Guest web authentication issue

Unanswered Question
Jul 16th, 2014
User Badges:

Hi Support team,

Issue with Guest CWA with ISE.

I can connect to guest SSID and redirection is happening to ISE guest portal page. Username and password (created by sponsor) is accepted in the guest portal. When i open a new browser it is again redirecting to guest portal rather moving to internet. Is it related to COA. Please advise. I am attaching the error what i am getting and the configuration also.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
nspasov Wed, 07/16/2014 - 15:01
User Badges:
  • Cisco Employee,
  • Cisco Designated VIP,

    2017 AAA, Identity and NAC Security

Hello-

The issue is with your authorization rules. You need to change the conditions for the "Wireless Guest Rule." Remove the current condition about the "guest flow" and add a new condition and instruct ISE to look at the ISE Identity Store group where the guest users are created. Typically, this is the "Guest" internal identity user group. Leave the second "condition" block blank.

Hope this helps!

 

Thank you for rating helpful posts! 

 

Stephen McBride Wed, 07/16/2014 - 19:12
User Badges:

Nothing wrong with your authorization rules but Neno's suggestion would make security tighter in the long run. Your WLC configuration that is incorrect for CWA. Don't do layer 3 security- do layer 2 open auth with mac filtering and no layer 3 security.

 

nspasov Wed, 07/16/2014 - 19:26
User Badges:
  • Cisco Employee,
  • Cisco Designated VIP,

    2017 AAA, Identity and NAC Security

Ops, I did not see the second set of screen shots. Yes, you need to disable L3 security and only use L2 with mac filtering as suggested above. You will also need to enable "radius NAC" under the advanced tab. The link below should walk you through the whole setup:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

 

On a side note, I still think that the current authorization rules are incorrect. If they are left alone, wouldn't the guest users be let on the network as soon as they enter the guest flow, thus never hitting the CWA rule? Or the "guest-flow" does not happen until after redirection has taken place and credentials are entered? I am not at home otherwise I would test it :)

 

Thank you for rating helpful posts! 

 

Stephen McBride Wed, 07/16/2014 - 20:06
User Badges:

Guest flow is added after the CWA bit. By not adding the group it means you can't differentiate between different internal groups eg contractor vs guest.

nspasov Wed, 07/16/2014 - 20:09
User Badges:
  • Cisco Employee,
  • Cisco Designated VIP,

    2017 AAA, Identity and NAC Security

Ah, so it is after the CWA. Thanks for confirming. (+5 from me)

Ferdy RHN Wed, 07/30/2014 - 04:57
User Badges:

Hi,

 

Did u ever get this solved? I rather have the same issue but the users are authenticated but redirected to the login page again. They do not get the "successfull" login screen but are authenticated anyway after the first time adding the credentials. Only after putting the credentials twice the successfull screen is shown.

 

Peter Koltl Wed, 07/30/2014 - 12:06
User Badges:
  • Silver, 250 points or more
  • Community Spotlight Award,

    Member's Choice, March 2016

Have you modified Wireless MAB authentication rule to Reject-Continue-Drop?

Select these values from the drop-down list:
 

  • Identity Source: TestSequence (this is the value created earlier)
  • If authentication failed: Reject
  • If user not found: Continue
  • If process failed: Drop

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html

Actions

This Discussion