Good morning everyone,
I am having some trouble using my Cisco ISE to do Central Web Authentication. I followed this configuration example: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
But for the moment, clients can't see the web portal. My WLC and my Cisco ISE are well configured as presented in the document. When clients connect to the AP, they are listed in the Cisco ISE with the good authorization profile, but the URL redirection doesn't work as well as I want: clients have to manually enter the IP address in the web browser to log in through the Cisco ISE.
If anyone has already had this problem, maybe you could tell me more about it.
Thanks in advance!
I saw this option in the ISE configuration (Authorization Profile) and I replaced the DNS name with the IP address, so maybe we have to do the same thing in the WLC?
Another piece of information: I use a proxy on my corporate LAN and when I permit the proxy address in my Flex ACL (@Proxy -> ANY, ANY -> @Proxy), my web authentication is bypassed by the proxy, and users have access without logging in on the web portal.
But without this ACL, I saw with Wireshark that a SYN/ACK is sent from the WLC Virtual-Interface (184.108.40.206) to the client, but the client answers with a TCP RST and not with an ACK.
Did you solve the issue? I have the same problem. My clients are not redirected; they have to enter the URL manually. I am using the IP address too instead of the FQDN.
I still have the issue and I really don't understand what is happening.
I have tried to broadcast my management interface, which is not in the same VLAN as my ISE, and in this case I see that my web redirection works fine (my URL changes when I open a web browser), but I can't access my web portal because the two VLANs are not routed between them.
So, I continue my tests, but if you have any idea of what we missed, do not hesitate to share.
Have you set up an ACL to allow DNS pre-authentication? It needs to be able to resolve and request the URL so that the web request can be redirected.
Yes I did it.
I have created the same ACLs as shown here: https://supportforums.cisco.com/sites/default/files/legacy/2/7/8/96872-WLC_ACL.png
With another ACL at the end which denies all traffic.
I resolved my problem 15 minutes ago. For people who have the same problem, I just changed my static route in my WLC. The issue was that I broadcast the same VLAN used for the management interface, and by adding the network allowing admin to reach the service-port, all traffic of my broadcast VLAN was sent to the service-port. A simple netmask modification resolved the problem.
I still have a problem with CoA, which doesn't work properly, and I have to disconnect/reconnect to the SSID to have complete access, but I'm going to continue my research on that.
Thanks all for your help!!!!
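The root cause reported in the resolution above (a service-port static route whose netmask also covered the VLAN being broadcast) can be checked for mechanically. The following is an added example, not part of the original thread or of any Cisco tooling; the function name, interface name, subnets and gateway are all constructed for illustration.

```python
import ipaddress

def overlapping_routes(service_port_routes, interface_subnets):
    """Return (route, interface, subnet) for every service-port static route
    that overlaps a subnet served by an in-band interface.

    service_port_routes: iterable of (network, netmask, gateway) strings
    interface_subnets:   dict of interface name -> CIDR string
    """
    conflicts = []
    for network, netmask, _gateway in service_port_routes:
        # strict=False tolerates host bits set in the configured network
        route = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
        for name, cidr in interface_subnets.items():
            subnet = ipaddress.ip_network(cidr, strict=False)
            # Any overlap means traffic for clients in that subnet can match
            # the static route and leave via the service-port instead.
            if route.overlaps(subnet):
                conflicts.append((str(route), name, str(subnet)))
    return conflicts

# Constructed sample values (assumptions, not taken from the thread):
# the management interface VLAN that is also broadcast to wireless clients.
INTERFACES = {"management": "10.10.20.0/24"}

# Before: the route meant for the admin network uses a /16 mask, which also
# covers the management/client VLAN.
ROUTES_BEFORE = [("10.10.0.0", "255.255.0.0", "192.168.100.1")]

# After: the netmask is narrowed to the admin network only.
ROUTES_AFTER = [("10.10.50.0", "255.255.255.0", "192.168.100.1")]

if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        found = overlapping_routes(routes, INTERFACES)
        print(label, "->", found if found else "no overlap")
```

Feed it the static routes and interface subnets from your own controller configuration; any reported overlap is a route to narrow before troubleshooting redirection or ACLs further.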