Guest authorization in ISE 2.0

Hi all

I'll be installing ISE 2.0 in a corporate network that has many routed branches, and I have a few questions about the guest user permission policy.

If the authorization profile is configured with dynamic ACLs, where I can give the details of the VLAN ID for guest users, and considering that the guest VLAN ID is different for each branch, how will guest users obtain an IP address from the right VLAN?

Hello

If the VLAN is different at each location, you can do local switching on the AP instead of central switching at the WLC. This mode is called FlexConnect.

For ISE in combination with FlexConnect CWA, you have a few resources available on Cisco's website.

Here is a link to a step-by-step configuration:

http://www.Cisco.com/c/en/us/support/docs/security/identity-services-Eng...

Hope this answers your question.

PS: Please do not forget to rate and mark as correct answer if this solves your problem.

Tags: Cisco Security

Similar Questions

  • Cisco ISE guest portal authentication disabled

    Hi all...

    How do I disable authentication in the guest portal for end users? Is it possible? We have customers whose laptops have a group policy that prevents my guest portal from being shown.

    TKS

    I do not understand your question... they have a GPO that prevents the user from seeing the guest SSID? If so, you can't do anything about that other than removing this group policy restriction. If you're talking about end users not going through the portal page, then they either connect to another SSID or you bypass it for them by MAC address.

    Scott

  • Does Cisco ISE handle VLAN assignment in authorization?

    Hello

    When I create an authorization policy in Cisco ISE, under Common Tasks there is VLAN assignment. What does that do? Does it put the user on this VLAN?

    Thank you.

    Yes, this will override the VLAN configured on the switch port or wireless SSID. For example, all ports can be configured to be part of VLAN 10, but you want Finance users in VLAN 20. You can use the authorization profile to do exactly this.

    Thank you for rating helpful posts!

  • Cisco ISE 1.3 disable "Identity Resolve" step?

    Currently I am working for a client with a Cisco ISE 1.3 deployment.

    The Cisco access points are currently authenticated by MAB; the customer wants to improve on that, so I proposed implementing EAP-FAST instead of MAB for the APs as a quick and easy solution.

    It works in the test and production environment, but I was stepping through the authentication process and found something strange.

    I created a rule: if the EAP tunnel protocol is EAP-FAST, authenticate against Internal Users.

    It works very well; ISE recognizes the flow and authenticates through Internal Users.

    15041 Evaluating Identity Policy
    15048 Queried PIP - Network Access.EapAuthentication
    15048 Queried PIP - Network Access.EapTunnel
    15004 Matched rule - EAP-FAST
    15013 Selected Identity Source - Internal Users
    24210 Looking up User in Internal Users IDStore ->
    24212 Found User in Internal Users IDStore
    22037 Authentication Passed

    Along the way it also decided to look up the user in Active Directory.

    Given that the user has not been created in Active Directory, this fails.

    24432 Looking up user in Active Directory ->
    24325 Resolving identity ->
    24313 Search for matching accounts at join point ->
    24318 No matching account found in forest ->
    24322 Identity resolution detected no matching account
    24352 Identity resolution failed - ERROR_NO_SUCH_USER
    24412 User not found in Active Directory ->
    15048 Queried PIP - >.ExternalGroups
    15048 Queried PIP - Network Access.EapTunnel
    15004 Matched rule - AP_EAPFAST
    15016 Selected Authorization Profile - AP_Lan
    11002 Returned RADIUS Access-Accept

    So authentication and authorization succeed, but it tries to resolve the user in Active Directory.

    I checked the MAB authentication process, and there I see the same error.

    The MAC address of the device used for MAB is also added in ISE, so authentication goes through Internal Users; authentication and authorization succeed, but ISE wants to resolve the user (the MAC address of the device) in Active Directory.

    We also see this step for the EAP-TLS flow, and in that case the identity resolution step is successful.

    Is it possible to disable identity resolution through AD when the Internal Users store is used? (or globally?)

    I did some research and found this (search for LDAP users):

    http://www.Cisco.com/en/us/docs/security/ISE/1.0/user_guide/ise10_man_id...

    When I look at our deployment, nothing is configured under LDAP.

    If you have rules in your authorization policy that use AD groups and sit above your MAB or EAP-FAST rules, ISE will do a lookup to see whether it needs to match those rules. Put your MAB and EAP-FAST rules above the AD membership rules, and it won't do the lookup.

  • ISE voice VLAN with MAB

    Hi all

    I just configured ISE and the switch to do authentication for my voice VLAN phones.

    Authentication and authorization work well with ISE.

    SWITCH-TEST#show authentication sessions

    Interface  MAC Address     Method  Domain  Status         Fg  Session ID
    Gi1/0/1    001a.e867.4c1a  mab     VOICE   Authz Success      0A0B1050000000250136CED3

    But I have only one IP phone connected to the switchport in multi-domain mode, and no PC connected to the phone yet; still, the command 'show mac-add table int xx' shows me the IP phone's MAC in two VLANs: 316 (voice VLAN) and VLAN 1.

    The question is, why VLAN 1? Is that right?

    I have only the voice VLAN 316 configured in the policy result, with VLAN TAG = 316 and the Voice Domain Permission check box selected.

    SWITCH-TEST#show mac address-table interface gigabitEthernet 0/1/1

              Mac Address Table
    -------------------------------------------

    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
     316    001a.e867.4c1a    STATIC      Gi1/0/1
       1    001a.e867.4c1a    STATIC      Gi1/0/1

    Thank you

    Rafael

    I would recommend that you keep the command 'switchport voice vlan' because it is what allows the port to be a 'multi-vlan' port without setting it up as a trunk. If you remove this command and still want to pass two VLANs (one for voice and another for data), then you will need to configure the port as a 'trunk'. Unfortunately, that won't work, as 802.1X is not supported on trunk ports :)

    I hope this helps!

    Thank you for rating helpful posts!

  • ISE 1.2 Guest Access session expired

    We have implemented ISE to allow wired users to log in with CWA, but every time we get

    "Your session has expired. Please reconnect."

    We successfully get to the portal and log on, change the password, accept the terms, but then we just get the session-expired page.

    Switch (some data redacted for privacy):

    SW01#sh auth ses int f0/1
                Interface:  FastEthernet0/1
              MAC Address:  0021.xxda.xx28
               IP Address:  xxx.xx.40.45
                User-Name:  00-21-xx-DA-xx-28
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-domain
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  901
                  ACS ACL:  xACSACLx-IP_GuestWired_ISE_Portal_Access-53182da8
         URL Redirect ACL:  REDIRECTION dot1x_WEBAUTH
             URL Redirect:  https://guest.ourdomain.com:8443/guestportal/gateway?sessionId=AC1262FB000000FA0FCEFDB8&portal=TT_GuestPortal&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1262FB000000FA0FCEFDB8
          Acct Session ID:  0x000001CF
                   Handle:  0x370000FB

    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success

    ISE reports a login failure:

    Event: 5418 Guest Authentication Failed
    Failure Reason: 86017

    Now, the reason seems to be that the guest portal is accessed on an ISE in our DMZ, but the RADIUS/MAB authentication is done by our internal ISEs (all the ISEs belong to the same deployment, however). This is because the NAD is a switch and its management interface is inside the network, while the guest VLAN is in a DMZ. If we do both the RADIUS and the guest portal on the same ISE (breaking the routing/security), access is granted and everything works correctly.

    In summary, the session ID sent by the RADIUS ISE server is not available to the publicly accessible guest portal ISE server, so the session ID does not exist in its session cache.

    Must the guest portal ISE server be the same ISE server that generated the RADIUS/MAB session? There is no obvious way to tie an FQDN (for example guest.ourdomain.com) to the NAD.

    Shouldn't the session ID be shared across all the policy service nodes?

    Any other ideas or thoughts?

    Chris Davis

    The SessionID is not replicated; you must ensure that the ISE that owns the portal is the same one that answered the original MAB request from your switch.

    Jan
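    The consistency check behind Jan's answer, as an added example that is not code from the thread or from Cisco: it parses a constructed `show authentication sessions interface` output modelled on the one above, decodes the IOS audit session ID, and flags a redirect URL whose host resolves (for the guest client) to a node other than the PSN that answered the switch. The sample session text, the PSN address and the DNS map are assumptions.

```python
"""Check a wired CWA session against the 'same PSN' rule from the answer above.

Added example, not code from the thread or from Cisco. The session text below is
constructed after the posted output; PSN addresses and the DNS map are made up.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample, trimmed to the fields the check needs.
SAMPLE_SESSION = """\
SW01#show authentication sessions interface FastEthernet0/1
            Interface:  FastEthernet0/1
          MAC Address:  0021.aaaa.bb28
           IP Address:  10.202.40.45
            User-Name:  00-21-AA-AA-BB-28
               Status:  Authz Success
               Domain:  DATA
          Vlan Policy:  901
              ACS ACL:  xACSACLx-IP_GuestWired_ISE_Portal_Access-53182da8
     URL Redirect ACL:  REDIRECT-dot1x_WEBAUTH
         URL Redirect:  https://guest.example.com:8443/guestportal/gateway?sessionId=AC1262FB000000FA0FCEFDB8&portal=TT_GuestPortal&action=cwa
    Common Session ID:  AC1262FB000000FA0FCEFDB8
"""

_FIELD = re.compile(r"^\s*(.+?):\s{2,}(\S.*?)\s*$")


def parse_session(text: str) -> dict:
    """Map the 'Key:  value' lines of the switch output to a dict; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def decode_audit_session_id(sid: str) -> tuple:
    """Split an IOS audit session ID (24 hex digits) into (NAS IPv4, counter, timestamp).

    IOS builds it as NAS IP in hex (8) + per-NAD session counter (8) + timestamp (8),
    which is why the first 8 digits identify the switch that owns the session.
    """
    if not re.fullmatch(r"[0-9A-Fa-f]{24}", sid):
        raise ValueError(f"not an IOS audit session id: {sid!r}")
    nas_ip = str(ipaddress.IPv4Address(int(sid[:8], 16)))
    return nas_ip, int(sid[8:16], 16), int(sid[16:], 16)


def check_cwa_session(fields: dict, radius_servers: set, dns: dict) -> list:
    """Return findings for a CWA session; an empty list means it looks consistent.

    radius_servers: addresses the NAD sends RADIUS to (the PSN that owns the session).
    dns: what the portal FQDN resolves to for the client (the guest VLAN's resolver).
    """
    findings = []
    common_sid = fields.get("Common Session ID", "")
    try:
        decode_audit_session_id(common_sid)
    except ValueError as exc:
        findings.append(str(exc))
    url = fields.get("URL Redirect")
    if not url:
        return findings + ["no URL Redirect on the session: CWA authorization profile not applied"]
    parts = urlsplit(url)
    url_sid = parse_qs(parts.query).get("sessionId", [""])[0]
    if url_sid != common_sid:
        findings.append(f"sessionId in redirect URL ({url_sid}) != Common Session ID ({common_sid})")
    if parts.scheme != "https":
        findings.append("redirect URL is not https")
    # A literal IP in the URL 'resolves' to itself; a name goes through the client's DNS view.
    target = dns.get(parts.hostname, parts.hostname)
    if target not in radius_servers:
        findings.append(
            f"portal host {parts.hostname} -> {target} is not the PSN that answered the "
            f"switch ({', '.join(sorted(radius_servers))}); the session cache is per PSN"
        )
    return findings


if __name__ == "__main__":
    session = parse_session(SAMPLE_SESSION)
    nad, count, _ = decode_audit_session_id(session["Common Session ID"])
    print(f"session {count} on NAD {nad}")
    # Constructed: the switch talks to an internal PSN, but guest DNS sends the
    # browser to a DMZ node, which is the situation described in the post.
    for problem in check_cwa_session(session, {"10.202.152.91"}, {"guest.example.com": "203.0.113.10"}):
        print("finding:", problem)
```

    Run against a real `show authentication sessions interface ... details` capture, the first eight hex digits of the Common Session ID give you the switch, and the portal host in the URL must resolve, from the guest VLAN, to the node that holds that session.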

  • Guest WiFi using Dot1x

    Hi all

    I have been using the guest feature in ISE 1.1.4 (and earlier versions) for some time and I've always been frustrated with it. I am now in the process of setting up another guest network using dot1x, pointing to the Internal Users identity source (where all registered guests are stored) in ISE to authenticate clients.

    It seems to work perfectly for all activated guests, but a newly created account receives the following...

    RADIUS Status:
    Authentication failed: 24206 User disabled

    Is there a way to bypass activation through the NCB and thus make it possible for registered guests to authenticate using dot1x?

    Would changing the guest portal policy configuration (Not Used / First Login / Every Login) or the Authentication Type (Guest / CWA / Both) solve this problem? I am loath to change it on the fly in a production environment.

    Thank you

    http://www.Cisco.com/c/en/us/support/docs/security/identity-services-Eng...

  • Cisco ISE with HP and Fortigate

    Hello

    I configured HP 5820X and 5130 switches for RADIUS AAA authentication with Cisco ISE 2.0.0.306.

    The switch receives the successful authorization response, but I am unable to log in. What are the advanced RADIUS authorization attributes in the ISE profile?

    In addition, does ISE support Fortigate firewalls?

    Oh, and yes, ISE supports any device using RADIUS in accordance with the RFC; it is usually only a question of which AV pairs to send to that specific device, as there is no real standard for this.

  • ISE voice VLAN dynamic assignment using MAB

    Hi all

    I just configured ISE and the switch for voice VLAN authentication for my phones and users. The issue I'm having is dynamically assigning a voice VLAN for my VTC units.

    Authentication and authorization work well with ISE and I am able to assign the user VLAN, but I have problems with the voice VLAN.

    Any help would be appreciated!

    Thank you!

    Alex,

    We cannot have several voice VLANs, only one. What are you trying to achieve?

    Do not push any VLAN ID in the authorization rule. Pushing the attribute device-traffic-class=voice will assign VLAN 210 (the voice VLAN).

    Only the data VLAN should be assigned dynamically.

    Hope that helps

    Kind regards

    ~ JG

    Please rate helpful posts
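    The attributes behind both answers (the VLAN assignment common task earlier in this list and the voice domain permission here), as an added example rather than ISE's or Cisco's code: it builds the Access-Accept attributes ISE sends for each case and decodes them the way a NAD would. The attribute numbers and values are the standard RFC 2868/RFC 3580 tunnel attributes and the Cisco VSA; the VLAN id "20" used below is made up.

```python
"""Build and decode the RADIUS Access-Accept attributes behind ISE VLAN assignment.

Added example, not ISE's or Cisco's code. The authorization-profile 'VLAN' common task
sends the RFC 2868 tunnel attributes; the 'Voice Domain Permission' box sends the
Cisco VSA cisco-av-pair "device-traffic-class=voice". VLAN numbers here are made up.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868
VENDOR_SPECIFIC = 26                                                   # RFC 2865
TUNNEL_TYPE_VLAN = 13                                                  # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(attr_type: int, value: int, tag: int = 1) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, value: str, tag: int = 1) -> bytes:
    """RFC 2868 tagged string; a tag above 0x1F would be read as data, so refuse it."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return avp(attr_type, bytes([tag]) + value.encode())


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping Cisco (vendor 9) sub-attribute 1, cisco-av-pair."""
    data = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def data_vlan_attributes(vlan: str) -> bytes:
    """What ISE puts in the Accept for the 'VLAN' common task (id or name)."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan))


def voice_domain_attributes() -> bytes:
    """'Voice Domain Permission': no tunnel attributes, the switch keeps its own voice VLAN."""
    return cisco_avpair("device-traffic-class=voice")


def parse_attributes(blob: bytes) -> list:
    """Walk a run of attributes into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        attr_type, length = struct.unpack_from("!BB", blob, i)
        if length < 2 or i + length > len(blob):
            raise ValueError(f"malformed attribute at offset {i}")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(blob: bytes):
    """VLAN the NAD will apply, or None unless all three tunnel attributes agree on one tag."""
    seen = {}
    for attr_type, value in parse_attributes(blob):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[(attr_type, value[0])] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag = value[0] if value[0] <= 0x1F else 0      # untagged: whole value is data
            seen[(attr_type, tag)] = (value[1:] if tag else value).decode()
    for (attr_type, tag), vlan in seen.items():
        if (attr_type == TUNNEL_PRIVATE_GROUP_ID
                and seen.get((TUNNEL_TYPE, tag)) == TUNNEL_TYPE_VLAN
                and seen.get((TUNNEL_MEDIUM_TYPE, tag)) == TUNNEL_MEDIUM_IEEE_802):
            return vlan
    return None


def voice_domain(blob: bytes) -> bool:
    """True if a Cisco av-pair 'device-traffic-class=voice' is present."""
    for attr_type, value in parse_attributes(blob):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        i = 4
        while i + 2 <= len(value):
            sub_type, sub_len = value[i], value[i + 1]
            if sub_len < 2:
                break
            if sub_type == CISCO_AVPAIR and value[i + 2:i + sub_len] == b"device-traffic-class=voice":
                return True
            i += sub_len
    return False


if __name__ == "__main__":
    finance = data_vlan_attributes("20")          # made-up data VLAN
    phone = voice_domain_attributes()
    print(finance.hex(), "->", assigned_vlan(finance), voice_domain(finance))
    print(phone.hex(), "->", assigned_vlan(phone), voice_domain(phone))
```

    The decoder only honours a VLAN when Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID carry the same tag, which is how a NAD matches the three attributes; a lone Tunnel-Private-Group-ID is ignored, and the voice accept carries no tunnel attributes at all, matching the advice above not to push a VLAN id for phones.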

  • 802.1X with the logon script

    Hello

    Before setting up 802.1X with ISE, user logon used a script to map the network drives.

    We deployed 802.1X with the IP phone and its PC successfully, but the logon script does not work now.

    What steps are necessary to make the login script work?

    ISE: 2.1

    switch: 3750 with 12.2(55)SE10

    PC: Win7 (connected to the IP phone)

    IP phone: 6921 (connected to switch F1/0/4)

    Switch configuration, see below:

    !
    version 12.2
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    no service password-encryption
    service linenumber
    service sequence-numbers
    !
    hostname ISESW01
    !
    boot-start-marker
    boot-end-marker
    !
    enable password 7 xxxxxxxxxxxxxxxxxxxxxx
    !
    username xxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxx
    !
    !
    aaa new-model
    !
    !
    aaa group server radius ISE
     server 10.202.152.91 auth-port 1645 acct-port 1646
     server 10.202.152.92 auth-port 1645 acct-port 1646
    !
    aaa authentication dot1x default group ISE
    aaa authorization network default group ISE
    aaa authorization auth-proxy default group ISE
    aaa accounting update periodic 5
    aaa accounting dot1x default start-stop group ISE
    aaa accounting system default start-stop group ISE
    !
    !
    aaa server radius dynamic-author
     client 10.202.152.91
     client 10.202.152.92
    !
    aaa session-id common
    switch 1 provision ws-c3750v2-48ps
    system mtu routing 1500
    vtp mode transparent
    ip dhcp excluded-address 10.202.21.1 10.202.21.10
    ip dhcp excluded-address 10.202.121.196
    !
    ip dhcp pool testingdhcp
     network 10.202.19.0 255.255.255.0
     default-router 10.202.19.1
     dns-server 10.202.152.21
    !
    !
    ip device tracking
    !
    mls qos map policed-dscp  0 10 18 24 46 to 8
    mls qos map cos-dscp 0 8 16 24 32 46 48 56
    mls qos srr-queue input bandwidth 70 30
    mls qos srr-queue input threshold 1 80 90
    mls qos srr-queue input priority-queue 2 bandwidth 30
    mls qos srr-queue input cos-map queue 1 threshold 2 3
    mls qos srr-queue input cos-map queue 1 threshold 3 6 7
    mls qos srr-queue input cos-map queue 2 threshold 1 4
    mls qos srr-queue input dscp-map queue 1 threshold 2 24
    mls qos srr-queue input dscp-map queue 1 threshold 3 48 49 50 51 52 53 54 55
    mls qos srr-queue input dscp-map queue 1 threshold 3 56 57 58 59 60 61 62 63
    mls qos srr-queue input dscp-map queue 2 threshold 3 32 33 40 41 42 43 44 45
    mls qos srr-queue input dscp-map queue 2 threshold 3 46 47
    mls qos srr-queue output cos-map queue 1 threshold 3 4 5
    mls qos srr-queue output cos-map queue 2 threshold 1 2
    mls qos srr-queue output cos-map queue 2 threshold 2 3
    mls qos srr-queue output cos-map queue 2 threshold 3 6 7
    mls qos srr-queue output cos-map queue 3 threshold 3 0
    mls qos srr-queue output cos-map queue 4 threshold 3 1
    mls qos srr-queue output dscp-map queue 1 threshold 3 32 33 40 41 42 43 44 45
    mls qos srr-queue output dscp-map queue 1 threshold 3 46 47
    mls qos srr-queue output dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
    mls qos srr-queue output dscp-map queue 2 threshold 1 26 27 28 29 30 31 34 35
    mls qos srr-queue output dscp-map queue 2 threshold 1 36 37 38 39
    mls qos srr-queue output dscp-map queue 2 threshold 2 24
    mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
    mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
    mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
    mls qos srr-queue output dscp-map queue 4 threshold 1 8 9 11 13 15
    mls qos srr-queue output dscp-map queue 4 threshold 2 10 12 14
    mls qos queue-set output 1 threshold 1 100 100 50 200
    mls qos queue-set output 1 threshold 2 125 125 100 400
    mls qos queue-set output 1 threshold 3 100 100 100 400
    mls qos queue-set output 1 threshold 4 60 150 50 200
    mls qos queue-set output 1 buffers 15 25 40 20
    mls qos
    !
    crypto pki trustpoint TP-self-signed-1210376576
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1210376576
     revocation-check none
     rsakeypair TP-self-signed-1210376576
    !
    !
    crypto pki certificate chain TP-self-signed-1210376576
     certificate self-signed 01
      xxxxxxxxx
      quit
    auto qos srnd4
    dot1x system-auth-control
    dot1x critical eapol
    !
    !
    !
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    spanning-tree vlan 819 priority 61440
    !
    vlan internal allocation policy ascending
    !
    vlan 121
     name Voice_Vlan
    !
    vlan 819
     name 19F_VLAN
    !
    vlan 888 899
    !
    !
    class-map match-all AUTOQOS_VOIP_DATA_CLASS
     match ip dscp ef
    class-map match-all AUTOQOS_DEFAULT_CLASS
     match access-group name AUTOQOS-ACL-DEFAULT
    class-map match-all AUTOQOS_VOIP_SIGNAL_CLASS
     match ip dscp cs3
    class-map match-all AutoQoS-VoIP-RTP-Trust
     match ip dscp ef
    class-map match-all AutoQoS-VoIP-Control-Trust
     match ip dscp cs3 af31
    !
    !
    policy-map AUTOQOS-SRND4-CISCOPHONE-POLICY
     class AUTOQOS_VOIP_DATA_CLASS
      set dscp ef
      police 128000 8000 exceed-action policed-dscp-transmit
     class AUTOQOS_VOIP_SIGNAL_CLASS
      set dscp cs3
      police 32000 8000 exceed-action policed-dscp-transmit
     class AUTOQOS_DEFAULT_CLASS
      set dscp default
      police 10000000 8000 exceed-action policed-dscp-transmit
    policy-map AutoQoS-Police-CiscoPhone
     class AutoQoS-VoIP-RTP-Trust
      set dscp ef
      police 320000 8000 exceed-action policed-dscp-transmit
     class AutoQoS-VoIP-Control-Trust
      set dscp cs3
      police 32000 8000 exceed-action policed-dscp-transmit
    !
    !
    !
    !

    interface FastEthernet1/0/4
     switchport access vlan 819
     switchport mode access
     switchport voice vlan 121
     authentication event fail action next-method
     authentication event server dead action authorize voice
     authentication event no-response action authorize vlan 889
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x
     authentication port-control auto
     mab
     snmp trap mac-notification change added
     snmp trap mac-notification change removed
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    !

    !
    interface Vlan1
     no ip address
    !
    interface Vlan819
     ip address 10.202.19.11 255.255.255.0
    !
    ip default-gateway 10.202.19.1
    ip classless
    ip http server
    ip http secure-server
    !
    !
    ip access-list extended AUTOQOS-ACL-DEFAULT
     permit ip any any
    ip access-list extended redirection
     deny   udp any eq bootpc any eq bootps
     deny   udp any any eq bootps
     deny   udp any any eq domain
     deny   ip any host 10.202.154.192
     permit ip any any
    !
    !
    snmp-server community Cisco123 RO
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host 10.202.152.91 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxx
    radius-server host 10.202.152.92 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxx
    radius-server vsa send accounting
    radius-server vsa send authentication

    I had a similar problem with workstations where the PEAP setting was "user or computer authentication". What was happening is that the DACL applied when the computer account authenticated was restricted to just the DCs etc., and did not include the locations required by the login script. It seems that the Windows 7 user logon script runs before dot1x presents the user credentials to the switch.

    So, in our case, we modified the DACL in place for the computer account to allow access to the locations required for the login script (i.e. the file share servers), and everything works.
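    An evaluator for the two ACLs in play, added here and not part of the thread: the redirect ACL from the posted switch config (a permit there means the packet is sent to the portal) and a machine-authentication DACL before and after adding the file-share server, as the answer above describes. The DACL lines, the DC and file-server addresses (10.202.152.50, 10.202.30.5) and the sample flows are constructed; the redirect ACL entries and 10.202.154.192 are the poster's.

```python
"""Evaluate Cisco extended ACL lines against sample flows.

Added example, not from the thread. Two lists are checked: the redirect ACL from
the posted switch config (a permit there means 'redirect to the portal') and a
machine-authentication DACL before and after the fix in the answer above.
The DACL lines, the DC/file-server addresses and the flows are constructed.
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "kerberos": 88, "ldap": 389}
Flow = namedtuple("Flow", "proto src sport dst dport")

# From the posted config (10.202.154.192 is the poster's ISE node).
REDIRECT_ACL = """\
ip access-list extended redirection
 deny   udp any eq bootpc any eq bootps
 deny   udp any any eq bootps
 deny   udp any any eq domain
 deny   ip any host 10.202.154.192
 permit ip any any
"""

# Constructed: a machine DACL that only allows DHCP, DNS and the DC ...
MACHINE_DACL_BEFORE = """\
permit udp any eq bootpc any eq bootps
permit udp any host 10.202.152.21 eq domain
permit ip any host 10.202.152.50
deny ip any any
"""
# ... and the same DACL with the file-share server added for the logon script.
MACHINE_DACL_AFTER = MACHINE_DACL_BEFORE.replace(
    "deny ip any any", "permit tcp any host 10.202.30.5 eq 445\ndeny ip any any")

# Constructed flows from a PC in 10.202.19.0/24.
FLOWS = {
    "dhcp": Flow("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns": Flow("udp", "10.202.19.50", 50000, "10.202.152.21", 53),
    "kerberos_dc": Flow("tcp", "10.202.19.50", 50001, "10.202.152.50", 88),
    "smb_fileserver": Flow("tcp", "10.202.19.50", 50002, "10.202.30.5", 445),
    "web": Flow("tcp", "10.202.19.50", 50003, "198.51.100.7", 80),
    "portal": Flow("tcp", "10.202.19.50", 50004, "10.202.154.192", 8443),
}


def _port(token):
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    if token.isdigit():
        return int(token)
    raise ValueError(f"unknown port {token!r}")


def _addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def _maybe_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'permit|deny proto src [eq p] dst [eq p]' lines; headers and remarks are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _addr(tokens, 2)
        sport, i = _maybe_port(tokens, i)
        dst, i = _addr(tokens, i)
        dport, i = _maybe_port(tokens, i)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def _matches(rule, flow):
    _, proto, src, sport, dst, dport = rule
    return (proto in ("ip", flow.proto)
            and ipaddress.ip_address(flow.src) in src
            and ipaddress.ip_address(flow.dst) in dst
            and (sport is None or sport == flow.sport)
            and (dport is None or dport == flow.dport))


def evaluate(rules, flow):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for rule in rules:
        if _matches(rule, flow):
            return rule[0]
    return "deny"


def report(acl_text, flows=FLOWS):
    """Result per named flow, e.g. {'dns': 'deny', 'web': 'permit', ...}."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    print("redirect ACL (permit = sent to portal):", report(REDIRECT_ACL))
    print("machine DACL before:", report(MACHINE_DACL_BEFORE))
    print("machine DACL after: ", report(MACHINE_DACL_AFTER))
```

    For the redirect ACL the interesting result is that DHCP, DNS and traffic to the ISE node itself are not redirected while everything else is; for the machine DACL, the SMB flow to the file server is the one that flips from deny to permit, which is exactly the logon-script symptom above.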

  • ISE guest authorization

    Hi all

    Can someone help me with an ISE design for guest user authorization.

    Requirement:

    1. Different guest authorizations need to be given to users through ISE; each guest should have different access according to the requirement. Is this possible? If so, how do we achieve this? A Base license has been purchased.

    Thank you

    Kamlesh

    Here you go:

    http://www.Cisco.com/c/en/us/support/docs/wireless/5500-Series-Wireless-...

    -Jousset

  • ISE guest portal FQDN

    Is it possible to create a guest portal with an FQDN?

    I'll try to explain.

    Requirements:

    1) The WiFi network must be secured with L2 security (WPA2-Enterprise, PEAP) - no L3 web redirect.

    2) WiFi users should use a separate external authority (AD or LDAP, not the enterprise one and not ISE local).

    3) There is no need for managing personal devices.

    4) WiFi users must have the ability to change their password from an intranet portal, which is available under an FQDN.

    There is no problem with req 1-3, but there doesn't seem to be a way to create a portal only for user password change. These requirements relate to the issue "mobile devices do not offer an option to change the password" if ISE sends a change request (tested on iPhone, Android and Windows Mobile with Active Directory).

    Hi Sefedoro,

    ISE 1.3 does support the use of an FQDN with guest portals. This can be defined in the authorization profile that specifies the CWA portal. However this guest portal FQDN is only accessible to clients with active sessions in the guest workflow. Also, password change via the guest portal is supported for ISE internal guests and not AD accounts. Once network connectivity is established by a Windows client through WPA2-Enterprise, a user can change his or her password via Ctrl-Alt-Del -> Change Password. If you use user or user-or-computer supplicant authentication, I would test this process on a couple of different Windows builds. The OS and the supplicant should automatically pick up the password change. If you use an intermediate intranet portal, the user must connect to the network and log in to the laptop again with the new credentials. Using computer authentication (computer only) will avoid these problems.

  • Wired guest CWA with ISE

    Having a devil of a time getting this working.

    The first option is for the device to try to authenticate using Dot1X/EAP-TLS - for domain devices only.

    If that fails, they want the option to fall through to a CWA portal where they can enter either AD creds or internal guest user creds.

    My challenge is the policy and where to insert it.

    I am using ISE 1.2 policy sets.

    Currently, I have these statements in the default policy set:

    Rule Name                  Conditions                                       Permissions
    Wired Guest Portal Auth    If Network Access:UseCase EQUALS Guest Flow      PermitAccess
    Wired Guest Redirect       If Wired_MAB                                     Wired CWA

    I thought that if they fail .1x, they would fall down here to Wired MAB, and that would launch a redirect and the guest flow.

    Problems:

    First of all, there is no attempt; a show auth sess indicates the correct redirect URL sent to the switchport.

    Unfortunately, my browser pop-up gives me an unrecognized certificate error, and if I try to continue anyway, it does nothing. The wireless guest flow, which I copied, works very well.

    The second challenge is that it requires the redirect whether I switch the NAD to Monitor Mode or Low Impact. This is a problem because there are several sites, and we'll cut each one over to Low Impact gradually.

    Has anyone seen a document detailing step-by-step implementation of this?

    Thanks in advance.

    Hi Andrew! Yes, good work on the portal setting question!

    And yes, authorization rules are evaluated even in open mode. And you are right that you need to create different rules to account for NADs that are in production and NADs that are in monitor mode. I always liked using a separate policy set for Monitor Mode and a separate policy set for Production Mode. Then I used the device location to match these conditions. For each location I have two subgroups: one for Monitor and one for Production. This way I can move a NAD from monitor mode to full production by simply changing its group.

    Finally, yes, your CWA rules must be at the bottom of your production authorization rules.

    Thank you for rating helpful posts!

  • Cisco ISE guest portal - DNS problem - external zone

    Hello

    I have a client that has the following scenario:

    In a wireless deployment with Cisco ISE 1.1.3 and CWA, when the wireless client receives the ISE redirect URL (the URL to access the ISE guest portal), this URL is based on the ISE DNS name, not on its IP address. Thus the PC cannot resolve this DNS name, because there is no DNS in the external zone (for guests) or when using the ISP DNS server addresses provided by the DHCP server, and therefore it cannot access the guest portal at all.

    I know that trying to hard-code the IP address does not work (i.e. in the CWA authorization profile, the equivalent URL redirection via the Cisco AV pair as follows:

    Cisco-AV-Pair = url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa,

    since the SessionIdValue variable is not replaced by its real value when sent to the wireless client).

    My question is: has this issue been addressed in version 1.2 of Cisco ISE - has anyone tried it? If not in Cisco 1.2, does anyone know if this feature will become available?

    Thanks in advance for your answers.

    Robert C.

    Robert,

    Manual assignment has been made available in ISE version 1.2.

    M.

  • Change the CWA guest portal redirect URL in Cisco ISE 2.1.0

    Hello

    I've set up a CWA guest portal with a WLC 5508 on 8.0.133.0 and ISE 2.1.0.

    I did all the rules for both authentication and authorization, and I also see clients hitting the right rules. The rule redirects the client to a captive portal in ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=d30c7eb0...

    I have 3 different guest portals, one for each SSID, and everything works fine.

    The problem is that when the wireless client receives the ISE redirect URL (the URL to access the ISE guest portal), this URL is based on the ISE DNS name, not on its IP address. My ISE FQDN is iselab01.example.local and the certificate used for the guest portal is for the domain example.local.

    Now I was asked to create a new guest portal, but this time I have a certificate belonging to the domain example.org and need the redirect to this new guest portal to use this new domain.

    I tried to code, in the CWA authorization profile, the equivalent URL redirection through the Cisco AV pair as follows:

    Cisco-av-pair = url-redirect=https://iselab01.example.org:8443/portal/gateway?sessionId=SessionIdValu...

    but it does not work, since the SessionIdValue is not replaced with its actual value when sent to the wireless client.

    Is it possible to change the ISE redirect URL somewhere, just for one guest portal?

    Best regards

    Simply use the Centralized Web Auth setting in the authz profile rather than entering the cisco-av-pair yourself; you will find that you can change the FQDN part of the URL while the session ID is kept intact.
