03-04-2022 12:02 AM - edited 03-06-2022 06:24 AM
WLC model is C9800-L-C-K9
With the AP in local mode and central web authentication, the authentication page pops up normally and login succeeds.
After changing the AP to FlexConnect mode, I found that the authentication page could not pop up. FlexConnect is configured according to
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html
The FlexConnect group has been configured, and the policy ACL has been configured.
Console messages when connecting to the Guest network:
Mar 1 08:17:59.123: %CLIENT_EXCLUSION_SERVER-5-ADD_TO_BLACKLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: a21e.d39e.5c59 was added to exclusion list associated with AP Name:CN-WF6-AP29, BSSID:MAC: e44e.2d46.1b61, reason:Redirect ACL failure
Mar 1 08:17:59.123: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (a21e.d39e.5c59) on Interface capwap_90000004 AuditSessionID 1F41A60A0000003F448EA6D5. Failure Reason: Redirect ACL Failure.
The web page shows the user status as: web auth pending
But FlexConnect mode and local mode refer to the same ACL; I do not understand why local mode can authenticate normally while FlexConnect mode cannot pop up the authentication page.
Are there any good troubleshooting ideas?
ip access-list extended REDIRECT
 10 deny ip any host 10.0.0.10
 20 deny ip host 10.0.0.10 any
 30 deny udp any any eq domain
 40 deny udp any eq domain any
 50 permit tcp any any eq www
!
wireless profile flex Flexconnect_group
 acl-policy REDIRECT
  central-webauth
 ip http client proxy 0.0.0.0 0
 native-vlan-id 20
 vlan-name Guest
  vlan-id 250
!
wireless profile policy Guest_flexconnect
 aaa-override
 accounting-list Guest_ISE_Acct
 no central dhcp
 no central switching
 nac
 vlan 250
 no shutdown
!
wireless tag site flexconnect_site
 flex-profile Flexconnect_group
 no local-site
!
wireless tag policy APG_flexconnect
 wlan Guest policy Guest_flexconnect
!
wlan Guest 3 Guest
 band-select
 mac-filtering Guest_Author
 peer-blocking drop
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security dot1x authentication-list Guest_ISE_Auth
 security web-auth parameter-map global
 no shutdown
03-05-2022 11:49 AM
Can you post a sanitized version of your policy profile, flex profile and redirect ACL?
In summary, you need to have the below:
1. IP http server or IP http secure-server enabled.
2. Redirect ACL, or the redirection ACL: think of a deny action as "deny redirection" (not deny traffic), and a permit action as "permit redirection". (https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#:~:text=tag%2Dname%3E%0A%23%20end-,Redirect%20ACL%20Configuration,-Step%201.%20Navigate)
3. Redirect ACL pushed to the AP. Check the ACL name under the Authorization profile; the name has to match the ACL on the WLC.
4. Central Web Auth option is ticked under the flex profile and the ACL name is selected under the policy profile.
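As an added illustration (not code from the thread or from Cisco), here is a small Python evaluator that applies the redirect-ACL reading in point 2 (deny = do not redirect, permit = redirect, first match wins, implicit deny at the end) to the original REDIRECT ACL from the question and to the `permit ip any any` variant suggested later in the thread. It only parses the ACE syntax used in these ACLs; the client and web-server addresses are constructed, and it models nothing beyond the redirect/no-redirect decision.

```python
import re
# Added example, not from the thread. ACE subset used in the thread:
# "<seq> permit|deny ip|tcp|udp <src> [eq <port>] <dst> [eq <port>]".
ACE_RE = re.compile(
    r"^\s*\d+\s+(permit|deny)\s+(ip|tcp|udp)\s+"
    r"(any|host \S+)(?:\s+eq (\S+))?\s+(any|host \S+)(?:\s+eq (\S+))?\s*$"
)
PORTS = {"domain": 53, "www": 80}  # named ports that appear in the thread

def parse_acl(text):
    """Return the ACEs as (action, proto, src, sport, dst, dport) tuples."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line)
        if m:  # the "ip access-list extended ..." header line is skipped
            action, proto, src, sport, dst, dport = m.groups()
            aces.append((action, proto, src, PORTS.get(sport, sport),
                         dst, PORTS.get(dport, dport)))
    return aces

def redirected(aces, proto, src, sport, dst, dport):
    """First matching ACE decides: permit = redirect, deny = no redirect; no match = implicit deny."""
    def addr(a, ip): return a == "any" or a == f"host {ip}"
    def port(a, p): return a is None or int(a) == p
    for action, pr, s, sp, d, dp in aces:
        if pr in ("ip", proto) and addr(s, src) and addr(d, dst) \
                and port(sp, sport) and port(dp, dport):
            return action == "permit"
    return False

# The two ACLs from the thread (ISE at 10.0.0.10 as in the original post).
ORIGINAL_ACL = """
ip access-list extended REDIRECT
 10 deny ip any host 10.0.0.10
 20 deny ip host 10.0.0.10 any
 30 deny udp any any eq domain
 40 deny udp any eq domain any
 50 permit tcp any any eq www
"""
SUGGESTED_ACL = ORIGINAL_ACL.replace("permit tcp any any eq www", "permit ip any any")

def compare(client="192.0.2.20", ise="10.0.0.10"):
    """Constructed sample flows -> (redirected under original, under suggested)."""
    flows = {
        "dns": ("udp", client, 51000, "192.0.2.53", 53),
        "ise_portal": ("tcp", client, 51001, ise, 8443),
        "http_probe": ("tcp", client, 51002, "198.51.100.80", 80),
        "https": ("tcp", client, 51003, "198.51.100.80", 443),
    }
    orig, new = parse_acl(ORIGINAL_ACL), parse_acl(SUGGESTED_ACL)
    return {n: (redirected(orig, *f), redirected(new, *f)) for n, f in flows.items()}
```

The difference shows up only on non-HTTP client traffic such as HTTPS: the original ACL never matches it (implicit deny, so no redirect), while the suggested ACL marks it for redirection; DNS and traffic to ISE are excluded from redirection by both.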
03-06-2022 06:22 AM
Hi Arshad,
Thanks for the reply.
1. IP http server or IP http secure-server enabled.
2. Redirect ACL:
ip access-list extended REDIRECT
 10 deny ip any host 10.0.0.10
 20 deny ip host 10.0.0.10 any
 30 deny udp any any eq domain
 40 deny udp any eq domain any
 50 permit tcp any any eq www
!
wireless profile flex Flexconnect_group
 acl-policy REDIRECT
  central-webauth
 ip http client proxy 0.0.0.0 0
 native-vlan-id 20
 vlan-name Guest
  vlan-id 250
!
wireless profile policy Guest_flexconnect
 aaa-override
 accounting-list Guest_ISE_Acct
 no central dhcp
 no central switching
 nac
 vlan 250
 no shutdown
!
wireless tag site flexconnect_site
 flex-profile Flexconnect_group
 no local-site
!
wireless tag policy APG_flexconnect
 wlan Guest policy Guest_flexconnect
!
wlan Guest 3 Guest
 band-select
 mac-filtering Guest_Author
 peer-blocking drop
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security dot1x authentication-list Guest_ISE_Auth
 security web-auth parameter-map global
 no shutdown
03-06-2022 01:16 AM
What type did you select for authentication under webauth: consent, web auth or webconsent?
It is not very clear at which stage you are facing the problem.
03-06-2022 11:17 AM - edited 03-07-2022 02:14 AM
I would suggest the below changes:
ip access-list extended REDIRECT
 10 deny ip any host 10.0.0.10
 20 deny ip host 10.0.0.10 any
 30 deny udp any any eq domain
 40 deny udp any eq domain any
 50 permit ip any any
!
wireless profile policy Guest_flexconnect
 no central association
!
wireless profile flex Flexconnect_group
 acl-policy REDIRECT
  central-webauth
 no arp-caching
!!!!!ACL Name is changed.
!
wlan Guest 3 Guest
 no security web-auth parameter-map global
!
Let us know what IOS-XE code you are running and the code in ISE.
03-07-2022 01:41 AM
Hi Arshadsaf,
Is the entry for ACL POSTURE-REDIRECT the same as ACL REDIRECT?
 10 deny ip any host 10.0.0.10
 20 deny ip host 10.0.0.10 any
 30 deny udp any any eq domain
 40 deny udp any eq domain any
 50 permit ip any any
IOS-XE version: 17.3.3
ISE version: 3.8
03-07-2022 02:15 AM
It was a mistake in the ACL name. You can use the ACL name REDIRECT.
03-28-2022 06:13 AM
After a detailed review of the official configuration documentation, I found this description:
I finally found that it was indeed a problem with the ACL configuration; with your configuration the problem was finally solved, thank you very much!