Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Guest web authentication issue

Hi Support team,

Issue with Guest CWA with ISE.

I can connect to guest SSID and redirection is happening to ISE guest portal page. Username and password (created by sponsor) is accepted in the guest portal. When i open a new browser it is again redirecting to guest portal rather moving to internet. Is it related to COA. Please advise. I am attaching the error what i am getting and the configuration also.

Community Member

Hi Team, Please find the

Hi Team,


Please find the attached..

Cisco Employee

Hello-The issue is with your


The issue is with your authorization rules. You need to change the conditions for the "Wireless Guest Rule." Remove the current condition about the "guest flow" and add a new condition and instruct ISE to look at the ISE Identity Store group where the guest users are created. Typically, this is the "Guest" internal identity user group. Leave the second "condition" block blank.

Hope this helps!


Thank you for rating helpful posts! 


Community Member

Nothing wrong with your

Nothing wrong with your authorization rules but Neno's suggestion would make security tighter in the long run. Your WLC configuration that is incorrect for CWA. Don't do layer 3 security- do layer 2 open auth with mac filtering and no layer 3 security.


Cisco Employee

Ops, I did not see the second

Ops, I did not see the second set of screen shots. Yes, you need to disable L3 security and only use L2 with mac filtering as suggested above. You will also need to enable "radius NAC" under the advanced tab. The link below should walk you through the whole setup:


On a side note, I still think that the current authorization rules are incorrect. If they are left alone, wouldn't the guest users be let on the network as soon as they enter the guest flow, thus never hitting the CWA rule? Or the "guest-flow" does not happen until after redirection has taken place and credentials are entered? I am not at home otherwise I would test it :)


Thank you for rating helpful posts! 


Community Member

Guest flow is added after the

Guest flow is added after the CWA bit. By not adding the group it means you can't differentiate between different internal groups eg contractor vs guest.

Cisco Employee

Ah, so it is after the CWA.

Ah, so it is after the CWA. Thanks for confirming. (+5 from me)

Community Member

Hi, Did u ever get this



Did u ever get this solved? I rather have the same issue but the users are authenticated but redirected to the login page again. They do not get the "successfull" login screen but are authenticated anyway after the first time adding the credentials. Only after putting the credentials twice the successfull screen is shown.



Have you modified Wireless

Have you modified Wireless MAB authentication rule to Reject-Continue-Drop?

Select these values from the drop-down list:

  • Identity Source: TestSequence (this is the value created earlier)
  • If authentication failed: Reject
  • If user not found: Continue
  • If process failed: Drop

CreatePlease to create content