There's a mobile version of our website.
I am currently doing a Proof of Concept using Cisco's new ISE product. I am having issues getting the url-redirect raidus attribute working. I have read the troubleshooting document and everything in it points to it should be working. By debuging the radius information on the switch I can see that its passing the url-redirect to the switch which in my case is was https://DEVLABISE01.devlab.local:8443/guestportal/gateway?sessionId=0A00020A0000001604D3F5BE&action=cwa. Now to remove DNS issues etc from the equasion if I copy and paste this URL into the client browser it takes me to the correct place, and I can login and it changes VLAN's accordingly. Now as far as I know the client should automatticaly be redirected to this URL which is not working. Below I have included one of the debugs to show that the epm is in place.
DEVLABSW01#show epm session ip 10.0.1.104
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-PRE-POSTURE-ACL-4de86e6c
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
I have also attached my switch config. Any help would be greatly appreciated.
I looked at the switch config and - at a first glance - it looks ok to me... I hope I didn't miss anything obvious
Apart from manually pointing the browser to the redirect URL, how did you try to trigger the redirection?
Does the redirection work if you point the browser to an IP address rather than a DNS hostname?
I would also suggest to enable the following debugs on the switch when trying this:
debug radius authentication
debug ip http all
debug aaa authentication
I hope this helps.
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
I am really new to ISE and have ran the debug commands you have mentioned and nothing sticks out to me. If i replace the DNS hostname with IP address it works also and I can login and the switch will change vlans. In regards to triggering the redirection what are you referring to and do you neeed to have the ISE client installed on the host for url-redirection to work. Our solution needs to work with as many different clients as possible without having the ISE client installed.
Regarding the CWA configuration there are two tricks you have to take care of them
1- you have to type the below command
Aaa server radius dynami-autho
Client <ISE-ip.add> key cisco123
2- if you have to change the vlan through the web login there are a check box you have to select
Guest Management --->. setting --> guest ---> multi portal configuration ---> default
Select vlan dhcp release
Sent from Cisco Technical Support iPad App
my issue solved check :
To anyone; you may want to take another look at how your setup is layed out and any access-lists on your managment vlan. I found the problem that I was having was an access-list on my managment vlan not allowing comunication to my layer3 routing core.
Login to share your discussion activity with your friends on Facebook. You can control what you share and turn off sharing anytime.
Your Facebook friends can now see that you have started this discussion
Your Facebook friends can now see that you have commented on this discussion
Your Facebook friends can now see that you have read this discussion