
Cisco ISE guest portal redirect not working after successful authentication and URL redirect.

Paul_Westhead
Level 1

Hi to all,

I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.

I have an ISE 3315 doing a captive webportal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal

Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:

Error: Resource not found.

Resource: /guestportal/

Does anyone have any ideas why the portal is doing this?

Thanks

Paul

8 Replies

Paul_Westhead
Level 1

Anyone got any ideas on this?

Sent from Cisco Technical Support iPhone App

Same issue here, can't find anything that might give me a clue.

Paul_Westhead
Level 1

Well, came to the conclusion that external LWA doesn't work with modern browsers due to the use of iframes to complete the redirect and the page containing http & https data.

The only option is to run LWA on the controller or run CWA from the ISE.

Sent from Cisco Technical Support iPhone App

descalante2007
Level 1

I have a similar problem, but in my case the error message appears before the login splash. I saw the certificate warning and immediately the error message.

I saw the browser indicates this URL:

https://xxx.xxx.xxx.xxx:8443/guestportal/Login.Action?switch_url=https://1.1.1.1/login.html&ap_mac=yy:yy:yy:yy:yy:yy&client_mac=zz:zz:zz:zz:zz:zz&wlan=ABCDEF

msonnie
Level 1

I believe it might be that the default HTTPS port is not used, or it might be a routing issue in the network, and you need to review the network packet flow.

Moreover, another reason could be that the dACLs are not properly configured, as improperly configured dACLs would interrupt the traffic flow.

Hello,

I also have this problem.

I have an ISE 1.1.2 on VMware with a WLC 5508 controller. When I log in with a configured guest user, I authenticate correctly, but then the following error occurs:

https://:8443/guestportal/guest/redir.html

Error Resource not found

Resource: /guestportal/

I think there is a problem with the path to redir.html.

Hartmut

If this hasn't been resolved yet, I found this article that pretty much goes step by step for this kind of scenario. I just tried it out and it worked perfectly.

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

Ravi Singh
Level 7

Hello,

As you are not able to get the guest portal, you need to ensure the following:

1) Ensure that the two Cisco av-pairs that are configured on the authorization profile exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)

–url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp

–url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)

2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)

Admission feature : DOT1X
AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp

3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:

remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any

Note: Ensure that the above URL Redirect has the proper Cisco ISE FQDN.

4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:

ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 80.0.80.2
permit ip any any

5) Ensure that the http and https servers are running on the switch:

ip http server
ip http secure-server

6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.

7) Ensure that the client machine browser is not configured to use any proxies.

8) Verify connectivity between the client machine and the Cisco ISE IP address.

9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.

10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.

11) Or you need to re-image again.
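Added example (not part of the thread and not Cisco tooling): a small Python check that automates steps 2 to 5 of the checklist above against saved text from the switch and ISE. The function names are hypothetical, and the sample inputs are constructed from the values quoted in the post, with 80.0.80.2 assumed to be the ISE address.

```python
import re
from urllib.parse import urlsplit, parse_qs

def parse_epm(text):
    """Pull the redirect ACL name and URL out of 'show epm session' output."""
    acl = re.search(r"URL Redirect ACL\s*:\s*(\S+)", text)
    # Assumes the URL is the last field; it may wrap across lines, so rejoin it.
    url = re.search(r"URL Redirect\s*:\s*(.+)", text, re.S)
    return {"acl": acl.group(1) if acl else None,
            "url": "".join(url.group(1).split()) if url else ""}

def acl_entries(cfg, name):
    """Ordered entries of the named extended ACL from stripped config lines."""
    head = f"ip access-list extended {name}"
    body = cfg[cfg.index(head) + 1:] if head in cfg else []
    end = next((i for i, l in enumerate(body)
                if l.split(" ")[0] not in ("permit", "deny", "remark")), len(body))
    return body[:end]

def check(epm_text, dacl, switch_cfg, ise_ip):
    """Findings for checklist steps 2-5; an empty list means all passed."""
    s, out = parse_epm(epm_text), []
    cfg = [l.strip() for l in switch_cfg.splitlines()]
    u = urlsplit(s["url"])
    q = parse_qs(u.query)
    if (u.scheme, u.port, u.path) != ("https", 8443, "/guestportal/gateway"):
        out.append("redirect URL is not https://<ISE>:8443/guestportal/gateway")
    if "sessionId" not in q or q.get("action") != ["cpp"]:
        out.append("redirect URL lacks sessionId or action=cpp")
    if not re.search(rf"^\s*permit tcp any host {re.escape(ise_ip)} eq 8443\b", dacl, re.M):
        out.append("DACL does not permit tcp/8443 to ISE")
    entries = acl_entries(cfg, s["acl"])
    deny, permit = f"deny ip any host {ise_ip}", "permit ip any any"
    if not entries:
        out.append(f"redirect ACL {s['acl']!r} is not defined on the switch")
    elif deny not in entries or permit in entries[:entries.index(deny)]:
        out.append("redirect ACL does not exempt ISE ahead of 'permit ip any any'")
    out += [f"switch is missing '{c}'" for c in ("ip http server", "ip http secure-server")
            if c not in cfg]
    return out

# Sample inputs constructed from the values quoted in the post above.
EPM = """URL Redirect ACL : ACL-WEBAUTH-REDIRECT
URL Redirect :
https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A72
0000A45A2444BFC2&action=cpp"""
DACL = "permit udp any any eq domain\npermit tcp any host 80.0.80.2 eq 8443\ndeny ip any any"
SWITCH = ("ip http server\nip http secure-server\nip access-list extended ACL-WEBAUTH-REDIRECT\n"
          " deny ip any host 80.0.80.2\n permit ip any any")
if __name__ == "__main__": print(check(EPM, DACL, SWITCH, "80.0.80.2"))
```

The most common finding in practice is a name mismatch between the `url-redirect-acl` value pushed by ISE and the ACL actually defined on the switch, which the third check reports by name.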
