Cisco Support Community

New Member

CWA NOT REDIRECT AUTOMATIC IN CLIENT WEBBROWSER

 

Guys, I have a problem: the CWA portal does not open automatically on clients. If the client copies and pastes the session URL, it opens! But the automatic redirect is the problem. The ACL is OK, DNS is OK.

 

switch version 15.2

 

 

 

9 REPLIES
New Member

switch#SH EPm SESSion ip 172.16.1.3
    Admission feature:  DOT1X
              ACS ACL:  xACSACLx-IP-POSTURE_REMEDIATION-53a84454
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://xxx:8443/guestportal/gateway?sessionId=AC101E640000005F032D6B3B&action=cwa

New Member

Did anyone get this working??


Cisco Employee

Could you share what you are using as a redirect ACL please?

New Member

acl-redirect
deny ip any host ISE
permit tcp any any eq 443
permit tcp any any eq 80

If I copy and paste the URL in the web browser it works, but automatic redirection is not working.

Cisco Employee

You also need to deny DNS traffic for this to work. The way it is now, you can try to go to any IP address (like 1.1.1.1) and you should see the redirect pop-up in the URL bar.

It seems like currently we're trying to 'redirect' DNS traffic, which causes the end-clients to time out.

New Member

Then you say that I should add

deny udp any any eq domain in the acl-redirect on the switch?

Cisco Employee

Right!


New Member

It does not work.

switch#show ip access-lists
Extended IP access list ACL-POSTURE-REDIRECT
    10 deny ip any host 172.16.30.20 (1927 matches)
    15 deny udp any any eq domain (42 matches)
    20 permit tcp any any eq 443
    30 permit tcp any any eq www
Extended IP access list Auth-Default-ACL
    10 permit udp any range bootps 65347 any range bootpc 65348 (8 matches)
    20 permit udp any any range bootps 65347
    30 deny ip any any (11 matches)
Extended IP access list xACSACLx-IP-POSTURE_REMEDIATION-53a84454 (per-user)
    10 permit tcp any host 172.16.30.20 eq 8443
    20 permit tcp any any eq www
    30 permit tcp any any eq 443
    40 permit udp any any eq domain
    50 permit icmp any any
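
The two lists in the output above, evaluated together against a few client flows. This is an added example, not part of the original post or Cisco code. It assumes the usual IOS semantics (in a URL-redirect ACL, permit selects traffic for interception and deny lets it pass unredirected; the per-user ACL decides what is forwarded at all), and every destination other than 172.16.30.20 is constructed.

```python
import re

# ACEs copied from the `show ip access-lists` output in the post above.
REDIRECT_ACL = """\
10 deny ip any host 172.16.30.20 (1927 matches)
15 deny udp any any eq domain (42 matches)
20 permit tcp any any eq 443
30 permit tcp any any eq www
"""
DACL = """\
10 permit tcp any host 172.16.30.20 eq 8443
20 permit tcp any any eq www
30 permit tcp any any eq 443
40 permit udp any any eq domain
50 permit icmp any any
"""
PORT_NAMES = {"www": 80, "domain": 53}  # IOS port keywords seen in this output
ACE = re.compile(r"(\d+) (permit|deny) (\w+) any (any|host \S+)(?: eq (\S+))?")

def parse(text):
    """Parse the subset of ACE syntax used above (source is always 'any')."""
    aces = []
    for line in text.splitlines():
        seq, action, proto, dst, port = ACE.match(line.strip()).groups()
        if port is not None:
            port = PORT_NAMES.get(port) or int(port)
        aces.append((int(seq), action, proto, dst.replace("host ", ""), port))
    return aces

def first_match(aces, proto, dst_ip, dst_port=None):
    """Return (seq, action) of the first matching ACE, else the implicit deny."""
    for seq, action, a_proto, a_dst, a_port in aces:
        if (a_proto in ("ip", proto) and a_dst in ("any", dst_ip)
                and a_port in (None, dst_port)):
            return seq, action
    return None, "deny"

def verdict(proto, dst_ip, dst_port=None):
    """Assumed model: the dACL filters, the redirect ACL picks what to intercept."""
    if first_match(parse(DACL), proto, dst_ip, dst_port)[1] == "deny":
        return "dropped"
    action = first_match(parse(REDIRECT_ACL), proto, dst_ip, dst_port)[1]
    return "redirected" if action == "permit" else "forwarded"

# Constructed sample flows: DNS query, HTTP to any site, the ISE portal, SSH.
for flow in [("udp", "172.16.30.10", 53), ("tcp", "192.0.2.80", 80),
             ("tcp", "172.16.30.20", 8443), ("tcp", "192.0.2.80", 22)]:
    print(flow, "->", verdict(*flow))
```

With the posted lists, DNS and the ISE portal are forwarded untouched and plain HTTP is selected for redirection, so the ACL content matches the advice given in the thread.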

New Member

It does not work!!! :(

switch#show authentication sessions interface fastEthernet 0/1
            Interface:  FastEthernet0/1
          MAC Address:  6431.5077.5aa2
           IP Address:  172.16.1.2
            User-Name:  64-31-50-77-5A-A2
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-POSTURE_REMEDIATION-53a84454
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://ise.xxxx:8443/guestportal/gateway?sessionId=AC101E64000000000000A676&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC101E64000000000000A676
      Acct Session ID:  0x00000001
               Handle:  0x90000001

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run
