ISE 1.2 Guest Access session expired

cd2
Level 1
Level 1

We have set up the ISEs to allow wired guest users to logon with CWA but every time we get

"Your session has expired. Sign on again".

We successfully get to the portal and can logon, change password, accept conditions but then we just get the session expired page.

From the switch (some data redacted for privacy):

sw01#sh auth ses int f0/1
            Interface:  FastEthernet0/1
          MAC Address:  0021.xxda.xx28
           IP Address:  xxx.xx.40.45
            User-Name:  00-21-xx-DA-xx-28
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  901
              ACS ACL:  xACSACLx-IP_GuestWired_ISE_Portal_Access-53182da8
     URL Redirect ACL:  dot1x_WEBAUTH-REDIRECT
         URL Redirect:  https://guest.ourdomain.com:8443/guestportal/gateway?sessionId=AC1262FB000000FA0FCEFDB8&portal=TT_GuestPortal&action=cwa
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  AC1262FB000000FA0FCEFDB8
      Acct Session ID:  0x000001CF
               Handle:  0x370000FB
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

The ISE reports a failed login:

Event 5418 Guest Authentication Failed
Failure Reason 86017

Now the reason appears to be that the guest portal being accessed is on an ISE in our DMZ but the RADIUS/MAB authentication is done by our internal ISEs (all ISEs are part of the same cluster however). This is because the NAD is a switch and its management interface is on the inside of the network while the guest VLAN is in a DMZ. If we authenticate the RADIUS and guest on the same ISE (by breaking routing/security) then the access is granted and it all works correctly.

We are surmising that the session ID sent by the RADIUS ISE server is not available to the Guest Portal ISE server, so the session ID does not exist in the session cache.

So does the guest portal ISE server have to be the same ISE server that does the RADIUS/MAB session generation? There is no obvious way to tie a FQDN (e.g. guest.ourdomain.com) to the ISE used by the NAD.

Should the session ID not be shared across all enforcement nodes?

Any other ideas or thoughts?

Chris Davis


6 Replies

jan.nielsen
Level 7
Level 7

Session IDs are not replicated; you need to make sure that the ISE that has the portal is the same as the one that responded to the original MAB request from your switch.

Jan

Thanks Jan, do you know if this is by design, even across nodes in node groups? I'm guessing that Bug CSCul10677 is the same issue.

Thing is, it rather makes the CWA static IP/Hostname option redundant/useless in a resilient configuration. It also means that the NAD must use the guest network for dot1x traffic or that the guest network must be able to route over/into the internal network, neither of which appears to be ideal from a security perspective...

Designing ISE solutions properly is probably a bit out of the scope of this forum, but if you need to use the "hostname/static IP" option for web portals in ISE, you need to take care of load balancing traffic while maintaining stickiness on the RADIUS session ID, which ISE uses for many things.
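The failure mode Jan describes, as an added model (not Cisco or ISE code): the sessionId from the switch's redirect URL above is looked up in a per-PSN session cache that is not replicated, so a portal request landing on a different PSN than the one that answered MAB gets "session expired", while a load balancer sticky on the RADIUS session ID sends it to the owning PSN. PSN names, the cache layout and the balancer are hypothetical.

```python
"""Model of CWA failing when the portal PSN != the PSN that ran MAB (added example)."""
from urllib.parse import parse_qs, urlparse

# Redirect URL copied from the 'show authentication sessions' output in the thread
REDIRECT_URL = ("https://guest.ourdomain.com:8443/guestportal/gateway"
                "?sessionId=AC1262FB000000FA0FCEFDB8&portal=TT_GuestPortal&action=cwa")


def session_id_from_redirect(url):
    """Pull the sessionId query parameter the portal uses for its cache lookup."""
    return parse_qs(urlparse(url).query).get("sessionId", [None])[0]


class PSN:
    """A Policy Service Node with its own, non-replicated session cache (assumption)."""
    def __init__(self, name):
        self.name = name
        self.sessions = {}

    def radius_mab(self, session_id, mac):
        # MAB succeeds; session is parked waiting for the CWA portal step
        self.sessions[session_id] = {"mac": mac, "state": "pending-cwa"}

    def guest_portal(self, session_id):
        if session_id not in self.sessions:          # cache miss on this PSN
            return "Your session has expired. Sign on again"
        self.sessions[session_id]["state"] = "authenticated"
        return "Guest access granted"


def sticky_lb(psns, session_id):
    """Hypothetical balancer that keeps stickiness on the RADIUS session ID."""
    for p in psns:
        if session_id in p.sessions:
            return p
    return psns[0]   # no owner known: default PSN, which will miss the cache


def demo():
    inside, dmz = PSN("ise-inside"), PSN("ise-dmz")   # constructed node names
    sid = session_id_from_redirect(REDIRECT_URL)
    inside.radius_mab(sid, "0021.xxda.xx28")           # MAB answered by the inside PSN
    wrong = dmz.guest_portal(sid)                      # portal FQDN lands on the DMZ PSN
    right = sticky_lb([dmz, inside], sid).guest_portal(sid)
    return sid, wrong, right


if __name__ == "__main__":
    print(demo())
```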

Do check that none of the ports are being blocked by the firewall, that you are using patch 6 for ISE, and that the clock is in sync.

domain Permit DNS for name resolution
permit tcp  8443 Permit CWA/CPP to ISE Policy Service node
permit tcp any any eq 80 Allow http for redirection to Policy Service node
permit tcp any any eq 443 Allow https for redirection to Policy Service node
permit tcp 8905 Allow Agent discovery direct to Policy Service node
permit udp  8905 Allow Agent discovery and keep-alives
permit tcp  80 Explicit allow to remediation server


We've had it confirmed by TAC that as Jan said, this is by design although there is an internal engineering request to address this.

Venkatesh Attuluri
Cisco Employee
Cisco Employee

CWA Redirection URL:

https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
