3850 with ISE Guestportal no redirect in V 3.3.4

j.greza
Level 1

Hi Experts,

I currently have a customer problem. We use a 5508 WLC as mobility controller and 3850s as mobility agents. For AAA we use ISE with profiling and guest portal.

In 3850 Release V3.6 everything is o.k.

In 3850 Release V3.3.4 the user gets no redirect to the Guest Page from ISE. We must use this software because it solves other problems and can be managed from Prime.

Does anyone have an idea?

Thanks!

Redirect ACL from ISE:

Deny DHCP, DNS, 192.168.105.10
Allow http, https
URL: https://192.168.105.10/........

Config from 3850 Switch:

aaa group server radius ISE
 server name xxx-ise-01
 server name xxx-ise-02
 ip radius source-interface Vlan32
!
ip access-list extended ACL_PREAUTH
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 permit icmp any any
 remark Allow ISE Portal
 permit tcp any host 192.168.105.10 eq 8443
 permit tcp any host 192.168.105.10 eq www
 permit tcp any host 192.168.105.10 eq 8905
 permit tcp any host 192.168.105.10 eq 8909
 permit udp any host 192.168.105.10 eq 8905
 permit udp any host 192.168.105.10 eq 8909
 permit tcp any host 192.168.105.11 eq 8443
 permit tcp any host 192.168.105.11 eq www
 permit tcp any host 192.168.105.11 eq 8905
 permit tcp any host 192.168.105.11 eq 8909
 permit udp any host 192.168.105.11 eq 8905
 permit udp any host 192.168.105.11 eq 8909
 ! 443 to the PSNs must come before the cleanup deny (in the original post
 ! these two lines followed "deny ip any any", where they could never match)
 permit tcp any host 192.168.105.10 eq 443
 permit tcp any host 192.168.105.11 eq 443
 remark Cleanup
 deny ip any any
!
ip access-list extended ACL_REDIRECT
 remark Pass through all non-web traffic including 443 to radius server
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny ip any host 192.168.105.10
 deny ip any host 192.168.105.11
 remark Redirect all other web traffic
 permit ip any any
!
ip access-list extended REDIRECT
 deny icmp any any
 deny udp any any eq bootps
 deny udp any any eq bootpc
 deny udp any any eq domain
 deny ip any host 192.168.105.10
 permit tcp any any eq www
 permit tcp any any eq 443
!
wireless mobility controller ip 192.168.127.8 public-ip 192.168.127.8
wireless management interface Vlan127
wireless rf-network xxxxx
!
wlan xxxxx-Internet 1 xxxxx-Internet
 aaa-override
 accounting-list ISE
 client vlan 1114
 ip flow monitor xxxxx-flowmon-avc input
 ip flow monitor xxxxx-flowmon-avc output
 mac-filtering default
 nac
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown
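The piece this configuration turns out to be missing (see the last reply in the thread), shown here as an added example and not as the poster's own config: an SVI on the 3850 in the WLAN's client VLAN 1114, the HTTP server the switch answers intercepted requests from, and the show commands to confirm what ISE pushed. The address 10.11.14.1/24 and the client MAC aaaa.bbbb.cccc are placeholders.

```ios
! Added example, not from the post. The 3850 intercepts the guest's HTTP
! request and answers it with the redirect itself, so it needs an address
! in the client's VLAN (the VLAN from "client vlan 1114" under the WLAN).
interface Vlan1114
 description Guest clients of WLAN xxxxx-Internet (address is a placeholder)
 ip address 10.11.14.1 255.255.255.0
 no shutdown
!
! The redirect is served by the switch's own HTTP/HTTPS server process.
ip http server
ip http secure-server
!
! Verification once the client has an IP address (placeholder MAC):
! confirm the redirect URL and ACL name ISE returned, and that the
! named ACL actually exists on this switch.
! show wireless client mac-address aaaa.bbbb.cccc detail
! show ip access-lists REDIRECT
```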

4 Replies

Dhiresh Yadav
Cisco Employee

Hi,

Is it central web authentication/BYOD, or WLAN traffic anchored to some other controller?

In any case I can only bring out one difference: in the 3.6 version, things like redirection on IOS-XE act similar to what we have been doing in CUWN, i.e. the 5508 controller. Before that, it is different.

Coming to 3.3.4, this will require dedicated troubleshooting, so it is better to get it handled via a TAC case in my opinion.

But as a first step check the output of "show wireless client mac-address" after the client gets an IP address to see if the redirect URL and ACL are returned by ISE or not.

Regards

Dhiresh

j.greza
Level 1

Hi Dhiresh,

Thank you for your answer.

I have no anchor configuration.

Direct web auth from ISE.

What do you mean by "what we have been doing in CUWN"?

Is there any difference between 3.6 and 3.3.4?

In "sh wireless client mac-address" I see the correct redirect URL and ACL. And I wonder why the page is not displayed.

Regards

Juergen

Hi,

I mean that the way redirection is done (interaction with the browser) has been improved in 3.6, but as I said, for 3.3.4 you will need to troubleshoot properly. Since you are getting the redirect URL and ACL and still don't get it, you will have to run debugs on the box to see what is happening.

Alternatively, you can also capture the packets on the client, for example using Wireshark on a Windows wireless NIC, to see if it is getting that URL etc.

If you are not getting anything towards the client based on the capture, then I think you should open a TAC case to get this investigated.

Regards

Dhiresh

Hi Dhiresh,

thanks for your hints.

We figured out that the problem was that the 3850 switch where the guest user is assigned had no VLAN interface in the same VLAN as the guest client. As soon as we configured the VLAN interface it worked.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117278-troubleshoot-ise-00.html#anc8

Again, thanks a lot.

Best Regards

Michael
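Two things in this thread are worth being able to check mechanically: whether the REDIRECT ACL from the original post classifies guest traffic the way CWA needs (deny entries pass through, permit entries get intercepted and sent to the portal URL), and whether the WLAN's client VLAN has an SVI, the condition Michael's final reply identified. The script below is an added example, not code from the thread or from Cisco. It parses a constructed config excerpt built from the posted REDIRECT ACL and WLAN lines; the SVI address 10.11.14.1/24, the client address 10.11.14.50 and the Internet host 203.0.113.10 are assumptions.

```python
"""Check a Catalyst 3850 CWA redirect ACL against sample guest flows and verify
the prerequisite the thread ended on: an SVI in the WLAN's client VLAN.

Added example, not code from the thread. The REDIRECT ACL and WLAN lines are
taken from the original post; the SVI address 10.11.14.1/24, the client
10.11.14.50 and the Internet host 203.0.113.10 are constructed assumptions.
"""
import ipaddress
import re

# Constructed excerpt of the posted config: the REDIRECT ACL and the guest WLAN.
CONFIG_NO_SVI = """\
ip access-list extended REDIRECT
 deny icmp any any
 deny udp any any eq bootps
 deny udp any any eq bootpc
 deny udp any any eq domain
 deny ip any host 192.168.105.10
 permit tcp any any eq www
 permit tcp any any eq 443
wlan xxxxx-Internet 1 xxxxx-Internet
 client vlan 1114
 nac
"""
# The same config plus the SVI the final reply added (address is assumed).
CONFIG_WITH_SVI = CONFIG_NO_SVI + "interface Vlan1114\n ip address 10.11.14.1 255.255.255.0\n"

PORT_NAMES = {"www": 80, "bootps": 67, "bootpc": 68, "domain": 53}
ACE_RE = re.compile(r"(permit|deny) (\S+) (any|host \S+)(?: eq (\S+))? (any|host \S+)(?: eq (\S+))?$")


def parse_ace(line):
    """Parse one 'permit|deny proto src [eq p] dst [eq p]' entry (any/host forms only)."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError("unsupported ACE: " + line)
    action, proto, src, sport, dst, dport = m.groups()
    addr = lambda a: None if a == "any" else ipaddress.ip_address(a.split()[1])
    port = lambda p: None if p is None else PORT_NAMES.get(p) or int(p)
    return {"action": action, "proto": proto, "src": addr(src), "sport": port(sport),
            "dst": addr(dst), "dport": port(dport)}


def parse_config(text):
    """Return (ACEs per ACL name, client VLAN per WLAN, set of SVI VLAN ids)."""
    acls, wlans, svis, section = {}, {}, set(), None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)$", line):
            section, acls[m[1]] = ("acl", m[1]), []
        elif m := re.match(r"wlan (\S+) \d+ \S+$", line):
            section, wlans[m[1]] = ("wlan", m[1]), None
        elif m := re.match(r"interface Vlan(\d+)$", line, re.IGNORECASE):
            section = ("svi", int(m[1]))
            svis.add(int(m[1]))
        elif section and section[0] == "acl" and line.split(" ", 1)[0] in ("permit", "deny"):
            acls[section[1]].append(parse_ace(line))
        elif section and section[0] == "wlan" and (m := re.match(r"client vlan (\d+)$", line)):
            wlans[section[1]] = int(m[1])
    return acls, wlans, svis


def ace_matches(ace, flow):
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    return all(ace[k] is None or ace[k] == flow[k] for k in ("src", "dst", "sport", "dport"))


def redirect_decision(aces, flow):
    """IOS-XE CWA semantics: a matching permit means intercept and redirect to the
    portal URL; a matching deny, or no match (implicit deny), means pass through."""
    for ace in aces:
        if ace_matches(ace, flow):
            return ace["action"] == "permit"
    return False


def flow(proto, src, dst, sport, dport):
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "sport": sport, "dport": dport}


CLIENT, ISE_PSN, INTERNET = "10.11.14.50", "192.168.105.10", "203.0.113.10"
SAMPLE_FLOWS = {  # constructed: what a guest client sends before logging in
    "dhcp": flow("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dns": flow("udp", CLIENT, "10.11.14.1", 53000, 53),
    "portal": flow("tcp", CLIENT, ISE_PSN, 51000, 8443),
    "web80": flow("tcp", CLIENT, INTERNET, 51001, 80),
    "web443": flow("tcp", CLIENT, INTERNET, 51002, 443),
    "ssh": flow("tcp", CLIENT, INTERNET, 51003, 22),
}


def classify(config_text, acl_name="REDIRECT"):
    """Map each sample flow to True (redirected to the portal) or False (passed through)."""
    acls = parse_config(config_text)[0]
    return {name: redirect_decision(acls[acl_name], f) for name, f in SAMPLE_FLOWS.items()}


def svi_report(config_text):
    """Per WLAN: (client VLAN, SVI present). False is the state the thread found:
    without an address in the client VLAN the 3850 cannot answer the intercepted
    HTTP request with the redirect, even though ISE returned URL and ACL."""
    _, wlans, svis = parse_config(config_text)
    return {name: (vlan, vlan in svis) for name, vlan in wlans.items()}
```

Running `classify(CONFIG_NO_SVI)` shows the ACL doing what the ISE-side description says: DHCP, DNS and traffic to the PSN pass through, port 80 and 443 to anything else are redirected, and everything else (SSH here) falls to the implicit deny and passes through unredirected, which is the expected pre-login behaviour. `svi_report` flips from False to True only once `interface Vlan1114` exists, matching the fix in the last reply.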
