Issues getting url-redirect working with Cisco ISE

Unanswered Question
Jun 9th, 2011

Hi,

I am currently doing a Proof of Concept using Cisco's new ISE product. I am having issues getting the url-redirect raidus attribute working. I have read the troubleshooting document and everything in it points to it should be working. By debuging the radius information on the switch I can see that its passing the url-redirect to the switch  which in my case is was https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa. Now to remove DNS issues etc from the equasion if I copy and paste this URL into the client browser it takes me to the correct place, and I can login and it changes VLAN's accordingly. Now as far as I know the client should automatticaly be redirected to this URL which is not working. Below I have included one of the debugs to show that the epm is in place.

DEVLABSW01#show epm session ip 10.0.1.104

    Admission feature:  DOT1X

              ACS ACL:  xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c

     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT

         URL Redirect:  https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa

I have also attached my switch config. Any help would be greatly appreciated.

Dan

I have this problem too.
2 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Lovison Fri, 06/10/2011 - 04:48

Hi Dan,

I looked at the switch config and - at a first glance - it looks ok to me... I hope I didn't miss anything obvious

Apart from manually pointing the browser to the redirect URL, how did you try to trigger the redirection?

Does the redirection work if you point the browser to an IP address rather than a DNS hostname?

I would also suggest to enable the following debugs on the switch when trying this:

  debug radius authentication

  debug ip http all

  debug aaa authentication

I hope this helps.

Thanks,

Federico

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

danpanzich Sun, 06/12/2011 - 18:35

Hi Frederico,

I am really new to ISE and have ran the debug commands you have mentioned and nothing sticks out to me. If i replace the DNS hostname with IP address it works also and I can login and the switch will change vlans. In  regards to triggering the redirection what are you referring to and do you neeed to have the ISE client installed on the host for url-redirection to work. Our solution needs to work with as many different clients as possible without having the ISE client installed.

Dan

Hany Badawy Mohamed Tue, 12/20/2011 - 13:40

Dear sir,

Regarding the CWA configuration there are two tricks you have to take care of them

1- you have to type the below command

Aaa server radius dynami-autho

Client key cisco123

2- if you have to change the vlan through the web login there are a check box you have to select

Guest Management --->. setting --> guest ---> multi portal configuration ---> default

General tab

Select vlan dhcp release

Sent from Cisco Technical Support iPad App

a.gooding Mon, 09/15/2014 - 18:47

So im also doing ISE for the first time and i knew it may have been a bit tough however i didnt forsee my following issue.

everything is working as expected other than every now and then (intermittent) the ISE Central Portal does not display on any device -android, windows, etc..... i checked and checked the configs, had probably about 10 TAC cases open..... this weekend i ripped out the main components, setup in the offfice and tried to replicate the issue....i could...what i noticed is that without Internet the ISE Portal didnt actually display....it sounds weird but thats what im seeing.....As soon as i plug into Internet Link into the equation, the portal page comes up.....im able to replicate it every time... Currently, i placed back into the customer network and im now looking down at the routing/firewall......

my issue is that i cant really explain why the Internet affects the Central Auth Page.... In any event. im working backwards, tomorrow im bringing in a second link and doing NAT on a cisco router to bypass the checkpoint firewall....ill know if its checkpoint or if im barking up the wrong tree....

if anyone can explain why, it would help out a great deal..

 

My setup BTW is

1. WLC 5760 - Not latest code but latest stable (recommended by the TAC Engineer)

2. ISE 1.2 - Doing simple Wireless only implementation

3. 3650 - Just acting like a switch - no ACLs etc - just a switch

4. Integrated into AD

 

Ill post back with any findings if i make any headway - BTW, i didnt like this at all as other solutions are so much simpler, BUT, i can now see how powerful this could potentially be for the right type of customer...

 

thanks again how i can get some feedback

deger.guneyi Tue, 11/08/2011 - 05:44

Hi,

if its not solved yet please let me know.

Regards.

Sent from Cisco Technical Support iPhone App

xzatech123 Fri, 03/23/2012 - 08:45

Hi,

I also would like to know when an answer has been established with this situation, pretty much in the same scenario as above

xzatech123 Fri, 03/30/2012 - 05:06

my issue solved check :

To anyone; you may want to take another look at how your setup is layed out and any access-lists on your managment vlan. I found the problem that I was having was an access-list on my managment vlan not allowing comunication to my layer3 routing core.

tony.sangha Mon, 08/18/2014 - 23:01

I had initially configured the ACL to deny DNS traffic as per Cisco documentation (due to a bug) however on the 3560c I was working on, I needed to remove the DNS rule for the re-direct to work, this was because the host could not resolve any dns entries....i.e google.com for it to be redirected.

 

ip access-list extended ACL-WEBAUTH-REDIRECT
 remark deny DNS traffic from being redirected
 remark redirect all applicable traffic to the ISE
 permit tcp any any eq www
 permit tcp any any eq 443

 

Actions

Login or Register to take actions

This Discussion

Posted June 9, 2011 at 6:36 PM
Stats:
Replies:10 Overall Rating:
Views:6291 Votes:2
Shares:0
Tags: No tags.