05-11-2020 12:49 AM - edited 07-05-2021 12:02 PM
Hi there,
We want to use PEAP for user authentication and then web redirect to an internal web page for working instructions. We are using ISE 2.4 and a Cisco WLC with FlexConnect APs.
I have tried to use the Cisco AV pair (attached) in the authorization profile.
In the redirect ACL, I have the ACL configured (attached) allowing DHCP, DNS, the web server, etc.
Once the client is connected, in the WLC:
- the client gets an IP from the right VLAN
- status showing webauth_reqd
- browsing to http://cisco.com triggers the web redirect, but it fails eventually.
Could someone help with what would be the right configuration on ISE and WLC?
Thanks,
05-12-2020 03:15 PM
I can't say I have done this myself, but it's an interesting use case.
Are you 100% sure that the PSN that processed the 802.1X request is the same PSN that is referred to in the redirect URL? The point is that you have to ensure that the client gets redirected to the very same PSN that created the session entry, because only that PSN will accept the session from the client (due to the data in the URL).
In your screenshot you showed the Cisco AVPair - did you enter this manually, or did you use the URL Redirection check box in the Authorization Result? Can you share your settings of the AuthZ Result?
05-14-2020 03:28 PM
Many thanks for the reply!
I am using PSN-01 as primary and PSN-02 as secondary. There is no load balancer. What is the best way to make sure the same PSN handles the redirect?
I have manually added the AV pair in the result.
Thanks,
05-14-2020 05:01 PM
Here's the way it works - for a simple use case involving CWA (Central Web Auth) and two PSNs:
Create two AuthZ Result Profiles - one per PSN.
The details of each Profile are shown below - notice how we don't manually specify the RADIUS AVPair attribute data ... we just put a check in the appropriate boxes and fill in the FQDN of each PSN (e.g. guest1.mycompany.com could be a DNS CNAME record that points to the PSN's FQDN like ise01.dc1.mycompany.com - whatever works for you).
And similarly for PSN2.
Then apply some logic as shown below - notice how we need to test WHICH PSN is processing the MAB request in order to return the appropriate AuthZ profile.
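As an added illustration (not code from the thread or from ISE), the following Python models the answer's per-PSN profile selection and the failure mode raised earlier in the thread: a hand-typed url-redirect AV pair that always names one PSN sends clients to a node that has no record of their session. The PSN hostnames, profile names, ACL name and portal id are assumed; the URL shape follows ISE's CWA portal gateway form.

```python
from urllib.parse import urlparse

# Constructed sample data (assumed names, not from the thread): the DNS
# CNAMEs from the answer and one AuthZ profile per PSN.
DNS = {
    "guest1.mycompany.com": "ise01.dc1.mycompany.com",
    "guest2.mycompany.com": "ise02.dc1.mycompany.com",
}
AUTHZ_PROFILES = {
    "CWA-PSN-01": {"redirect_host": "guest1.mycompany.com", "acl": "CWA-REDIRECT"},
    "CWA-PSN-02": {"redirect_host": "guest2.mycompany.com", "acl": "CWA-REDIRECT"},
}

def build_avpairs(profile_name, session_id):
    """Build the two cisco-av-pair values a redirect profile returns
    (url-redirect-acl and url-redirect). Portal id is a placeholder."""
    prof = AUTHZ_PROFILES[profile_name]
    url = (f"https://{prof['redirect_host']}:8443/portal/gateway"
           f"?sessionId={session_id}&portal=PORTAL-ID-PLACEHOLDER&action=cwa")
    return [f"url-redirect-acl={prof['acl']}", f"url-redirect={url}"]

def select_profile(processing_psn):
    """The answer's policy logic: pick the profile whose redirect FQDN
    resolves to the PSN that is processing this request."""
    for name, prof in AUTHZ_PROFILES.items():
        if DNS.get(prof["redirect_host"]) == processing_psn:
            return name
    raise LookupError(f"no CWA profile for PSN {processing_psn}")

def redirect_reaches_session_owner(avpairs, session_owner_psn):
    """The check behind the failure mode: the client must land on the PSN
    that created the session; any other PSN does not know the sessionId."""
    for pair in avpairs:
        if pair.startswith("url-redirect="):
            host = urlparse(pair.split("=", 1)[1]).hostname
            return DNS.get(host, host) == session_owner_psn
    return False

def evaluate(processing_psn, session_id, static_profile=None):
    """Return (profile, ok). static_profile models a hand-typed AV pair that
    always names one PSN, as in the question; None models the per-PSN logic."""
    profile = static_profile or select_profile(processing_psn)
    ok = redirect_reaches_session_owner(build_avpairs(profile, session_id), processing_psn)
    return profile, ok
```

With the per-PSN logic, a request processed by the secondary PSN is redirected to that PSN; with a static profile pointing at PSN-01, the same request fails the check, which is the behaviour the question describes.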