Author Topic: ISE 2.3 and Cisco Web Auth not working  (Read 367 times)

Offline bposner

ISE 2.3 and Cisco Web Auth not working
« on: September 01, 2017, 07:20:17 AM »
anyone else here got a 2.3 install running? i cannot get my guest setup working. we updated from 2.2 to 2.3 and i had to recreate the whole policy set but got it all working again in the end with the exception of the guest wifi rules. but the thing is even the DEFAULT captive web auth doesn't seem to be working either.

so i set up a lab with a fresh 2.3 install connecting to a lab WLC. i can get a user to connect to the SSID but they NEVER get redirected to the PSN for login to the guest portal. they just get full access and go right out to the web with no login at all. live logs show the user's system connecting and getting thrown into the Wifi_Redirect to Guest Login authZ policy but they never get any prompts! and like i said this is happening on our new 2.3 install and on a FRESH, out of the box 2.3 LAB setup.

Offline bposner

Re: ISE 2.3 and Cisco Web Auth not working
« Reply #1 on: September 01, 2017, 09:18:46 AM »
was asked to check if my ACL name referenced in my AuthZ profile matched the ACL written on the WLC and to be safe i rebuilt them again.

cannot upload screenshots (the tiniest of JPEGs) tho...

Offline bposner

Re: ISE 2.3 and Cisco Web Auth not working
« Reply #2 on: September 01, 2017, 09:33:23 AM »
attempting to upload screenshot of the client's auth details

Offline bposner

Re: ISE 2.3 and Cisco Web Auth not working
« Reply #3 on: September 01, 2017, 09:34:01 AM »
screenshot of the live log from the ISE console

Offline bposner

Re: ISE 2.3 and Cisco Web Auth not working
« Reply #4 on: September 01, 2017, 09:35:13 AM »
screenshot of default policy set i'm using

Offline bposner

Re: ISE 2.3 and Cisco Web Auth not working
« Reply #5 on: September 01, 2017, 09:35:59 AM »
screenshot of the Cisco_WebAuth_TEST AuthZ profile i'm using referencing the ACL on the WLC

Offline bposner

Re: ISE 2.3 and Cisco Web Auth not working
« Reply #6 on: September 01, 2017, 09:36:30 AM »
screenshot of the REDIRECT acl as defined on the WLC

Offline bposner

Re: ISE 2.3 and Cisco Web Auth not working
« Reply #7 on: September 01, 2017, 01:12:10 PM »
i found a few issues with my setup.  :o
 
1) i forgot to enable Radius NAC for the two SSIDs i had been testing with. that was a major breakthrough. With that setting enabled I was finally getting a redirection page opening on my test client.
 
2) because i was using an Anchored WLC setup i also had to have the redirection url applied on the anchor WLC which explains why we weren't seeing any of the hit counters on the main WLC.
 
once i got both of those squared away and set up a guest account to test with it was in business.

Offline MC

Re: ISE 2.3 and Cisco Web Auth not working
« Reply #8 on: September 14, 2017, 08:34:06 PM »
Thanks for sharing your findings. Usually if you see ISE returning the redirect URL to the WLC but the client is not redirected, it's usually a WLC config issue. Adding an anchor WLC certainly makes things a little trickier. SSID config on both the WLC and the anchor should always be identical.
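
The failure in this thread is fail-open: guests reached the internet without ever seeing the portal. The following pre-deployment check is an added example, not part of the original thread and not Cisco code; it generalizes the three points raised above (ACL name matching the AuthZ profile, RADIUS NAC enabled per SSID, anchor WLC carrying the same config). The inventory structure, hostname, session ID and SSID name are constructed assumptions, filled in by hand from each controller.

```python
import re

# Constructed sample: Cisco AV-pairs as they might appear in an ISE
# Access-Accept for a CWA redirect. Hostname and session ID are placeholders.
SAMPLE_AV_PAIRS = [
    "cisco-av-pair=url-redirect-acl=REDIRECT",
    "cisco-av-pair=url-redirect=https://ise-psn.example.test:8443/portal/gateway"
    "?sessionId=PLACEHOLDER&action=cwa",
]

# Constructed inventory (hypothetical structure), transcribed by hand from
# each controller. Nothing here is parsed from real WLC CLI output.
SAMPLE_WLCS = {
    "foreign": {"acls": {"REDIRECT"}, "wlans": {"Guest": {"radius_nac": True}}},
    "anchor": {"acls": {"Redirect"}, "wlans": {"Guest": {"radius_nac": False}}},
}

def parse_redirect(av_pairs):
    """Extract the redirect ACL name and redirect URL from cisco-av-pair strings."""
    out = {}
    for pair in av_pairs:
        m = re.match(r"cisco-av-pair=(url-redirect(?:-acl)?)=(.+)$", pair.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out.get("url-redirect-acl"), out.get("url-redirect")

def audit(av_pairs, wlcs, ssid):
    """Return findings that would leave a guest unredirected on the given SSID."""
    acl, url = parse_redirect(av_pairs)
    if not acl or not url:
        return ["ISE result lacks url-redirect-acl or url-redirect"]
    findings = []
    for name, wlc in sorted(wlcs.items()):
        wlan = wlc["wlans"].get(ssid)
        if wlan is None:
            findings.append(f"{name}: SSID {ssid!r} not defined")
            continue
        if not wlan["radius_nac"]:
            findings.append(f"{name}: RADIUS NAC disabled on {ssid!r}")
        if acl not in wlc["acls"]:
            # Exact-name match is required here; report a case-only near miss.
            near = [a for a in wlc["acls"] if a.lower() == acl.lower()]
            hint = f" (found {near[0]!r}, differs only in case)" if near else ""
            findings.append(f"{name}: ACL {acl!r} missing{hint}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_AV_PAIRS, SAMPLE_WLCS, "Guest"):
        print("FAIL", finding)
```

An empty result means the redirect ACL named by ISE exists under the same name on every controller in the path and RADIUS NAC is on for the SSID on each of them.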
