Solved: Cisco ISE - Redirect CWA

David Boos · ‎07-02-2012

I'm new to ISE and have run into a snag that I'm not sure how to handle. I have CWA configured and when I access the ISE SSID I am redirected to the guest login page. When I login it asks me to accept the AUP, I accept, it tells me authentication is successful but when I try to browse to another site I can't get anywhere and it brings me right back to the guest login page. Any ideas or suggestions?

Tarik Admani · ‎07-02-2012

Replace the condition on the left from Guest to Any....the policy you defined below is to redirect all mab requests to the redirection portal where the user can enter then authentication information.

Thanks,

tarik admani

As always please remember to rate any feedback that you find helpful.

View solution in original post

Tarik Admani · ‎07-02-2012

David,

You will have to create another authorization policy above this rule that they will have to hit once their Endpoint profile changes...this is where CoA comes into play and this is what ISE uses over other radius servers.

When the user authenticates and is unknown to ISE then the endpoint gets redirected to the web portal. Once the user authentication, this is where coa takes effect and searches for another matching authorization policy. Have you created an authorization poilcy for guests?

Thanks,

Tarik admani

David Boos · ‎07-02-2012

I've attached a copy of my authorization policy.

Thanks for replying.

Tarik Admani · ‎07-02-2012

David,

Do you have radius nac enabled on the your WLC also what version of code are you running on the controller?

Also when the authentication event occurs can you post a screenshot of the authentication page (under Monitoring > Authentication)

Along with AAA override, should be under the advance settings on the SSID.

Thanks

tarik Admani

Message was edited by: Tarik Admani

David Boos · ‎07-02-2012

I've attached screenshots

WLC Code

WLAN Settings

Tarik Admani · ‎07-02-2012

The controller side looks fine, we need to see if you you have CoA enabled globally. Can you check the following and set the COA to reauth (default is set to to No COA).

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_prof_pol.html#wp1340803

Please post a screenshot of the authentication report..Monitoring>Authentications

thanks,

Tarik Admani

David Boos · ‎07-02-2012

I did not have CoA enabled and set to reauth, set that option disconnected from the WLAN, reassociated, still loops back to the guest page. Attached a screenshot of the authentications - I assumed on ISE and not on the WLC.

Tarik Admani · ‎07-02-2012

Can you post a screeshot of your Guest policy i only see the Identity group conditoin but the authorization profile that you assigned to this rule.

Thanks

tarik Admani

David Boos · ‎07-02-2012

Guest Policy

Tarik Admani · ‎07-02-2012

Sorry,

I meant the authorization policy that is above your redirection policy under authorization.

David Boos · ‎07-02-2012

The policy under Policy > Results then Authorization > Authorization Results?

Tarik Admani · ‎07-02-2012

Expand the screenshot in the 3rd message of this thread.

David Boos · ‎07-02-2012

Nothing under Layer 3, I was sent a powerpoint called

ISE for CUWN Essentials:

Central Web Authentication (CWA)

Configuration Example

and I followed that, I would attach it but I can only attach images/video. It calls for Layer 2 MAC filtering an nothing for Layer 3. Maybe that's wrong but just filling you in on where I'm coming from.

Thanks,
David

Tarik Admani · ‎07-02-2012

Sorry about the previous message, I thought i had deleted that. I would like you to expand the screenshot in the 3rd message of this thread, it only shows the idenity group condition and not the result that you selected.

David Boos · ‎07-02-2012

Got it, attached below.