How to configure WiNG to use the Cisco ISE guest portal; redirect-URL in WiNG doesn't work

  • Question
  • Updated 6 months ago
  • Answered
I have set up an SSID which uses ISE as the RADIUS server, proxied through the wireless controller. My goal is to use the hotspot and guest portal in ISE.
Everything is fine in ISE. ISE returns the RADIUS response with a valid redirect-URL:
Access-Accept
The response comes on the standard RADIUS port 1812.
But I expected to see some traffic on CoA port 3799!!
I have been struggling a lot, many hours seeking info about how to integrate ISE and WiNG.
Having read all available documents and videos, and tried every suggestion. No success.

My main problem is: why is the client not redirected to the supplied URL?

It works fine with Aruba's CPPM, hotspot and sponsored guest.
Isn't it possible to use Cisco ISE with WiNG? Has anyone succeeded in the task??

I am running WiNG v5.8.6 with AP7532 and NX7510, and ISE v2.3.

Screenshot of the RADIUS response from ISE

Roger Jansson


Posted 7 months ago


Andrew Blomley, Employee

Please, can you post the WiNG configuration?

Timo

Your configuration may help. Did you configure the DNS whitelist to give the user access to your captive portal site?

Roger Jansson

More info about the problem configuration...

I don't get the web pages of the captive portal presented on the client.
The captive portal status for authentication shows as redirected in the WiNG GUI console.
No redirection is done to the URL in the RADIUS response.

The DNS whitelist has all the IPs included.

I have tried to extract the important parts from the config.
See attached text.

My ISE has IP 10.241.1.61 and the controller has 10.2.50.71.

If there is anyone who has succeeded with the ISE integration, please send me or publish a copy of the config regarding the WLAN, captive portal and AAA policy, because I am not fully sure how it should be configured to work.


-----------------------------------------------------
Extracted configuration....

aaa-policy ISE_TEST
 authentication server 1 host 10.241.1.61 secret 0 ??
 authentication server 1 proxy-mode through-controller
 accounting server 1 host 10.241.1.61 secret 0 ???
 accounting server 1 proxy-mode through-controller
 mac-address-format pair-hyphen case lower attributes all
 accounting type start-interim-stop
 attribute cisco-vsa audit-session-id
 attribute chargeable-user-identity
 attribute location-information include-always
 attribute framed-ip-address
!
dns-whitelist ISE
 permit 10.2.50.71 
 permit 10.241.1.61 
 permit accessise.karlskoga.se 
 permit play.google.com 
 permit 10.2.1.6 
 permit 10.2.1.5 
 permit 10.129.6.4 
 permit 10.163.0.5 
 permit 10.129.6.1 
!
captive-portal ISE_TEST
 access-time 15
 connection-mode https
 server host accessise.karlskoga.se
 server mode centralized
 webpage-location external
 webpage external login https://accessise.karlskoga.se:port/portal/gateway?sessionId=SessionIdValue&portal=f0ae43f0-7159...
 webpage external welcome http://www.karlskoga.se
 webpage external fail https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
 webpage external agreement https://accessise.karlskoga.se:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056a...
 webpage external acknowledgement https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
 webpage external registration https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
 webpage external no-service https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
 accounting radius
 use aaa-policy ISE_TEST
 use dns-whitelist ISE
 webpage internal registration field city type text enable label "City" placeholder "Enter City"
 webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
 webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
 webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
 webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
 webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
 webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
 webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
 webpage internal registration field via-email type checkbox enable title "Email Preferred"
!
wlan ISE-resticted
 description Test Cisco ISE
 ssid ISE1
 vlan 1
 bridging-mode local
 encryption-type none
 authentication-type mac
 radius nas-identifier ISERestricted
 no fast-bss-transition over-ds
 wpa-wpa2 psk 0 ????
 wpa-wpa2 exclude-wpa2-tkip
 wpa-wpa2 use-sha256-akm
 radius vlan-assignment
 radius dynamic-authorization
 accounting radius
 wing-extensions ap-attributes-information
 wing-extensions ap-attributes-information include-hostname
 wing-extensions coverage-hole-detection 11k-clients
 use aaa-policy ISE_TEST
 use captive-portal ISE_TEST
 captive-portal-enforcement
!
profile nx75xx ProfileNOC_NX7510-1
 mint link force ip 10.2.200.1 level 2 cost 50
 mint link ip 10.2.50.71 level 2
 mint link ip 10.2.50.72 level 2
 mint tunnel-across-extended-vlan
 no legacy-auto-update ap650
 ip name-server 10.2.1.5
 ip name-server 10.2.1.6
 ip domain-name karlskoga.se
 ip default-gateway 10.2.3.1
 ip route 10.128.0.0/10 10.163.0.1
 ip route 10.220.56.0/24 10.163.0.1
 no autoinstall configuration
 no autoinstall firmware
 device-upgrade auto ap7532
 crypto ikev1 policy ikev1-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ikev2 policy ikev2-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
  groupid KgaSec psk 0 Gregak88
 crypto load-management
 crypto remote-vpn-client
 interface xge1
 interface xge2
 interface ge1
  description MgmtNet
 interface ge2
  description "trunk if1"
  switchport mode trunk
  switchport trunk native vlan 130
  switchport trunk native tagged
  switchport trunk allowed vlan 130,138,147,1066
  channel-group 1
 interface ge3
  description "trunk if2"
  switchport mode trunk
  switchport trunk native vlan 130
  switchport trunk native tagged
  switchport trunk allowed vlan 130,138,147,1066
  channel-group 1
 interface ge4
  description "trunk if3"
  switchport mode trunk
  switchport trunk native vlan 130
  switchport trunk native tagged
  switchport trunk allowed vlan 130,138,147,1066
  channel-group 1
 interface ge5
  description "trunk if4"
  switchport mode trunk
  switchport trunk native vlan 130
  switchport trunk native tagged
  switchport trunk allowed vlan 130,138,147,1066
  channel-group 1
 interface ge6
 interface ge7
 interface ge8
 interface ge9
 interface ge10
 interface port-channel1
  description "WiFi trunk"
  switchport mode trunk
  switchport trunk native vlan 130
  switchport trunk native tagged
  switchport trunk allowed vlan 130,138,147,1066
  port-channel load-balance src-dst-mac
 interface vlan1
  description MgmtNet
  ip address 172.30.200.70/16
  no ipv6 address autoconfig
  no ipv6 accept ra
  no ipv6 redirects
 interface vlan130
  description Srvnet
  ip address 10.2.50.70/16
  no ipv6 address autoconfig
  no ipv6 accept ra
  no ipv6 redirects
 interface vlan138
  description KomnetWiFi
  ip address 10.118.4.11/22
  no ipv6 address autoconfig
  no ipv6 accept ra
  no ipv6 redirects
 interface vlan147
  description EdunetWiFi
  ip address 10.163.0.5/20
  ip nat outside
  no ipv6 address autoconfig
  no ipv6 accept ra
  no ipv6 redirects
 interface vlan199
  description KonfigNet
  ip address 192.168.208.1/20
  ip nat inside
  no ipv6 address autoconfig
  no ipv6 accept ra
  no ipv6 redirects
 interface vlan1066
  description "KgaGuestNet Firstspot"
  ip address 192.168.16.3/20
  no ipv6 address autoconfig
  no ipv6 accept ra
  no ipv6 redirects
 interface vlan1072
  description "local ElevZon"
  ip address 192.168.80.2/22
  no ipv6 address autoconfig
  no ipv6 accept ra
  no ipv6 redirects
 use event-system-policy defaultKGA
 use guest-management Komnet-smtp
 use dhcp-server-policy NOC-Kga
 use firewall-policy NOC
 use auto-provisioning-policy NOC-KGA
 use captive-portal server CPPM
 use captive-portal server ElevNet
 use captive-portal server ElevNetKga
 use captive-portal server GuestNet-CP
 use captive-portal server ISE
 use captive-portal server NetLoan2
 use captive-portal server Netloan
 ntp server ntp2.karlskoga.se version 3 
 use client-identity-group MobileDevices
 use role-policy Basic
 cluster name NX7510-1
 cluster member ip 10.2.50.71 level 2
 cluster member ip 10.2.50.72 level 2
 email-notification host 10.2.100.71 sender noc-nx7510@karlskoga.se port 25
 email-notification recipient admin1@karlskoga.se
 logging on
 logging host 10.2.100.122 
 controller host 10.2.200.1 pool 1 level 2
 service pm sys-restart
 use routing-policy NX7510-1
 router ospf
 router bgp
 l2tpv3 tunnel vlan1066
  peer 1 hostname any router-id any 
  session vlan1066 pseudowire-id 1066 traffic-source vlan 1066
  establishment-criteria cluster-master
 dpi
 dpi metadata voice-video
 dpi metadata http
 dpi metadata ssl
 dpi logging on
 nx75xx 84-24-8D-7F-4C-70
 use profile ProfileNOC_NX7510-1
 use rf-domain NOC
 hostname KgaDH1-nx7510-1A
 license AAP ??????????????????
 trustpoint radius-ca-ldaps wctrl4a
 trustpoint radius-server-ldaps karlskoga-se
 rsa-key ssh karlskoga-rsa-key
 service radius dynamic-authorization additional-port 3599
 trustpoint https karlskoga-se
 interface vlan1
  ip address 172.30.200.71/16
 interface vlan130
  ip address 10.2.50.71/16
 use captive-portal server ElevNet
 use captive-portal server ElevNetKga
 cluster member ip 10.2.50.72 level 2
 cluster master-priority 255
 cluster force-configured-state
 cluster force-configured-state-delay 120
 !

 profile ap7532 NOC-Komnet-1-ap7532
 bridge vlan 1066
  bridging-mode tunnel
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
 ip name-server 10.2.1.5
 ip name-server 10.2.1.6
 ip domain-name komnet.karlskoga.se
 ip route 10.11.0.0/16 10.16.0.1
 ip route 10.2.0.0/16 10.16.0.1
 ip default-gateway priority static-route 50
 autoinstall configuration
 autoinstall firmware
 no led
 crypto ikev1 policy ikev1-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ikev2 policy ikev2-default 
  isakmp-proposal default encryption aes-256 group 2 hash sha 
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
  data-rates custom basic-12 basic-24 18 36 48 54 mcs-1s mcs-2s mcs-3s
  wlan KgaGuestNet bss 1 primary
  wlan Komnet-TLS bss 2 primary
  wlan Kga-Personal bss 3 primary
 interface radio2
  data-rates custom basic-12 basic-24 18 36 48 54 mcs-1s mcs-2s mcs-3s
  wlan KgaNet2 bss 2 primary
  wlan KgaNet bss 3 primary
  wlan Komnet-TLS bss 4 primary
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 1
  no switchport trunk native tagged
  switchport trunk allowed vlan 1,200,400
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  no ipv6 address autoconfig
  no ipv6 accept ra
  no ipv6 redirects
 interface vlan199
  description KonfigNet
  ip address 192.168.208.1/20
  ip nat inside
  no ipv6 address autoconfig
  no ipv6 accept ra
  no ipv6 redirects
 interface vlan200
  description EduNetWifi
  ip address dhcp
  ip dhcp client request options all
  use ip-access-list in NAT-KonfigNet-AP
  ip nat outside
  no ipv6 address autoconfig
  no ipv6 accept ra
  no ipv6 redirects
 interface vlan400
  description ControllVLAN
 interface vlan1072
  description PreElevInternet
  ip address 192.168.80.2/22
  ip nat inside
  no ipv6 address autoconfig
  no ipv6 accept ra
  no ipv6 redirects
 interface pppoe1
 use event-system-policy defaultKGA
 use management-policy AP
 use dhcp-server-policy Komnet-AP7532
 use firewall-policy Standard
 use auto-provisioning-policy NOC-KGA
 use captive-portal server ElevNet
 use captive-portal server ElevNetKga
 ntp server ntp2.karlskoga.se version 3 
 use client-identity-group MobileDevices
 use role-policy Basic
 ip dns-server-forward
 email-notification host 10.2.100.71 sender noc-1-ap7532@karlskoga.se port 25
 email-notification recipient admin1@karlskoga.se
 logging on
 logging host 10.2.100.122 
 controller host 10.2.50.71 pool 1 level 2
 ip nat inside source list NAT-GuestNet-AP precedence 20 interface vlan200 overload
 ip nat inside source list NAT-KonfigNet-AP precedence 10 interface vlan200 overload
 service pm sys-restart
 use routing-policy Komnet-ap7532
 router ospf
 l2tpv3 tunnel vlan1066
  peer 1 ip-address 10.2.50.71 hostname KgaDH1-nx7510-1A router-id any 
  peer 2 ip-address 10.2.50.72 hostname KgaDH1-nx7510-1B router-id any 
  session vlan1066 pseudowire-id 1066 traffic-source vlan 1066
  establishment-criteria rf-domain-manager
 l2tpv3 inter-tunnel-bridging
 dpi
 dpi metadata voice-video
 dpi metadata http
 dpi metadata ssl
 dpi logging on
 !
 ap7532 74-67-F7-00-87-C4
 use profile NOC-Komnet-1-ap7532
 use rf-domain 40-SKFALL
 hostname SKFALL2FC-ITv2b
 interface radio1
  channel 9
  wlan KgaGuestNet bss 1 primary
  wlan Komnet-TLS bss 2 primary
  wlan Kga-Personal bss 3 primary
  wlan ElevNetWebAuth bss 4 primary
  wlan EduXtra bss 5 primary
  wlan CPPM bss 7 primary
 interface radio2
  wlan EduNet-noMac bss 1 primary
  wlan KonfigNet bss 2 primary
  wlan KgaNet bss 3 primary
  wlan Komnet-TLS bss 4 primary
  wlan ISE-resticted bss 5 primary
  wlan EduXtra bss 6 primary
  wlan ISE0-Open bss 7 primary
  wlan TestGuestSSID bss 8 primary
  wlan CPPM bss 9 primary
 use captive-portal server ElevNet
 use captive-portal server ElevNetKga
 use captive-portal server HotSpot-Public
 use captive-portal server ISE
 use captive-portal server ISE_TEST
 use captive-portal server NetLoan2
 use captive-portal server Netloan
 !

/Roger

Peter Miller, Employee

So in your AP profile... try:

 service radius dynamic-authorization additional-port <port number>

Cisco ISE typically uses 1700, I believe.
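The thread converges on a mismatch between the CoA port ISE sends to and the port WiNG listens on, plus the usual captive-portal wiring (whitelist, shared aaa-policy, dynamic-authorization on the WLAN). The script below is an added example, not code from the thread, from Extreme or from Cisco: a small lint over a WiNG config extract that reports exactly those mismatches. SAMPLE_CONFIG is constructed from the extract Roger posted (secrets removed, only the relevant lines kept); the value 1700 for ISE's CoA port is taken from Peter's reply and 3799 is the RFC 5176 default, both stored as assumed constants you should adjust to the real deployment.

```python
"""Lint a WiNG config extract for the settings the ISE guest-portal redirect
depends on. Added example, not code from the thread, Extreme or Cisco.
SAMPLE_CONFIG is constructed from the extract posted above (secrets removed,
only the relevant lines kept)."""
import re

# Assumed values: 1700 is the port the thread says ISE typically sends CoA to;
# 3799 is the RFC 5176 default WiNG listens on without an additional-port line.
ISE_COA_PORT = 1700
RFC5176_COA_PORT = 3799

SAMPLE_CONFIG = """\
aaa-policy ISE_TEST
 authentication server 1 host 10.241.1.61 secret 0 REDACTED
 authentication server 1 proxy-mode through-controller
!
dns-whitelist ISE
 permit 10.2.50.71
 permit 10.241.1.61
 permit accessise.karlskoga.se
!
captive-portal ISE_TEST
 server host accessise.karlskoga.se
 server mode centralized
 use aaa-policy ISE_TEST
 use dns-whitelist ISE
!
wlan ISE-resticted
 ssid ISE1
 authentication-type mac
 radius dynamic-authorization
 use aaa-policy ISE_TEST
 use captive-portal ISE_TEST
 captive-portal-enforcement
!
profile ap7532 NOC-Komnet-1-ap7532
 controller host 10.2.50.71 pool 1 level 2
 use captive-portal server ISE_TEST
!
nx75xx 84-24-8D-7F-4C-70
 use profile ProfileNOC_NX7510-1
 service radius dynamic-authorization additional-port 3599
!
"""

COA_RE = re.compile(r"^service radius dynamic-authorization additional-port (\d+)$")
# Profile blocks ("profile <type> <name>") and device blocks ("<type> <MAC>")
DEVICE_RE = re.compile(r"^(profile \S+ \S+|\S+ (?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})$")


def parse_blocks(text):
    """Split a WiNG-style config into {header: [child lines]}; '!' or a blank
    line ends a block, nested indentation is flattened."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif not raw.startswith(" "):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def use_map(lines):
    """'use aaa-policy X' -> {'aaa-policy': 'X'} (last token is the name)."""
    return {l.split()[1]: l.split()[-1] for l in lines if l.startswith("use ")}


def coa_ports(blocks):
    """Extra CoA listening port per profile/device block (None if not set)."""
    ports = {}
    for header, lines in blocks.items():
        if DEVICE_RE.match(header):
            hits = [int(m.group(1)) for l in lines for m in [COA_RE.match(l)] if m]
            ports[header] = hits[-1] if hits else None
    return ports


def lint(text, ise_coa_port=ISE_COA_PORT):
    """Return a list of human-readable findings for the config text."""
    blocks = parse_blocks(text)
    findings = []
    for header, lines in blocks.items():
        if not header.startswith("wlan "):
            continue
        wlan, uses = header.split()[1], use_map(lines)
        if "captive-portal" not in uses:
            continue
        if "radius dynamic-authorization" not in lines:
            findings.append(f"wlan {wlan}: 'radius dynamic-authorization' missing, "
                            "so a CoA from ISE cannot re-authorize the client")
        cp_lines = blocks.get(f"captive-portal {uses['captive-portal']}", [])
        cp_uses = use_map(cp_lines)
        if cp_uses.get("aaa-policy") != uses.get("aaa-policy"):
            findings.append(f"wlan {wlan}: aaa-policy differs between wlan "
                            f"({uses.get('aaa-policy')}) and captive-portal "
                            f"({cp_uses.get('aaa-policy')})")
        host = next((l.split()[2] for l in cp_lines if l.startswith("server host ")), None)
        wl_lines = blocks.get(f"dns-whitelist {cp_uses.get('dns-whitelist')}", [])
        permits = {l.split()[1] for l in wl_lines if l.startswith("permit ")}
        if host and host not in permits:
            findings.append(f"wlan {wlan}: portal host {host} is not in the dns-whitelist, "
                            "so pre-auth clients cannot resolve the redirect target")
    for header, port in coa_ports(blocks).items():
        if port is None:
            findings.append(f"{header}: no additional CoA port, listens on {RFC5176_COA_PORT} "
                            f"only while ISE sends to {ise_coa_port}")
        elif port != ise_coa_port:
            findings.append(f"{header}: CoA additional-port {port} does not match "
                            f"ISE port {ise_coa_port}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed extract it reports two findings: the AP profile has no additional CoA port at all, and the NX7510 device listens on 3599, which matches neither the RFC default nor the port ISE uses. Both match what the replies above point at; with ISE_COA_PORT set to whatever the ISE network-device entry is actually configured to send, the same check tells you whether the WiNG side is listening where ISE is sending.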