02-04-2025 02:42 AM - edited 02-04-2025 02:45 AM
ADA LAB Guest Management with ISE
Inventory:
Cisco C3850 PoE+ 24 Port 10G Uplink switch (latest IOS version)
Cisco C9800-CL Wireless Controller ver 17.12.4
Cisco 1815i AP (latest IOS version)
Cisco ISE v3.1
Active Directory Windows 2022 Standard Evaluation (latest update)
Cisco ISE ESXi Host Configuration
Cisco C9800 ESXi Host Configuration
Lab Local Network Table:
VLAN Name | VLAN ID | VLAN Network | Subnet | Gateway ASA | ISE IP
Management | 40 | 192.168.40.1-254 | /24 | 192.168.40.254 | 192.168.40.236
BYOD | 91 | 10.10.91.1-254 | /24 | 10.10.91.254 | 10.10.91.236
Guest | 10 | 10.10.10.1-254 | /24 | 10.10.10.254 | 10.10.10.236
Inside | 90 | 10.10.90.1-254 | /24 | 10.10.90.254 | 10.10.90.236
Quarantina | 3 | 192.168.3.1-254 | /24 | 192.168.3.254 | 192.168.3.236
Server | 100 | 192.168.100.1-254 | /24 | 192.168.100.254 | 192.168.100.236
We are configuring all interfaces on Cisco ISE. Our target is to separate the networks. For this reason, we have more security and different links to access for Guest or BYOD. Also, we can use it for Quarantina operations.
The ISE Guest Portal settings are:
Guest | IP | Port
Hotspot | 10.10.10.236 | 8999
Self-Register | 10.10.10.236 | 8997
Sponsored | 10.10.10.236 | 8998
Sponsor | 10.10.90.236 | 8945
The topology is like below; RADIUS and the web server are on the same device, Cisco ISE.
All ports and links are working successfully in their VLANs. Suppose we are using a Preshared Key (PSK) to join the relevant VLAN: everything is fine. We can access all links.
But when we tried 802.1X, it's not working! I guess this problem is a network problem, but I did not resolve it. When 802.1X access is active, the redirection works but the relevant link does not come up. I waited many minutes. After that, I needed to reset my laptop network settings.
When I create a Configuration -> Security -> Web Auth in the C9800 Web GUI, the device automatically creates 2 different ACL groups.
And the second ACL group:
And unfortunately, they are not doing any updates.
Does anyone have any suggestions?
Regards
02-04-2025 04:18 AM
Have you checked this link?
02-04-2025 04:24 AM
Aref, thanks a lot for your answer.
I have read that content a thousand times, but this link is NOT correct for my scenario.
I need to edit the ACL on the C9800 and ISE.
02-04-2025 05:00 AM
You're welcome. From the ISE perspective you need to reference the exact redirect ACL name in the redirection authorization profile. The ACL on the WLC would need to be adjusted, or maybe you can create a new one. The redirect ACL you define on the WLC should deny (not redirect) the traffic destined to ISE on the ports that would be used by the portals. For instance, if the port is 8997/tcp then you would have a deny rule with that port as the destination, in addition to the DNS and DHCP traffic that should also be denied on the redirect ACL.
Could you please share the link that you get when you get redirected and ISE redirection authorization profile for review?
02-04-2025 05:08 AM
The shared link from the Cisco ISE Guest Self-Registered Portal:
https://10.10.10.236:8997/portal/PortalSetup.action?portal=d06bc251-f644-4fc3-b09f-dae9bd8a86d5
I added this link to Web Auth.
Also, the ISE authorization detail:
02-04-2025 05:10 AM
And the ACL4Guest ACL group on the C9800:
02-04-2025 06:35 AM
The ACL4Guest ACL needs to have the deny action for anything that shouldn't be redirected, so rules 1, 3, and 4 should be configured with the deny action. Rule 2 you can move to the very end, and I think you don't need rule 5, so you can remove that one. Also, if your clients get an IP from a DHCP server, then you should add a new rule to allow that traffic, similar to what you have configured for DNS.
02-04-2025 07:35 AM
I edited ACL4Guest.
But it's not working.
I added a rule for 443 again because the link starts with https, but again it was not working. I removed the rule for 443.
Finally, the rule set is:
On Chrome, the link:
But it cannot happen.
02-04-2025 07:38 AM
I didn't understand your last words: "Also, if your clients get an IP from a DHCP server, then you should add a new rule to allow that traffic, similar to what you have configured for DNS."
What does it mean? I have a DHCP server on VLAN 10 (Guest VLAN), so I don't need any redirect for DHCP requests. Cisco ASA is working for DHCP, and when I join the Guest VLAN I get an IP address for this VLAN 10.
02-05-2025 10:51 AM
We are talking about a redirect ACL, right? Anything we define on that ACL reflects what is going to be redirected and what's not. The deny rules you have are correct; however, the last rule, the one with the www port, needs to have a permit action, which means we want the web traffic on port 80/tcp to be redirected. Try to edit that and see if it works.
My comment around DHCP would only apply if the clients would need to send their DHCP requests on the LAN. For instance, if you connect a client to your network and the client needs to go through the DORA process, it means that we need to ensure DHCP traffic will not be redirected. The way we do this is by creating a new rule on the redirect ACL saying deny udp any any on port 67, which is the DHCP server port. However, because you said the clients are getting their IP addresses from the ASA ahead of being redirected, then you don't need that rule.
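As an added illustration (not posted by anyone in this thread), here is what the ACL4Guest redirect ACL would look like in C9800 IOS-XE CLI form, following the advice above: deny (do not redirect) DNS, DHCP and the traffic to the ISE guest portals, and permit (redirect) web traffic on port 80/tcp. The ISE address and portal ports come from the original post's tables; the remark text and the optional DHCP rule are assumptions.

```cisco
! Redirect ACL on the C9800 (IOS-XE). The name must match exactly the ACL
! referenced in the ISE redirection authorization profile.
! On a redirect ACL: deny = do NOT redirect, permit = redirect to the portal.
ip access-list extended ACL4Guest
 remark --- traffic that must reach its real destination (not redirected) ---
 remark DNS resolution must work before the browser can be redirected
 deny   udp any any eq domain
 remark DHCP (only needed if clients DHCP across the WLC; otherwise optional)
 deny   udp any eq bootpc any eq bootps
 remark ISE guest portals on the Guest-VLAN interface 10.10.10.236
 deny   tcp any host 10.10.10.236 eq 8997
 deny   tcp any host 10.10.10.236 eq 8998
 deny   tcp any host 10.10.10.236 eq 8999
 remark --- traffic to be intercepted and redirected to the portal ---
 permit tcp any any eq www
```

Verify the ACE hit counters with `show ip access-lists ACL4Guest` while a test client is in the redirect state; the deny lines for DNS and the portal port should increment, and the `permit tcp ... eq www` line should increment when the browser opens an http:// page.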