
Cisco ISE 1.2 Guest Portal customization with vWLC redirect

Hello Support Community,

We have a problem regarding customized web authentication on ISE 1.2 with Package ISE12CustomPortalPackage-v4.zip. We have a Virtual Wireless Controller where we do a redirect to ISE. When we use the default guest portal on https://x.x.x.x:8443/guestportal/Login.action, authentication and authorization work fine. When we redirect to the Cisco templates on https://x.x.x.x:8443/guestportal/portals/example/Login.html, the customized login page is displayed, and after correct authentication the guest successful page is displayed, but we can't go to any webserver although ISE shows authentication and authorization as successful. When we try to reach a webserver after successful authentication, we get redirected to the customized login site. The Virtual Wireless Controller shows the client as "Webauth Required" after successful authentication. Central Web Authentication isn't possible because we have a different AAA Server for 802.1X and only use wired guest access on a particular VLAN from the WLC. Are there any known issues regarding the customization template, or is there something wrong regarding our redirect?

 

I hope somebody can help us.

 

Best Regards

 

Benjamin

6 Replies

nspasov
Cisco Employee

Hello Benjamin-

Can you:

1. Post screenshots of your WLAN configuration tabs?

2. Check the logs in the WLC and see if there are any errors for that client/MAC address

3. You can issue a debug (in CLI) for that MAC address in the WLC and post the results back here

 

Also, I am a bit confused on your statement about not being able to use CWA. The CWA is not tied to 802.1x so you should be fine using it for your SSID.

 

Thank you for rating helpful posts!

Hello Neno,

1. I attached screenshots below.

2. There is nothing related to this client.

3. I attached Debug below.

We are currently using MAB on our switches as a fallback to our 802.1X on our wired access. Order and Priority currently is 802.1X/MAB/Auth-Fail-VLAN. CWA is based on a failed MAC-Authentication which leads to an Authorization Profile to permit access with Webauth.
If you configure Wired guest access on WLC there isn't a possibility to configure MAC-Authentication.
CWA on our switches isn't possible because we are currently using failed MAC-Authentication to direct clients to our Auth-Fail-VLAN which has restricted access secured by SVI-ACL which allows us HTTP Access to printers (manual Cert Deployment) and automated Cert enrollment to our computers.

 

Best Regards

Benjamin

 

Hmm that is very strange. It is acting as if the Pre-Auth ACL is not being removed after successful authentication. A couple more questions:

1. Can you edit the authorization profile and set it not to reference an ACL and then test it again?

2. What version of code are you running on your WLC

 

On the CWA side: You can definitely enable CWA on your wireless network without affecting your wired deployment. If you are using ISE 1.2 you can utilize "Policy Sets" and configure the server so it applies different AAA policies to wired, wireless, VPN, etc. If you don't have 1.2 running then you can make your "conditions" more specific, thus separating wireless from wired.

1. Currently there is only a "permit access" authorization profile without referenced ACL.

 

2. 7.6.120

 

If you setup a wired guest "WLAN" on WLC there is no possibility of configuring MAC Filtering. Therefore CWA is not possible in our scenario.
 

Gurudatt Pai
Cisco Employee

Are you saying that once you authenticate with the custom portal, it loops back to the login page again? What ISE version and patch are you on?

 

Regards,

 

Gurudatt

Hello,

 

I authenticated with the custom portal and was redirected to "Default Authentication Success Page" (not customized) and when I entered the original URL again I was redirected to "Default Login Page".

ISE Version and patch is: 1.2.1.198

Regards,

Benjamin