Unable to redirect Cisco ISE guest clients to Microsoft login page - Cisco Community

422

Views

4

Helpful

5

Replies

I am setting up Cisco WLC and ISE guest portal to use Azure AD account for web authentication prior to internet access
The Azure part is setup correctly and working as it should.

Clients redirection to Microsoft login page works perfectly and users were able to authenticate using their Microsoft account to access the internet through cisco ISE guest portal.
This flow works if I deny all TCP 443 traffic on the redirect ACL...see screenshot line 62.
Once I remove the ACL line, redirection to Microsoft login page stops working.

I have used URL Filters (both URL filters and Enhanced URL filters with permit and deny actions) on the WLC but seems not to be working.
Kindly assist, may be I'm missing out something on ISE or WLC.

5 Replies 5

See https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#toc-hId-881505252

The key part of the ACL is to permit www not ip any any.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

In General the ACL should be top down model.

so you allow intresting traffic what you looking to allow, in the end you deny any any.

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217457-configure-and-troubleshoot-external-web.html

There is external web auth and there is CWA with ISE

I dont see before CWA with ISE and use external web for auth?

I think what you need is use external web auth' check link

MHM

The issue has been resolved.

The ACL used

The URL ACL used

I added the URL ACL to the profile attached the the WLAN-SSID

This link was also helpful
https://community.cisco.com/t5/security-knowledge-base/ise-byod-flow-using-entra-id/ta-p/4400675

This for SAML, but anyway glad issue is solve.

MHM

Learn, share, save

Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.

New here? Get started with these tips. How to use Community New member guide

Log in to Community

Review Cisco Networking for a $25 gift card