I am currently doing a Proof of Concept using Cisco's new ISE product. I am having issues getting the url-redirect RADIUS attribute working. I have read the troubleshooting document and everything in it points to it should be working. By debugging the RADIUS information on the switch I can see that it's passing the url-redirect to the switch, which in my case was https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa. Now, to remove DNS issues etc. from the equation, if I copy and paste this URL into the client browser it takes me to the correct place, and I can log in and it changes VLANs accordingly. Now, as far as I know, the client should automatically be redirected to this URL, which is not working. Below I have included one of the debugs to show that the EPM is in place.
DEVLABSW01#show epm session ip 10.0.1.104
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
I have also attached my switch config. Any help would be greatly appreciated.
I looked at the switch config and, at a first glance, it looks OK to me... I hope I didn't miss anything obvious.
Apart from manually pointing the browser to the redirect URL, how did you try to trigger the redirection?
Does the redirection work if you point the browser to an IP address rather than a DNS hostname?
I would also suggest enabling the following debugs on the switch when trying this:
debug radius authentication
debug ip http all
debug aaa authentication
I hope this helps.
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
I am really new to ISE and have run the debug commands you mentioned, and nothing sticks out to me. If I replace the DNS hostname with the IP address it works also, and I can log in and the switch will change VLANs. In regards to triggering the redirection, what are you referring to, and do you need to have the ISE client installed on the host for url-redirection to work? Our solution needs to work with as many different clients as possible without having the ISE client installed.
Regarding the CWA configuration, there are two tricks you have to take care of:
1. You have to type the command below:
aaa server radius dynamic-author
2. If you have to change the VLAN through the web login, there is a check box you have to select:
Guest Management --> Settings --> Guest --> Multi-Portal Configuration --> Default
Select VLAN DHCP Release.
So I'm also doing ISE for the first time, and I knew it may have been a bit tough; however, I didn't foresee my following issue.
Everything is working as expected other than, every now and then (intermittently), the ISE Central Portal does not display on any device (Android, Windows, etc.). I checked and checked the configs, had probably about 10 TAC cases open. This weekend I ripped out the main components, set up in the office and tried to replicate the issue. I could. What I noticed is that without Internet the ISE Portal didn't actually display. It sounds weird, but that's what I'm seeing. As soon as I plug an Internet link into the equation, the portal page comes up. I'm able to replicate it every time. Currently, I placed it back into the customer network and I'm now looking down at the routing/firewall.
My issue is that I can't really explain why the Internet affects the Central Auth Page. In any event, I'm working backwards: tomorrow I'm bringing in a second link and doing NAT on a Cisco router to bypass the Checkpoint firewall. I'll know if it's Checkpoint or if I'm barking up the wrong tree.
If anyone can explain why, it would help out a great deal.
My setup, BTW, is:
1. WLC 5760 - not latest code but latest stable (recommended by the TAC engineer)
2. ISE 1.2 - doing a simple wireless-only implementation
3. 3650 - just acting like a switch, no ACLs etc., just a switch
4. Integrated into AD
I'll post back with any findings if I make any headway. BTW, I didn't like this at all, as other solutions are so much simpler, BUT I can now see how powerful this could potentially be for the right type of customer.
Thanks again; hoping I can get some feedback.
I also would like to know when an answer has been established for this situation; I'm pretty much in the same scenario as above.
My issue solved, check:
To anyone: you may want to take another look at how your setup is laid out and any access-lists on your management VLAN. I found the problem that I was having was an access-list on my management VLAN not allowing communication to my layer 3 routing core.
I had initially configured the ACL to deny DNS traffic as per Cisco documentation (due to a bug); however, on the 3560c I was working on, I needed to remove the DNS rule for the redirect to work. This was because the host could not resolve any DNS entries (e.g. google.com) for it to be redirected.
ip access-list extended ACL-WEBAUTH-REDIRECT
remark deny DNS traffic from being redirected
remark redirect all applicable traffic to the ISE
permit tcp any any eq www
permit tcp any any eq 443
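The posts above describe the two things a client needs before central web authentication can redirect it: the browser has to resolve a name and send an HTTP request, and that request has to hit a "permit" line in the URL-redirect ACL (on IOS, "permit" in the redirect ACL means "intercept and send to the url-redirect", "deny" means "leave the flow alone"). The following is an added example written for this thread, not Cisco code or any poster's configuration: a small Python model of how a downloadable ACL and a redirect ACL are applied to a client's flows. The ACL contents and the flows are constructed; only the redirect URL is taken from the first post.

```python
"""Model of dACL + URL-redirect ACL evaluation during CWA on a Cisco IOS port.

Added example for this thread; not Cisco code and not a poster's configuration.
Modelled IOS behaviour: a flow is first checked against the downloadable ACL
(permit = forwarded, deny = dropped). A forwarded TCP flow is then checked
against the URL-redirect ACL, where 'permit' means 'intercept and redirect to
the RADIUS url-redirect attribute' and 'deny' means 'pass through untouched'.
All ACLs and flows below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Redirect URL as quoted in the first post (session id is the poster's sample).
REDIRECT_URL = ("https://DEVLABISE01.devlab.local:8443/guestportal/gateway"
                "?sessionId=0A00020A0000001604D3F5BE&action=cwa")


@dataclass(frozen=True)
class Ace:
    """One access-list entry, simplified to protocol + destination port."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    dport: Optional[int]   # None matches any port


@dataclass(frozen=True)
class Flow:
    proto: str
    dport: int


def match(acl: List[Ace], flow: Flow) -> str:
    """Return the action of the first matching ACE, or the implicit deny."""
    for ace in acl:
        proto_ok = ace.proto == "ip" or ace.proto == flow.proto
        port_ok = ace.dport is None or ace.dport == flow.dport
        if proto_ok and port_ok:
            return ace.action
    return "deny"


def classify(flow: Flow, dacl: List[Ace], redirect_acl: List[Ace],
             redirect_url: str = REDIRECT_URL) -> str:
    """Decide what the switch does with one flow from the client."""
    if match(dacl, flow) == "deny":
        return "dropped"
    if flow.proto == "tcp" and match(redirect_acl, flow) == "permit":
        return "redirected to " + redirect_url
    return "forwarded"


# Redirect ACL matching the one posted in the thread (DNS excluded from
# redirection, web traffic intercepted).
REDIRECT_ACL = [Ace("deny", "udp", 53), Ace("permit", "tcp", 80),
                Ace("permit", "tcp", 443)]

# Two constructed pre-posture dACLs: one that forgets DNS, one that allows it.
DACL_BLOCKS_DNS = [Ace("permit", "tcp", 80), Ace("permit", "tcp", 443)]
DACL_ALLOWS_DNS = [Ace("permit", "udp", 53), Ace("permit", "tcp", 80),
                   Ace("permit", "tcp", 443)]


def simulate_browse(dacl: List[Ace], redirect_acl: List[Ace]) -> List[str]:
    """A browser opening http://example.test: DNS lookup first, then HTTP GET.

    If the DNS query never comes back, the browser has no address to connect
    to and the HTTP request (the thing the redirect ACL acts on) is never sent.
    """
    steps = []
    dns = classify(Flow("udp", 53), dacl, redirect_acl)
    steps.append("DNS: " + dns)
    if dns == "dropped":
        steps.append("HTTP: not sent (name resolution failed)")
        return steps
    steps.append("HTTP: " + classify(Flow("tcp", 80), dacl, redirect_acl))
    return steps


if __name__ == "__main__":
    for name, dacl in (("dACL blocking DNS", DACL_BLOCKS_DNS),
                       ("dACL allowing DNS", DACL_ALLOWS_DNS)):
        print(name)
        for step in simulate_browse(dacl, REDIRECT_ACL):
            print("  " + step)
```

Run stand-alone, the script shows the symptom from the last post: with DNS blocked anywhere on the path the browser never issues the HTTP request, so the redirect ACL has nothing to intercept even though the url-redirect attribute arrived correctly; once DNS is allowed, the same HTTP flow is redirected to the portal URL.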