10-07-2014 02:53 AM - edited 07-05-2021 01:40 AM
Hi, Experts,
I currently have a customer problem. We use a 5508 WLC as mobility controller and 3850 as Mobility Agents. For AAA we use ISE with profiling and guest portal.
In 3850 Release V3.6 everything is o.k.
In 3850 Release V3.3.4 the user gets no redirect Guest Page from ISE. We must use this software because it solves other problems and can be managed from Prime.
Does anyone have an idea?
Thanks!
Redirect ACL from ISE :
Deny DHCP, DNS, 192.168.105.10
Allow http,https
URL : (https://192.168.105.10/........
Config from 3850 Switch:
aaa group server radius ISE
 server name xxx-ise-01
 server name xxx-ise-02
 ip radius source-interface Vlan32
ip access-list extended ACL_PREAUTH
 remark Allow DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow DNS
 permit udp any any eq domain
 permit icmp any any
 remark Allow ISE Portal
 permit tcp any host 192.168.105.10 eq 8443
 permit tcp any host 192.168.105.10 eq www
 permit tcp any host 192.168.105.10 eq 8905
 permit tcp any host 192.168.105.10 eq 8909
 permit udp any host 192.168.105.10 eq 8905
 permit udp any host 192.168.105.10 eq 8909
 permit tcp any host 192.168.105.11 eq 8443
 permit tcp any host 192.168.105.11 eq www
 permit tcp any host 192.168.105.11 eq 8905
 permit tcp any host 192.168.105.11 eq 8909
 permit udp any host 192.168.105.11 eq 8905
 permit udp any host 192.168.105.11 eq 8909
 remark Cleanup
 deny ip any any
 permit tcp any host 192.168.105.10 eq 443
 permit tcp any host 192.168.105.11 eq 443
ip access-list extended ACL_REDIRECT
 remark Pass through all non-web traffic including 443 to radius server
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny ip any host 192.168.105.10
 deny ip any host 192.168.105.11
 remark Redirect all other web traffic
 permit ip any any
ip access-list extended REDIRECT
 deny icmp any any
 deny udp any any eq bootps
 deny udp any any eq bootpc
 deny udp any any eq domain
 deny ip any host 192.168.105.10
 permit tcp any any eq www
 permit tcp any any eq 443
wireless mobility controller ip 192.168.127.8 public-ip 192.168.127.8
wireless management interface Vlan127
wireless rf-network xxxxx
wlan xxxxx-Internet 1 xxxxx-Internet
 aaa-override
 accounting-list ISE
 client vlan 1114
 ip flow monitor xxxxx-flowmon-avc input
 ip flow monitor xxxxx-flowmon-avc output
 mac-filtering default
 nac
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown
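As an added illustration (not part of the original post), the following Python walks sample flows through the ACL_REDIRECT and REDIRECT ACLs above with first-match semantics: on a CWA redirect ACL a permit hit means the flow is intercepted and sent to the portal URL, a deny hit (or the implicit deny at the end) means it passes through. The sample flows and the 203.0.113.x / 198.51.100.x addresses are constructed; it also shows that `permit ip any any` in ACL_REDIRECT redirects every protocol and port, not only web traffic.

```python
import ipaddress

# Constructed sample input: the two redirect ACLs from the post above, in IOS extended ACL syntax.
ACL_REDIRECT = """deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny ip any host 192.168.105.10
deny ip any host 192.168.105.11
permit ip any any""".splitlines()

REDIRECT = """deny icmp any any
deny udp any any eq bootps
deny udp any any eq bootpc
deny udp any any eq domain
deny ip any host 192.168.105.10
permit tcp any any eq www
permit tcp any any eq 443""".splitlines()

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_endpoint(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' plus an optional 'eq PORT'."""
    if tok[i] == "any":
        addr, wild, i = 0, 0xFFFFFFFF, i + 1
    elif tok[i] == "host":
        addr, wild, i = _ip(tok[i + 1]), 0, i + 2
    else:  # IOS wildcard mask: 1 bits are "don't care"
        addr, wild, i = _ip(tok[i]), _ip(tok[i + 1]), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return (addr, wild, port), i


def _endpoint_matches(spec, ip, port):
    addr, wild, want_port = spec
    return ((_ip(ip) ^ addr) & ~wild & 0xFFFFFFFF) == 0 and (want_port is None or want_port == port)


def redirect_decision(acl, proto, src, sport, dst, dport):
    """First-match ACL walk: 'permit' = intercept and redirect to the portal, 'deny' = pass through."""
    for line in acl:
        tok = line.split()
        if tok[0] == "remark":
            continue
        action, aproto = tok[0], tok[1]
        s, i = _parse_endpoint(tok, 2)
        d, _ = _parse_endpoint(tok, i)
        if aproto in ("ip", proto) and _endpoint_matches(s, src, sport) and _endpoint_matches(d, dst, dport):
            return "redirect" if action == "permit" else "passthrough"
    return "passthrough"  # implicit deny at the end of every IOS ACL
```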
10-07-2014 04:26 AM
Hi,
Is it Central web-authentication/BYOD, or is WLAN traffic anchored to some other controller?
In any case I can only bring out one difference. In the 3.6 version, stuff like redirection etc. on IOS-XE acts similar to what we have been doing in CUWN, i.e. the 5508 controller. Before that, it is different.
Coming to 3.3.4, this will require dedicated Tshoot etc., so better to get it handled via a TAC case in my opinion.
But as a first step check the o/p of "#sh wireless client mac-address" after the client gets an IP address to see if the redirect URL and ACL are returned by the ISE or not.
Regards
Dhiresh
**** Pls rate all useful responses ****
10-07-2014 04:49 AM
Hi Dhiresh,
Thank you for your answer.
I have no Anchor configuration.
Direct WEB auth from ISE.
What do you mean by "what we have been doing IN CUWN"?
Is there any difference between 3.6 and 3.3.4?
At "sh wireless client mac-address" I see the correct redirect URL and ACL. And I wonder why the page is not displayed.
Regards
Juergen
10-07-2014 05:12 AM
Hi,
I mean that the way redirection is done (interaction with the browser) has been improved in 3.6, but as I said, for 3.3.4 you will need to Tshoot properly. Since you are getting the Redirect URL and ACL and still don't get it, you will have to run debugs on the box to see what is happening.
Alternatively, you can also capture the packets on the client, for example using Wireshark on the Windows wireless NIC card, to see if it is getting that URL etc.
If you are not getting anything towards the client based on the capture, then I think you should open a TAC case to get this investigated.
Regards
Dhiresh
10-16-2014 08:20 AM
Hi Dhiresh,
Thanks for your hints.
We figured out that the problem was that the 3850 switch where the Guest User is assigned had no VLAN interface in the same VLAN as the guest client. Once we configured the VLAN interface, it worked.
Again thanks a lot.
Best Regards
Michael