ISE and Guest Portal

Unanswered Question
Jul 25th, 2012

WLC - 7.2.110.0

ISE - 1.1.1


I'm new to ISE. I want to set up a very basic method for BYOD users to access our wireless network. I've set up an SSID for external Web Auth, where users get redirected to the ISE Guest Portal: https://1.2.3.4:8443/guestportal/Login.action


At that screen, users can enter their Active Directory credentials and log in. Although the authentication shows as successful under Operations -> Authentications, the user is redirected to the device registration page. On that page they see the message "We are unable to determine access privileges in order to access the network. Please contact your administrator." Their device MAC is listed, and they can enter a description but the "Register" button is greyed out.


I'm getting overwhelmed with the amount of documentation available as well as the new terminology. I'm familiar with using Windows RADIUS servers, but ISE is very foreign to me now. Is there any documentation to help me understand how access requests are processed?

Tarik Admani Wed, 07/25/2012 - 15:11

Are you seeing the CoA request being sent from the ISE to the wireless controller? If so, it could be that the guest is hitting another authorization profile which redirects them to the device registration page.


Can you post a screenshot of your authorization rules?


Thanks,



Tarik Admani
*Please rate helpful posts*

b.gamble Wed, 07/25/2012 - 15:28

As far as I can tell there is no Authorization Profile being returned. I only have one authorization profile in addition to the defaults. This profile just checks AD group membership.

Tarik Admani Wed, 07/25/2012 - 15:34

Sounds good, you will have to create another authorization profile that matches the guest identity group. That result should be permit access. See if that changes your luck.



Tarik Admani
*Please rate helpful posts*

b.gamble Wed, 07/25/2012 - 15:39

Forgive me for sounding obtuse, but how does one do that?


I thought that's what I was doing when I created an auth profile that matched the AD user group that the user I'm logging in with is a member of.


Tarik Admani Thu, 07/26/2012 - 07:41

Hi,


Did you set up ISE as the RADIUS server for the SSID and then set up the WLC as the RADIUS client on ISE? It seems that you are being redirected properly, but the portal authentication is passing; however, there is another transaction, which is the RADIUS portion, that actually changes your network access. Please set that up and you should be good to go.


Thanks,


Tarik Admani
*Please rate helpful posts*

b.gamble Thu, 07/26/2012 - 07:51

Yes, I set up ISE as the RADIUS server and I've added the WLC to ISE.

Tarik Admani Thu, 07/26/2012 - 07:55

Which IP address did you use for the wireless LAN controller? Did you use the management interface? Also, can you check the Security settings and make sure that "Radius Server Overwrite interface Enabled" is not checked? It seems as if the RADIUS authentication is not making it to the ISE node.


Thanks,


Tarik Admani
*Please rate helpful posts*

Nicholas Copeland Fri, 03/22/2013 - 10:07

How are you setting up the redirect? I have seen that error when you are being sent without using CWA and it is related to not being able to see the session information.

Since the controller is on 7.2 you should be able to send the redirect through CWA on the ISE appliance. So you basically have an open SSID with MAC filtering enabled and RADIUS NAC enabled. And a policy on ISE to redirect traffic.

Sent from Cisco Technical Support iPad App

b.gamble Fri, 03/22/2013 - 10:42

I forget what problem I was having, but I think I didn't have the authorization profile set up right, or at all. Sorry this thread got necro'd. The issue has long since been solved.


Sorry.
