Re: ISE Guest redirect portal

emolstad · ‎03-16-2023

I a setting up a Guest network on 9800L WLC. I have it setup to the point where the user can join the network but no redirect page pops when they join. I am able to see in DNAC that they IP learn is successful and L3 Auth starts but on testing no Redirect to ISE portal pops. I have ISE polices setup correct as we have done this on old airos wlc just fine. I am thinking with the IOS based controllers there is something I am missing.

Scott Fella · ‎03-16-2023

The are a lot of moving parts here. Have you tired to open a browser manually? Have you looked at the logs in ISE? I'm also assuming that the configuration on the 9800 and ISE are 100% correct.

-Scott
*** Please rate helpful posts ***

emolstad · ‎03-16-2023

Scott Fella · ‎03-16-2023

So if you manually open a browser, do you not get the portal page or get redirected?

-Scott
*** Please rate helpful posts ***

emolstad · ‎03-16-2023

no portal page when manually open browser

Scott Fella · ‎03-16-2023

If you create a test said that is open, can the device associate and get an ip address? if so, I think you need to review your configuration for the guest portal between the controller and ISE. Seems like something might be missing.

-Scott
*** Please rate helpful posts ***

emolstad · ‎03-17-2023

This is current ACl on WLC. Top 2 lines are our ISE servers. I have modified it a bit over time and maybe I am just leaving something out. The devices get an IP on the appropriate subnet. May be a DNS issue I am investigating still.

Rich R · ‎03-18-2023

You don't say what ACL that is but if that's your pre-auth redirect ACL - you need to read this:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#toc-hId-881505252

The ACL should deny traffic which is allowed (DNS & captive portal page) and permit traffic to be redirected (http). Yours is blocking DNS and captive portal.

(By the way permit tcp any any www is totally redundant after a permit ip any any which already includes that)

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

marce1000 · ‎03-16-2023

- You may find these debugging tools useful : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800CWA ,
also review the 9800 configuration with https://cway.cisco.com/wireless-config-analyzer/ , that needs the output of (CLI) show tech wireless

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R · ‎03-17-2023

Have you done a radioactive trace on the client and analysed results with https://cway.cisco.com/wireless-debug-analyzer/ ?

I'd also go through the config guides again step by step and make sure you haven't missed anything - very easy to do.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390