Lab Minutes Forum

Technical Discussion => Security => Topic started by: bposner on September 01, 2017, 07:20:17 AM

Title: ISE 2.3 and Cisco Web Auth not working
Post by: bposner on September 01, 2017, 07:20:17 AM
anyone else here got a 2.3 install running? i cannot get my guest setup working. we updated from 2.2 to 2.3 and i had to recreate the whole policy set but got it all working again in the end with the exception of the guest wifi rules. but the thing is even the DEFAULT captive web auth doesn't seem to be working either.

so i set up a lab with a fresh 2.3 install connecting to a lab WLC. i can get a user to connect to the SSID but they NEVER get redirected to the PSN for login to the guest portal. they just get full access and go right out to the web with no login at all. live logs show the user's system connecting and getting thrown into the Wifi_Redirect to Guest Login authZ policy but they never get any prompts! and like i said this is happening on our new 2.3 install and on a FRESH, out of the box 2.3 LAB setup.
Title: Re: ISE 2.3 and Cisco Web Auth not working
Post by: bposner on September 01, 2017, 09:18:46 AM
was asked to check if my ACL name referenced in my AuthZ profile matched the ACL written on the WLC and to be safe i rebuilt them again.

cannot upload screenshots (the tiniest of JPEGs) tho...
Title: Re: ISE 2.3 and Cisco Web Auth not working
Post by: bposner on September 01, 2017, 09:33:23 AM
attempting to upload screenshot of the client's auth details
Title: Re: ISE 2.3 and Cisco Web Auth not working
Post by: bposner on September 01, 2017, 09:34:01 AM
screenshot of the live log from the ISE console
Title: Re: ISE 2.3 and Cisco Web Auth not working
Post by: bposner on September 01, 2017, 09:35:13 AM
screenshot of default policy set i'm using
Title: Re: ISE 2.3 and Cisco Web Auth not working
Post by: bposner on September 01, 2017, 09:35:59 AM
screenshot of the Cisco_WebAuth_TEST AuthZ profile i'm using referencing the ACL on the WLC
Title: Re: ISE 2.3 and Cisco Web Auth not working
Post by: bposner on September 01, 2017, 09:36:30 AM
screenshot of the REDIRECT acl as defined on the WLC
Title: Re: ISE 2.3 and Cisco Web Auth not working
Post by: bposner on September 01, 2017, 01:12:10 PM
i found a few issues with my setup.  :o
 
1) i forgot to enable Radius NAC for the two SSIDs i had been testing with. that was a major breakthrough. With that setting enabled I was finally getting a redirection page opening on my test client.
 
2) because i was using an Anchored WLC setup i also had to have the redirection url applied on the anchor WLC which explains why we weren't seeing any of the hit counters on the main WLC.
 
once i got both of those squared away and set up a guest account to test with it was in business.
Title: Re: ISE 2.3 and Cisco Web Auth not working
Post by: MC on September 14, 2017, 08:34:06 PM
Thanks for sharing your findings. Usually if you see ISE returning redirect URL to WLC but client is not redirected, it's usually WLC config issue. Adding an anchor WLC certainly makes things a little trickier. SSID config on both WLC and anchor should always be identical.