WLC PEAP plus web redirect with ISE2.4

zhilimailbox
Level 1

Hi there,

We want to use PEAP for user authentication and then web redirect to an internal web page for working instructions. We are using ISE 2.4 and a Cisco WLC with FlexConnect APs.

I have tried to use a Cisco AV pair (attached) in the authorization profile.

In the redirect ACL, I have the ACL configured (attached) allowing DHCP, DNS, the web server, etc.

 

Once the client is connected, in the WLC:

- the client gets an IP from the right VLAN

- status showing webauth_reqd

- browsing http://cisco.com triggers the web redirect, but it eventually fails.

 

Could someone help with what would be the right configuration on ISE and WLC?

Thanks,


Accepted Solution

Here's the way it works - for a simple use case involving CWA (Central Web Auth) and two PSNs

 

Create two AuthZ Result Profiles - one per PSN

 

1. Create two AuthZ Profiles.PNG

 

 

The details of each Profile are shown below - notice how we don't manually specify the RADIUS AVPair attribute data ... we just put a check in the appropriate boxes and fill in the FQDN of each PSN (e.g. guest1.mycompany.com could be a DNS CNAME record that points to the PSN's FQDN like ise01.dc1.mycompany.com - whatever works for you)

 

2. Result1.PNG

 

And similarly for PSN2

3. Result2.PNG

 

 

Then apply some logic as shown below - notice how we need to test WHICH PSN is processing the MAB request in order to return the appropriate AuthZ profile ...

 

4. Policy Set.PNG

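The accepted solution above boils down to two things: one authorization profile per PSN, each carrying a redirect hostname that resolves to that PSN, and a policy rule that picks the profile based on which PSN is processing the request. The following Python is an added example, not code from the thread or from Cisco ISE. It models that selection logic and then performs the check a practitioner would run when a client sits in webauth_reqd and the redirect fails: parse the url-redirect av-pair out of the returned Access-Accept and confirm the host resolves to the PSN that built the session. The PSN names, IPs, CNAMEs, ACL name, portal id, session id and the exact URL layout are constructed assumptions.

```python
"""Added example (not from the thread, not ISE code): one AuthZ profile per PSN,
a policy rule keyed on the processing PSN, and a redirect-target consistency check.
All hostnames, addresses, ids and the URL layout below are constructed assumptions."""
from urllib.parse import urlsplit

# Constructed lab data.
PSN1 = "ise01.dc1.mycompany.com"
PSN2 = "ise02.dc2.mycompany.com"

# Static hostname typed into the Web Redirection section of each AuthZ profile;
# each is a CNAME to its own PSN, as the accepted answer suggests.
REDIRECT_HOST = {PSN1: "guest1.mycompany.com", PSN2: "guest2.mycompany.com"}

# Constructed DNS view: CNAME records for the guest names, A records for the PSNs.
DNS = {
    "guest1.mycompany.com": PSN1,
    "guest2.mycompany.com": PSN2,
    PSN1: "10.1.0.11",
    PSN2: "10.2.0.11",
}

REDIRECT_ACL = "CWA_REDIRECT"   # redirect ACL name on the WLC (assumed)
PORTAL_ID = "a1b2c3d4"          # constructed portal identifier


def authz_profile(psn, session_id, portal_id=PORTAL_ID):
    """cisco-av-pairs the profile tied to `psn` returns.
    The URL layout is an assumption modelled on the ISE CWA gateway URL."""
    host = REDIRECT_HOST[psn]
    return [
        f"url-redirect-acl={REDIRECT_ACL}",
        f"url-redirect=https://{host}:8443/portal/gateway"
        f"?sessionId={session_id}&portal={portal_id}&action=cwa",
    ]


def policy_rule(ise_host_name, session_id):
    """Policy-set logic: match on the PSN handling the request and return
    that PSN's profile (the 'which PSN is processing this' condition)."""
    if ise_host_name not in REDIRECT_HOST:
        raise ValueError(f"no authorization profile for PSN {ise_host_name}")
    return authz_profile(ise_host_name, session_id)


def resolve(name, dns=DNS):
    """Follow CNAMEs until a name that has no further record (the address)."""
    seen = set()
    while name in dns and name not in seen:
        seen.add(name)
        name = dns[name]
    return name


def redirect_host(av_pairs):
    """Pull the hostname out of the url-redirect av-pair, or None if absent."""
    for pair in av_pairs:
        if pair.startswith("url-redirect="):
            return urlsplit(pair.split("=", 1)[1]).hostname
    return None


def redirect_matches_psn(av_pairs, processing_psn, dns=DNS):
    """True when the client will be sent to the PSN that owns its session."""
    host = redirect_host(av_pairs)
    return host is not None and resolve(host, dns) == resolve(processing_psn, dns)


if __name__ == "__main__":
    sid = "0a0100010000002f5d0b9c3e"   # constructed session id
    for psn in (PSN1, PSN2):
        pairs = policy_rule(psn, sid)
        print(psn, "->", redirect_host(pairs), redirect_matches_psn(pairs, psn))
    # A single hand-typed av-pair that always names PSN-01 breaks as soon as
    # PSN-02 processes the request: the redirect lands on a PSN with no session.
    manual = authz_profile(PSN1, sid)
    print("manual PSN-01 av-pair, request handled by PSN-02:",
          redirect_matches_psn(manual, PSN2))
```

The last two lines reproduce the failure mode the first reply asks about: a manually entered av-pair is static, so whenever the secondary PSN handles the authentication the client is redirected to a node that never created the session. Using the profile's own Web Redirection setting, one profile per PSN, keeps the redirect host and the processing PSN in step.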

3 Replies

Arne Bier
VIP

I can't say I have done this myself, but it's an interesting use case.

Are you 100% sure that the PSN that processed the 802.1X request is the same PSN that is referred to in the redirect URL? The point is that you have to ensure that the client gets redirected to the very same PSN that created the session entry, because only that PSN will accept the session from the client (due to the data in the URL).

In your screenshot you showed the Cisco AVPair - did you enter this manually, or did you use the URL Redirection check box in the Authorization Result? Can you share your settings of the AuthZ Result?

 

Many thanks for the reply!

I am using PSN-01 as primary and PSN-02 as secondary. There is no load balancer. What is the best way to make sure the same PSN handles the redirect?

 

I have manually added the AV pair in the result.

Thanks,
