Prasan Venky
Participant

Web Redirect is not working

Hello,

We configured web authentication on a WLC 5508 with ISE for the guest traffic. When a client tries to connect, it is redirected to a different URL. That is, the specified URL (the default redirection page of ISE) is 'https://<ISE IP>:8443/guestportal/portal.jsp', but the client is getting redirected to

'https://<ISE>:8443/guestportal/login.action?switch_url=https://<virtual IP>/login.html&wlan...'. And finally I am getting a 'page cannot be displayed' error message.

Why does this happen? Any quick help would be really appreciated.

Moreover, I have doubts on the points below.

1) Should both the anchor and the foreign controllers be configured for web auth security, or only the anchor?

2) With external web redirection, does the client have to get a DNS-resolved entry for the specified URL, or does the WLC know how to take it to the external web page?

3) Does any special configuration have to be done on ISE?

Thanks for your time

KVS

Message was edited by: Prasan Venky

grabonlee
Enthusiast

Hi,

When a user-defined guest portal is implemented, the URL should be in the format below:

https://<ISE_Server_IP>:8443/guestportal/portals/name_of_user_defined_portal/portal.jsp

The ISE_Server_IP should either be the IP address of the ISE server or the DNS resolvable hostname of the ISE Server.

The external web authentication URL should only be specified in the Anchor Controller.

Thanks for your reply, Osita.

We are using the default setting for the guest portal access in ISE. We are not sure about the user-defined web page.

We even tried giving the direct IP of ISE, like https://<ip address>:8443/guestportal/portal.jsp and

https://<ip address>:8443/guestportal/login.action.

But still the web page is not displaying. What needs to be checked?

Well Prasanesh, I would suggest going through the Cisco how-to guide for step-by-step configuration of WLC with ISE; you can compare it to see if you have missed anything.

How is your pre-auth ACL configured in your WLC? This should be done on the anchor controller if you have one. 

Also, if your DNS does not resolve the ISE IP address, you can check the checkbox option to use the IP address instead of the FQDN, and the portal port has to be permitted on the firewall as well.

grabonlee
Enthusiast

Did you specify the URL in the external web auth login on the anchor controller?

Did you check the firewall to see if it may be blocking port 8443?

Are you using a pre-authentication ACL? If so, you have to make sure that there is both an inbound and an outbound ACL to and from the ISE on port 8443.


Sent from Cisco Technical Support Android App

Did you specify the URL in the external web auth login on the anchor controller?

Yes, we have given it on the anchor controller.

Did you check the firewall to see if it may be blocking port 8443?

We have allowed the port.

Are you using a pre-authentication ACL? If so, you have to make sure that there is both an inbound and an outbound ACL to and from the ISE on port 8443.

We have allowed:

1. ISE to any
2. any to ISE
3. any to DNS
4. DNS to any

In the WLAN configuration, we specified L3 security as web auth with external server and the URL of ISE (pre-auth ACL chosen). In the Advanced tab we have given AAA override.

In ISE we just allowed the Permit Access authorization profile for the guest access.

Do we need to configure anything extra?

Hi,

For now, could you uncheck AAA override in the WLAN config.

Is your authentication policy on the ISE similar to the one below:

IF (WLC_Web_Authentication and Wireless_Guest_WebAuth)

       THEN (Allow Default Network Access (or user-defined access) and USE Guest_Portal_Sequence)

WLC_Web_Authentication is a system-generated compound condition that matches Service-Type and NAS port type.

Wireless_Guest_WebAuth is a user-defined simple condition that matches the open guest SSID, i.e. Airespace-Wlan-Id EQUALS (number of the guest SSID on the WLC).

How is the authorization policy set up?

Are the devices that you have the problem with Apple or Mac OS X?

If so, you need to add this command on the anchor controller: configure network web-auth captive-bypass enable.

Finally, could you confirm that in the pre-auth ACLs you specified port 8443 and not just any?

Really, thanks for the reply.

Yes, we have configured

IF (WLC_Web_Authentication and Wireless_Guest_WebAuth)

       THEN (Allow Default Network Access

For authorization, the default is permit any access.

We tried with Windows 7 clients.

Anyway, the anchor controller is placed behind the firewall. We didn't open port 443 for redirection. We will enable it tomorrow, check, and let you know.

mmangat
Beginner

Hello,

How to Make an External (Local) Web Authentication Work with an External Page

As already briefly explained, the utilization of an external WebAuth server is just an external repository for the login page. The user credentials are still authenticated by the WLC. The external web server only allows you to use a special or different login page. Here are the steps performed for an external WebAuth:

  1. The client (end user) opens a web browser and enters a URL.

  2. If the client is not authenticated and external web authentication is used, the WLC redirects the user to the external web server URL. In other words, the WLC sends an HTTP redirect to the client with the website's spoofed IP address and points to the external server IP address. The external web authentication login URL is appended with parameters such as the AP_Mac_Address, the client_url (www.website.com), and the action_URL that the customer needs to contact the switch web server.

  3. The external web server URL sends the user to a login page. Then the user can use a pre-authentication access control list (ACL) in order to access the server. The ACL is only needed for the Wireless LAN Controller 2000 series.

  4. The login page takes the user credentials input and sends the request back to the action_URL, such as http://1.1.1.1/login.html, of the WLC web server. This is provided as an input parameter to the customer redirect URL, where 1.1.1.1 is the virtual interface address on the switch.

  5. The WLC web server submits the username and password for authentication.

  6. The WLC initiates the RADIUS server request or uses the local database on the WLC, and then authenticates the user.

  7. If authentication is successful, the WLC web server either forwards the user to the configured redirect URL or to the URL the client entered.

  8. If authentication fails, then the WLC web server redirects the user back to the customer login URL.

Note: If the access points (APs) are in FlexConnect mode, a preauth ACL is irrelevant. Flex ACLs can be used to allow access to the web server for clients that have not been authenticated.

For more details, please refer to the following:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080bf7d89.shtml#redirect

Hi Mantej Mangat,

All the guest credentials will be generated in ISE through the sponsor portal. But how does the WLC come to know the guest credentials if we follow the method you described above?

Hello Prasan,

In the above scenario the WLC sends the authentication request to the server on behalf of the user, and when the WLC sends an authentication request to the external server it keeps track of this request. In this way it comes to know that authentication is successful.

Hi

In case you haven't resolved your problem, I would like to ask whether you have created a DNS record for the ISE. Also, if you're using a pre-authentication ACL on the WLC, make sure that the protocol is TCP and not UDP for port 8443.
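The pre-auth ACL requirements spelled out in this reply and in grabonlee's earlier one (TCP, not UDP, on 8443 in both directions; port 8443 rather than any; DNS reachable) are easy to get wrong on the controller's ACL editor. The script below is an added example, not code from any poster in this thread or from Cisco: it models WLC pre-auth ACL lines as first-match rules and checks the four flows an unauthenticated guest needs. The direction convention (inbound = from the wireless client, outbound = towards it), the 192.0.2.x addresses and the three sample ACLs are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"

@dataclass(frozen=True)
class AclRule:
    """One line of a WLC pre-auth ACL, fields as on the controller's ACL editor."""
    direction: str   # "inbound" (from the wireless client), "outbound" (towards it) or "any"
    src: str         # IPv4 address or "any" (masks are left out of this model)
    src_port: str    # port number as a string, or "any"
    dst: str
    dst_port: str
    protocol: str    # "tcp", "udp" or "any"
    action: str      # "permit" or "deny"

@dataclass(frozen=True)
class Flow:
    """A packet a not-yet-authenticated guest must be able to send or receive."""
    label: str
    direction: str
    src: str
    src_port: str
    dst: str
    dst_port: str
    protocol: str

def _matches(rule_value: str, flow_value: str) -> bool:
    return rule_value == ANY or rule_value == flow_value

def first_match(acl: List[AclRule], flow: Flow) -> Optional[AclRule]:
    """ACLs are evaluated top-down and the first match wins; None is the implicit deny."""
    for rule in acl:
        if all(_matches(r, f) for r, f in (
                (rule.direction, flow.direction), (rule.src, flow.src),
                (rule.src_port, flow.src_port), (rule.dst, flow.dst),
                (rule.dst_port, flow.dst_port), (rule.protocol, flow.protocol))):
            return rule
    return None

def required_flows(ise_ip: str, dns_ip: str, client_ip: str) -> List[Flow]:
    """What the replies above call out: the ISE portal on TCP 8443 in both
    directions, and DNS so the client can resolve the portal's host name."""
    return [
        Flow("client -> ISE portal", "inbound", client_ip, ANY, ise_ip, "8443", "tcp"),
        Flow("ISE portal -> client", "outbound", ise_ip, "8443", client_ip, ANY, "tcp"),
        Flow("client -> DNS", "inbound", client_ip, ANY, dns_ip, "53", "udp"),
        Flow("DNS -> client", "outbound", dns_ip, "53", client_ip, ANY, "udp"),
    ]

def check_preauth_acl(acl: List[AclRule], ise_ip: str, dns_ip: str,
                      client_ip: str = "10.20.30.40") -> List[str]:
    """Findings: BLOCKED (a required flow would be dropped), BROAD (permitted only
    by a rule that pins neither protocol nor port) or HINT (a UDP 8443 rule exists)."""
    findings: List[str] = []
    for flow in required_flows(ise_ip, dns_ip, client_ip):
        rule = first_match(acl, flow)
        if rule is None or rule.action != "permit":
            findings.append(f"BLOCKED: {flow.label}")
        elif rule.protocol == ANY or (rule.src_port == ANY and rule.dst_port == ANY):
            findings.append(f"BROAD: {flow.label} is permitted by a rule with no port/protocol")
    if any("8443" in (r.src_port, r.dst_port) and r.protocol == "udp" for r in acl):
        findings.append("HINT: a UDP rule for 8443 exists; the ISE portal is TCP 8443")
    return findings

# Constructed samples. LOOSE_ACL is the 'ISE to any / any to ISE / any to DNS /
# DNS to any' set from the thread with protocol and ports left at 'any'.
ISE_IP, DNS_IP = "192.0.2.10", "192.0.2.53"
LOOSE_ACL = [
    AclRule("outbound", ISE_IP, ANY, ANY, ANY, ANY, "permit"),
    AclRule("inbound", ANY, ANY, ISE_IP, ANY, ANY, "permit"),
    AclRule("inbound", ANY, ANY, DNS_IP, ANY, ANY, "permit"),
    AclRule("outbound", DNS_IP, ANY, ANY, ANY, ANY, "permit"),
]
# Same intent, but the portal lines were entered as UDP instead of TCP.
WRONG_PROTO_ACL = [
    AclRule("inbound", ANY, ANY, ISE_IP, "8443", "udp", "permit"),
    AclRule("outbound", ISE_IP, "8443", ANY, ANY, "udp", "permit"),
    AclRule("inbound", ANY, ANY, DNS_IP, "53", "udp", "permit"),
    AclRule("outbound", DNS_IP, "53", ANY, ANY, "udp", "permit"),
]
# Pinned to TCP 8443 and UDP 53 as the replies recommend: no findings.
TIGHT_ACL = [
    AclRule("inbound", ANY, ANY, ISE_IP, "8443", "tcp", "permit"),
    AclRule("outbound", ISE_IP, "8443", ANY, ANY, "tcp", "permit"),
    AclRule("inbound", ANY, ANY, DNS_IP, "53", "udp", "permit"),
    AclRule("outbound", DNS_IP, "53", ANY, ANY, "udp", "permit"),
]

if __name__ == "__main__":
    for name, acl in (("loose", LOOSE_ACL), ("wrong-proto", WRONG_PROTO_ACL), ("tight", TIGHT_ACL)):
        print(name, check_preauth_acl(acl, ISE_IP, DNS_IP) or ["OK"])
```

The loose set passes traffic but is flagged BROAD on all four flows, which is the "8443 and not just any" point made above; the UDP variant blocks both portal flows and gets the HINT, which is the TCP-versus-UDP mistake this reply warns about.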

eric.ahernandez
Beginner

I see this is a bit of an old thread, but right now I'm having the exact same problem. The weird thing is, it was working properly for a few weeks; suddenly today it started behaving like this: the redirection to the ISE portal gets done, and when I log in, ISE shows the authentication was done right and the users get redirected to https://1.1.1.1/login.html, but they can't access that URL, so it gets stuck there. Anyone know what's up with this?

Oooook, now I feel dumb for replying to my own post with the answer.... So it turns out I actually did make some changes the day before the problems started: I disabled the WebAuth SecureWeb option (since I don't have a certificate right now and I was testing to see if it stops doing the HTTPS redirection prompting for the certificate), and the problem was that after the authentication it still redirects to https://1.1.1.1/login.html, and it doesn't work because it's disabled. I'm trying to keep it disabled but still working; is there any way to configure the redirection to the WLC virtual IP address to be HTTP instead of HTTPS? Disabling the SecureWeb option doesn't seem to do the trick...
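Both failures in this thread happened at the same point of the flow mmangat quoted above: step 4, where the browser posts the credentials to the action URL on the controller's virtual interface (the original poster had not opened 443 to the anchor behind the firewall; eric.ahernandez had turned WebAuth SecureWeb off while the redirect still pointed at https://1.1.1.1/login.html). The script below is an added example, not code from any poster, from Cisco or from ISE: it builds the step-2 redirect with the parameters appended and then inspects the URL a stuck client shows for those two dead ends. The switch_url and wlan parameter names come from the original post; ap_mac and redirect are assumed names for the AP_Mac_Address and client_url values, and the 192.0.2.10 ISE address, the WLAN id and the client URL are constructed.

```python
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

def build_webauth_redirect(external_login_url: str, action_url: str, ap_mac: str,
                           client_url: str, wlan_id: int) -> str:
    """Step 2 above: send the unauthenticated client to the external login page with
    the controller's parameters appended. switch_url carries the action URL on the
    virtual interface and wlan the WLAN id (both seen in the original post);
    ap_mac and redirect are assumed names for the AP MAC and the client's URL."""
    params = {"switch_url": action_url, "ap_mac": ap_mac,
              "redirect": client_url, "wlan": wlan_id}
    sep = "&" if "?" in external_login_url else "?"
    return f"{external_login_url}{sep}{urlencode(params)}"

def check_redirect(redirect_url: str, virtual_ip: str, secureweb: bool,
                   firewall_permits: Set[Tuple[str, int]]) -> List[str]:
    """Diagnose the URL a stuck client shows. The login form posts to switch_url
    (step 4), so that target must be the virtual IP, an https target needs WebAuth
    SecureWeb enabled, and a firewall in front of the anchor must pass that port.
    firewall_permits holds (destination, tcp port) pairs the firewall allows."""
    query: Dict[str, List[str]] = parse_qs(urlsplit(redirect_url).query)
    action = query.get("switch_url", [""])[0]
    if not action:
        return ["no switch_url parameter: the login form has nowhere to POST"]
    parts = urlsplit(action)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    findings: List[str] = []
    if parts.hostname != virtual_ip:
        findings.append(f"switch_url host {parts.hostname} is not the virtual IP {virtual_ip}")
    if parts.scheme == "https" and not secureweb:
        findings.append("switch_url is https but WebAuth SecureWeb is disabled, "
                        "so the virtual IP will not answer on 443")
    if (virtual_ip, port) not in firewall_permits:
        findings.append(f"TCP {port} to the virtual IP is not opened on the firewall "
                        "in front of the anchor controller")
    return findings

# Constructed sample: ISE portal at a documentation address, the 1.1.1.1 virtual
# interface used in the thread, guest WLAN id 3, client originally asked for
# http://www.example.com/.
PORTAL_URL = "https://192.0.2.10:8443/guestportal/portal.jsp"
VIRTUAL_IP = "1.1.1.1"
SAMPLE_REDIRECT = build_webauth_redirect(
    PORTAL_URL, f"https://{VIRTUAL_IP}/login.html", "00:11:22:33:44:55",
    "http://www.example.com/", 3)

if __name__ == "__main__":
    print(SAMPLE_REDIRECT)
    # working anchor: SecureWeb on and 443 open to the virtual IP
    print(check_redirect(SAMPLE_REDIRECT, VIRTUAL_IP, True, {(VIRTUAL_IP, 443)}))
    # the two dead ends reported in this thread
    print(check_redirect(SAMPLE_REDIRECT, VIRTUAL_IP, False, {(VIRTUAL_IP, 443)}))
    print(check_redirect(SAMPLE_REDIRECT, VIRTUAL_IP, True, set()))
```

A real WLC fills in switch_url itself; the point of the check is that a client stuck on the virtual-IP login page is usually a transport problem on that one hop (scheme versus SecureWeb, or the port not reachable through a firewall), not an ISE or credential problem, which is consistent with ISE showing the authentication as successful in eric.ahernandez's case.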
