ISE and Guest Portal

b.gamble
Level 1

WLC - 7.2.110.0

ISE - 1.1.1

I'm new to ISE. I want to set up a very basic method for BYOD users to access our wireless network. I've set up an SSID for external Web Auth, where users get redirected to the ISE Guest Portal: https://1.2.3.4:8443/guestportal/Login.action

At that screen, users can enter their Active Directory credentials and log in. Although the authentication shows as successful under Operations -> Authentications, the user is redirected to the device registration page. On that page they see the message "We are unable to determine access privileges in order to access the network. Please contact your administrator." Their device MAC is listed, and they can enter a description but the "Register" button is greyed out.

I'm getting overwhelmed with the amount of documentation available as well as the new terminology. I'm familiar with using Windows RADIUS servers, but ISE is very foreign to me now. Is there any documentation to help me understand how access requests are processed?

11 Replies

Tarik Admani
VIP Alumni

Are you seeing the CoA request being sent from the ISE to the wireless controller? If so, it could be that the guest is hitting another authorization profile which redirects them to the device registration page.

Can you post a screenshot of your authorization rules?

Thanks,

Tarik Admani
*Please rate helpful posts*

As far as I can tell there is no Authorization Profile being returned. I only have one authorization profile in addition to the defaults. This profile just checks AD group membership.

Sounds good, you will have to create another authorization profile that matches the guest identity group. That result should be permit access. See if that changes your luck.

Tarik Admani
*Please rate helpful posts*

Forgive me for sounding obtuse, but how does one do that?

I thought that's what I was doing when I created an auth profile that matched the AD user group that the user I'm logging in with is a member of.

Hi,

Did you set up ISE as the RADIUS server for the SSID and then set up the WLC as the RADIUS client on ISE? It seems that you are being redirected properly and the portal authentication is passing; however, there is another transaction, which is the RADIUS portion, that actually changes your network access. Please set that up and you should be good to go.

Thanks,

Tarik Admani
*Please rate helpful posts*

Yes, I set up ISE as the radius server and I've added the WLC to ISE.

Which IP address did you use for the wireless LAN controller? Did you use the management interface? Also, can you check the Security settings to make sure that "Radius Server Overwrite interface Enabled" is not checked? It seems as if the RADIUS authentication is not making it to the ISE node.

Thanks,

Tarik Admani
*Please rate helpful posts*

Naveen Kumar
Level 4

As you asked for documents related to ISE and Guest Portal, I am sending you two docs which will help you in this case. Please find the documents below:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html

http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf

How are you setting up the redirect? I have seen that error when you are being sent without using CWA, and it is related to not being able to see the session information.

Since the controller is on 7.2, you should be able to send the redirect through CWA on the ISE appliance. So you basically have an open SSID with MAC filtering enabled and Radius NAC enabled, and a policy on ISE to redirect traffic.


I forget what problem I was having, but I think I didn't have the authorization profile set up right, or at all. Sorry this thread got necro'd. The issue has long since been solved.

Sorry.

Ravi Singh
Level 7

Please see the attached Doc for setting up BYOD
