Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

CWA page does not redirect

Hi there,

I am having strange issue.

I have configured a wlan with Mac Filtering that is pointing to ISE. Followed this guide https://supportforums.cisco.com/docs/DOC-26442

Now, when user tries to connect to the wlan, it gets stuck in DHCP_REQD state. On troubleshooting I found that the ISE authenticates with Wireless MAB policy and points to the authorization profile where CWA redirect is configured. The WLC receives the redirect acl with redirect url but does not apply it on the client.

On ISE:

    2.JPG

On WLC:

1.JPG

the ACL "tempcwa" allows traffic to and from ISE, DNS, DHCP, but I am not able to get IP. Even when I try manual IP address, I am not able to ping ISE. I am sure ACL is all ok! My DHCP works perfect for other WLANs with WLC webauth settings in the same subnet as CWA.

I am using AIR-CT5760, 03.02.02.SE, ct5760-ipservicesk9 and ISE 1.2 VM

Please help me!!

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions

Re: CWA page does not redirect

If the device is not able to get dhcp the. It can't use the redirect page.

I would remove the ACL and see if it allows the client to get an address.

Steve

Sent from Cisco Technical Support iPhone App

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
6 REPLIES

Re: CWA page does not redirect

If the device is not able to get dhcp the. It can't use the redirect page.

I would remove the ACL and see if it allows the client to get an address.

Steve

Sent from Cisco Technical Support iPhone App

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

Re: CWA page does not redirect

Thanks for your response..

If I remove the ACL then how the traffic destined to ISE will be allowed? The interesting part is, I am getting hits on the redirect ACL but client can not receive IP address.

DHCP is working fine and if I assign manual IP then DHCP is not the matter.

If Redirect ACL and ISE page is forwarded to WLC from ISE then why this is not working for clients??

Moreover, I noticed that even DACL is not being pushed to wireless clients from other authorization profiles. The traffic gets Permit_access but DACL does not restrict..

I think these two issues are interlinked..

Please suggest..

New Member

CWA page does not redirect

Any suggestion???

Hall of Fame Super Silver

Re: CWA page does not redirect

Like Steve mentioned, you need to fix the dhcp first. If you remove the preauth acl and then just use the WLC internal webauth, does it work? If so, then you need to look at your preauth acl.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: CWA page does not redirect

I have checked by manually assigning the IP address. Still no luck..

New Member

Re: CWA page does not redirect

I finally got it working, my ACL was wrong.

The redirect ACL should look like as follows:

Deny UDP any any

Deny ip any host

Deny ip host any

Permit TCP any any HTTTP

Permit TCP any any HTTTPS

After changing the ACL, CWA redirect page started to show up!!

Thanks to Stephen.

753
Views
0
Helpful
6
Replies