9800 FlexConnect with CWA: unable to pop up authentication page

id404
Spotlight

WLC model is C9800-L-C-K9

With the AP in local mode and central web authentication, the authentication page pops up normally and login succeeds.

 

After changing the AP to FlexConnect mode, I found that the authentication page could not pop up. FlexConnect is configured according to

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html

The FlexConnect group has been configured and the policy ACL has been configured.

 

Console output when the AP connects to the Guest network:

Mar  1 08:17:59.123: %CLIENT_EXCLUSION_SERVER-5-ADD_TO_BLACKLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: a21e.d39e.5c59 was added to exclusion list associated with AP Name:CN-WF6-AP29, BSSID:MAC: e44e.2d46.1b61, reason:Redirect ACL failure

Mar  1 08:17:59.123: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (a21e.d39e.5c59) on Interface capwap_90000004 AuditSessionID 1F41A60A0000003F448EA6D5. Failure Reason: Redirect ACL Failure.

 

The web page shows the user status as: web auth pending

 

But FlexConnect mode and local mode refer to the same ACL; I do not understand why local mode authenticates normally while FlexConnect mode cannot pop up the authentication page.

Are there any good troubleshooting ideas?

 

 

ip access-list extended REDIRECT
 10 deny ip any host 10.0.0.10
 20 deny ip host 10.0.0.10 any
 30 deny udp any any eq domain
 40 deny udp any eq domain any
 50 permit tcp any any eq www

 

wireless profile flex Flexconnect_group
 acl-policy REDIRECT
  central-webauth
 ip http client proxy 0.0.0.0 0
 native-vlan-id 20
 vlan-name Guest
  vlan-id 250

 

wireless profile policy Guest_flexconnect
 aaa-override
 accounting-list Guest_ISE_Acct
 no central dhcp
 no central switching
 nac
 vlan 250
 no shutdown

 

wireless tag site flexconnect_site
 flex-profile Flexconnect_group
 no local-site

 

wireless tag policy APG_flexconnect
 wlan Guest policy Guest_flexconnect

 

wlan Guest 3 Guest
 band-select
 mac-filtering Guest_Author
 peer-blocking drop
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security dot1x authentication-list Guest_ISE_Auth
 security web-auth parameter-map global
 no shutdown

 

Accepted Solution

Arshad Safrulla
VIP Alumni

I would suggest the changes below:

ip access-list extended REDIRECT
 10 deny ip any host 10.0.0.10
 20 deny ip host 10.0.0.10 any
 30 deny udp any any eq domain
 40 deny udp any eq domain any
 50 permit ip any any
!
wireless profile policy Guest_flexconnect
 no central association
!
wireless profile flex Flexconnect_group
 acl-policy REDIRECT
  central-webauth
 no arp-caching
! ACL name is changed.
!
wlan Guest 3 Guest
 no security web-auth parameter-map global
!

Let us know what IOS-XE code you are running and the code in ISE.

 

 

 


7 Replies

Arshad Safrulla
VIP Alumni

Can you post your sanitized version of Policy profile & flex profile, redirect ACL? 

In summary, you need the following:

1. ip http server or ip http secure-server enabled.

2. The redirect ACL. Think of the deny action as "deny redirection" (not deny traffic) and the permit action as "permit redirection". (https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#:~:text=tag%2Dname%3E%0A%23%20end-,Redirect%20ACL%20Configuration,-Step%201.%20Navigate)

3. The redirect ACL pushed to the AP. Check the ACL name under the ISE authorization profile; the name has to match the ACL on the WLC.

4. The Central Web Auth option ticked under the flex profile, and the ACL name selected under the policy profile.

Hi Arshad,

Thanks for the reply.

1. IP http server or IP http secure-server enabled

 

2. Redirect ACL:

ip access-list extended REDIRECT
 10 deny ip any host 10.0.0.10
 20 deny ip host 10.0.0.10 any
 30 deny udp any any eq domain
 40 deny udp any eq domain any
 50 permit tcp any any eq www

 

wireless profile flex Flexconnect_group
 acl-policy REDIRECT
  central-webauth
 ip http client proxy 0.0.0.0 0
 native-vlan-id 20
 vlan-name Guest
  vlan-id 250

 

wireless profile policy Guest_flexconnect
 aaa-override
 accounting-list Guest_ISE_Acct
 no central dhcp
 no central switching
 nac
 vlan 250
 no shutdown

 

wireless tag site flexconnect_site
 flex-profile Flexconnect_group
 no local-site

 

wireless tag policy APG_flexconnect
 wlan Guest policy Guest_flexconnect

 

wlan Guest 3 Guest
 band-select
 mac-filtering Guest_Author
 peer-blocking drop
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security dot1x authentication-list Guest_ISE_Auth
 security web-auth parameter-map global
 no shutdown


 

jaheshkhan
Level 4

What type did you select for authentication under webauth: consent, web auth, or webconsent?

 

It is not very clear at which stage you are facing the problem.


Hi Arshadsaf,

Is the entry for acl POSTURE-REDIRECT the same as acl REDIRECT?

 

10 deny ip any host 10.0.0.10
20 deny ip host 10.0.0.10 any
30 deny udp any any eq domain
40 deny udp any eq domain any
50 permit ip any any 

 

 

IOS-XE version 17.3.3

ISE version 3.8

It was a mistake in the ACL name. You can use the ACL name REDIRECT.

After a detailed review of the official configuration documentation, I found this description:

Note: In the FlexConnect local switching scenario, the ACL MUST specifically mention return statements (which is not necessarily required in local mode), so make sure that all your ACL rules cover both directions of traffic (to and from the ISE, for example).


I finally found that it was indeed a problem with the ACL configuration. After applying your configuration, the problem was solved. Thank you very much!
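Arshad's summary earlier in the thread gives the redirect-ACL rule (deny = do not redirect, permit = redirect), and the guide note quoted just above adds that under FlexConnect local switching every entry needs its return-direction counterpart. The Python below is an added example, not code from the thread or from Cisco: it parses the ACL entries posted here and lists the return entries that are missing, flagging the original one-way "permit tcp any any eq www" and passing the "permit ip any any" version from the accepted answer.

```python
# Added example, not from the thread: parse IOS-XE extended-ACL entries and list the
# return-direction ACEs an ACL lacks, as the CWA guide requires for FlexConnect local switching.
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src sport dst dport")

def _addr(tok):  # consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'
    t = tok.pop(0)
    return t if t == "any" else f"{t} {tok.pop(0)}"

def _port(tok):  # consume an optional 'eq <port>' qualifier
    if tok and tok[0] == "eq":
        tok.pop(0)
        return tok.pop(0)
    return None

def parse_ace(line):
    tok = line.split()
    if tok[0].isdigit():  # drop the sequence number
        tok.pop(0)
    action, proto = tok.pop(0), tok.pop(0)
    src, sport = _addr(tok), _port(tok)
    dst, dport = _addr(tok), _port(tok)
    return Ace(action, proto, src, sport, dst, dport)

def parse_acl(text):
    lines = (l.strip() for l in text.strip().splitlines())
    return [parse_ace(l) for l in lines if l and not l.startswith("ip access-list")]

def reverse(ace):  # swap source and destination address/port: the return-direction ACE
    return Ace(ace.action, ace.proto, ace.dst, ace.dport, ace.src, ace.sport)

def fmt(ace):  # render an ACE back into IOS syntax (without a sequence number)
    eq = lambda p: ["eq", p] if p else []
    return " ".join([ace.action, ace.proto, ace.src, *eq(ace.sport), ace.dst, *eq(ace.dport)])

def missing_returns(text):  # return-direction ACEs the ACL lacks; empty means every entry is two-way
    aces = parse_acl(text)
    have = set(aces)
    return [fmt(reverse(a)) for a in aces if reverse(a) not in have]

ORIGINAL_ACL = """ip access-list extended REDIRECT
10 deny ip any host 10.0.0.10
20 deny ip host 10.0.0.10 any
30 deny udp any any eq domain
40 deny udp any eq domain any
50 permit tcp any any eq www"""
FIXED_ACL = ORIGINAL_ACL.replace("permit tcp any any eq www", "permit ip any any")

if __name__ == "__main__":
    print("original ACL lacks:", missing_returns(ORIGINAL_ACL))  # ['permit tcp any eq www any']
    print("fixed ACL lacks:", missing_returns(FIXED_ACL))  # []
```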
