CWA redirect failure

martyn.rees
Level 4

I have a situation where DNS cannot be used for redirecting on CWA, so I have had to create an auth profile that has manual entries in it that redirect the guest to the IP address of the guest portal, rather than the DNS name.

The attribute is configured with the following:

cisco-av-pair = url-redirect=https://x.x.x.x:8443/guestportal/Login.action

cisco-av-pair = url-redirect-acl=cwa

The redirection works, and the guest is prompted with a login screen, but as soon as they are authenticated they receive an error page stating that the resource is not found, with the resource being /guestportal.

The URL that it is trying to reach is https://x.x.x.x:8443/guestportal/guest/redir.html

Has anyone managed to configure CWA to use the IP address rather than the DNS name, and go around this issue?

11 Replies

Tarik Admani
VIP Alumni

Martyn,

Can you try this av-pair instead (substitute only the x.x.x.x and leave the other variables; ISE should populate them with the correct session id). Keep in mind DNS is critical, but let's see if the following changes your luck. Usually the redirection afterwards is a page that tells the user to retry their original request.

url-redirect=https://x.x.x.x:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa

url-redirect-acl=cwa

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thanks for the suggestion,

I did initially have it set to this, as that was initially logical to me, but when I had that in place you get a "session has expired" window after the logon has completed, so I thought I would try a couple of other redirects to see if they would work, but that's where I ended up at the initial redirect URL that I posted.

I understand. You can try opening a TAC case, but DNS is the main issue. Also, do you see two authentication requests or just the authentication request to the portal?

thanks,

Tarik Admani
*Please rate helpful posts*

I see the initial success upon connection and can see the redirect being applied, but then once it is authenticated it shows another entry with a failure and you get the session expired page.


I can see that if I allow ISE to populate the redirect URL then a session ID is generated. If I manually specify the radius attribute then a session ID is not generated.

Is there a way then to change the URL that the guest is redirected to so that it isn't the host name?


I've followed this up with TAC and have confirmation that at the moment you cannot change the DNS name that the user is re-directed to.

Also, in ISE 1.1 you could manually specify the RADIUS attribute with the IP address as I was doing and it will give you a unique session ID, but in 1.1.1 you cannot do this.
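An added check, not from the thread or from Cisco, that inspects the cisco-av-pair values of a CWA authorization result for the failure modes discussed above: a manual IP-based url-redirect with no sessionId at all, and the gateway form where the SessionIdValue placeholder was never substituted. The 192.0.2.10 address, the ise.example.com hostname and the session id are constructed sample values.

```python
"""Sanity-check the cisco-av-pair values that carry a CWA redirect.

Added example; the parsing and findings are my own, the attribute forms
mirror the two variants posted in the thread (constructed sample values).
"""
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

PLACEHOLDER = "SessionIdValue"  # ISE is expected to replace this with the real session id

# Constructed samples: the manual IP form from the original post and Tarik's gateway form.
MANUAL_IP_PAIRS = [
    "cisco-av-pair = url-redirect=https://192.0.2.10:8443/guestportal/Login.action",
    "cisco-av-pair = url-redirect-acl=cwa",
]
GATEWAY_PAIRS = [
    "url-redirect=https://192.0.2.10:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa",
    "url-redirect-acl=cwa",
]


def parse_av_pairs(attrs):
    """Turn av-pair strings into {key: value}, splitting on the first '=' only,
    because the URL value itself contains '=' characters."""
    pairs = {}
    for attr in attrs:
        if attr.startswith("cisco-av-pair"):      # strip the "cisco-av-pair =" prefix if present
            attr = attr.split("=", 1)[1]
        key, _, value = attr.strip().partition("=")
        pairs[key.strip()] = value.strip()
    return pairs


def check_cwa_redirect(attrs):
    """Return a list of findings; an empty list means the redirect looks sound."""
    pairs = parse_av_pairs(attrs)
    url = pairs.get("url-redirect")
    if url is None:
        return ["url-redirect missing"]
    findings = []
    if "url-redirect-acl" not in pairs:
        findings.append("url-redirect-acl missing: NAD has no ACL defining what to redirect")
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("redirect is not https")
    try:
        ip_address(parts.hostname)                # raises ValueError for a hostname
        findings.append("redirect host is an IP literal, not the ISE hostname")
    except ValueError:
        pass
    session = parse_qs(parts.query).get("sessionId", [""])[0]
    if not session:
        findings.append("no sessionId in redirect: portal cannot tie the login to the session")
    elif session == PLACEHOLDER:
        findings.append("sessionId placeholder not substituted by ISE")
    return findings
```

Running check_cwa_redirect on MANUAL_IP_PAIRS reports the IP-literal host and the missing sessionId, which matches the "resource not found" and "session expired" symptoms described in the thread.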

Martyn,

Is this a bug on why this won't work in ISE?


The bug for not being able to change the DNS name that the guest is redirected to is here:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCub97631

It's not currently viewable, but should be in the next couple of days apparently.

I am trying to find out if the method of manually specifying the RADIUS attribute was deliberately removed in 1.1.1 or if it is a bug.

Any news on this? I am having the same issue: the sessionIdValue field is not getting filled out with a session id when I attempt to manually define the redirect URL in the CWA authz result, so ISE does not know the session id when you then log into the guest portal :-(

Naveen Kumar
Level 4

Just to share:

I saw a good document on CWA with ISE:

https://supportforums.cisco.com/docs/DOC-26442

Muhammad Munir
Level 5

Hi

You can configure custom portal to perform Client Provisioning and Posture. If you select this option, the guest login flow performs a CWA and the guest portal will be redirected to Client Provisioning after performing AUP and change password checks. In this case, the posture subsystem performs a CoA to the NAD to re-authenticate the client connection once the posture has been assessed.

If Vlan Dhcp Release is selected under Multi-Portal Configurations, posture will perform the client-side IP release and renew operation. Check the Vlan Dhcp Release option to refresh Windows clients' IP addresses after a VLAN change in both wired and wireless environments for Guest with posture.

This affects the CWA user login flow when the network access during the final authorization switches the guest VLAN to a new VLAN. In this case, the old IP of the guest needs to be released before the VLAN change and a new guest IP needs to be requested through DHCP once the new VLAN access is in place. The Cisco ISE server redirects the guest browser to download an applet to perform the IP release renew operation.
