165 Views | 0 Helpful | 9 Replies

Guest Portal Access Cisco ISE work with C9800

huseyin (Level 1)

ADA LAB Guest Management with ISE

Inventory:

Cisco C3850 PoE+ 24 Port 10G Uplink switch (latest IOS version)

Cisco C9800-CL Wireless Controller ver 17.12.4

Cisco 1815i AP (latest IOS version)

Cisco ISE v3.1

Active Directory Windows 2022 Standard Evaluation (latest update)

Cisco ISE ESXi Host Configuration

[screenshot: huseyin_0-1738665288683.png]

Cisco C9800 ESXi Host Configuration

[screenshot: huseyin_1-1738665288684.png]

 

Lab Local Network Table:

VLAN Name    VLAN ID   VLAN Network         Subnet   Gateway (ASA)     ISE IP
Management   40        192.168.40.1-254     /24      192.168.40.254    192.168.40.236
BYOD         91        10.10.91.1-254       /24      10.10.91.254      10.10.91.236
Guest        10        10.10.10.1-254       /24      10.10.10.254      10.10.10.236
Inside       90        10.10.90.1-254       /24      10.10.90.254      10.10.90.236
Quarantina   3         192.168.3.1-254      /24      192.168.3.254     192.168.3.236
Server       100       192.168.100.1-254    /24      192.168.100.254   192.168.100.236

 

We are configuring all interfaces on Cisco ISE. Our target is to separate the networks from each other. For this reason we have more security and simply different links for Guest or BYOD access. We can also use it for Quarantina operations.

The ISE Guest Portal settings are:

Guest Portal    IP             Port
Hotspot         10.10.10.236   8999
Self-Register   10.10.10.236   8997
Sponsored       10.10.10.236   8998
Sponsor         10.10.90.236   8945

 

The topology is as below; RADIUS and the web server are on the same device, Cisco ISE.

[topology diagram: huseyin_2-1738665288686.jpeg]

 

All ports and links are working very successfully in their VLANs. Supposing we use a Pre-Shared Key (PSK) to join the relevant VLAN, everything is fine. We can access all links.

But when we tried 802.1X it is not working! I guess this problem is a network problem, but I did not resolve it. When 802.1X access is active, the redirection works but the relevant link does not come up. I wait for many minutes. After that, I need to reset my laptop network settings.

When I create a Web Auth under Configuration -> Security -> Web Auth in the C9800 Web GUI, the device automatically creates 2 different ACL groups.

[screenshot: huseyin_3-1738665288690.png]

And the second ACL group:

[screenshot: huseyin_4-1738665288693.png]

And unfortunately, they are not doing any updates.

Does anyone have any suggestions?

Regards

9 Replies

Aref, thanks a lot for your answer.

I have read that content a thousand times, but this link is NOT correct for my scenario.

I need to edit the ACL on the C9800 and on ISE.

You're welcome. From ISE perspective you need to reference the exact redirect ACL name in the redirection authorization profile. The ACL on the WLC would need to be adjusted, or maybe you can create a new one. The redirect ACL you define on the WLC should deny (not redirect) the traffic destined to ISE on the ports that would be used by the portals. For instance if the port is 8997/tcp then you would have a deny rule with that port as the destination in addition to the DNS and DHCP traffic that also should be denied on the redirect ACL.

Could you please share the link that you get when you get redirected and ISE redirection authorization profile for review?

huseyin (Level 1)

The shared link from the Cisco ISE Guest Self-Registered Portal:

https://10.10.10.236:8997/portal/PortalSetup.action?portal=d06bc251-f644-4fc3-b09f-dae9bd8a86d5

I added this link to Web Auth.

Also, the ISE authorization detail:

[screenshot: huseyin_0-1738674509105.png]

And the ACL4Guest ACL group on the C9800:

[screenshot: huseyin_1-1738674624545.png]

 

The ACL4Guest ACL need to have the deny action for anything that shouldn't be redirected, so rules 1, 3, and 4 should be configured with deny action. Rule 2 you can move it to the very end, and I think you don't need rule 5, so you can remove that one. Also, if your clients get an IP from a DHCP server, then you should add a new rule to allow that traffic, similar to what you have configured for DNS.

huseyin (Level 1)

I edited ACL4Guest:

[screenshot: huseyin_0-1738683014798.png]

But it is not working.

I added a rule for 443 again, because the link starts with https, but again it was not working. I removed the rule for 443.

The final rule set is:

[screenshot: huseyin_1-1738683252509.png]

The link in Chrome:

https://10.10.10.236:8997/portal/PortalSetup.action?portal=d06bc251-f644-4fc3-b09f-dae9bd8a86d5?switch_url=http://192.0.2.1/login.html&redirect=http://www.msftconnecttest.com/redirect

But it does not happen.

 

huseyin (Level 1)

I didn't understand your last words: "Also, if your clients get an IP from a DHCP server, then you should add a new rule to allow that traffic, similar to what you have configured for DNS."

What does it mean? I have a DHCP server on VLAN 10 (the Guest VLAN), so I don't need any redirect for DHCP requests. The Cisco ASA is doing DHCP, and when I join the Guest VLAN I get an IP address from VLAN 10.

[screenshot: huseyin_2-1738683471915.png]

 

We are talking about a redirect ACL right? anything we define on that ACL would be reflecting what is going to be redirected and what's not. The deny rules you have are correct, however, the last rule the one with the www port needs to have a permit action, which means we want the web traffic on port 80/tcp to be redirected. Try to edit that and see if it works.

My comment around the DHCP would only apply if the clients would need to send their DHCP requests on the LAN. For instance, if you connect a client to your network and the client needs to go through the DORA process, it means that we need to ensure DHCP traffic will not be redirected. The way we do this is by creating a new rule on the redirect ACL saying deny udp any any on port 67, which is the DHCP server port. However, because you said the clients are getting their IP addresses from the ASA ahead of being redirected, then you don't need that rule.
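The redirect-ACL semantics described in Aref's two replies above (deny = leave the packet alone, permit = intercept and send to the portal; ISE portal ports, DNS and DHCP must be denied; plain HTTP is the only thing permitted) written out as a C9800 IOS-XE ACL. This is an added example, not configuration posted in the thread. The ACL name ACL4Guest, the ISE address 10.10.10.236 and the portal ports 8997/8998/8999 are taken from the thread; the sequence numbers and the DHCP line (kept as a safe default even though the ASA hands out the address) are assumptions.

```cisco
ip access-list extended ACL4Guest
 remark Added example. Redirect ACL: deny = pass through untouched, permit = intercept and redirect
 remark 10-20: DHCP (bootps/67) and DNS must never be intercepted (sequence numbers assumed)
 10 deny udp any any eq bootps
 20 deny udp any any eq domain
 remark 30-50: the ISE guest portals themselves must be reachable directly, or the portal page loops
 30 deny tcp any host 10.10.10.236 eq 8997
 40 deny tcp any host 10.10.10.236 eq 8998
 50 deny tcp any host 10.10.10.236 eq 8999
 remark 60: only plain HTTP is intercepted; this is the line that must be a permit
 60 permit tcp any any eq www
```

On the ISE side the Authorization Profile's Web Redirection (CWA) entry must name this ACL exactly as it is spelled on the controller (ACL4Guest); the profile sends only the name, the controller supplies the rules. To check what a client actually received, use show ip access-lists ACL4Guest on the 9800 and show wireless client mac-address <client-mac> detail, which lists the redirect ACL and redirect URL applied to that session. Permitting 443 does not help here: the 9800 does not intercept HTTPS unless that is explicitly enabled, and even then the client gets a certificate warning, so the normal approach is to redirect port 80 only and let the operating system's captive-portal probe (the msftconnecttest.com URL visible in the Chrome link above) trigger the redirect.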