9800-CL Guest WiFi Redirect ACL Hit count increases but no redirect

Mike Pennycook
Level 1

Hi All, 

 

We have a particular problem with our Guest WiFi portal (ISE v3) redirect. I'll try to explain the flow of events that I understand:

 

1. The 9800-CL virtual controller is configured to send RADIUS requests to ISE on Guest WiFi sign-in.

2. ISE responds with a RADIUS Access-Accept that specifies the redirect ACL name + redirect URL. This can be seen on the 9800-CL, in client properties. This can also be verified with the Radioactive Trace, in the debug logs.

3. On the laptop the Guest WiFi shows 'No Internet, open', the browser does not load any guest portal page, and there is no internet access.

4. The client state remains in 'Web auth pending' on the 9800-CL

 

A Wireshark capture on the client laptop shows there is no DNS query to the guest portal URL, and therefore no request to browse to the guest WiFi portal URL. The Windows 10 laptop does go to microsoftconnecttest.com, which I believe is the built-in method for Microsoft to check internet access. If I'm not mistaken, as this is on port 80/HTTP, this should then trigger the redirect.

 

The ACL for redirection is:

 

CWGWLC9800#show ip access-lists ACL_WEBAUTH_REDIRECT
Extended IP access list ACL_WEBAUTH_REDIRECT
1 deny udp any any eq bootps
2 deny udp any any eq domain (2660 matches)
3 deny udp any eq domain any


4 deny tcp any host x.x.x.x eq 8443 log
5 deny tcp host x.x.x.x eq 8443 any log


7 deny tcp any host x.x.x.x eq 8443
8 deny tcp host x.x.x.x eq 8443 any


9 deny tcp any host x.x.x.x eq 8443
10 deny tcp host x.x.x.x eq 8443 any


11 deny tcp any host x.x.x.x eq 8443
12 deny tcp host x.x.x.x eq 8443 any


13 deny tcp any host x.x.x.x eq 8443
14 deny tcp host x.x.x.x eq 8443 any


19 permit tcp any any eq www (8475 matches)

 

Line 19 on the redirect ACL specifies the permit statement; if there is a match, the user will be redirected to the guest portal URL. The interesting thing is that this hit count keeps increasing, but there is no guest portal web page showing up. The browser does not pop up, there is no internet access and no guest portal website showing up.

 

The problem is on Android/iOS/Windows 10, so all clients.

 

Are there any debugs I can enable for this or anything specific I can check for this?

 

Any help really appreciated!

Accepted Solution

Mike Pennycook
Level 1

Hi All, 

 

This is now fixed. HTTP server needed to be enabled.

 

'ip http server'

 

Thanks all for your help


9 Replies

Tony Rosolek
Level 1

Hey Mike, 

 

Did you add the ACL to your Flex-Profile? If yes, is the Central Webauth checkbox selected?

 

Flex_ACL.jpg

 

If that does not fix the problem, can you manually open the guest portal page? You can find it if you select one of the pending clients.

 

Monitoring -> Wireless -> Clients -> select client in "Webauth Pending State" -> General -> Security Information -> Server Policies -> URL Redirect

||| Please rate helpful posts. Thanks! |||

Hi Tony,

 

Yes, if I enter the URL manually, the guest portal web page loads.

 

On this particular AP from which I'm trying to access the guest wifi, there are no flex tags/no flexconnect

 

Thanks!

Arshad Safrulla
VIP Alumni

I would give a try by changing 19 as below

permit ip any any

 

Also make sure AAA override and NAC state are enabled.

Yes in the Configuration > Tags & Profiles > Policy, the relevant Policy Profile has 'Allow AAA Override' and 'NAC State' ticked.

 

I've now put this at the end of the redirect ACL, so the permit IP any any would take priority:

 


17 permit ip any any (76 matches)
19 permit tcp any any eq www (79434 matches)

 

This still gives the same result

JPavonM
VIP

Have you checked whether the pre-auth-ACL has the same name configured on the CP? (ACL_WEBAUTH_REDIRECT)

Have you checked the CP to see if the client has been accepted, and is in "Webauth Pending" state?

Have you performed a packet capture on the controller to check if you are receiving the RADIUS response? Check the URL that is being returned from the CP as the redirect URL.

Is the landing page HTTP or HTTPS?

HTH
-Jesus
*** Please rate helpful responses ***

On ISE, the RADIUS live logs show the redirect ACL and URL:

 

 
 

ise-live-logs-result.JPG

 

The results profile also has the correct redirect ACL:

 

redirect-acl-ise.jpg

 

Yes the controller sees the client in Web auth pending:

 

web-auth-pending-state.JPG

 

The client stats also confirm the Controller received the correct URL/ACL:

 

client-state.JPG

 

I've done packet captures/Radioactive Trace; they confirm the above.

 

What I'm wondering is the redirect ACL hit count is also going up, which means it's being hit. If I manually go to the URL from the client, it works. So what is the reason behind why it's not redirecting the client automatically? Surely the controller must tell the client to go to the redirect URL. In this case, is there a debug I can enable on the CLI for the controller itself? I can't find a relevant debug for this.

 

Hi Mike,

We have the same issue, but I checked the 'ip http server' already in the running-configuration.

Should I disable and then re-enable it?

Thanks very much.

Hello Mike, 

I got the same issue.  Can you post the working Redirect ACL here so I can double check with our configuration? 

Thanks,
Tho
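
A check for the symptom this thread ends up diagnosing, as an added example that is not part of any post: it parses `show ip access-lists` output together with a running-config and reports when the redirect ACE is being hit while `ip http server` is absent. The function names, finding codes and the sample config lines are assumptions made for this example; the ACL lines are copied from the question.

```python
import re

# One ACE from "show ip access-lists", with an optional "(N matches)" counter.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.+?)"
    r"(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$"
)

def parse_acl(show_output):
    """Parse ACE lines into dicts; non-ACE lines (prompt, header) are skipped."""
    aces = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append({"seq": int(m["seq"]), "action": m["action"],
                         "rule": m["rule"], "hits": int(m["hits"] or 0)})
    return aces

def http_server_enabled(running_config):
    """True only for a bare 'ip http server' line; 'no ip http server' is False."""
    return any(l.strip() == "ip http server" for l in running_config.splitlines())

def diagnose(show_output, running_config):
    """Return finding codes (hypothetical names) for 'ACL hits but no redirect'."""
    http = [a for a in parse_acl(show_output) if a["action"] == "permit"
            and re.fullmatch(r"tcp any any eq (www|80)", a["rule"])]
    if not http:
        return ["NO_HTTP_PERMIT"]        # no ACE selects HTTP for redirection
    if sum(a["hits"] for a in http) == 0:
        return ["REDIRECT_NOT_HIT"]      # client HTTP never matched the ACE
    if not http_server_enabled(running_config):
        return ["HTTP_SERVER_DISABLED"]  # the cause reported in the thread
    return []

# Constructed sample: ACL lines copied from the post; config lines are assumed.
SAMPLE_ACL = """\
Extended IP access list ACL_WEBAUTH_REDIRECT
1 deny udp any any eq bootps
2 deny udp any any eq domain (2660 matches)
3 deny udp any eq domain any
4 deny tcp any host x.x.x.x eq 8443 log
19 permit tcp any any eq www (8475 matches)
"""
BROKEN_CONFIG = "hostname CWGWLC9800\nno ip http server\nip http secure-server\n"
FIXED_CONFIG = "hostname CWGWLC9800\nip http server\nip http secure-server\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_ACL, BROKEN_CONFIG))
    print(diagnose(SAMPLE_ACL, FIXED_CONFIG))
```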
