Web-auth redirect not working
08-07-2019 06:31 AM - edited 07-05-2021 10:49 AM
When I connect to my SSID, there is no automatic redirect to https://1.1.1.1/.
But when I enter the URL https://1.1.1.1 by hand, everything works!
My config:
WLAN Identifier.................................. 16
Profile Name..................................... Guest-WEB
Network Name (SSID).............................. Guest-WEB
Status........................................... Enabled
Web Based Authentication...................... Enabled
Web Authentication Timeout.................... 300
IPv4 ACL........................................ web-acl
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... ldap
2............................................... local
3............................................... radius
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
##
(Cisco Controller) show>custom-web wlan 16
WLAN ID: 16
WLAN Status................................... Enabled
Web Security Policy........................... Web Based Authentication
Global Status................................. Enabled
WebAuth Type.................................. Internal
###
WLC -> Management -> HTTP-HTTPS
HTTP-HTTPS Configuration:
HTTP Access - Disable
HTTPS Access - Enabled
WebAuth SecureWeb - Enabled
HTTPS Redirection - Enabled
Web Session Timeout - 30 Minutes
##
My preauthentication ACL:
(Cisco Controller) show>acl detailed web-acl
Source Destination Source Port Dest Port
Index Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
1 Any 0.0.0.0/0.0.0.0 10.0.253.20/255.255.255.255 17 0-65535 53-53 Any Permit 468
2 Any 10.0.253.20/255.255.255.255 0.0.0.0/0.0.0.0 17 53-53 0-65535 Any Permit 466
3 Any 0.0.0.0/0.0.0.0 10.1.254.20/255.255.255.255 17 0-65535 53-53 Any Permit 2
4 Any 10.1.254.20/255.255.255.255 0.0.0.0/0.0.0.0 17 53-53 0-65535 Any Permit 2
5 Any 0.0.0.0/0.0.0.0 1.1.1.1/255.255.255.255 Any 0-65535 0-65535 Any Permit 0
6 Any 1.1.1.1/255.255.255.255 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 Any Permit 9159
DenyCounter : 12069
Full config in attachment.
04-23-2020 05:36 AM
Update:
My laptop is now able to connect to the SSID and a web browser is automatically displayed with the URL for the portal, but it shows the error 'site can't be reached'.
A DNS record is in place mapping the URL name to the ISE server IP address.
The WLC has an ACL rule in place allowing UDP/DNS and TCP 8443 to the ISE server.
@Marc0 wrote: Hi,
I'm having similar issues; however, I'm setting my redirect to my ISE box.
The issue I'm experiencing is that my Windows 10 device connects to the guest SSID but does not auto-load a web page with the redirect URL.
The WLC is on code 8.3.113 and ISE on 2.3 (patch 4).
04-23-2020 05:55 AM
Typically the clients want to use tcp/443 and not 8443, but I'm not sure with ISE.
04-23-2020 06:50 AM
So nslookup is resolving to the correct IP address of the server and not a virtual address, i.e. 2.2.2.2 for example.
I have looked at ISE to see if I can change the portal to be tcp/443 only, but it's designed to be tcp 8000-8999, so I have left it on 8443.
04-23-2020 07:26 AM
For example, 1.1.1.1 will often not work anymore.
Can you telnet x.x.x.x 8443 to test if the connection opens?
Here is some information about the logging files on the ISE in regard to the guest portal (that is, if the telnet works):
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html#anc35
If the telnet doesn't work, then the ACL might still be blocking the access, or something similar.
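The preauthentication ACL in the original post and the "the ACL might still be blocking" diagnosis above both come down to the same question: which flows does the WLC let an unauthenticated client send? The following is an added example, not code from the thread or from Cisco: it parses the `show acl detailed web-acl` output quoted in the first post and evaluates candidate flows against it the way an AireOS ACL is applied (rules in order, first match wins, implicit deny at the end). The client address 10.0.50.10 and the ISE portal address 10.0.253.30 are constructed placeholders; the thread never gives the real ISE address.

```python
"""Evaluate a client flow against an AireOS WLC preauthentication ACL.

Added example, not from the thread. WEB_ACL_OUTPUT is the ACL quoted in the
original post; the client (10.0.50.10) and ISE (10.0.253.30) addresses used
in the checks are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

WEB_ACL_OUTPUT = """\
Index Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
1 Any 0.0.0.0/0.0.0.0 10.0.253.20/255.255.255.255 17 0-65535 53-53 Any Permit 468
2 Any 10.0.253.20/255.255.255.255 0.0.0.0/0.0.0.0 17 53-53 0-65535 Any Permit 466
3 Any 0.0.0.0/0.0.0.0 10.1.254.20/255.255.255.255 17 0-65535 53-53 Any Permit 2
4 Any 10.1.254.20/255.255.255.255 0.0.0.0/0.0.0.0 17 53-53 0-65535 Any Permit 2
5 Any 0.0.0.0/0.0.0.0 1.1.1.1/255.255.255.255 Any 0-65535 0-65535 Any Permit 0
6 Any 1.1.1.1/255.255.255.255 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 Any Permit 9159
DenyCounter : 12069
"""

# One ACL row: index, dir, src, dst, protocol, sport range, dport range, DSCP, action, counter.
ROW_RE = re.compile(
    r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)-(\d+)\s+(\d+)-(\d+)\s+(\S+)\s+(Permit|Deny)\s+(\d+)$"
)


@dataclass(frozen=True)
class Rule:
    index: int
    direction: str                 # "Any", "In" (client to network) or "Out"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                     # "Any" or an IP protocol number as text (17 = UDP, 6 = TCP)
    sport: tuple[int, int]
    dport: tuple[int, int]
    action: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    direction: str = "In"


def parse_network(text: str) -> ipaddress.IPv4Network:
    # The WLC prints "address/netmask"; ipaddress accepts a dotted mask directly.
    ip, mask = text.split("/")
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_acl(output: str) -> list[Rule]:
    rules = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, separator and DenyCounter lines carry no rule
        g = m.groups()
        rules.append(Rule(
            index=int(g[0]), direction=g[1],
            src=parse_network(g[2]), dst=parse_network(g[3]),
            proto=g[4], sport=(int(g[5]), int(g[6])), dport=(int(g[7]), int(g[8])),
            action=g[10],
        ))
    return rules


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, int | None]:
    """First matching rule wins; no match is the WLC's implicit deny (index None)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for r in rules:
        if r.direction != "Any" and r.direction != flow.direction:
            continue
        if r.proto != "Any" and int(r.proto) != flow.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if not (r.sport[0] <= flow.sport <= r.sport[1] and r.dport[0] <= flow.dport <= r.dport[1]):
            continue
        return r.action, r.index
    return "Deny", None


if __name__ == "__main__":
    rules = parse_acl(WEB_ACL_OUTPUT)
    checks = {
        "DNS query to 10.0.253.20": Flow("10.0.50.10", "10.0.253.20", 17, 51000, 53),
        "HTTPS to 1.1.1.1 (WLC portal)": Flow("10.0.50.10", "1.1.1.1", 6, 51001, 443),
        "HTTPS to ISE portal tcp/8443": Flow("10.0.50.10", "10.0.253.30", 6, 51002, 8443),
    }
    for label, flow in checks.items():
        print(f"{label:32} -> {evaluate(rules, flow)}")
```

Run against the ACL from the first post, DNS to the two resolvers and anything to or from 1.1.1.1 are permitted, while a client's tcp/8443 connection to an ISE address falls through to the implicit deny, which is exactly the case where the telnet test above fails and the DenyCounter keeps climbing. Any portal address and port that the redirect points at has to appear in this ACL, in both directions, before the client can load it.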
04-23-2020 08:11 AM
Hi,
We use private addressing.
I've tried telnet and it's failing, so I'm seeing how I go about enabling it on the ISE unit.
FYI:
My setup has both WLC and ISE sitting inside my network and not in the DMZ like most models would refer to.
04-23-2020 08:45 AM
04-23-2020 10:42 AM
Tried telnet from command line and no connection established.
04-23-2020 11:26 AM
If yes, can you reach the portal if you put a client into the same network with a cable?
If again yes, then it's probably the ACL; if no, then it's probably something on the ISE blocking you.
04-23-2020 12:19 PM
Yes, I did 'telnet (ip) 8443' and no connection was made, followed by a timeout.
I tried this also on the corporate side of the network with no success either. I confirm the firewalls are all OK and not blocking.
I logged onto the server and ran 'show ports', but 'server address:8443' was not in the list, so I suspect something is missing there?
04-23-2020 11:02 PM
Can you test the access from the same VLAN as the ISE is running in?
By default, you should receive an error page from the ISE (if no guest portal is configured) with the message:
[ 404 ] Resource Not Found
The resource requested cannot be found.
The site should at least be accessible, even if no guest service is configured on the ISE.
Also check https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html for a quick ISE portal manual.
04-24-2020 12:45 AM
Thank you for that feedback.
I would say the same about a possible block; however, I set the firewall rules to permit ip source destination to rule out any blocks. But for peace of mind, I added some extra rules with tcp/8443 so I can see if there are any hits on those rules.
I'm not able to do the test on the same VLAN as ISE, but I can do it from other VLANs, and I do get the test (404) page.
04-24-2020 01:19 AM
04-24-2020 01:56 AM
OK, I've noticed that in the SSID Layer 3 settings there is a Preauth ACL (for which I have defined a list) and also a WebAuth FlexACL. Now I have my WAPs in FlexConnect, so I created an ACL with permit IP any. Once I enable this ACL on Layer 3, I can get to the URL manually when on the guest SSID (though I am expecting the web page to open automatically).
Are there any reference docs for WebAuth FlexACL?
04-24-2020 03:46 AM
After creating a FlexConnect ACL and defining my list, I had to map the FlexConnect ACL to the SSID under Layer 3/WebAuth FlexACL and also to the WAPs under the FlexConnect tab/External WebAuthentication ACLs.
I followed this document for reference:
https://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html
Now I need to tackle how to clear the certificate error that the web page is displaying, so that when connecting to the SSID it redirects to the portal page with no certificate errors.
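The fix above (a FlexConnect ACL mapped under Layer 3/WebAuth FlexACL and on the APs) is the kind of thing that is easy to miss when reading `show wlan` output, because the first post's config shows `Web-Auth Flex ACL ... Unconfigured` next to a perfectly good `IPv4 ACL`. As an added example, not from the thread or from Cisco, here is a small lint that parses the dotted-leader `show wlan <id>` format quoted in the first post and reports the web-auth settings worth checking. Whether the WLAN's APs run in FlexConnect mode is not part of `show wlan` output, so the example takes it as a flag; the SHOW_WLAN text is the original poster's config, trimmed to the lines the lint looks at.

```python
"""Lint the web-auth settings of an AireOS WLAN from "show wlan <id>" output.

Added example, not from the thread. SHOW_WLAN is the output quoted in the
original post; whether the APs serving the WLAN are in FlexConnect mode is
not in that output, so it is passed in as a flag.
"""
import re

SHOW_WLAN = """\
WLAN Identifier.................................. 16
Profile Name..................................... Guest-WEB
Network Name (SSID).............................. Guest-WEB
Status........................................... Enabled
Web Based Authentication...................... Enabled
Web Authentication Timeout.................... 300
IPv4 ACL........................................ web-acl
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... ldap
2............................................... local
3............................................... radius
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
"""

# "Key...... Value": a non-greedy key, a run of at least two dots, whitespace, then the value.
LEADER_RE = re.compile(r"^(.*?)\.{2,}\s+(.*)$")


def parse_leaders(output: str) -> dict:
    """Turn dotted-leader lines into a dict; lines without a leader (section titles) are skipped."""
    fields = {}
    for line in output.splitlines():
        m = LEADER_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def lint_webauth(fields: dict, flexconnect_aps: bool) -> list:
    """Return human-readable findings for settings that break the web-auth redirect."""
    findings = []
    if fields.get("Web Based Authentication") != "Enabled":
        return ["Web-auth is not enabled on this WLAN; there is nothing to redirect."]
    if fields.get("IPv4 ACL", "Unconfigured") == "Unconfigured":
        findings.append("No IPv4 preauthentication ACL: unauthenticated clients cannot reach DNS or the portal.")
    if flexconnect_aps and fields.get("Web-Auth Flex ACL", "Unconfigured") == "Unconfigured":
        findings.append(
            "APs are in FlexConnect but Web-Auth Flex ACL is Unconfigured: map a FlexConnect ACL "
            "here and under the APs' External WebAuthentication ACLs."
        )
    return findings


if __name__ == "__main__":
    cfg = parse_leaders(SHOW_WLAN)
    for ap_mode, flex in (("local-mode APs", False), ("FlexConnect APs", True)):
        print(f"{ap_mode}: {lint_webauth(cfg, flex) or ['no findings']}")
```

With local-mode APs the original poster's WLAN lints clean; with FlexConnect APs the same config produces the finding that matches the fix described in this post.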
04-24-2020 04:46 AM
Now you have discovered the main reason why guest portals are typically HTTP :(
It depends a little, though, on how the client opens it. If he enters a URL into the browser which he used before, he might get a certificate error. On the other hand, if the operating system realizes that there is a guest portal blocking your access and then opens a web page with the guest portal URL, you should not get an error. Does your guest portal have a valid, externally signed certificate? Did you install it with the complete certificate path on the ISE?
