Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISE - Central Webauthentication // Guest accouts

Hi, I'm working with the Cisco ISE as a school project, but I have some problems with the central web authentication. I have followed this guide, and at the moment I have the following two problems:

The redirection does not work, but it seems like the ISE tells the switch to redirect, but nothing happens at the client. (See buttom of the post)

I can access the guest webportal by entering the direct url-address.

I have tried to trigger the redirect both by a DNS name and by an ip-address.

My second problem is my guest users.

When I create a guest account from the sponsorportal, I can't see the password only stars (****), and I can't figure out if this is a security feature or a bug. Right now I'm working in an offline environment so I don't have access to a SMTP server, so I can't try the email function to get the guest account information.

I have tried to create a guest account in the adminportal, but I can't login with it. If I go the authentication logs, I just get an "86020 unknown error".

I run everything in VMware, and I have to go through two switches with a trunk connection, before I can reach the switch I'm working on, therefore I have a bit unusually configuration.

I have attached the switch configuration, and a screenshot to show my setup.


sw03#sh auth sess int fa0/5

            Interface:  FastEthernet0/5

          MAC Address:  000c.29ff.28f7

          IP Address:  Unknown

            User-Name:  00-0C-29-FF-28-F7

              Status:  Authz Success

              Domain:  DATA

      Security Policy:  Should Secure

      Security Status:  Unsecure

      Oper host mode:  single-host

    Oper control dir:  both

        Authorized By:  Authentication Server

          Vlan Group:  N/A

    URL Redirect ACL:  redirect

        URL Redirect:

      Session timeout:  N/A

        Idle timeout:  N/A

    Common Session ID:  C0A80A020000000C047D8E21

      Acct Session ID:  0x00000014

              Handle:  0x7F00000C

Runnable methods list:

      Method  State

      mab      Authc Success

Everyone's tags (4)
New Member

Re: ISE - Central Webauthentication // Guest accouts

An ACL could be blocking the redirect if the management interface of the switch and the device are on two separate VLANs. If the switch is layer three, temporarily create routing on it between the two and see of it works.

Second, a proxy will also mess with URL redirection if it is on a different port than port 80. on a WLAN controller a proxy should work fine with URL redirection.



Hope this helps

Sent from Cisco Technical Support iPhone App

New Member

Re: ISE - Central Webauthentication // Guest accouts

Also redirect ACLs are the opposite of regular ACLs so can you post the redirect ACL



Sent from Cisco Technical Support iPhone App

New Member

Re: ISE - Central Webauthentication // Guest accouts

Regarding the guest password/login problem, the problem is solved.
I updated to ISE v1.1, and now that part is working, but I still have the problem with redirect.

Here is my redirect ACL:

ip access-list extended redirect

deny   ip any host (my ISE ip)

permit tcp any any eq www

permit tcp any any eq 443

New Member

Re: ISE - Central Webauthentication // Guest accouts

Okay, I just tried some different things, and after adding these two commands, the redirection works!

ip dhcp snooping

ip device tracking

CreatePlease login to create content