
WLC 9800 Redirect ACL to ISE v3 Guest Portal

Mike Pennycook
Level 1

Hi All, 

 

I'm trying to get the redirect ACL working on the WLC 9800, which should redirect users on the Guest WiFi to a self-registration portal hosted on Cisco ISE v3. 

 

When I use the following ACL, the user signs into the Guest WiFi and automatically a browser window pops up with the Guest portal. However upon registration and sign-in, the page stands at loading and there is no internet access. The client monitoring page on the 9800 WLC also shows the user transitioning from a state of 'Web-auth' to 'Run', but again, no Internet access:

 
 

9800-acl1.jpg

 

 

When I use the following ACL, the user signs into the Guest WiFi and there is no automatic redirect to the Guest WiFi portal and it does not load:

 

9800-acl-2.png

 

I know the redirect ACLs work differently on the WLC compared with traditional ACLs. Please help if you know what could be wrong.

 

Much appreciated!

1 Accepted Solution

Accepted Solutions

Hannes_Weber
Level 1

Hi,

 

I'm also struggling with the redirects, but I'm a step further.

In the first redirect ACL, line 6 needs to be a "permit any any ip", because you currently only allow http traffic, not https traffic.

Basically the "deny" rules are not triggering a redirect, the permit rule is triggering the redirect and if the redirect was a success, that traffic is allowed. 

 

Note: Like I said, I'm currently struggling a bit further... those settings work, but the captive portal only pops up for Windows and Android, not for iPhones, and I'm currently searching for a resolution for that...
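The first-match behaviour described in the accepted answer, modelled as an added example (not code from the thread or from Cisco). The ACL entries, addresses and port 8443 are constructed, since the original ACLs were posted as images; "no-redirect" only means the entry does not trigger a redirect.

```python
import ipaddress

ISE = "192.0.2.10"  # placeholder for the ISE portal node (constructed)

# Constructed redirect ACLs, evaluated top-down, first match wins.
# Entry: (action, protocol, destination, destination port or None for any).
BYPASS = [
    ("deny", "udp", "any", 53),   # DNS must resolve before any redirect
    ("deny", "ip", ISE, None),    # traffic to the portal itself
]
HTTP_ONLY = BYPASS + [("permit", "tcp", "any", 80)]    # only HTTP is caught
PERMIT_IP = BYPASS + [("permit", "ip", "any", None)]   # the answer's change

# Constructed client flows: (label, protocol, destination, port).
FLOWS = [
    ("dns", "udp", "198.51.100.53", 53),
    ("portal", "tcp", ISE, 8443),
    ("http", "tcp", "203.0.113.5", 80),
    ("https", "tcp", "203.0.113.5", 443),
]

def matches(entry, proto, dst, dport):
    """True if one ACL entry matches the flow's protocol, destination and port."""
    _, e_proto, e_dst, e_port = entry
    if e_proto not in ("ip", proto):
        return False
    if e_dst != "any" and ipaddress.ip_address(dst) not in ipaddress.ip_network(e_dst):
        return False
    return e_port is None or e_port == dport

def decide(acl, proto, dst, dport):
    """In a redirect ACL, permit means redirect and deny means leave alone."""
    for entry in acl:
        if matches(entry, proto, dst, dport):
            return "redirect" if entry[0] == "permit" else "no-redirect"
    return "no-redirect"  # implicit deny at the end of the list

def evaluate(acl):
    """Map each sample flow label to the redirect decision under this ACL."""
    return {label: decide(acl, p, d, port) for label, p, d, port in FLOWS}

if __name__ == "__main__":
    for name, acl in (("HTTP_ONLY", HTTP_ONLY), ("PERMIT_IP", PERMIT_IP)):
        print(name, evaluate(acl))
```

Entry order matters in this model: placing the permit line above the deny lines would mark DNS and portal traffic for redirect as well.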

Hi, to get the portal to work with iPhones you will need to force HTTPS sessions on the WLC controller. This solution worked for me, but please understand there are some complications with enabling it which don't affect my environment.

 

enable:  

WLC>Management>http-https>HTTPS Redirection 

 

Hi,

 

That is a setting on the AirOS WLC, right?

Unfortunately I have the problem on the new C9800 Controllers. (The old environment with the same ISE, but WISMs works fine, but I don't have enough knowledge about the old controllers to figure out why (the mentioned HTTPS redirection is off))

 

But to explain the problem further:

It's only the popup that is not working. They do get redirected, but since most sites are https sites, the redirect that gets sent with the cert from the controller triggers a security warning that the cert doesn't match the requested site.

The initial popup from the Apple CNA which sends a http request to "captive.apple.com" doesn't trigger the popup.   

 

Mike Pennycook
Level 1

@Hannes_Weber 

Thanks, I amended the line as you suggested, and there was a firewall rule that also needed to be changed. Once done, the client can browse fine after signing in on the guest portal.

 

In my case the redirect is working on Windows 10 laptops/iPhones. I also recall seeing captive.apple.com in Wireshark captures.