Header Only - DO NOT REMOVE - Extreme Networks

How to configure WiNG to use the Cisco ISE guest portal; the redirect-URL in WiNG doesn't work


I have set up an SSID which uses ISE as the RADIUS server, proxied through the wireless controller. My goal is to use the hotspot and Guest Portal in ISE.
Everything is fine in ISE. ISE returns the RADIUS response with a valid redirect-URL.
Access-Accept
The response comes on the standard RADIUS port 1812.
But I expected to see some traffic on CoA port 3799!!
I have been struggling a lot, many hours seeking info about how to integrate ISE and WiNG.
Having read all available documents and videos, and tried every suggestion. No success.

My main problem is: why is the client not redirected to the supplied URL?

It works fine with Aruba's CPPM, hotspot and sponsored guest.
Isn't it possible to use Cisco ISE with WiNG? Has anyone succeeded in the task??

I am running WiNG v5.8.6 with AP7532 and NX7510, and ISE v2.3

Screenshot of RADIUS response from ISE

4 replies

Please, can you post the WiNG configuration?
Your configuration may help. Did you configure the DNS whitelist to give the user access to your captive portal site?
More info about the problem configuration...

I don't get the captive portal web pages presented on the client.
The captive portal status for authentication shows as redirected in the WiNG GUI console.
No redirection is done to the URL in the RADIUS response.

The DNS whitelist has all IPs included.

I have tried to extract the important parts from the config.
See attached text.

My ISE has IP 10.241.1.61 and the controller has 10.2.50.71.

If there is anyone who has succeeded with the ISE integration, please send me or publish a copy of the config regarding the WLAN, captive portal and AAA policy, because I am not fully sure how it should be configured to work.

-----------------------------------------------------
Extracted configuration...

aaa-policy ISE_TEST
authentication server 1 host 10.241.1.61 secret 0 ??
authentication server 1 proxy-mode through-controller
accounting server 1 host 10.241.1.61 secret 0 ???
accounting server 1 proxy-mode through-controller
mac-address-format pair-hyphen case lower attributes all
accounting type start-interim-stop
attribute cisco-vsa audit-session-id
attribute chargeable-user-identity
attribute location-information include-always
attribute framed-ip-address
!
dns-whitelist ISE
permit 10.2.50.71
permit 10.241.1.61
permit accessise.karlskoga.se
permit play.google.com
permit 10.2.1.6
permit 10.2.1.5
permit 10.129.6.4
permit 10.163.0.5
permit 10.129.6.1
!
captive-portal ISE_TEST
access-time 15
connection-mode https
server host accessise.karlskoga.se
server mode centralized
webpage-location external
webpage external login https://accessise.karlskoga.se:port/portal/gateway?sessionId=SessionIdValue&portal=f0ae43f0-7159-11e7-a355-005056aba474&daysToExpiry=value&action=cwa
webpage external welcome http://www.karlskoga.se
webpage external fail https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
webpage external agreement https://accessise.karlskoga.se:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056a...
webpage external acknowledgement https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
webpage external registration https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
webpage external no-service https://10.241.1.61:8443/portal/PortalSetup.action?portal=f0ae43f0-7159-11e7-a355-005056aba474
accounting radius
use aaa-policy ISE_TEST
use dns-whitelist ISE
webpage internal registration field city type text enable label "City" placeholder "Enter City"
webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
webpage internal registration field via-email type checkbox enable title "Email Preferred"
!
wlan ISE-resticted
description Test Cisco ISE
ssid ISE1
vlan 1
bridging-mode local
encryption-type none
authentication-type mac
radius nas-identifier ISERestricted
no fast-bss-transition over-ds
wpa-wpa2 psk 0 ????
wpa-wpa2 exclude-wpa2-tkip
wpa-wpa2 use-sha256-akm
radius vlan-assignment
radius dynamic-authorization
accounting radius
wing-extensions ap-attributes-information
wing-extensions ap-attributes-information include-hostname
wing-extensions coverage-hole-detection 11k-clients
use aaa-policy ISE_TEST
use captive-portal ISE_TEST
captive-portal-enforcement
!
profile nx75xx ProfileNOC_NX7510-1
mint link force ip 10.2.200.1 level 2 cost 50
mint link ip 10.2.50.71 level 2
mint link ip 10.2.50.72 level 2
mint tunnel-across-extended-vlan
no legacy-auto-update ap650
ip name-server 10.2.1.5
ip name-server 10.2.1.6
ip domain-name karlskoga.se
ip default-gateway 10.2.3.1
ip route 10.128.0.0/10 10.163.0.1
ip route 10.220.56.0/24 10.163.0.1
no autoinstall configuration
no autoinstall firmware
device-upgrade auto ap7532
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
groupid KgaSec psk 0 Gregak88
crypto load-management
crypto remote-vpn-client
interface xge1
interface xge2
interface ge1
description MgmtNet
interface ge2
description "trunk if1"
switchport mode trunk
switchport trunk native vlan 130
switchport trunk native tagged
switchport trunk allowed vlan 130,138,147,1066
channel-group 1
interface ge3
description "trunk if2"
switchport mode trunk
switchport trunk native vlan 130
switchport trunk native tagged
switchport trunk allowed vlan 130,138,147,1066
channel-group 1
interface ge4
description "trunk if3"
switchport mode trunk
switchport trunk native vlan 130
switchport trunk native tagged
switchport trunk allowed vlan 130,138,147,1066
channel-group 1
interface ge5
description "trunk if4"
switchport mode trunk
switchport trunk native vlan 130
switchport trunk native tagged
switchport trunk allowed vlan 130,138,147,1066
channel-group 1
interface ge6
interface ge7
interface ge8
interface ge9
interface ge10
interface port-channel1
description "WiFi trunk"
switchport mode trunk
switchport trunk native vlan 130
switchport trunk native tagged
switchport trunk allowed vlan 130,138,147,1066
port-channel load-balance src-dst-mac
interface vlan1
description MgmtNet
ip address 172.30.200.70/16
no ipv6 address autoconfig
no ipv6 accept ra
no ipv6 redirects
interface vlan130
description Srvnet
ip address 10.2.50.70/16
no ipv6 address autoconfig
no ipv6 accept ra
no ipv6 redirects
interface vlan138
description KomnetWiFi
ip address 10.118.4.11/22
no ipv6 address autoconfig
no ipv6 accept ra
no ipv6 redirects
interface vlan147
description EdunetWiFi
ip address 10.163.0.5/20
ip nat outside
no ipv6 address autoconfig
no ipv6 accept ra
no ipv6 redirects
interface vlan199
description KonfigNet
ip address 192.168.208.1/20
ip nat inside
no ipv6 address autoconfig
no ipv6 accept ra
no ipv6 redirects
interface vlan1066
description "KgaGuestNet Firstspot"
ip address 192.168.16.3/20
no ipv6 address autoconfig
no ipv6 accept ra
no ipv6 redirects
interface vlan1072
description "local ElevZon"
ip address 192.168.80.2/22
no ipv6 address autoconfig
no ipv6 accept ra
no ipv6 redirects
use event-system-policy defaultKGA
use guest-management Komnet-smtp
use dhcp-server-policy NOC-Kga
use firewall-policy NOC
use auto-provisioning-policy NOC-KGA
use captive-portal server CPPM
use captive-portal server ElevNet
use captive-portal server ElevNetKga
use captive-portal server GuestNet-CP
use captive-portal server ISE
use captive-portal server NetLoan2
use captive-portal server Netloan
ntp server ntp2.karlskoga.se version 3
use client-identity-group MobileDevices
use role-policy Basic
cluster name NX7510-1
cluster member ip 10.2.50.71 level 2
cluster member ip 10.2.50.72 level 2
email-notification host 10.2.100.71 sender noc-nx7510@karlskoga.se port 25
email-notification recipient admin1@karlskoga.se
logging on
logging host 10.2.100.122
controller host 10.2.200.1 pool 1 level 2
service pm sys-restart
use routing-policy NX7510-1
router ospf
router bgp
l2tpv3 tunnel vlan1066
peer 1 hostname any router-id any
session vlan1066 pseudowire-id 1066 traffic-source vlan 1066
establishment-criteria cluster-master
dpi
dpi metadata voice-video
dpi metadata http
dpi metadata ssl
dpi logging on


nx75xx 84-24-8D-7F-4C-70
use profile ProfileNOC_NX7510-1
use rf-domain NOC
hostname KgaDH1-nx7510-1A
license AAP ??????????????????
trustpoint radius-ca-ldaps wctrl4a
trustpoint radius-server-ldaps karlskoga-se
rsa-key ssh karlskoga-rsa-key
service radius dynamic-authorization additional-port 3599
trustpoint https karlskoga-se
interface vlan1
ip address 172.30.200.71/16
interface vlan130
ip address 10.2.50.71/16
use captive-portal server ElevNet
use captive-portal server ElevNetKga
cluster member ip 10.2.50.72 level 2
cluster master-priority 255
cluster force-configured-state
cluster force-configured-state-delay 120
!

profile ap7532 NOC-Komnet-1-ap7532
bridge vlan 1066
bridging-mode tunnel
ip igmp snooping
ip igmp snooping querier
ipv6 mld snooping
ipv6 mld snooping querier
ip name-server 10.2.1.5
ip name-server 10.2.1.6
ip domain-name komnet.karlskoga.se
ip route 10.11.0.0/16 10.16.0.1
ip route 10.2.0.0/16 10.16.0.1
ip default-gateway priority static-route 50
autoinstall configuration
autoinstall firmware
no led
crypto ikev1 policy ikev1-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ikev2 policy ikev2-default
isakmp-proposal default encryption aes-256 group 2 hash sha
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
crypto ikev1 remote-vpn
crypto ikev2 remote-vpn
crypto auto-ipsec-secure
crypto load-management
crypto remote-vpn-client
interface radio1
data-rates custom basic-12 basic-24 18 36 48 54 mcs-1s mcs-2s mcs-3s
wlan KgaGuestNet bss 1 primary
wlan Komnet-TLS bss 2 primary
wlan Kga-Personal bss 3 primary
interface radio2
data-rates custom basic-12 basic-24 18 36 48 54 mcs-1s mcs-2s mcs-3s
wlan KgaNet2 bss 2 primary
wlan KgaNet bss 3 primary
wlan Komnet-TLS bss 4 primary
interface ge1
switchport mode trunk
switchport trunk native vlan 1
no switchport trunk native tagged
switchport trunk allowed vlan 1,200,400
interface vlan1
ip address dhcp
ip address zeroconf secondary
no ipv6 address autoconfig
no ipv6 accept ra
no ipv6 redirects
interface vlan199
description KonfigNet
ip address 192.168.208.1/20
ip nat inside
no ipv6 address autoconfig
no ipv6 accept ra
no ipv6 redirects
interface vlan200
description EduNetWifi
ip address dhcp
ip dhcp client request options all
use ip-access-list in NAT-KonfigNet-AP
ip nat outside
no ipv6 address autoconfig
no ipv6 accept ra
no ipv6 redirects
interface vlan400
description ControllVLAN
interface vlan1072
description PreElevInternet
ip address 192.168.80.2/22
ip nat inside
no ipv6 address autoconfig
no ipv6 accept ra
no ipv6 redirects
interface pppoe1
use event-system-policy defaultKGA
use management-policy AP
use dhcp-server-policy Komnet-AP7532
use firewall-policy Standard
use auto-provisioning-policy NOC-KGA
use captive-portal server ElevNet
use captive-portal server ElevNetKga
ntp server ntp2.karlskoga.se version 3
use client-identity-group MobileDevices
use role-policy Basic
ip dns-server-forward
email-notification host 10.2.100.71 sender noc-1-ap7532@karlskoga.se port 25
email-notification recipient admin1@karlskoga.se
logging on
logging host 10.2.100.122
controller host 10.2.50.71 pool 1 level 2
ip nat inside source list NAT-GuestNet-AP precedence 20 interface vlan200 overload
ip nat inside source list NAT-KonfigNet-AP precedence 10 interface vlan200 overload
service pm sys-restart
use routing-policy Komnet-ap7532
router ospf
l2tpv3 tunnel vlan1066
peer 1 ip-address 10.2.50.71 hostname KgaDH1-nx7510-1A router-id any
peer 2 ip-address 10.2.50.72 hostname KgaDH1-nx7510-1B router-id any
session vlan1066 pseudowire-id 1066 traffic-source vlan 1066
establishment-criteria rf-domain-manager
l2tpv3 inter-tunnel-bridging
dpi
dpi metadata voice-video
dpi metadata http
dpi metadata ssl
dpi logging on
!


ap7532 74-67-F7-00-87-C4
use profile NOC-Komnet-1-ap7532
use rf-domain 40-SKFALL
hostname SKFALL2FC-ITv2b
interface radio1
channel 9
wlan KgaGuestNet bss 1 primary
wlan Komnet-TLS bss 2 primary
wlan Kga-Personal bss 3 primary
wlan ElevNetWebAuth bss 4 primary
wlan EduXtra bss 5 primary
wlan CPPM bss 7 primary
interface radio2
wlan EduNet-noMac bss 1 primary
wlan KonfigNet bss 2 primary
wlan KgaNet bss 3 primary
wlan Komnet-TLS bss 4 primary
wlan ISE-resticted bss 5 primary
wlan EduXtra bss 6 primary
wlan ISE0-Open bss 7 primary
wlan TestGuestSSID bss 8 primary
wlan CPPM bss 9 primary
use captive-portal server ElevNet
use captive-portal server ElevNetKga
use captive-portal server HotSpot-Public
use captive-portal server ISE
use captive-portal server ISE_TEST
use captive-portal server NetLoan2
use captive-portal server Netloan
!

/Roger
So in your AP profile... try: service radius dynamic-authorization additional-port

Cisco ISE: it is typically 1700, I believe..
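The two things the replies point at, the CoA port (ISE defaults to 1700, while the extract above adds 3599 and the poster was watching 3799) and whether the portal host is permitted in the DNS whitelist, can be checked mechanically from a WiNG extract. The script below is an added example, not code from this thread or from Extreme; it runs over a constructed sample modelled on Roger's extract, with the secrets removed and the portal hostname replaced by a placeholder, and the checks encode the author's assumptions about what ISE central web authentication needs (CoA accepted on the WLAN, audit-session-id sent, portal reachable pre-auth, matching CoA port).

```python
import re
# Constructed sample modelled on the thread's extract; secrets and the portal hostname are placeholders.
SAMPLE_CONFIG = """\
aaa-policy ISE_TEST
attribute cisco-vsa audit-session-id
!
dns-whitelist ISE
!
captive-portal ISE_TEST
server host accessise.example.invalid
use dns-whitelist ISE
!
wlan ISE-resticted
radius dynamic-authorization
use aaa-policy ISE_TEST
use captive-portal ISE_TEST
captive-portal-enforcement
!
nx75xx 84-24-8D-7F-4C-70
service radius dynamic-authorization additional-port 3599
!
"""
def parse_blocks(text):
    """Split a flat WiNG extract into {header: [body lines]} on '!' terminators."""
    blocks = {}
    for chunk in re.split(r"^![ \t]*$", text, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            blocks[lines[0]] = lines[1:]
    return blocks

def audit_cwa(text):
    """Return findings that would stop an ISE CWA redirect or CoA from working."""
    b, findings = parse_blocks(text), []
    last = lambda body, prefix: next((l.split()[-1] for l in body if l.startswith(prefix)), None)
    for hdr, body in b.items():
        if hdr.startswith("wlan ") and "captive-portal-enforcement" in body:
            if "radius dynamic-authorization" not in body:
                findings.append(f"{hdr}: CoA from ISE will be ignored (no radius dynamic-authorization)")
            aaa, cp = last(body, "use aaa-policy "), last(body, "use captive-portal ")
            if "attribute cisco-vsa audit-session-id" not in b.get(f"aaa-policy {aaa}", []):
                findings.append(f"aaa-policy {aaa}: audit-session-id not sent, ISE cannot tie the session to its portal")
            cpb = b.get(f"captive-portal {cp}", [])
            host, wl = last(cpb, "server host "), last(cpb, "use dns-whitelist ")
            if host and f"permit {host}" not in b.get(f"dns-whitelist {wl}", []):
                findings.append(f"dns-whitelist {wl}: portal host {host} is blocked before authentication")
        m = re.search(r"dynamic-authorization additional-port (\d+)", "\n".join(body))
        if m and int(m.group(1)) != 1700:  # 1700 is the ISE default CoA port named in the reply
            findings.append(f"{hdr}: CoA listener on port {m.group(1)}, but ISE sends to 1700")
    return findings
```

On the sample it reports the whitelist gap and the 3599/1700 port mismatch; feed it `show running-config` output instead of the sample to audit a live controller.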
