07-02-2012 12:20 PM - edited 03-10-2019 07:15 PM
I'm new to ISE and have run into a snag that I'm not sure how to handle. I have CWA configured, and when I access the ISE SSID I am redirected to the guest login page. When I log in it asks me to accept the AUP. I accept, and it tells me authentication is successful, but when I try to browse to another site I can't get anywhere and it brings me right back to the guest login page. Any ideas or suggestions?
07-02-2012 03:38 PM
Replace the condition on the left from Guest to Any... the policy you defined below is to redirect all MAB requests to the redirection portal where the user can enter the authentication information.
Thanks,
tarik admani
As always please remember to rate any feedback that you find helpful.
07-02-2012 01:33 PM
David,
You will have to create another authorization policy above this rule that they will have to hit once their Endpoint profile changes... this is where CoA comes into play and this is what ISE uses over other RADIUS servers.
When the user authenticates and is unknown to ISE then the endpoint gets redirected to the web portal. Once the user authenticates, this is where CoA takes effect and searches for another matching authorization policy. Have you created an authorization policy for guests?
Thanks,
Tarik admani
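The re-evaluation described in the reply above, sketched as an added Python example that is not part of the original thread and is not Cisco's code: a first-match rule list is re-run after CoA, and the client leaves the portal only if a permit rule above the redirect rule matches the post-login session. The rule tuples, the `guest_flow` flag and the profile names are assumptions for illustration, as is the premise (taken from the accepted reply) that an identity-group condition of Guest does not match the re-authenticated MAB session.

```python
# Toy model of first-match authorization during Central Web Authentication.
# Rule layout, attribute names and profile names are assumptions made for
# this example; they are not ISE's internal data model.

REDIRECT, PERMIT, DENY = "CWA_Redirect", "PermitAccess", "DenyAccess"

def authorize(rules, session):
    """Return the profile of the first rule whose conditions all match."""
    for identity_group, condition, profile in rules:
        group_ok = identity_group in ("Any", session["identity_group"])
        if group_ok and condition(session):
            return profile
    return DENY

def cwa_flow(rules, coa_reauth=True, max_rounds=4):
    """Walk one client through MAB, portal login and CoA; list profiles applied."""
    # The client joins with MAB: only the MAC address is known at this point.
    session = {"method": "MAB", "identity_group": "Unknown", "guest_flow": False}
    applied = []
    for _ in range(max_rounds):
        profile = authorize(rules, session)
        applied.append(profile)
        if profile != REDIRECT:
            break
        # The user logs in on the portal and accepts the AUP.
        session["guest_flow"] = True
        if not coa_reauth:
            break  # no CoA: the policy is never re-evaluated, redirect stays
    return applied

is_mab = lambda s: s["method"] == "MAB"
is_guest_flow = lambda s: s["guest_flow"]

redirect_rule = ("Any", is_mab, REDIRECT)
# Guest rule keyed on the identity group column (assumed not to match the
# re-authenticated MAB session, as the accepted reply implies).
guest_by_group = ("Guest", is_guest_flow, PERMIT)
# Guest rule with the identity group column set to Any.
guest_any = ("Any", is_guest_flow, PERMIT)

if __name__ == "__main__":
    cases = [("redirect only", [redirect_rule]),
             ("Guest group above redirect", [guest_by_group, redirect_rule]),
             ("Any above redirect", [guest_any, redirect_rule]),
             ("redirect above guest rule", [redirect_rule, guest_any])]
    for label, rules in cases:
        print(f"{label:28} -> {cwa_flow(rules)}")
```

A result list that repeats the redirect profile until `max_rounds` is the loop back to the guest login page; only the ordering with the permit rule first and the identity group set to Any ends in a permit.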
07-02-2012 01:50 PM
I've attached a copy of my authorization policy.
Thanks for replying.
07-02-2012 01:54 PM
David,
Do you have RADIUS NAC enabled on your WLC? Also, what version of code are you running on the controller?
Also, when the authentication event occurs, can you post a screenshot of the authentication page (under Monitoring > Authentication)?
Along with AAA override, it should be under the advanced settings on the SSID.
Thanks
tarik Admani
07-02-2012 02:01 PM
I've attached screenshots
WLC Code
WLAN Settings
07-02-2012 02:07 PM
The controller side looks fine; we need to see if you have CoA enabled globally. Can you check the following and set the CoA to reauth (default is set to No CoA).
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_prof_pol.html#wp1340803
Please post a screenshot of the authentication report (Monitoring > Authentications).
thanks,
Tarik Admani
07-02-2012 02:15 PM
I did not have CoA enabled and set to reauth. I set that option, disconnected from the WLAN, reassociated, and it still loops back to the guest page. Attached a screenshot of the authentications - I assumed on ISE and not on the WLC.
07-02-2012 02:22 PM
Can you post a screenshot of your Guest policy? I only see the Identity group condition but the authorization profile that you assigned to this rule.
Thanks
tarik Admani
07-02-2012 02:24 PM
Guest Policy
07-02-2012 02:26 PM
Sorry,
I meant the authorization policy that is above your redirection policy under authorization.
07-02-2012 02:29 PM
The policy under Policy > Results then Authorization > Authorization Results?
07-02-2012 02:30 PM
Expand the screenshot in the 3rd message of this thread.
07-02-2012 02:34 PM
Nothing under Layer 3. I was sent a PowerPoint called "ISE for CUWN Essentials: Central Web Authentication (CWA) Configuration Example" and I followed that. I would attach it but I can only attach images/video. It calls for Layer 2 MAC filtering and nothing for Layer 3. Maybe that's wrong, but just filling you in on where I'm coming from.
Thanks,
David
07-02-2012 02:36 PM
Sorry about the previous message, I thought I had deleted that. I would like you to expand the screenshot in the 3rd message of this thread; it only shows the identity group condition and not the result that you selected.
07-02-2012 02:39 PM
Got it, attached below.