Solved: Splash Page Web Redirect

Pete Bauer · ‎06-20-2012

Hello,

I’m not entirely sure if this should be posted in this forum or in the wireless forum, if it’s in the wrong place please let me know.

We’re currently using 5508 WLC’s and leveraging Cisco ISE for radius/authentication rule sets.

I’m trying to get a splash page to flash and then redirect to a website after a successful authentication to an SSID. Everything on the wireless side works with no splash page (users connect to SSID, authenticate with AD credentials using 802.1X PEAP to our Cisco ISE box, and gain access to the network).

When I enable ‘Splash Page Web Redirect’ on the WLC (under L3 security), I’m unclear on the ISE box where I set this up. When I look in the Cisco documention it says:

Splash Page Web Redirect—If you select this option, the user is redirected to a particular web page after 802.1X authentication successfully completes. After the redirect, the user has full access to the network. You can specify the splash web page on your RADIUS server.

Does anyone know how I specify this on the ISE box? Or am I totally off base?

Any help would be great.

Thanks,

Pete

Tarik Admani · ‎06-25-2012

Pete,

Did you allow AAA override in the SSID settings? Here is a config example of using ACS 4.2 but you can rule out the radius sever configuration since the screenshots posted above look correct. Lets see if that setting is enalbed and then try again.

Edit - forgot to post the link for reference -

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml#step3

Thanks

Tarik Admani

Message was edited by: Tarik Admani

View solution in original post

Tarik Admani · ‎06-24-2012

Pete,

You can send the url-redirect av pair from the ISE authorization profile, you can create this in the ISE under the results for policy elements, do not use the checkbox for web auth but instead manually create the cisco-av-pair and select the "url-redirect" attribute and enter the url of the page you want users to be redirected to, then you an tie that in to your authorization policy in the access-accept that you used to authorize the user via AD.

Here is the reference guide on how to configure this -

http://www.cisco.com/en/US/docs/wireless/controller/5.1/configuration/guide/c51wlan.html

Thanks

Tarik Admani

Pete Bauer · ‎06-25-2012

Hi Tarik,

Thanks for the reply!

I setup the result under policy elements and applied it to the Permission for that specific authorization policy. I then re-enabled splash page web redirect on the WLC (anchor in the DMZ). Now when I connect to the SSID I get an IP address however it doesn’t redirect me and I cannot access anything.

Any thoughts?

Thanks,

Pete

Tarik Admani · ‎06-25-2012

When you look at the client entry on the WLC do you see the url redirect/does the client show authenticated?

Can you ping or does nslookup work on the client end?

Pete Bauer · ‎06-25-2012

It doesn't show up on the client entry on the Anchor WLC, no. Please correct me if I'm wrong, but I'm assuming I'm supposed to be doing all of this on the anchor controller, correct?

Ping/nslookup does not work.

Do I need to apply an ACL on the controller to the SSID?

Tarik Admani · ‎06-25-2012

Pete,

Can you post the screenshot of the authorization policy that you created? I am interested in the dark gray box that you used to create the authorization profile...

Thanks,

Tarik Admani

Pete Bauer · ‎06-25-2012

When I uncheck the 'Web Policy' under L3 security on the WLAN, it connects and works just fine, except for the URL redirection. When I check 'Web Policy' and select Splash Page Web Redirect I can see on ISE it successfully authenticates the client, but then the client doesn’t get redirected when opening a browser and cannot access anything on the network.

Tarik Admani · ‎06-25-2012

Pete,

Did you allow AAA override in the SSID settings? Here is a config example of using ACS 4.2 but you can rule out the radius sever configuration since the screenshots posted above look correct. Lets see if that setting is enalbed and then try again.

Edit - forgot to post the link for reference -

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml#step3

Thanks

Tarik Admani

Message was edited by: Tarik Admani

Pete Bauer · ‎06-25-2012

AAA override was NOT check - I checked it now but still have the same issue.

One correction I must make - after I enable 'Splash Page Web Redirect' on the WLC, they cannot get an IP address. I previously thought the machine did however the address was cached. After a release, it wasn't able to renew.

Pete Bauer · ‎06-25-2012

It worked! I took a fresh computer after enabling the AAA override and it redirected me properly. I'm pretty sure I had that check when I initially set it up, however unchecked it at some point during troubleshooting.

Thank you so much.

Pete

Tarik Admani · ‎06-25-2012

No problem, I am glad it worked!