11-19-2023 07:12 PM
I'm hoping there is someone that might be able to help me with my issue.
I followed the guide down below to create an SSID that would do CWA for a client with ISE 3.2. My WLC is 17.9.4a.
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html
I ran a Wireshark capture, and see the attempt to go to www.msftconnecttest.com. I also see the DNS query for the ISE appliance hostname. It gets a response but never actually redirects and just takes me to the MSN page. I have the Wireshark capture below. The client is in a Web Auth Pending state. The client shows action needed, no internet. What am I missing that is not allowing the client to redirect correctly? Let me know if additional details are needed.
11-19-2023 07:41 PM
To start with, does ISE return the redirect URL as the authorization result? Share the ISE logs, and make sure there is no typo in the redirect ACL.
11-19-2023 07:57 PM
Is this what you are looking for? If not could you point me in the right direction?
11-19-2023 08:15 PM
This is good. Also, on the ACL, are you seeing hits on the REDIRECT ACL? Ideally you also want to send another guest DACL as part of authorization at this stage, which allows access to ISE, DNS, DHCP and blocks all other access for security purposes.
11-19-2023 08:19 PM - edited 11-19-2023 08:28 PM
These are the hits that I am seeing on the ACL. I am planning on doing that as the customer only wants them to have access to the Internet. I am sadly hung up on trying to just get this redirect to work. Also not sure if this helps, but I can manually go to the page via the URL. It just doesn't happen automatically.
11-19-2023 08:31 PM - edited 11-19-2023 08:41 PM
Seems good so far, assuming there are no additional ACLs or firewall, HTTP service is enabled, and AAA override and NAC state are enabled. If you paste the URL from ISE into the client's browser, is it reaching the redirect page?
11-19-2023 08:46 PM - edited 11-19-2023 08:48 PM
Yes, it does reach the page when I copy the URL to the client. I do have ip http server, and webauth-http-enable is not in the config like the guide said. Is there anything that might be causing this? Or anything that might help shed light on this?
11-19-2023 09:05 PM - edited 11-19-2023 09:17 PM
The problem so far seems to be on the WLC. In packet 39, do you see the ISE URL sent to the client in the capture? On packet 43, is that a query to the ISE FQDN? What's the version/patch on the WLC and ISE? Also, will you be comfortable sharing an embedded packet capture from the WLC and a TCP dump from ISE while testing?
11-19-2023 09:18 PM - edited 11-19-2023 09:23 PM
It is ISE 3.2 with patch 3, and WLC is 17.9.4a.
This is what I see in 39. It is the fully qualified name.
On 43 it is doing a DNS query for the FQDN of the ISE appliance.
Sorry, I was using a different Wireshark capture, same results though.
11-19-2023 09:32 PM
Looks good. I am sure you have tried on multiple devices. I don't see any known bugs related to this issue on this version. You can also review this guide, maybe you'll spot something you haven't checked yet, else I recommend opening a case.
11-19-2023 09:39 PM
I'll review it, and see if I missed something. Otherwise I will open a TAC case. I appreciate all your help.
11-20-2023 07:06 AM
Sure, the only odd thing so far is your redirect ACL has no hits on the ISE ACE.
11-20-2023 07:55 AM
Yeah, I was noticing that as well. It does the DNS lookup for the FQDN but never tries to connect to it. I'm assuming that's why there aren't any hits. Not sure if you can see that in my packet capture.
11-20-2023 10:39 AM - edited 11-20-2023 10:50 AM
Sorry, share all config CLI.
11-21-2023 05:17 PM
Let me try to get that for ya. Is it possible that using a test machine with an ethernet connection screws up my results? I am not physically in the office, and work remotely. Would it be better to use a client that is strictly on the wireless?