Issues getting url-redirect working with Cisco ISE

Unanswered Question
Jun 9th, 2011

Hi,

I am currently doing a Proof of Concept using Cisco's new ISE product. I am having issues getting the url-redirect RADIUS attribute working. I have read the troubleshooting document and everything in it points to it should be working. By debugging the RADIUS information on the switch I can see that it's passing the url-redirect to the switch, which in my case was https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa. Now to remove DNS issues etc. from the equation, if I copy and paste this URL into the client browser it takes me to the correct place, and I can log in and it changes VLANs accordingly. Now as far as I know the client should automatically be redirected to this URL, which is not working. Below I have included one of the debugs to show that the epm is in place.

DEVLABSW01#show epm session ip 10.0.1.104

    Admission feature:  DOT1X

              ACS ACL:  xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c

     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT

         URL Redirect:  https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa

I have also attached my switch config. Any help would be greatly appreciated.

Dan
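
The check Dan describes above (confirming the redirect ACL and URL are in place on the session) can be scripted. This is an added example, not part of the original post or Cisco's tooling: the sample text is constructed from the output quoted above, and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample, modelled on the `show epm session ip` output quoted above.
SAMPLE = """\
    Admission feature:  DOT1X
              ACS ACL:  xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa
"""

# "Label:  value" lines; the label is letters and spaces only, so colons in a URL are safe.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")

def parse_epm(text):
    """Return the 'Label: value' pairs of a show epm session block as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_redirect(fields):
    """Return (findings, url_details) for the redirect-related attributes."""
    findings, details = [], {}
    for label in ("URL Redirect ACL", "URL Redirect"):
        if label not in fields:
            findings.append(f"'{label}' is not present on the session")
    url = fields.get("URL Redirect")
    if url:
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        details = {"host": parts.hostname, "port": parts.port,
                   "session_id": query.get("sessionId", [None])[0],
                   "action": query.get("action", [None])[0]}
        try:
            ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            # A hostname adds a DNS dependency on the client side.
            findings.append(f"redirect host '{parts.hostname}' is a DNS name: "
                            "the client must be able to resolve it")
        if details["session_id"] is None:
            findings.append("redirect URL carries no sessionId")
    return findings, details
```
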

flovison Fri, 06/10/2011 - 04:48

Hi Dan,

I looked at the switch config and - at a first glance - it looks ok to me... I hope I didn't miss anything obvious

Apart from manually pointing the browser to the redirect URL, how did you try to trigger the redirection?

Does the redirection work if you point the browser to an IP address rather than a DNS hostname?

I would also suggest to enable the following debugs on the switch when trying this:

  debug radius authentication

  debug ip http all

  debug aaa authentication

I hope this helps.

Thanks,

Federico

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

danpanzich Sun, 06/12/2011 - 18:35

Hi Federico,

I am really new to ISE and have run the debug commands you have mentioned and nothing sticks out to me. If I replace the DNS hostname with an IP address it works also and I can log in and the switch will change VLANs. In regards to triggering the redirection, what are you referring to, and do you need to have the ISE client installed on the host for url-redirection to work? Our solution needs to work with as many different clients as possible without having the ISE client installed.

Dan

hany.badawy Tue, 12/20/2011 - 13:40

Dear sir,

Regarding the CWA configuration, there are two tricks you have to take care of:

1- You have to type the below command:

aaa server radius dynamic-author

 client <ISE IP address> server-key cisco123

2- If you have to change the VLAN through the web login, there is a check box you have to select:

Guest Management ---> setting ---> guest ---> multi portal configuration ---> default

General tab

Select vlan dhcp release


deger.guneyi Tue, 11/08/2011 - 05:44

Hi,

If it's not solved yet, please let me know.

Regards.


xzatech123 Fri, 03/23/2012 - 08:45

Hi,

I also would like to know when an answer has been established with this situation; I am pretty much in the same scenario as above.

xzatech123 Fri, 03/30/2012 - 05:06

My issue is solved; check:

To anyone: you may want to take another look at how your setup is laid out and any access-lists on your management VLAN. I found the problem that I was having was an access-list on my management VLAN not allowing communication to my layer 3 routing core.

Posted June 9, 2011 at 6:36 PM