03-06-2014 05:16 AM - edited 03-10-2019 09:30 PM
We have set up the ISEs to allow wired guest users to logon with CWA but every time we get
"Your session has expired. Sign on again".
We successfully get to the portal and can logon, change password, accept conditions but then we just get the session expired page.
From the switch (some data redacted for privacy):
sw01#sh auth ses int f0/1
Interface: FastEthernet0/1
MAC Address: 0021.xxda.xx28
IP Address: xxx.xx.40.45
User-Name: 00-21-xx-DA-xx-28
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 901
ACS ACL: xACSACLx-IP_GuestWired_ISE_Portal_Access-53182da8
URL Redirect ACL: dot1x_WEBAUTH-REDIRECT
URL Redirect: https://guest.ourdomain.com:8443/guestportal/gateway?sessionId=AC1262FB000000FA0FCEFDB8&portal=TT_GuestPortal&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC1262FB000000FA0FCEFDB8
Acct Session ID: 0x000001CF
Handle: 0x370000FB
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
The ISE reports a failed login
Event | 5418 Guest Authentication Failed |
Failure Reason | 86017 |
Now the reason appears to be that the guest portal being accessed is on an ISE in our DMZ but the RADIUS/MAB authentication is done by our internal ISEs (all ISEs are part of the same cluster however). This is because the NAD is a switch and its management interface is on the inside of the network while the guest VLAN is in a DMZ. If we authenticate the RADIUS and guest on the same ISE (by breaking routing/security) then the access is granted and it all works correctly.
We are surmising that the session ID sent by the RADIUS ISE server is not available to the Guest Portal ISE server, so the session ID does not exist in the session cache.
So does the guest portal ISE server have to be the same ISE server that does the RADIUS/MAB session generation? There is no obvious way to tie a FQDN (e.g. guest.ourdomain.com) to the ISE used by the NAD.
Should the session ID not be shared across all enforcement nodes?
Any other ideas or thoughts?
Chris Davis
03-07-2014 02:48 AM
Session IDs are not replicated; you need to make sure that the ISE that has the portal is the same as the one that responded to the original MAB request from your switch.
Jan
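The condition Jan describes can be checked against the "show authentication sessions" output from the original post. The following script is an added example, not code from the thread or from Cisco: it parses the switch output, confirms the sessionId in the redirect URL matches the Common Session ID, and flags the case where the portal FQDN lands on a different PSN than the one that answered the MAB request. The PSN names and the host-to-PSN mapping are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: the relevant lines of the switch output quoted in the
# original post (redacted values kept as-is).
SAMPLE = """\
Interface: FastEthernet0/1
Status: Authz Success
Authorized By: Authentication Server
URL Redirect ACL: dot1x_WEBAUTH-REDIRECT
URL Redirect: https://guest.ourdomain.com:8443/guestportal/gateway?sessionId=AC1262FB000000FA0FCEFDB8&portal=TT_GuestPortal&action=cwa
Common Session ID: AC1262FB000000FA0FCEFDB8
"""

# Assumptions (not from the thread): which PSN each portal FQDN resolves to,
# and which PSN the switch sent the MAB/RADIUS request to.
PORTAL_HOST_TO_PSN = {"guest.ourdomain.com": "ise-dmz-psn"}
RADIUS_PSN = "ise-internal-psn"

def parse_session(text):
    """Turn 'Key: value' lines into a dict (the URL keeps its own colons)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def check_cwa(fields, portal_host_to_psn, radius_psn):
    """Return a list of problems; an empty list means the redirect is consistent."""
    problems = []
    url = urlparse(fields.get("URL Redirect", ""))
    sid = parse_qs(url.query).get("sessionId", [None])[0]
    if sid != fields.get("Common Session ID"):
        problems.append("sessionId in redirect URL differs from Common Session ID")
    if url.scheme != "https" or url.port != 8443:
        problems.append("portal URL is not https on tcp/8443")
    portal_psn = portal_host_to_psn.get(url.hostname)
    if portal_psn is None:
        problems.append(f"portal host {url.hostname} is not mapped to a PSN")
    elif portal_psn != radius_psn:
        problems.append(
            f"portal host {url.hostname} lands on {portal_psn} but MAB was "
            f"answered by {radius_psn}: session ID is not replicated, expect "
            "'session expired' (failure reason 86017)")
    return problems

if __name__ == "__main__":
    for problem in check_cwa(parse_session(SAMPLE), PORTAL_HOST_TO_PSN, RADIUS_PSN):
        print("PROBLEM:", problem)
```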
03-07-2014 05:36 AM
Designing ISE solutions properly is probably a bit out of the scope of this forum, but if you need to use the "hostname/static IP" option for web portals in ISE, you need to take care of load balancing traffic while maintaining stickiness on the RADIUS session ID, which ISE uses for many things.
03-07-2014 04:32 AM
Thanks Jan, do you know if this is by design, even across nodes in node groups? I'm guessing that Bug CSCul10677 is the same issue.
Thing is, it rather makes the CWA static IP/hostname option redundant/useless in a resilient configuration. It also means that the NAD must use the guest network for dot1x traffic, or that the guest network must be able to route over/into the internal network, neither of which appears to be ideal from a security perspective...
03-10-2014 03:41 AM
Do check that none of the ports are being blocked by the firewall, that you are using patch 6 for ISE, and that the clocks are in sync:
domain Permit DNS for name resolution
permit tcp 8443 Permit CWA/CPP to ISE Policy Service node
permit tcp any any eq 80 Allow http for redirection to Policy Service node
permit tcp any any eq 443 Allow https for redirection to Policy Service node
permit tcp 8905 Allow Agent discovery direct to Policy Service node
permit udp 8905 Allow Agent discovery and keep-alives
permit tcp 80 Explicit allow to remediation server
03-18-2014 08:35 AM
We've had it confirmed by TAC that as Jan said, this is by design although there is an internal engineering request to address this.
03-11-2014 05:27 AM
CWA Redirection URL:
https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa