Cisco Support Community
New Member

Cisco ISE 1.2 - Problem with Device Onboarding of internal users using AD Credentials

Dear experts,

We have implemented ISE 1.2 with WLC 7.5 in our organization. We are using Device Onboarding by letting the users enter their AD Username and Password on the Guest portal, which then redirects them to the device registration portal where they simply register their device and they get internet access.

The problem is that some users are unable to authenticate using this portal while some can successfully authenticate and register their devices. All users are of the same group in AD. Also, we have enabled this check in two places. One is when users connect to the SSID, where the WPA2-Enterprise security uses 802.1x and asks for the AD username and password. The other is on the portal.

All users are able to connect to the SSID using their AD credentials. However, 30% of the users are not being authenticated when they are redirected to the Guest portal for device registration. Also, it gives no error or event on either ISE or on the mobile device. When the users enter their credentials, the same guest portal page comes back blank with no errors or logs anywhere.

Can someone guide me if there is some configuration mistake that I may have made, or has someone faced this same issue and was/wasn't able to resolve it?

Thanks in advance.

Jay

4 REPLIES
Cisco Employee

Hi,

FYI

The user or device may not be supplying the correct credentials or RADIUS key to match with the external authentication source.

Please make sure and verify that the user credentials that are entered on the client machine are correct, and verify that the RADIUS server shared secret is correctly configured in both the NAD and Cisco ISE (they should be the same).

New Member

Hello,

I'm curious as to how you have your WLAN and Security set up. I am trying to do single SSID onboarding as well. Initially I would connect with PEAP, authed upon initial connection. Then when opening Safari I'm redirected to the guest login page. If I enter the username and password again, I don't seem to go anywhere. Sounds like a similar issue.

New Member

Our problem got solved. It was related to a few user accounts in AD. Usually any authentication on an AD user account is carried out using the User ID. However, during Web Authentication, the Login ID/Name is also checked by ISE and should be the same as the User ID.

The problem you are facing might also be related to AD, since we had a similar issue. Try to check this on a laptop, as the mobile portal gives no error if the user is unknown or invalid. Also, you can enable logs for web authentication, which are off by default. It will give you a pretty good idea where the problem lies. And yeah, do not keep the web authentication logs on for long; it can hang your ISE.

Anyways, thanks for all the support.
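An audit for the account mismatch described in the post above, as an added example that is not part of the original thread. It assumes the post's "User ID" is `sAMAccountName` and its "Login ID/Name" is the part of `userPrincipalName` before the `@` (the post does not name the AD attributes); the function name `Find-LogonNameMismatch`, the sample accounts and the group placeholder are hypothetical.

```powershell
# Added example, not from the thread.
# Assumption: "User ID" = sAMAccountName, "Login ID/Name" = userPrincipalName prefix.
function Find-LogonNameMismatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        $sam = [string]$User.SamAccountName
        $upn = [string]$User.UserPrincipalName

        if ([string]::IsNullOrWhiteSpace($upn)) {
            # An account with no UPN cannot match on that attribute at all.
            $prefix = ''
            $reason = 'userPrincipalName is empty'
        } else {
            $prefix = ($upn -split '@', 2)[0]
            # AD logon names are case-insensitive, so compare without regard to case.
            if ($prefix -ieq $sam) { return }
            $reason = 'UPN prefix differs from sAMAccountName'
        }

        [pscustomobject]@{
            SamAccountName    = $sam
            UserPrincipalName = $upn
            UpnPrefix         = $prefix
            Reason            = $reason
        }
    }
}

# Constructed sample records standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';    UserPrincipalName = 'jdoe@example.com' }
    [pscustomobject]@{ SamAccountName = 'asmith';  UserPrincipalName = 'alice.smith@example.com' }
    [pscustomobject]@{ SamAccountName = 'bnguyen'; UserPrincipalName = $null }
)
$sample | Find-LogonNameMismatch | Format-Table -AutoSize

# Against a live directory (needs the ActiveDirectory module; group name is a placeholder):
# Get-ADGroupMember -Identity '<onboarding-group>' -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties UserPrincipalName |
#     Find-LogonNameMismatch
```

With the constructed sample, `asmith` and `bnguyen` are reported and `jdoe` is not; accounts flagged this way are the ones to test first on a laptop, as the post suggests.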

New Member

As advice, please downgrade your WLC; this version 7.5 has several bugs. Version 7.4 is more stable.

Regards
