
New Member

CWA using Cisco ISE issue

Good morning everyone,

 

I am having some trouble using my Cisco ISE to do Central Web Authentication. I followed this configuration example: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html

But for the moment, clients can't see the web portal. My WLC and my Cisco ISE are configured as presented in the document. When clients connect to the AP, they are listed in the Cisco ISE with the correct authorization profile, but the URL redirection doesn't work as well as I want: clients have to manually enter the IP address in the web browser to log in through the Cisco ISE.

If anyone has already had this problem, maybe you could tell me more about it.

Thanks in advance!

10 REPLIES
Silver

Well, this issue is mainly due to DNS, and there is an option in the WLC to do the redirect using IP also.

New Member

I saw this option in the ISE configuration (Authorization Profile) and I replaced the DNS name with the IP address, so maybe we have to do the same thing in the WLC?

New Member

Hi Kevin

Which config parameter in the WLC are you referring to?

Tks

G

Cisco Employee

Guest users can resolve the FQDN, but when they open a browser they are not being redirected.

New Member

One more piece of information: I use a proxy on my corporate LAN, and when I permit the proxy address in my Flex ACL (@Proxy -> ANY, ANY -> @Proxy), my web authentication is bypassed by the proxy, and users have access without logging in on the web portal.

But without this ACL, I saw with Wireshark that a SYN/ACK is sent from the WLC Virtual-Interface (1.1.1.1) to the client, but the client answers with a TCP RST and not with an ACK.

Cisco Employee

Did you solve the issue? I have the same problem. My clients are not redirected; they have to enter the URL manually. I am using the IP address too instead of the FQDN.

New Member

I still have the issue and I really don't understand what is happening.

I have tried to broadcast my management interface, which is not in the same VLAN as my ISE, and in this case I see that my web redirection works fine (my URL changes when I open a web browser), but I can't access my web portal because the two VLANs are not routed between each other.

So I am continuing my tests, but if you have any idea of what we missed, do not hesitate to share.

New Member

Have you set up an ACL to allow DNS pre-authentication? It needs to be able to resolve and request the URL so that the web request can be redirected.

New Member

Yes, I did.

I have created the same ACLs as shown here: https://supportforums.cisco.com/sites/default/files/legacy/2/7/8/96872-WLC_ACL.png

With another ACL at the end which denies all traffic.

New Member

Good news!

I resolved my problem 15 minutes ago. For people who have the same problem: I just changed my static route in my WLC. The issue was that I broadcast the same VLAN used for the management interface, and by adding the network allowing admins to reach the service-port, all traffic of my broadcasted VLAN was sent to the service-port. A simple netmask modification resolved the problem.

I still have a problem with CoA, which doesn't work properly, and I have to disconnect/reconnect to the SSID to get complete access, but I'm going to continue my research on that.

Thanks all for your help!
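The root cause reported in the last post, a WLC static route whose netmask is wide enough to cover the VLAN being broadcast, can be checked for mechanically. The Python sketch below is an added example and not part of the thread; the function name, interface name and every address are constructed for illustration.

```python
import ipaddress

def overlapping_routes(static_routes, inband_subnets):
    """Flag static routes whose destination overlaps an in-band subnet.

    static_routes: (destination, netmask, gateway) tuples as entered on the controller.
    inband_subnets: {interface_name: "network/prefix"} for management and WLAN VLANs.
    """
    findings = []
    for dest, mask, gateway in static_routes:
        # strict=False normalises the destination to the network the mask really covers
        route_net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        for name, subnet in inband_subnets.items():
            if route_net.overlaps(ipaddress.ip_network(subnet)):
                findings.append((str(route_net), gateway, name))
    return findings

# Constructed sample data (assumption: management VLAN is also the broadcast WLAN VLAN,
# as in the thread; the admin network 10.10.50.0/24 sits behind the service-port gateway).
INBAND = {"management": "10.10.20.0/24"}
SERVICE_PORT_GW = "192.168.100.1"

# Route intended for the admin network, entered with a /16 mask by mistake.
BAD_ROUTES = [("10.10.50.0", "255.255.0.0", SERVICE_PORT_GW)]
# Same route after the netmask correction.
FIXED_ROUTES = [("10.10.50.0", "255.255.255.0", SERVICE_PORT_GW)]

if __name__ == "__main__":
    for label, routes in (("before", BAD_ROUTES), ("after", FIXED_ROUTES)):
        hits = overlapping_routes(routes, INBAND)
        if not hits:
            print(f"{label}: no static route overlaps an in-band subnet")
        for net, gw, iface in hits:
            print(f"{label}: route {net} via {gw} also covers '{iface}' traffic")
```
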

 
