Re: Web-auth redirect not working - Page 2

bgp.ripe901 · ‎08-07-2019

When i connecting in my SSID, no automatic redirect to https://1.1.1.1/

But when i enter url https://1.1.1.1 with my hands everything is ok working !

WLC-5508 - software: 8.0.152.0

My config:

WLAN Identifier.................................. 16
Profile Name..................................... Guest-WEB
Network Name (SSID).............................. Guest-WEB
Status........................................... Enabled

Web Based Authentication...................... Enabled
Web Authentication Timeout.................... 300
IPv4 ACL........................................ web-acl
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... ldap
2............................................... local
3............................................... radius
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled

##

(Cisco Controller) show>custom-web wlan 16

WLAN ID: 16
WLAN Status................................... Enabled
Web Security Policy........................... Web Based Authentication
Global Status................................. Enabled
WebAuth Type.................................. Internal

###

WLC -> Management -> HTTP-HTTPS

HTTP-HTTPS Configuration:

HTTP Access - Disable
HTTPS Access - Enabled
WebAuth SecureWeb - Enabled
HTTPS Redirection - Enabled
Web Session Timeout - 30 Minutes

##

My Preauthentication ACL :

(Cisco Controller) show>acl detailed web-acl

Source Destination Source Port Dest Port
Index Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
1 Any 0.0.0.0/0.0.0.0 10.0.253.20/255.255.255.255 17 0-65535 53-53 Any Permit 468
2 Any 10.0.253.20/255.255.255.255 0.0.0.0/0.0.0.0 17 53-53 0-65535 Any Permit 466
3 Any 0.0.0.0/0.0.0.0 10.1.254.20/255.255.255.255 17 0-65535 53-53 Any Permit 2
4 Any 10.1.254.20/255.255.255.255 0.0.0.0/0.0.0.0 17 53-53 0-65535 Any Permit 2
5 Any 0.0.0.0/0.0.0.0 1.1.1.1/255.255.255.255 Any 0-65535 0-65535 Any Permit 0
6 Any 1.1.1.1/255.255.255.255 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 Any Permit 9159

DenyCounter : 12069

Full config in attachment.

Marc0 · ‎04-23-2020

Update:

My laptop is now able to connect to the SSID and a web browser automatically is displayed with the url for the portal, but displayed with an error that is 'site cant be reached'

DNS record is in place stating the url name of the ISE server ip address.

WLC has acl rule in place allowing UDP/DNS and TCP8443 to ISE server

@Marc0 wrote:
Hi

im having similar issues however I’m setting my re-direct to my ISE box.
The issue I’m expecting is where my windows 10 device is connect to the guest SSID but it is not auto loading a web page with the re-direct url.

The WLC is on code 8.3.113 and ISE on 2.3(patch 4)

patoberli · ‎04-23-2020

Can you nslookup the name on the client and check if it can resolve the hostname correctly? Can you then also check if you can manually open the website?

Typically the clients want to use tcp/443 and not 8443, but not sure with the ISE.

Marc0 · ‎04-23-2020

so nslookup is resolving to the correct IP address, of the server and not a virtual address ie 2.2.2.2 for example.

Have looked at ISE to see if I can change the portal to be tcp/443 only and its design to be tcp 8000 - 8999, so have left it on 8443

patoberli · ‎04-23-2020

But you do use a private address, or a public address assigned to your company?

For example 1.1.1.1 will often not anymore work.

Can you telnet x.x.x.x 8443 to test if the connection opens?

Here some information about the logging files on the ISE in regards to guest portal (that is, if the telnet works):
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html#anc35

If the telnet doesn't work, then the ACL might still be blocking the access, or something similar.

Marc0 · ‎04-23-2020

Hi

We use private addressing.

Ive tried telnet and its failing so im seeing how I go about enabling it on the ISE unit.

FYI

My setup is both WLC and ISE sitting inside my network and not in the DMZ like most models would refer to.

patoberli · ‎04-23-2020

No need to enable telnet on the ISE. Test this on the client to the first portal address.

Marc0 · ‎04-23-2020

Hi

Tried telnet from command line and no connection established.

patoberli · ‎04-23-2020

Ok and I assume you also entered the port 8443?
If yes, can you reach the portal if you put a client into the same network with a cable?
If again yes, then it's probably the ACL, if no, then it's probably something on the ISE blocking you.

Marc0 · ‎04-23-2020

Hi

Yes I did ‘ telnet (ip) 8443 ‘ and no connection was made and then timeout.

I tried this also on the corporate side of the network and no success either. I confirm firewalls are all ok and not blocking.

I logged onto the server and ran ‘show ports’ but the ‘server address:8443’ was not in the list so I suspect something is missing from there?

patoberli · ‎04-23-2020

That means that something (firewall or similar) is blocking the access between your client and the ISE on port 8443.

Can you test the access from the same VLAN as the ISE is running in?

By default, you should receive an error site of the ISE (if no guest portal is configured) with the message:

[ 404 ] Resource Not Found

The resource requested cannot be found.

The site should at least be accessible, even if no guest service is configured on the ISE.

Also check https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html for a quick ISE portal manual.

Marc0 · ‎04-24-2020

Hello

Thank you for that feedback.

I would say the same about possible block however I set the firewall rules to be permit ip source destination to rule out any blocks. But for peace and mind, added some extra rules with tcp/8443 so I can see if any hits on those rules.

Im not able to do the test on the same vlan as ISE but can do form other vlans and the test (404) page I do get.

patoberli · ‎04-24-2020

Ok, if it works from other networks, but not the wireless VLAN (even when wired to that VLAN), then there is an ACL between that VLAN and the ISE. Or any other routing issue (can you ping the ISE (requires an ACL modification probably)?).

Marc0 · ‎04-24-2020

Hi

Ok ive notices that on the SSID Layer 3 settings, there is a Preauth ACL (which I have defined a list) and also a WebAuth FlexACL. Now I have my WAPs in FlexConnect so I created an ACL with permit IP any. Once I enable this ACL to the Layer 3, I can get to the URL manually when on the guest SSID (though I am expecting the web page to open automatically)

Is there any ref docs for WebAuth FlexACL?

Marc0 · ‎04-24-2020

Ok update.

After creating a FlexConnect ACL and defining my list, I had to map the FlexConnect ACL to the SSID under Layer 3/WebAuth FlexACL and also to the WAPs under FlexConnect Tab/External WebAuthenticationACLs

I followed this document for reference:

https://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html

Now I need to tackle how to clear the certificate error that the webpage is displaying, so when connecting to the SSID it re-directs to the portal page with no certificate errors

patoberli · ‎04-24-2020

Ah great!

Now you have discovered the main reason for why the guest portals are typically http :(

It depends a little though, how the client opens it. If he enters a URL into the browser which he used before, he might get a certificate error. On the other hand, if the operating system realizes that there is a guest portal blocking your access and then opens a webpage with the guest portal URL, you should not get an error. Your guest portal has a valid, externally signed certificate? Did you install it with the complete certificate path to the ISE?