ISE 1.2 original or custom page redirect after successful guest login?

istvan.kelemen1
Level 1

Hello,

How can I do this?

I have tried this one http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116217-configure-ISE-00.html

but I was getting looped redirection with ActivatedGuest authorization rule.

With MAC filtering and RADIUS NAC, login is working fine, but I could not find the option for URL redirect.

Thx and Regards,

István

4 Replies

ajc
Level 7

Hi istvan,

Do not use LWA because it causes many issues and requires 3 redirects instead of just one when you use CWA. LWA does not require any special AUTHZ policy mapped to an AUTHZ Profile like CWA. In fact, Cisco TAC will not provide support on LWA soon based on recent information I got.

Here is the link for CWA:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Do not forget CoA (RFC 3576) on the wireless controller for the AAA Authentication Server used in the specific SSID, RADIUS NAC in the advanced options for that SSID, and AAA override.

Use the default portal that comes with the AUTHZ Profile in ISE during initial tests on CWA (in my case I have customized portals for each SSID using CWA and it works).

One more thing, extremely important: IF you are using Apple devices like iPad or MacBook, you MUST enable the CAPTIVE PORTAL BYPASS option on the WLC using the CLI. When using CWA the login page WILL NOT BE displayed automatically on those Apple devices as soon as you are connected to the specific SSID. You need to open the Safari browser and type in the URL you want to go to; the redirect then happens automatically with no issues.

Hoping this helps, please do not forget to rate this answer.
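The controller-side settings listed in the reply above (MAC filtering, RADIUS NAC, AAA override, CoA/RFC 3576 and captive-portal bypass), as an added example of the equivalent AireOS WLC CLI. This is not taken from the original thread or from Cisco's documentation; WLAN ID 5 and RADIUS server index 1 (the ISE policy node) are assumed values, and the lines starting with `!` are annotations for the reader, not WLC syntax.

```cisco
! Added example: AireOS WLC CLI for an open CWA guest SSID.
! Assumed: WLAN ID 5, RADIUS server index 1 = the ISE PSN.
config wlan disable 5
config wlan security wpa disable 5
! Open SSID: ISE performs the web authentication, not the WLC.
config wlan mac-filtering enable 5
! MAC filtering makes the WLC send a MAB request to ISE on association.
config wlan radius_server auth add 5 1
config wlan radius_server acct add 5 1
config wlan nac radius enable 5
! "Radius NAC" (WLAN > Advanced) lets the WLC honour the url-redirect attributes from ISE.
config wlan aaa-override enable 5
! AAA override is required for the redirect ACL / VLAN returned by ISE to be applied.
config wlan enable 5
config radius auth rfc3576 enable 1
! CoA (RFC 3576) so ISE can reauthorise the session after the guest logs in.
config network web-auth captive-bypass enable
! Captive-portal bypass for Apple devices, as the reply describes.
show wlan 5
```

The final `show wlan 5` is the check: confirm that MAC filtering, NAC state (RADIUS NAC) and AAA override all show as enabled before testing a client. The redirect ACL that the ISE authorization profile references must also exist under that exact name on the WLC; its rules are covered in the CWA document linked above and are not shown here.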

Hi Abraham,

Thank you for your comment.

I have done the config based on the corresponding Labminutes video tutorial; I have done exactly what you posted, and it works fine.

He did the custom webpage redirection after successful login by customising the HTML code, so when he clicked "OK" on the success login page the browser opened the pre-defined link.

However, I do not want to customise the webpage; I want to let the clients be redirected to the original page that they had requested before the CWA redirection, or just force them to open my webpage. For example on a Win 7 client.

Also, is it possible to log in via CWA without using a username and password, just by accepting the terms?

Thanks,

István

Hi istvan,

Could you please send me the link showing how the customized HTML file is modified so that it sends the end-user connection back to the original URL he typed in after successful CWA AUTHC?

Let me think about your requirement regarding not using a customized portal. I am not sure if that is feasible.

Regarding your second question there is something called DRW. Here is the link:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_guest_pol.html#pgfId-1449288

The above procedure will allow guests to register devices without requiring a guest credential. An entry is added automatically to the ISE Endpoint Group called GuestEndpoints; this is like a HotSpot kind of service, so you would have to purge the group entries periodically (I have not checked if there is an automatic option on ISE). Unfortunately the security is weak unless you have specific VLAN/FW rules so that the Guest Users are assigned, based on your WLC interface/VLAN, to an isolated area that cannot affect your critical network/services. I mean, it is a "just internet access" VLAN.

I am doing testing on 1.4 patch 3 using PEAP + the HotSpot feature in a similar way to what you want, but it looks like I am facing a bug, so once it is solved I will share my solution. However, the option I am testing requires credentials for AUTHC because security is mandatory, and DRW is basically MAB = cleartext credentials, no security at all.

Regards

Hi istvan,

Regarding your question, and after doing multiple tests on 1.4 patch 3: you need an AUTHC mechanism no matter whether you are using 802.1X, MAB or CWA/LWA. Once the device is automatically registered into the corresponding Internal Endpoint Group you defined in the ISE configuration, you can apply an AUTHC policy that checks the Endpoint DB and, based on the result ("user not found" option = continue), sends you to the AUTHZ policy, which points to the HotSpot Portal that only requires AUP acceptance with no credentials at all.

Next time, the end user's MAC is already in the database, so you would hit the AUTHC MAB policy and, depending on how you configure the AUTHZ policy (basically an endpoint group check policy), you will be redirected to the AUP page and get access to the internet. You can customize how frequently the endpoint group entries you created are purged, so that the user would have to re-authenticate once again.

Hoping this helps
