I can connect to guest SSID and redirection is happening to ISE guest portal page. Username and password (created by sponsor) is accepted in the guest portal. When i open a new browser it is again redirecting to guest portal rather moving to internet. Is it related to COA. Please advise. I am attaching the error what i am getting and the configuration also.
The issue is with your authorization rules. You need to change the conditions for the "Wireless Guest Rule." Remove the current condition about the "guest flow" and add a new condition and instruct ISE to look at the ISE Identity Store group where the guest users are created. Typically, this is the "Guest" internal identity user group. Leave the second "condition" block blank.
Nothing wrong with your authorization rules but Neno's suggestion would make security tighter in the long run. Your WLC configuration that is incorrect for CWA. Don't do layer 3 security- do layer 2 open auth with mac filtering and no layer 3 security.
Ops, I did not see the second set of screen shots. Yes, you need to disable L3 security and only use L2 with mac filtering as suggested above. You will also need to enable "radius NAC" under the advanced tab. The link below should walk you through the whole setup:
On a side note, I still think that the current authorization rules are incorrect. If they are left alone, wouldn't the guest users be let on the network as soon as they enter the guest flow, thus never hitting the CWA rule? Or the "guest-flow" does not happen until after redirection has taken place and credentials are entered? I am not at home otherwise I would test it :)
Did u ever get this solved? I rather have the same issue but the users are authenticated but redirected to the login page again. They do not get the "successfull" login screen but are authenticated anyway after the first time adding the credentials. Only after putting the credentials twice the successfull screen is shown.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...