I’m using a Catalyst 9300 with an embedded wireless controller (non-SD-Access) and software 17.3.3. Additionally, I have a single ISE server running v3.0.
With MAC filtering disabled on the guest WLAN the wireless clients are able to reach the ISE on tcp/8443 (so I’m guessing my firewall rules are ok), but when I try CWA on the ISE (MAC filtering enabled) the wireless clients cannot reach the guest portal.
The Authorisation Profile looks like this:
Access Type = ACCESS_ACCEPT cisco-av-pair = url-redirect-acl=ACL_WEBAUTH_REDIRECT cisco-av-pair = url-redirect=https://<ISE_PSN_IP>:port/portal/gateway?sessionId=SessionIdValue&portal=c7953325-4b27-487b-8172-9b1a1efe6972&action=cwa
The redirect ACL looks like this:
ip access-list extended ACL_WEBAUTH_REDIRECT deny udp any eq bootpc any eq bootps deny udp any any eq domain deny tcp any host <ISE PSN> eq 8443 permit tcp any any eq www permit tcp any any eq 443
If I try using MAB on the wired network (using the same Authorisation Profile, and consequently the same redirect ACL on the switch) it does work. The redirect ACL works, and I’m able to reach the guest portal. The wired and wireless subnets are different, but they're much the same in terms of topology and firewall policy.
Any help is greatly appreciated!
No comments:
Post a Comment