07-16-2013 07:53 AM - edited 07-04-2021 12:26 AM
Hello,
We configured web authentication on the WLC 5508 with ISE for the guest traffic. When a client tries to connect, it is redirected to a different URL. That is, the specified URL (the default redirection page of ISE) is 'https://<ISE IP>:8443/guestportal/portal.jsp', but the client is getting redirected to
'https://<ISE>:8443/guestportal/login.action?switch_url=https://<virtual IP>/login.html&wlan...'. And finally I am getting a "page cannot be displayed" error message.
Why does this happen? Any quick help would be really appreciated.
Moreover, I have doubts on the points below.
1) Should both the anchor and the foreign controllers be configured for web auth security, or only the anchor?
2) With external web redirection, does the client have to get the DNS-resolved entry for the specified URL, or does the WLC know to take it to the external web page?
3) Does any special configuration have to be done on ISE?
Thanks for your time
KVS
07-16-2013 08:16 AM
Hi,
When a user-defined guest portal is implemented, the URL should be in the format below:
https://
The ISE_Server_IP should either be the IP address of the ISE server or the DNS resolvable hostname of the ISE Server.
The external web authentication URL should only be specified in the Anchor Controller.
07-16-2013 08:37 AM
Thanks for your reply, Osita.
We are using the default setting for the guest portal access in ISE. We are not sure about the user-defined web page.
We even tried giving the direct IP of ISE, like https://ip address:8443/guestportal/portal.jsp,
https://ip address:8443/guestportal/login.action.
But still the web page is not displaying. What needs to be checked?
04-25-2014 12:34 AM
Well Prasanesh, I would suggest going through the Cisco how-to guide for step-by-step configuration of the WLC with ISE; you can compare to see if you have missed anything.
05-29-2014 03:46 PM
How is your pre-auth ACL configured in your WLC? This should be done on the anchor controller if you have one.
Also, if your DNS does not resolve the ISE IP address, you can check the checkbox option to use the IP address instead of the FQDN, and the portal port has to be permitted on the firewall as well.
07-16-2013 08:52 AM
Did you specify the URL in the external web auth login on the anchor controller?
Did you check the firewall to see if it may be blocking port 8443?
Are you using a pre-authentication ACL? If so, you have to make sure that there are both inbound and outbound ACL entries to and from the ISE on port 8443.
07-16-2013 10:40 AM
Did you specify the URL in the external web auth login on the anchor controller?
Yes, we have given it on the anchor controller.
Did you check the firewall to see if it may be blocking port 8443?
We have allowed the port.
Are you using a pre-authentication ACL? If so, you have to make sure that there are both inbound and outbound ACL entries to and from the ISE on port 8443.
We have allowed:
1. ISE to any
2. any to ISE
3. any to DNS
4. DNS to any
In the WLAN configuration, we specified the L3 security as web auth with external server and the URL of ISE (pre-auth ACL chosen). In the Advanced tab we gave AAA override.
In ISE we just allowed the Permit Access auth profile for the guest access.
Do we need to configure anything extra?
07-16-2013 11:18 AM
Hi,
For now, could you uncheck AAA override in the WLAN config.
Is your authentication policy on the ISE similar to the below:
IF (WLC_Web_Authentication and Wireless_Guest_WebAuth)
THEN (Allow Default Network Access (or user defined access) and USE Guest_Portal_Sequence)
WLC_Web_Authentication is a system-generated compound condition that matches Service-Type and NAS-Port-Type.
Wireless_Guest_WebAuth is a user-defined simple condition that matches the open guest SSID, i.e. Airespace-Wlan-Id EQUALS (number of the guest SSID on the WLC).
How is the authorization policy set up?
Are the devices that you have problems with Apple or Mac OS X?
If so, you need to add the command on the anchor controller: configure network web-auth captive-bypass enable.
Finally, could you confirm that in the pre-auth ACLs you specified port 8443 and not just any?
07-16-2013 11:40 AM
Really, thanks for the reply.
Yes, we have configured:
IF (WLC_Web_Authentication and Wireless_Guest_WebAuth)
THEN (Allow Default Network Access
For authorization, default permit any access.
We tried with Windows 7 clients.
Anyway, the anchor controller is placed after the firewall. We didn't open port 443 for redirection. We will enable it tomorrow, then check and let you know.
07-16-2013 07:03 PM
Hello,
How to Make an External (Local) Web Authentication Work with an External Page
As already briefly explained, the utilization of an external WebAuth server is just an external repository for the login page. The user credentials are still authenticated by the WLC. The external web server only allows you to use a special or different login page. Here are the steps performed for an external WebAuth:
The client (end user) opens a web browser and enters a URL.
If the client is not authenticated and external web authentication is used, the WLC redirects the user to the external web server URL. In other words, the WLC sends an HTTP redirect to the client with the website's spoofed IP address and points to the external server IP address. The external web authentication login URL is appended with parameters such as the AP_Mac_Address, the client_url (www.website.com), and the action_URL that the customer needs to contact the switch web server.
The external web server URL sends the user to a login page. Then the user can use a pre-authentication access control list (ACL) in order to access the server. The ACL is only needed for the Wireless LAN Controller 2000 series.
The login page takes the user credentials input and sends the request back to the action_URL, such as http://1.1.1.1/login.html, of the WLC web server. This is provided as an input parameter to the customer redirect URL, where 1.1.1.1 is the virtual interface address on the switch.
The WLC web server submits the username and password for authentication.
The WLC initiates the RADIUS server request or uses the local database on the WLC, and then authenticates the user.
If authentication is successful, the WLC web server either forwards the user to the configured redirect URL or to the URL the client entered.
If authentication fails, then the WLC web server redirects the user back to the customer login URL.
Note: If the access points (APs) are in FlexConnect mode, a preauth ACL is irrelevant. Flex ACLs can be used to allow access to the web server for clients that have not been authenticated.
For more details, please refer to the following:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080bf7d89.shtml#redirect
07-16-2013 07:41 PM
Hi Mantej Mangat,
All the guest credentials will be generated in ISE through the sponsor portal. But how does the WLC come to know the guest credentials if we follow the above method as mentioned by you?
07-21-2013 07:05 PM
Hello Prasan,
In the above scenario the WLC sends the authentication request to the server on behalf of the user, and when the WLC sends the authentication request to the external server it keeps track of this request. In this way it comes to know that authentication is successful.
08-14-2013 03:13 AM
Hi
In case you haven't resolved your problem, I would like to ask if you have created a DNS record for the ISE? Also, if you're using a pre-authentication ACL on the WLC, make sure that the protocol is TCP and not UDP for port 8443.
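The pre-auth ACL advice in this thread (ISE reachable both ways on TCP 8443, DNS allowed, everything else implicitly denied) can be checked offline. The following is an added example, not Cisco code: a small simulation of a WLC-style ordered ACL, with constructed addresses and rules, that reports which web-auth flows a given ACL would drop. Direction semantics (inbound = from the wireless client) and the rule fields are my simplification.

```python
"""Simulate a WLC pre-authentication ACL against the flows guest web-auth needs.

Added example for this thread, not Cisco code. Addresses, rule layout and the
required-flow list are constructed; 'inbound' means traffic from the client.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "direction proto src dst dport action")
Flow = namedtuple("Flow", "direction proto src dst dport")

# Constructed addresses (documentation ranges), not from the thread.
ISE, DNS, GUEST = "10.10.10.5", "10.10.10.53", "192.168.50.20"

# ACL mirroring the thread's four entries, with ISE restricted to TCP 8443.
GOOD_ACL = [
    Rule("inbound", "tcp", "any", ISE, 8443, "permit"),   # client -> portal
    Rule("outbound", "tcp", ISE, "any", "any", "permit"), # portal replies
    Rule("inbound", "udp", "any", DNS, 53, "permit"),     # client -> DNS
    Rule("outbound", "udp", DNS, "any", "any", "permit"), # DNS replies
]
# Same ACL but with the protocol mistake the thread warns about (UDP 8443).
BAD_ACL = [Rule("inbound", "udp", "any", ISE, 8443, "permit")] + GOOD_ACL[1:]


def match(rule, flow):
    """A rule matches when every field agrees; 'any' wildcards that field."""
    for field in ("direction", "proto", "src", "dst", "dport"):
        want, have = getattr(rule, field), getattr(flow, field)
        if want != "any" and want != have:
            return False
    return True


def permitted(acl, flow):
    """First matching rule wins; the ACL ends in an implicit deny."""
    for rule in acl:
        if match(rule, flow):
            return rule.action == "permit"
    return False


def missing_flows(acl, client, ise, dns):
    """Return the flows needed for the redirect and login that the ACL drops."""
    needed = [
        Flow("inbound", "tcp", client, ise, 8443),
        Flow("outbound", "tcp", ise, client, "any"),
        Flow("inbound", "udp", client, dns, 53),
        Flow("outbound", "udp", dns, client, "any"),
    ]
    return [f for f in needed if not permitted(acl, f)]
```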
04-22-2014 03:41 PM
I see this is a bit of an old thread; right now I'm having the exact same problem. The weird thing is, it was working properly for a few weeks; suddenly today it started behaving like this: the redirection to the ISE portal gets done, and when I log in, ISE shows the authentication was done right and the users get redirected to https://1.1.1.1/login.html, but they can't access that URL so it gets stuck there. Does anyone know what's up with this?
04-22-2014 04:39 PM
Oooook, now I feel dumb for replying to my own post with the answer... So it turns out I actually did make some changes a day before the problems started: I disabled the WebAuth SecureWeb option (since I don't have a certificate right now and I was testing to see if it stops doing the HTTPS redirection prompting for the certificate), and the problem was that after the authentication it still redirects to https://1.1.1.1/login.html, and it doesn't work because it's disabled. I'm trying to disable it but keep it working; is there any way to configure the redirection to the WLC virtual IP address to be HTTP instead of HTTPS? Disabling the SecureWeb option doesn't seem to do the trick...
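The external web-auth flow described in the Cisco excerpt above, and the SecureWeb mismatch in the last post, both come down to what the WLC appends to the redirect URL and where the login page posts back. The following is an added example, not Cisco or ISE code: it parses a constructed redirect URL of the shape seen at the top of the thread and reports the mismatches a defender would check. The switch_url and wlan parameter names appear in the thread; ap_mac and redirect are assumed to follow the WLC's usual query string.

```python
"""Parse and sanity-check a WLC external web-auth redirect URL.

Added example for this thread, not Cisco code. The sample URL is constructed;
switch_url and wlan are from the thread, ap_mac and redirect are assumed.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the URL the guest's browser is sent to.
SAMPLE_REDIRECT = (
    "https://ise.example.net:8443/guestportal/login.action"
    "?switch_url=https://1.1.1.1/login.html"
    "&wlan=Guest&ap_mac=00:11:22:33:44:55&redirect=www.website.com"
)


def parse_redirect(url):
    """Split the URL into portal host/port/path and the appended parameters."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"portal_host": parts.hostname, "portal_port": parts.port,
            "path": parts.path, "params": params}


def check_redirect(url, virtual_ip, secureweb_enabled, portal_port=8443):
    """Return a list of problems; an empty list means the flow looks consistent.

    Checks: the portal port matches what the pre-auth ACL and firewall open,
    switch_url points back at the WLC virtual interface (not some other host),
    and its scheme matches whether the WLC serves the login page over HTTPS.
    """
    info = parse_redirect(url)
    problems = []
    if info["portal_port"] != portal_port:
        problems.append("portal port %s is not %d" % (info["portal_port"], portal_port))
    sw = info["params"].get("switch_url")
    if sw is None:
        problems.append("switch_url missing: login page cannot post back to WLC")
        return problems
    sw_parts = urlsplit(sw)
    if sw_parts.hostname != virtual_ip:
        problems.append("switch_url host %s is not the virtual IP %s"
                        % (sw_parts.hostname, virtual_ip))
    expected = "https" if secureweb_enabled else "http"
    if sw_parts.scheme != expected:
        problems.append("switch_url scheme %s but WLC serves %s" % (sw_parts.scheme, expected))
    return problems
```

With SecureWeb disabled, the scheme check reproduces the stuck-at-https://1.1.1.1/login.html symptom from the last post as a reported mismatch.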