ExtremeWireless (WiNG)


How to config Wing to use Cisco ISE guestportal, redirect-URL in wing doesn't work

  • 1.  How to config Wing to use Cisco ISE guestportal, redirect-URL in wing doesn't work

    Posted 03-23-2018 07:48
    I have set up an SSID which uses the ISE as the RADIUS server, proxied through the wireless controller. My goal is to use the hotspot and GuestPortal in the ISE.
    Everything is fine in the ISE. The ISE returns the RADIUS response with a valid redirect-URL.
    Access-Accept
    The response comes on the standard RADIUS port 1812.
    But I had expected to see some traffic on CoA port 3799!!
    I have been struggling a lot, many hours seeking info about how to integrate ISE and WiNG.
    I have read all available documents and videos and tried every suggestion. No success.

    My main problem is: why is the client not redirected to the supplied URL?

    It works fine with Aruba's CPPM, hotspot and sponsored guest.
    Isn't it possible to use Cisco ISE with WiNG? Has anyone succeeded in the task??

    I am running WiNG v5.8.6 with AP7532 and NX7510, and ISE v2.3.

    Screenshot of RADIUS response from ISE

  • 2.  RE: How to config Wing to use Cisco ISE guestportal, redirect-URL in wing doesn't work

    Posted 03-23-2018 07:51
    Please, can you post the WiNG configuration?


  • 3.  RE: How to config Wing to use Cisco ISE guestportal, redirect-URL in wing doesn't work

    Posted 03-26-2018 04:53
    Your configuration may help. Did you configure the DNS whitelist to give the user access to your captive portal site?


  • 4.  RE: How to config Wing to use Cisco ISE guestportal, redirect-URL in wing doesn't work

    Posted 03-27-2018 09:50
    More info about the problem configuration...

    I don't get the captive portal web pages presented on the client.
    The captive portal status for authentication shows "redirected" in the WiNG GUI console.
    No redirection is done to the URL in the RADIUS response.

    The DNS whitelist has all the IPs included.

    I have tried to extract the important parts from the config.
    See attached text.

    My ISE has IP 10.241.1.61 and the controller has 10.2.50.71.

    If there is anyone who has succeeded with the ISE integration, please send me or publish a copy of the config regarding the WLAN, captive portal and AAA policy, because I am not fully sure how it should be configured to work.

    -----------------------------------------------------
    Extracted configuration....

    aaa-policy ISE_TEST
    authentication server 1 host 10.241.1.61 secret 0 ??
    authentication server 1 proxy-mode through-controller
    accounting server 1 host 10.241.1.61 secret 0 ???
    accounting server 1 proxy-mode through-controller
    mac-address-format pair-hyphen case lower attributes all
    accounting type start-interim-stop
    attribute cisco-vsa audit-session-id
    attribute chargeable-user-identity
    attribute location-information include-always
    attribute framed-ip-address
    !
    dns-whitelist ISE
    permit 10.2.50.71
    permit 10.241.1.61
    permit accessise.karlskoga.se
    permit play.google.com
    permit 10.2.1.6
    permit 10.2.1.5
    permit 10.129.6.4
    permit 10.163.0.5
    permit 10.129.6.1
    !
    captive-portal ISE_TEST
    access-time 15
    connection-mode https
    server host accessise.karlskoga.se
    server mode centralized
    webpage-location external
    webpage external login https://accessise.karlskoga.se:port/portal/gateway?sessionId=SessionIdValue&portal=f0ae43f0-7159-11e7-a355-005056aba474&daysToExpiry=value&action=cwa
    webpage external welcome http://www.karlskoga.se
    webpage external fail https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
    webpage external agreement https://accessise.karlskoga.se:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056a...
    webpage external acknowledgement https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
    webpage external registration https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
    webpage external no-service https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
    accounting radius
    use aaa-policy ISE_TEST
    use dns-whitelist ISE
    webpage internal registration field city type text enable label "City" placeholder "Enter City"
    webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
    webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
    webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
    webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
    webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
    webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
    webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
    webpage internal registration field via-email type checkbox enable title "Email Preferred"
    !
    wlan ISE-resticted
    description Test Cisco ISE
    ssid ISE1
    vlan 1
    bridging-mode local
    encryption-type none
    authentication-type mac
    radius nas-identifier ISERestricted
    no fast-bss-transition over-ds
    wpa-wpa2 psk 0 ????
    wpa-wpa2 exclude-wpa2-tkip
    wpa-wpa2 use-sha256-akm
    radius vlan-assignment
    radius dynamic-authorization
    accounting radius
    wing-extensions ap-attributes-information
    wing-extensions ap-attributes-information include-hostname
    wing-extensions coverage-hole-detection 11k-clients
    use aaa-policy ISE_TEST
    use captive-portal ISE_TEST
    captive-portal-enforcement
    !
    profile nx75xx ProfileNOC_NX7510-1
    mint link force ip 10.2.200.1 level 2 cost 50
    mint link ip 10.2.50.71 level 2
    mint link ip 10.2.50.72 level 2
    mint tunnel-across-extended-vlan
    no legacy-auto-update ap650
    ip name-server 10.2.1.5
    ip name-server 10.2.1.6
    ip domain-name karlskoga.se
    ip default-gateway 10.2.3.1
    ip route 10.128.0.0/10 10.163.0.1
    ip route 10.220.56.0/24 10.163.0.1
    no autoinstall configuration
    no autoinstall firmware
    device-upgrade auto ap7532
    crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
    crypto ikev1 remote-vpn
    crypto ikev2 remote-vpn
    crypto auto-ipsec-secure
    groupid KgaSec psk 0 Gregak88
    crypto load-management
    crypto remote-vpn-client
    interface xge1
    interface xge2
    interface ge1
    description MgmtNet
    interface ge2
    description "trunk if1"
    switchport mode trunk
    switchport trunk native vlan 130
    switchport trunk native tagged
    switchport trunk allowed vlan 130,138,147,1066
    channel-group 1
    interface ge3
    description "trunk if2"
    switchport mode trunk
    switchport trunk native vlan 130
    switchport trunk native tagged
    switchport trunk allowed vlan 130,138,147,1066
    channel-group 1
    interface ge4
    description "trunk if3"
    switchport mode trunk
    switchport trunk native vlan 130
    switchport trunk native tagged
    switchport trunk allowed vlan 130,138,147,1066
    channel-group 1
    interface ge5
    description "trunk if4"
    switchport mode trunk
    switchport trunk native vlan 130
    switchport trunk native tagged
    switchport trunk allowed vlan 130,138,147,1066
    channel-group 1
    interface ge6
    interface ge7
    interface ge8
    interface ge9
    interface ge10
    interface port-channel1
    description "WiFi trunk"
    switchport mode trunk
    switchport trunk native vlan 130
    switchport trunk native tagged
    switchport trunk allowed vlan 130,138,147,1066
    port-channel load-balance src-dst-mac
    interface vlan1
    description MgmtNet
    ip address 172.30.200.70/16
    no ipv6 address autoconfig
    no ipv6 accept ra
    no ipv6 redirects
    interface vlan130
    description Srvnet
    ip address 10.2.50.70/16
    no ipv6 address autoconfig
    no ipv6 accept ra
    no ipv6 redirects
    interface vlan138
    description KomnetWiFi
    ip address 10.118.4.11/22
    no ipv6 address autoconfig
    no ipv6 accept ra
    no ipv6 redirects
    interface vlan147
    description EdunetWiFi
    ip address 10.163.0.5/20
    ip nat outside
    no ipv6 address autoconfig
    no ipv6 accept ra
    no ipv6 redirects
    interface vlan199
    description KonfigNet
    ip address 192.168.208.1/20
    ip nat inside
    no ipv6 address autoconfig
    no ipv6 accept ra
    no ipv6 redirects
    interface vlan1066
    description "KgaGuestNet Firstspot"
    ip address 192.168.16.3/20
    no ipv6 address autoconfig
    no ipv6 accept ra
    no ipv6 redirects
    interface vlan1072
    description "local ElevZon"
    ip address 192.168.80.2/22
    no ipv6 address autoconfig
    no ipv6 accept ra
    no ipv6 redirects
    use event-system-policy defaultKGA
    use guest-management Komnet-smtp
    use dhcp-server-policy NOC-Kga
    use firewall-policy NOC
    use auto-provisioning-policy NOC-KGA
    use captive-portal server CPPM
    use captive-portal server ElevNet
    use captive-portal server ElevNetKga
    use captive-portal server GuestNet-CP
    use captive-portal server ISE
    use captive-portal server NetLoan2
    use captive-portal server Netloan
    ntp server ntp2.karlskoga.se version 3
    use client-identity-group MobileDevices
    use role-policy Basic
    cluster name NX7510-1
    cluster member ip 10.2.50.71 level 2
    cluster member ip 10.2.50.72 level 2
    email-notification host 10.2.100.71 sender noc-nx7510@karlskoga.se port 25
    email-notification recipient admin1@karlskoga.se
    logging on
    logging host 10.2.100.122
    controller host 10.2.200.1 pool 1 level 2
    service pm sys-restart
    use routing-policy NX7510-1
    router ospf
    router bgp
    l2tpv3 tunnel vlan1066
    peer 1 hostname any router-id any
    session vlan1066 pseudowire-id 1066 traffic-source vlan 1066
    establishment-criteria cluster-master
    dpi
    dpi metadata voice-video
    dpi metadata http
    dpi metadata ssl
    dpi logging on


    nx75xx 84-24-8D-7F-4C-70
    use profile ProfileNOC_NX7510-1
    use rf-domain NOC
    hostname KgaDH1-nx7510-1A
    license AAP ??????????????????
    trustpoint radius-ca-ldaps wctrl4a
    trustpoint radius-server-ldaps karlskoga-se
    rsa-key ssh karlskoga-rsa-key
    service radius dynamic-authorization additional-port 3599
    trustpoint https karlskoga-se
    interface vlan1
    ip address 172.30.200.71/16
    interface vlan130
    ip address 10.2.50.71/16
    use captive-portal server ElevNet
    use captive-portal server ElevNetKga
    cluster member ip 10.2.50.72 level 2
    cluster master-priority 255
    cluster force-configured-state
    cluster force-configured-state-delay 120
    !

    profile ap7532 NOC-Komnet-1-ap7532
    bridge vlan 1066
    bridging-mode tunnel
    ip igmp snooping
    ip igmp snooping querier
    ipv6 mld snooping
    ipv6 mld snooping querier
    ip name-server 10.2.1.5
    ip name-server 10.2.1.6
    ip domain-name komnet.karlskoga.se
    ip route 10.11.0.0/16 10.16.0.1
    ip route 10.2.0.0/16 10.16.0.1
    ip default-gateway priority static-route 50
    autoinstall configuration
    autoinstall firmware
    no led
    crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
    crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
    crypto ikev1 remote-vpn
    crypto ikev2 remote-vpn
    crypto auto-ipsec-secure
    crypto load-management
    crypto remote-vpn-client
    interface radio1
    data-rates custom basic-12 basic-24 18 36 48 54 mcs-1s mcs-2s mcs-3s
    wlan KgaGuestNet bss 1 primary
    wlan Komnet-TLS bss 2 primary
    wlan Kga-Personal bss 3 primary
    interface radio2
    data-rates custom basic-12 basic-24 18 36 48 54 mcs-1s mcs-2s mcs-3s
    wlan KgaNet2 bss 2 primary
    wlan KgaNet bss 3 primary
    wlan Komnet-TLS bss 4 primary
    interface ge1
    switchport mode trunk
    switchport trunk native vlan 1
    no switchport trunk native tagged
    switchport trunk allowed vlan 1,200,400
    interface vlan1
    ip address dhcp
    ip address zeroconf secondary
    no ipv6 address autoconfig
    no ipv6 accept ra
    no ipv6 redirects
    interface vlan199
    description KonfigNet
    ip address 192.168.208.1/20
    ip nat inside
    no ipv6 address autoconfig
    no ipv6 accept ra
    no ipv6 redirects
    interface vlan200
    description EduNetWifi
    ip address dhcp
    ip dhcp client request options all
    use ip-access-list in NAT-KonfigNet-AP
    ip nat outside
    no ipv6 address autoconfig
    no ipv6 accept ra
    no ipv6 redirects
    interface vlan400
    description ControllVLAN
    interface vlan1072
    description PreElevInternet
    ip address 192.168.80.2/22
    ip nat inside
    no ipv6 address autoconfig
    no ipv6 accept ra
    no ipv6 redirects
    interface pppoe1
    use event-system-policy defaultKGA
    use management-policy AP
    use dhcp-server-policy Komnet-AP7532
    use firewall-policy Standard
    use auto-provisioning-policy NOC-KGA
    use captive-portal server ElevNet
    use captive-portal server ElevNetKga
    ntp server ntp2.karlskoga.se version 3
    use client-identity-group MobileDevices
    use role-policy Basic
    ip dns-server-forward
    email-notification host 10.2.100.71 sender noc-1-ap7532@karlskoga.se port 25
    email-notification recipient admin1@karlskoga.se
    logging on
    logging host 10.2.100.122
    controller host 10.2.50.71 pool 1 level 2
    ip nat inside source list NAT-GuestNet-AP precedence 20 interface vlan200 overload
    ip nat inside source list NAT-KonfigNet-AP precedence 10 interface vlan200 overload
    service pm sys-restart
    use routing-policy Komnet-ap7532
    router ospf
    l2tpv3 tunnel vlan1066
    peer 1 ip-address 10.2.50.71 hostname KgaDH1-nx7510-1A router-id any
    peer 2 ip-address 10.2.50.72 hostname KgaDH1-nx7510-1B router-id any
    session vlan1066 pseudowire-id 1066 traffic-source vlan 1066
    establishment-criteria rf-domain-manager
    l2tpv3 inter-tunnel-bridging
    dpi
    dpi metadata voice-video
    dpi metadata http
    dpi metadata ssl
    dpi logging on
    !


    ap7532 74-67-F7-00-87-C4
    use profile NOC-Komnet-1-ap7532
    use rf-domain 40-SKFALL
    hostname SKFALL2FC-ITv2b
    interface radio1
    channel 9
    wlan KgaGuestNet bss 1 primary
    wlan Komnet-TLS bss 2 primary
    wlan Kga-Personal bss 3 primary
    wlan ElevNetWebAuth bss 4 primary
    wlan EduXtra bss 5 primary
    wlan CPPM bss 7 primary
    interface radio2
    wlan EduNet-noMac bss 1 primary
    wlan KonfigNet bss 2 primary
    wlan KgaNet bss 3 primary
    wlan Komnet-TLS bss 4 primary
    wlan ISE-resticted bss 5 primary
    wlan EduXtra bss 6 primary
    wlan ISE0-Open bss 7 primary
    wlan TestGuestSSID bss 8 primary
    wlan CPPM bss 9 primary
    use captive-portal server ElevNet
    use captive-portal server ElevNetKga
    use captive-portal server HotSpot-Public
    use captive-portal server ISE
    use captive-portal server ISE_TEST
    use captive-portal server NetLoan2
    use captive-portal server Netloan
    !

    /Roger


  • 5.  RE: How to config Wing to use Cisco ISE guestportal, redirect-URL in wing doesn't work

    Posted 04-17-2018 16:43
    So in your AP profile... try: service radius dynamic-authorization additional-port

    Cisco ISE is typically 1700, I believe..
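    The following Python script is an added example (not part of this thread, and not Extreme's or Cisco's code). It applies the checks the replies above point at to the configuration Roger posted: that a WLAN which enforces a captive portal also has `radius dynamic-authorization` so CoA from ISE can act on the session, that the controller's extra CoA listener port matches a port ISE would actually send to (1700 is the ISE default per the reply above, 3799 the RFC 5176 default), and that every external portal URL is reachable for a client that is still behind the portal, i.e. its host is in the DNS whitelist bound to the captive portal and its port is a real number. The embedded config is an abridged copy of the posted one with secrets removed; the "fixed" variant's values (CoA port 1700, portal port 8443, an extra whitelist entry) are assumptions for illustration, not a verified solution for this deployment.

```python
import re
from urllib.parse import urlparse

# Abridged copy of the WiNG configuration posted in this thread (secrets removed).
SAMPLE_CONFIG = """\
aaa-policy ISE_TEST
authentication server 1 host 10.241.1.61 secret 0 <redacted>
authentication server 1 proxy-mode through-controller
!
dns-whitelist ISE
permit 10.2.50.71
permit 10.241.1.61
permit accessise.karlskoga.se
permit play.google.com
!
captive-portal ISE_TEST
connection-mode https
server host accessise.karlskoga.se
webpage-location external
webpage external login https://accessise.karlskoga.se:port/portal/gateway?sessionId=SessionIdValue&portal=f0ae43f0-7159-11e7-a355-005056aba474&daysToExpiry=value&action=cwa
webpage external welcome http://www.karlskoga.se
webpage external fail https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
use aaa-policy ISE_TEST
use dns-whitelist ISE
!
wlan ISE-resticted
ssid ISE1
authentication-type mac
radius dynamic-authorization
use aaa-policy ISE_TEST
use captive-portal ISE_TEST
captive-portal-enforcement
!
nx75xx 84-24-8D-7F-4C-70
use profile ProfileNOC_NX7510-1
service radius dynamic-authorization additional-port 3599
!
"""

# Assumed corrected variant: these values are illustrative, not a verified fix.
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace("additional-port 3599", "additional-port 1700")
    .replace("accessise.karlskoga.se:port/", "accessise.karlskoga.se:8443/")
    .replace("permit play.google.com", "permit play.google.com\npermit www.karlskoga.se"))

# CoA ports a WiNG listener is likely to need: RFC 5176 default and Cisco ISE default.
KNOWN_COA_PORTS = (3799, 1700)


def parse_blocks(text):
    """Split a WiNG config dump into blocks. A line containing only '!' ends a
    block; the first line of each block is its header, e.g. 'wlan ISE-resticted'."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            if current:
                blocks.append(current)
            current = []
        else:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def check_config(text, coa_ports=KNOWN_COA_PORTS):
    """Return a list of findings about the captive-portal redirect and CoA path."""
    findings = []
    whitelists, portals, wlans, listeners = {}, {}, {}, {}
    for block in parse_blocks(text):
        kind, _, name = block[0].partition(" ")
        body = block[1:]
        if kind == "dns-whitelist":
            whitelists[name] = {l.split()[1] for l in body if l.startswith("permit ")}
        elif kind == "captive-portal":
            portals[name] = body
        elif kind == "wlan":
            wlans[name] = body
        for l in body:  # listener ports live in device or profile blocks
            m = re.match(r"service radius dynamic-authorization additional-port (\d+)$", l)
            if m:
                listeners[block[0]] = int(m.group(1))

    # 1. A WLAN that enforces a captive portal must also accept CoA from the RADIUS server.
    for name, body in wlans.items():
        portal = next((l.split()[-1] for l in body if l.startswith("use captive-portal ")), None)
        if portal is None:
            continue
        if "captive-portal-enforcement" not in body:
            findings.append(f"wlan {name}: uses captive-portal {portal} without captive-portal-enforcement")
        if "radius dynamic-authorization" not in body:
            findings.append(f"wlan {name}: 'radius dynamic-authorization' missing, CoA from ISE cannot move the session")

    # 2. The extra CoA listener port should be one ISE is configured to send to.
    if not listeners:
        findings.append("no 'service radius dynamic-authorization additional-port' configured; verify the ISE network-device CoA port against the controller's listener")
    for where, port in listeners.items():
        if port not in coa_ports:
            findings.append(f"{where}: CoA additional-port {port} is not one of the expected CoA ports {sorted(coa_ports)}")

    # 3. Every external portal page must be reachable by a not-yet-authenticated client.
    for name, body in portals.items():
        wl_name = next((l.split()[-1] for l in body if l.startswith("use dns-whitelist ")), None)
        allowed = whitelists.get(wl_name, set())
        for l in body:
            if not l.startswith("webpage external "):
                continue
            page, url = l.split()[2], l.split()[3]
            parsed = urlparse(url)
            try:
                parsed.port  # raises ValueError for a non-numeric port such as ':port'
            except ValueError:
                findings.append(f"captive-portal {name}: {page} URL has a non-numeric port in '{parsed.netloc}' (unfilled placeholder?)")
            if parsed.hostname not in allowed:
                findings.append(f"captive-portal {name}: {page} URL host {parsed.hostname} is not in dns-whitelist {wl_name}")
    return findings


if __name__ == "__main__":
    for title, cfg in (("posted config", SAMPLE_CONFIG), ("assumed fix", FIXED_CONFIG)):
        result = check_config(cfg)
        print(f"== {title}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

    Run against the posted excerpt it reports three things worth checking before touching anything else: the controller listens for CoA on 3599, which is neither the 3799 mentioned in the first post nor the 1700 suggested above; the login URL still carries a literal `:port` (and the `SessionIdValue` and `value` tokens next to it look like the same kind of unfilled placeholder); and the welcome page host `www.karlskoga.se` is not in the whitelist, so a client that is still behind the portal cannot reach it. The parser only understands the flat `!`-terminated block layout of the dump above; a full `show running-config` with indentation would need the leading whitespace stripped, which `parse_blocks` already does.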



  • 6.  RE: How to config Wing to use Cisco ISE guestportal, redirect-URL in wing doesn't work

    Posted 02-26-2021 13:21

    Hello Roger,

    Were you able to solve this, and can you share your solution?


    Thanks in advance,