New Member

ISE CWA FLEXCONNECT - No url redirect

Hi,


I'm setting up a LAB environment for CWA with ISE(1.2.1), vWLC(8.0.100), ASA5505(9.1.X) and a 2602 AP in flexconnect mode.

Unfortunately I'm running into problems.

The AP, WLC and ISE are all running in vlan 1, which terminates in the 5505 as an inside interface.

Vlan 2 is a guest network terminating on a separate interface in the ASA.

The problem that I'm facing is that the URL redirect from the ISE doesn't work. If I check the client summary on the vWLC I can see that the client gets the redirect FlexConnect ACL applied and that the URL is present. I've verified that it's not a DNS issue and I'm able to manually connect to ISE, so there is no ACL blocking me. The client just doesn't get the redirect. I've tried with multiple devices (Windows, iOS, Android) and it's all the same.

 

I've followed the following guides:

http://www.drchaos.com/flexconnect-local-switching-guestbyod/

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html#anc11

Currently I'm at work but I can provide some debug output later.

Has anyone seen this behavior before?

11 REPLIES
Cisco Employee

It is possible that you are hitting the following bug:

https://tools.cisco.com/bugsearch/bug/CSCue68065

One thing this bug does not mention is that there is another resolution outside of disabling local switching. The alternative is:

1. Create a standard ACL on the controller that is named exactly as the FlexConnect ACL

2. The standard ACL does not have to have any ACE in it

I have run into this issue before and the above workaround has worked for me. The issue was supposed to be addressed in version 8.x of the WLC but I think it is still worth giving it a try.

Thank you for rating helpful posts!
New Member

Hi Simon,

As long as the client can resolve the address and the client is attempting to access an HTTP site, not HTTPS, the redirect should work.

Maybe try a debug dot11 profile detail on the AP and see what the logs show.

Brett

New Member

Is there a solution for redirecting https-sites to the ISE?

New Member

A small update.

If I manually paste the redirect in my browser then I'm able to login successfully and connect to the network and everything works.

I feel a bit uncertain about what the FlexConnect ACL should look like. Does the FlexConnect ACL only work on inbound traffic?

I've included the ACL that I'm currently using and below are some pointers to help understand it:

10.0.0.21 - WLC

10.0.0.22 - ISE

10.0.20 - DNS/DHCP

I will try adding a standard ACL.

New Member

Hi Simon,

ACL looks good.

The only other thing I can think of is that with FlexConnect you need to add the ACL to the Policies on the AP.

This can be done directly on the AP under Flexconnect --> External WebAuthentication ACLs or in the Flexconnect group under ACL Mappings --> Policies.

Hope this helps!

New Member

Hi,

I have already added the ACLs to the FlexConnect group, is that sufficient?

Wireless->Flexconnect Groups->ACL Mapping->Policies

But do I need to add only the GUEST-CWA redirect ACL or both, in my case PERMIT_ACCESS?

Cisco Employee

You only need to map the redirect ACL under the "Policies". The redirect ACL should only allow access to your ISE and your DNS servers while denying everything else.

Also:

- Did you create a standard (non-FlexConnect) ACL that matches the name of the FlexConnect one?

- Are you returning the redirect ACL in your CWA authorization profile?

Thank you for rating helpful posts!
New Member

Hi,

I forgot to mention that I already had a standard ACL with the same name. I saw that bug before I started this discussion and I did give that a test, however without success.

I've included two new pictures, one with my authorization rules and one with the AuthZ result for CWA.

I did a debug dot11 policys detail on the AP but I'm not getting any results when connecting with a device and trying the guest access.

New Member

Hi!

Did you ever get around this? I'm facing the same issues.

Thank you!

New Member

Same thing here, everything looks like it is working but no redirect on the client.

Did you find a solution to the problem?

Cheers

New Member

Hi,

Points to Check for FlexConnect CWA (ISE):

1) The redirect ACL should be created as a FlexConnect ACL which permits HTTP & HTTPS to ISE, and DNS and DHCP to the respective servers.

2) The same FlexConnect ACL needs to be added in FlexConnect Group ACL Mapping -> Policies.

3) A normal ACL with the same name as the FlexConnect ACL needs to be created in Security -> Access Control List without any rules in it.

4) The ACL name should be called in the CWA authorization policy in ISE.

The same worked for me. Hope this helps.

Regards
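As an added check that is not part of the thread or of any Cisco tool, the following Python model encodes the four points above together with the same-name standard ACL workaround given earlier in the thread (the CSCue68065 post): it takes a constructed description of the WLC and ISE settings and reports which checklist items fail. The data model, ACL names and addresses are constructed; the DNS/DHCP address is an assumption because the post's "10.0.20" is incomplete.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
# Constructed lab addresses, loosely following the thread; DNS_DHCP is an assumption.
ISE = "10.0.0.22"
DNS_DHCP = "10.0.0.20"

@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dst: str              # destination host or "any"
    port: Optional[int]   # destination port, None = any port

@dataclass
class WlcConfig:
    flex_acls: Dict[str, List[Ace]]   # Wireless -> FlexConnect ACLs
    standard_acls: Set[str]           # Security -> Access Control Lists
    flex_group_policy_acls: Set[str]  # FlexConnect Group -> ACL Mapping -> Policies
    ise_authz_redirect_acl: str       # ACL name returned by the ISE CWA authorization profile

# Traffic the redirect ACL must permit so the client can resolve and reach ISE.
REQUIRED = [("udp", DNS_DHCP, 53), ("udp", DNS_DHCP, 67),
            ("tcp", ISE, 80), ("tcp", ISE, 443)]

def permits(aces: List[Ace], proto: str, dst: str, port: int) -> bool:
    """First matching ACE wins; no match is an implicit deny (i.e. redirected)."""
    for ace in aces:
        if ace.proto in (proto, "any") and ace.dst in (dst, "any") \
                and ace.port in (port, None):
            return ace.action == "permit"
    return False

def check_cwa_setup(cfg: WlcConfig, name: str) -> List[str]:
    # Returns the checklist items that fail for the redirect ACL called `name`.
    problems = []
    aces = cfg.flex_acls.get(name)
    if aces is None:
        return [f"FlexConnect ACL {name} does not exist"]
    for proto, dst, port in REQUIRED:
        if not permits(aces, proto, dst, port):
            problems.append(f"{name} must permit {proto}/{port} to {dst}")
    # Any other web destination must be denied, otherwise it is never redirected.
    if permits(aces, "tcp", "198.51.100.10", 80):
        problems.append(f"{name} permits arbitrary web traffic, so nothing is redirected")
    if name not in cfg.standard_acls:
        problems.append(f"no standard ACL named {name} (workaround for CSCue68065)")
    if name not in cfg.flex_group_policy_acls:
        problems.append(f"{name} not mapped under FlexConnect Group ACL Mapping -> Policies")
    if cfg.ise_authz_redirect_acl != name:
        problems.append(f"ISE CWA profile returns {cfg.ise_authz_redirect_acl!r}, not {name}")
    return problems
```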
