Cisco Support Community
New Member

Cisco ISE - Redirect CWA

I'm new to ISE and have run into a snag that I'm not sure how to handle.  I have CWA configured and when I access the ISE SSID I am redirected to the guest login page.  When I login it asks me to accept the AUP, I accept, it tells me authentication is successful but when I try to browse to another site I can't get anywhere and it brings me right back to the guest login page.  Any ideas or suggestions?

1 ACCEPTED SOLUTION

Cisco ISE - Redirect CWA

Replace the condition on the left from Guest to Any. The policy you defined below is to redirect all MAB requests to the redirection portal where the user can enter their authentication information.

Thanks,

tarik admani

As always please remember to rate any feedback that you find helpful.

Tarik Admani *Please rate helpful posts*
22 REPLIES

Cisco ISE - Redirect CWA

David,

You will have to create another authorization policy above this rule that they will have to hit once their Endpoint profile changes. This is where CoA comes into play, and this is what ISE uses over other RADIUS servers.

When the user authenticates and is unknown to ISE, the endpoint gets redirected to the web portal. Once the user authenticates, this is where CoA takes effect and searches for another matching authorization policy. Have you created an authorization policy for guests?

Thanks,

Tarik admani

Tarik Admani *Please rate helpful posts*
New Member

Cisco ISE - Redirect CWA

I've attached a copy of my authorization policy.

Thanks for replying.

Re: Cisco ISE - Redirect CWA

David,

Do you have RADIUS NAC enabled on your WLC? Also, what version of code are you running on the controller?

Also, when the authentication event occurs, can you post a screenshot of the authentication page (under Monitoring > Authentication)?

Along with AAA override, it should be under the advanced settings on the SSID.

Thanks

tarik Admani

Message was edited by: Tarik Admani

Tarik Admani *Please rate helpful posts*
New Member

Cisco ISE - Redirect CWA

I've attached screenshots

WLC Code

WLAN Settings

Cisco ISE - Redirect CWA

The controller side looks fine; we need to see if you have CoA enabled globally. Can you check the following and set the CoA to reauth (default is set to No CoA)?

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_prof_pol.html#wp1340803

Please post a screenshot of the authentication report (Monitoring > Authentications).

thanks,

Tarik Admani

Tarik Admani *Please rate helpful posts*
New Member

Cisco ISE - Redirect CWA

I did not have CoA enabled and set to reauth. I set that option, disconnected from the WLAN, and reassociated; it still loops back to the guest page. Attached is a screenshot of the authentications - I assumed on ISE and not on the WLC.

Cisco ISE - Redirect CWA

Can you post a screenshot of your Guest policy? I only see the Identity group condition but not the authorization profile that you assigned to this rule.

Thanks

tarik Admani

Tarik Admani *Please rate helpful posts*
New Member

Cisco ISE - Redirect CWA

Guest Policy

Cisco ISE - Redirect CWA

Sorry,

I meant the authorization policy that is above your redirection policy under authorization.

Tarik Admani *Please rate helpful posts*
New Member

Cisco ISE - Redirect CWA

The policy under Policy > Results then Authorization > Authorization Results?

Re: Cisco ISE - Redirect CWA

Expand the screenshot in the 3rd message of this thread.

Tarik Admani *Please rate helpful posts*
New Member

Cisco ISE - Redirect CWA

Nothing under Layer 3. I was sent a PowerPoint called "ISE for CUWN Essentials: Central Web Authentication (CWA) Configuration Example" and I followed that. I would attach it, but I can only attach images/video. It calls for Layer 2 MAC filtering and nothing for Layer 3. Maybe that's wrong, but I'm just filling you in on where I'm coming from.

Thanks,
David

Cisco ISE - Redirect CWA

Sorry about the previous message, I thought I had deleted that. I would like you to expand the screenshot in the 3rd message of this thread; it only shows the identity group condition and not the result that you selected.

Tarik Admani *Please rate helpful posts*
New Member

Cisco ISE - Redirect CWA

Got it, attached below.

Cisco ISE - Redirect CWA

Is boos179 the guest account you are trying to authenticate with?

Thanks

Tarik Admani

Tarik Admani *Please rate helpful posts*
New Member

Cisco ISE - Redirect CWA

Yes, I've attached my identity sequence below.  I've allowed anyone with an AD credential to login to the guest portal using their AD credential as a guest. Boos179 is my username.

Cisco ISE - Redirect CWA

That makes sense now, so you are not being dynamically mapped to the Guest as you would assume. You need to create another authorization policy that matches the group that you would like to allow your domain users (i.e. Domain Users).

You need to create this condition first by defining the group in Active Directory (Administration > Identities > External Identity sources > Active Directory > Groups > Add). There is a 100 group limit, so you can search Domain* and that will pull anything that matches Domain and the wildcard.

If you have done that already, then create another authorization policy and use the following:

Policy > Authorization > Insert New Rule [Above | Below] > Conditions (Create New Condition [Advance Option]) > Select Attribute (AD1 > ExternalGroup EQUALS [the group you chose before]) > Set your result

Then test; that should do the trick.

Thanks

tarik Admani

Tarik Admani *Please rate helpful posts*
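
Added example, not part of the original thread and not Cisco code: a simplified first-match model of the authorization policy discussed here, showing why an AD user who logs in at the guest portal falls through to the redirect rule after CoA, and why the new AD-group rule only helps once its identity-group condition is Any rather than Guest. Result names (`PERMIT`, `CWA_REDIRECT`), session fields and the sample sessions are constructed assumptions.

```python
# Simplified first-match model of an authorization policy (constructed example).
# Result names and session fields are assumptions, not ISE identifiers.

def evaluate(policy, session):
    """Return (rule name, result) for the first rule whose conditions all match."""
    for name, identity_group, conditions, result in policy:
        if identity_group not in ("Any", session["identity_group"]):
            continue
        if all(check(session) for check in conditions):
            return name, result
    return "Default", "DENY"

def is_mab(session):
    return session["flow"] == "MAB"

def in_domain_users(session):
    # Stands in for: AD1 > ExternalGroup EQUALS [the group chosen earlier]
    return "Domain Users" in session["ad_groups"]

# (rule name, identity group, extra conditions, result)
GUEST = ("Guest", "Guest", [], "PERMIT")
REDIRECT = ("MAC not Known", "Any", [is_mab], "CWA_REDIRECT")
AD_GUEST = ("Domain Users", "Guest", [in_domain_users], "PERMIT")
AD_ANY = ("Domain Users", "Any", [in_domain_users], "PERMIT")

POLICIES = {
    "original": [GUEST, REDIRECT],                   # only a Guest rule above the redirect
    "guest_condition": [GUEST, AD_GUEST, REDIRECT],  # new rule still tied to Guest
    "any_condition": [GUEST, AD_ANY, REDIRECT],      # identity group set to Any
}

# Constructed sessions as re-evaluated after portal login and CoA reauth.
AD_USER = {"flow": "MAB", "identity_group": None, "ad_groups": ["Domain Users"]}
GUEST_USER = {"flow": "MAB", "identity_group": "Guest", "ad_groups": []}
NEW_DEVICE = {"flow": "MAB", "identity_group": None, "ad_groups": []}

def outcomes(session):
    """Result each policy variant gives the session."""
    return {label: evaluate(rules, session)[1] for label, rules in POLICIES.items()}

if __name__ == "__main__":
    for label, session in (("AD user", AD_USER), ("guest", GUEST_USER),
                           ("new device", NEW_DEVICE)):
        print(label, outcomes(session))
```

The redirect rule stays last in every variant, so a device that has not yet authenticated at the portal is still sent there.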
New Member

Cisco ISE - Redirect CWA

This is my new authorization policy. I'm a bit confused though. What does the last policy (MAC not Known) actually do then? I will have to test in the morning to find out if this works.

Cisco ISE - Redirect CWA

Replace the condition on the left from Guest to Any. The policy you defined below is to redirect all MAB requests to the redirection portal where the user can enter their authentication information.

Thanks,

tarik admani

As always please remember to rate any feedback that you find helpful.

Tarik Admani *Please rate helpful posts*
New Member

Cisco ISE - Redirect CWA

So this is what it should be?

Cisco ISE - Redirect CWA

That looks great!

Tarik Admani *Please rate helpful posts*
New Member

Cisco ISE - Redirect CWA

Thanks, works as expected.
