Cisco Support Community
Community Member

Guest Re-Authentication on ISE

Good Afternoon,

I am using ISE 1.2 to authenticate guest users on the WLC.

I created a sponsor account that creates guest credentials (username and password) and time profiles of 8 hours, 24 hours, 1 week, 1 month and 3 months respectively, and it worked fine.

Recently, it accepts the guest credentials and gives access to the network for about 2 to 3 minutes before it terminates the session and asks the user to re-authenticate on the guest portal. This continues repeatedly irrespective of the time profile I choose. Moreover, all other users aside from the guest users authenticate on the ISE without such a challenge.

Thanks for your suggestions in advance.

15 REPLIES
Cisco Employee

Re: Guest Re-Authentication on ISE

Hi Joseph,

As shown in the screenshot below, for the Authz profile that these guests are hitting, there is a default session timeout value set for re-authentication, and there is also an attribute to maintain connectivity.

Maintain Connectivity During Reauthentication has two options:

Default: If you set this option, it will take the CoA action 'Terminate'.

RADIUS-Request: If you set this option, it will take the CoA action 'Re-auth'.

Can you please check if these values are intact in your configuration?

Community Member

Re: Guest Re-Authentication on ISE

Hello nginjupa,

Thanks for the assistance; however, I am not using the reauthentication option in the Authz profile. I am using a DACL name, for which I have created the access-list under Downloadable ACLs. This is used to push down the access-list to the switch and the WLC.

It still gives access to the network after authentication by the guest user, but knocks the user off after about 3 - 5 minutes. That is, the user will have to re-authenticate with the same credentials, and the problem recurs over and over.

See below the screen shots for both the Authz profile and the Authz policy.

Attachments: Authz profile.PNG, Authz policy.PNG

Cisco Employee

Sample authorization policy for guest user

Community Member

Hi Guys,

I am also facing the same issue, as we have updated the image to 1.2.1 and are using CWA (MAC filtering) on the WLC, with session time 1800 on the WLC.

But still, after 5-6 min the guest user is asked for username and password on the guest redirection URL.

Can anybody give me the solution for the same?

Thanks & Regards

Pranav

Community Member

It is a software bug on the wireless controller software 7.4MR2.  You need to open a TAC case and request an engineering release from Cisco that contains the fix.  The fix was put in 7.4.121.17

Community Member

Same issue. I have tried to configure both the RADIUS attributes Radius:Idle-Timeout and Radius:Session-Timeout. Both have been set to 1900.

I keep being disconnected around 10 min after the iphone goes to sleep.

Could you show us your authorization profile ?

Community Member

What version of software are you running on your wireless controllers?

Community Member

8.0.133 on both the foreign and anchor controllers

I have been told we can configure the user idle time out per SSID on 8.1

Cisco Employee

Re: Guest Re-Authentication on ISE

Hi ,

It's worth checking the SSID setting under Advanced -> Enable Session Timeout. Hope the value is configured around 1800.

Cisco Employee

You might start by doing a debug client <mac> and see on the WLC what causes client disconnection.

Also make sure you are running a recent version of the WLC as there could be some issues.

Check also what the Policy state of the client is after web auth. It should move from WEBAUTH_REQD to RUN (you can see this in the Monitor > Client menu). The WLC will expire all clients that are in WEBAUTH_REQD state after 10 min.

Community Member

Hi!

I have had the same problem since yesterday, because I updated the WLC to 7.4.121 and the ISE to patch 6. Meanwhile I am thinking that it could be a bug or a change in the default properties. I don't know.

I hope somebody can solve the problem; otherwise I should open a case.... :(

regards alex

Community Member

I have the exact same problem. TAC said it looked like a bug. Have you come up with a workaround?

https://tools.cisco.com/bugsearch/bug/CSCul43158

Symptom: Wireless devices are randomly disconnected every 5-10 minutes with unknown policy timeout message in debug client

Conditions: Clients using Central Web Authentication (CWA).

Workaround: none

Community Member

I had the same problem. I have vWLC and 2500 series WLC. The bug CSCul43158 was fixed.

I upgraded from 7.6.100 to 7.6.130.0 and the problem was fixed. Now the wireless is working fine.

Silver

Check the WLC for the timeout value if no change has been made on ISE since the last deployment.

Community Member

We had the same challenges. The issue is that the device is going to sleep and the WLC times out the connection.

The way we fixed it was to use RADIUS attributes in the AuthZ profile to set the session timeout and inactivity timeout values to 8hrs. Works great.
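
Added example, not part of any post in this thread: a Python check of which timers a RADIUS Access-Accept actually carries, covering the Session-Timeout and Idle-Timeout attributes and the Default / RADIUS-Request choice discussed above. It assumes the RFC 2865 attribute numbers 27, 28 and 29; the packet is constructed for the demo, the function names are hypothetical, and the authenticator is not verified.

```python
import struct

# RFC 2865 attribute types (assumption: standard attributes, not vendor AVPs).
NAMES = {27: "Session-Timeout", 28: "Idle-Timeout", 29: "Termination-Action"}
TERM_ACTIONS = {0: "Default", 1: "RADIUS-Request"}
ACCESS_ACCEPT = 2

def build_accept(identifier, attrs):
    """Build a constructed Access-Accept (zeroed authenticator) as sample input."""
    body = b"".join(struct.pack("!BBI", t, 6, v) for t, v in attrs)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, identifier, 20 + len(body), b"\0" * 16)
    return header + body

def parse_timers(packet):
    """Return {attribute name: value} for the timer attributes in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    out, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype in NAMES and alen == 6:  # 32-bit integer attributes
            out[NAMES[atype]] = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += alen
    return out

def review(timers, expected_seconds):
    """List differences between the timers sent and the intended guest lifetime."""
    findings = []
    for name in ("Session-Timeout", "Idle-Timeout"):
        got = timers.get(name)
        if got is None:
            findings.append(f"{name} not sent")
        elif got != expected_seconds:
            findings.append(f"{name}={got}s, expected {expected_seconds}s")
    action = timers.get("Termination-Action")
    if action is not None:
        findings.append(f"Termination-Action={TERM_ACTIONS.get(action, action)}")
    return findings

if __name__ == "__main__":
    # Constructed sample: 8 hours (28800 s) for both timers, re-auth on expiry.
    sample = build_accept(7, [(27, 28800), (28, 28800), (29, 1)])
    print(parse_timers(sample), review(parse_timers(sample), 28800))
```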
