcp any host x.x.x.x eq 8443
10 deny tcp host x.x.x.x eq 8443 any
11 deny tcp any host x.x.x.x eq 8443
12 deny tcp host x.x.x.x eq 8443 any
13 deny tcp any host x.x.x.x eq 8443
14 deny tcp host x.x.x.x eq 8443 any
19 permit tcp any any eq www (8475 matches)
Line 19 on the redirect ACL specifies the permit statement, for which if there is a match, the user will be redirected to the guest portal URL. The interesting thing is this hit count keeps on increasing, but there is no guest portal web page showing up. The browser does not pop up, there is no internet access and no guest portal website showing up.
The problem is on Android/iOS/Windows 10, so all clients.
Are there any debugs I can enable for this or anything specific I can check for this?
Any help really appreciated!
09-09-2021 05:38 AM
Hey Mike,
Did you add the ACL to your Flex-Profile? If yes, is the Central Webauth Checkbox selected?
If that does not fix the problem, can you manually open the guest portal page? You can find it if you select one of the pending clients.
Monitoring -> Wireless -> Clients -> select client in "Webauth Pending State" -> General -> Security Information -> Server Policies -> URL Redirect
09-09-2021 05:44 AM
Hi Tony,
Yes, if I enter the URL manually, the guest portal web page loads.
On this particular AP from which I'm trying to access the guest wifi, there are no flex tags/no flexconnect
Thanks!
09-09-2021 05:54 AM
I would give a try by changing 19 as below
permit ip any any
Also make sure AAA override and NAC state are enabled.
09-09-2021 06:02 AM
Yes in the Configuration > Tags & Profiles > Policy, the relevant Policy Profile has 'Allow AAA Override' and 'NAC State' ticked.
I've now put this at the end of the redirect ACL, so the permit IP any any would take priority:
17 permit ip any any (76 matches)
19 permit tcp any any eq www (79434 matches)
This still gives the same result
09-10-2021 02:15 AM
Have you checked whether the pre-auth-ACL has the same name configured on the CP? (ACL_WEBAUTH_REDIRECT)
Have you checked CP to see if the client has been accepted, and it is in "Webauth Pending" state?
Have you performed a packet capture on the controller to check if you are receiving the RADIUS response? Check the URL that is being returned from the CP as the redirect URL.
Is the landing page HTTP or HTTPS?
HTH
-Jesus
*** Please rate helpful responses ***
09-10-2021 03:02 AM
On ISE, the RADIUS live logs show the redirect ACL and URL:
The results profile also has the correct redirect ACL:
Yes the controller sees the client in Web auth pending:
The client stats also confirm the Controller received the correct URL/ACL:
I've done packet captures/Radioactive Trace, they confirm the above.
What I'm wondering is the redirect ACL hit count is also going up, which means it's being hit. If I manually go to the URL from the client, it works. So what is the reason behind why it's not redirecting the client automatically? Surely the controller must tell the client to go to the redirect URL. In this case is there a debug I can enable on the CLI for the controller itself? I can't find a relevant debug for this.
09-14-2021 06:09 AM
Hi All,
This is now fixed. HTTP server needed to be enabled.
'ip http server'
Thanks all for your help
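The symptom pattern in this thread (the redirect ACL's `permit ... eq www` counter climbing while no portal appears, fixed by `ip http server`) can be checked offline from saved CLI output. The following is an added example, not part of the thread or of any Cisco tooling; the ACL text is abridged from the first post, and the running-config fragment and function names are constructed for illustration.

```python
import re

# Constructed sample: ACL output abridged from the thread (portal host kept as x.x.x.x).
ACL_OUTPUT = """\
Extended IP access list ACL_WEBAUTH_REDIRECT
    1 deny udp any any eq bootps
    2 deny udp any any eq domain (2660 matches)
    3 deny udp any eq domain any
    4 deny tcp any host x.x.x.x eq 8443 log
    5 deny tcp host x.x.x.x eq 8443 any log
    7 deny tcp any host x.x.x.x eq 8443
    8 deny tcp host x.x.x.x eq 8443 any
    19 permit tcp any any eq www (8475 matches)
"""
# Constructed running-config fragment for the failing state (HTTP server off).
RUNNING_CONFIG = "hostname CWGWLC9800\nno ip http server\nip http secure-server\n"

ACE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_acl(text):
    """Return [(seq, action, rule, hits)] from 'show ip access-lists' output."""
    entries = []
    for line in text.splitlines():
        m = ACE.match(line)
        if m:
            entries.append((int(m[1]), m[2], m[3], int(m[4] or 0)))
    return entries

def http_server_enabled(config):
    """True only if 'ip http server' appears un-negated as its own line."""
    return any(l.strip() == "ip http server" for l in config.splitlines())

def diagnose(acl_text, config):
    findings, seen = [], {}
    entries = parse_acl(acl_text)
    for seq, action, rule, _ in entries:
        key = (action, re.sub(r"\s+log$", "", rule))  # ignore the 'log' keyword
        if key in seen:
            findings.append(f"ACE {seq} duplicates ACE {seen[key]}")
        seen.setdefault(key, seq)
    # Hits on the redirect permit mean client HTTP is being intercepted.
    hits = sum(h for _, a, r, h in entries if a == "permit" and r.endswith("eq www"))
    if hits and not http_server_enabled(config):
        findings.append(f"{hits} HTTP packets matched the redirect permit but "
                        "'ip http server' is not enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(ACL_OUTPUT, RUNNING_CONFIG)))
```
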
01-28-2024 04:41 PM
Hi Mike,
We have the same issue, but I checked the 'ip http server' already in the running-configuration.
Should I disable and then re-enable it?
Thanks very much.
07-26-2023 08:31 AM
Hello Mike,
I got the same issue. Can you post the working Redirect ACL here so I can double check with our configuration?
Thanks,
Tho