Posted on October 24, 2020 12:45 pm
 |  Asked by carol
 |  212 views

Hi,

We are trying to set up Guest and BYOD SSIDs with HTTP redirection to Cisco ISE, but I'm having difficulty getting the HTTP redirection to work. Any advice will be appreciated.

FYI, I've gone through the ISE Integration and Role Profile documentation.

Thanks

Answered on November 27, 2020 3:35 pm

Hello Carol,

I would appreciate it if you could open a case with us so that we could take this up, check further logs and get this resolved.

Regards,

Pushkar

Posted by Ashish A Majumdar
Answered on January 13, 2021 12:04 am

Hi,

I am responding to this to ensure that it helps someone else in the same situation. For URL redirection, we need to first generate the URL using the ISE for Guest and BYOD onboarding.

The second step is to create two roles within CV Wifi:

  • Pre-auth role
  • Post-auth role

In the pre-auth role you need to use the URL that we generated from ISE and possibly set the VLAN in which the BYOD wireless user lands. The post-auth role can be created to restrict a user's download speed and possibly create filter rules to ensure that a BYOD user cannot access some parts of the network etc.

Once you create the roles you will then configure the BYOD SSID and call these roles in SSID -> Access Control -> Role based control. The following image explains this better.

The pre-auth role is called Arista-BYOD-Redirect and the post-auth role is called Arista-BYOD-Full. Here we were going to be utilizing the Arista Wireless vendor-specific attribute (Mojo-user-role), so that ISE can match the flow and send back the right roles, which then allows for redirection to the BYOD URL and then, when the user is authenticated and the device registered, allows for full network access.

An important configuration step on ISE would be to ensure that you change the URL redirection to static under network profiles to make this work. Cisco ISE uses Cisco VSAs for dynamic redirection, which will obviously not work.

We also need CoA to make this work, and you can use the RFC5176 disconnect CoA to signal the change in role.

I hope this helps.
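
The RFC 5176 Disconnect-Request mentioned in the answer above is only honoured when its Request Authenticator matches the RADIUS shared secret configured on both sides, so a secret mismatch is a common reason CoA silently fails. The following is an added example, not part of the original answer and not Arista or Cisco code; it builds such a packet and verifies it the way a receiver would, and the secret, MAC address and session id are constructed placeholders.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40                      # RFC 5176 packet code
CALLING_STATION_ID, ACCT_SESSION_ID = 31, 44  # standard RADIUS attribute types

def encode_attrs(attrs):
    """Encode (type, bytes) pairs as RADIUS TLVs; length includes the 2-byte header."""
    out = b""
    for a_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", a_type, len(value) + 2) + value
    return out

def _authenticator(code, ident, length, attrs, secret):
    # RFC 5176 sec. 2.3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_disconnect_request(ident, attrs, secret):
    body = encode_attrs(attrs)
    length = 20 + len(body)
    auth = _authenticator(DISCONNECT_REQUEST, ident, length, body, secret)
    return struct.pack("!BBH", DISCONNECT_REQUEST, ident, length) + auth + body

def parse_and_verify(packet, secret):
    """Return {type: value} for an authentic Disconnect-Request, else None."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):  # strict: no padding
        return None
    attrs = packet[20:]
    expected = _authenticator(code, ident, length, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                          # wrong secret or modified packet
    parsed, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            return None                      # malformed TLV
        parsed[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return parsed

# Constructed sample values (placeholders, not from the original post).
SECRET = b"example-shared-secret"
PKT = build_disconnect_request(7, [(CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),
                                   (ACCT_SESSION_ID, b"session-0001")], SECRET)
```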
