Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

cd2
New Member

ISE 1.2 Guest Access session expired

We have set up the ISEs to allow wired guest users to logon with CWA but every time we get

"Your session has expired. Sign on again".

We successfully get to the portal and can logon, change password, accept conditions but then we just get the session expired page.

From the switch (some data redacted fro privacy):

sw01#sh auth ses int f0/1

            Interface:  FastEthernet0/1

          MAC Address:  0021.xxda.xx28

           IP Address:  xxx.xx.40.45

            User-Name:  00-21-xx-DA-xx-28

               Status:  Authz Success

               Domain:  DATA

       Oper host mode:  multi-domain

     Oper control dir:  both

        Authorized By:  Authentication Server

          Vlan Policy:  901

              ACS ACL:  xACSACLx-IP_GuestWired_ISE_Portal_Access-53182da8

     URL Redirect ACL:  dot1x_WEBAUTH-REDIRECT

         URL Redirect:  https://guest.ourdomain.com:8443/guestportal/gateway?sessionId=AC1262FB000000FA0FCEFDB8&portal=TT_GuestPortal&action=cwa

      Session timeout:  N/A

         Idle timeout:  N/A

    Common Session ID:  AC1262FB000000FA0FCEFDB8

      Acct Session ID:  0x000001CF

               Handle:  0x370000FB

Runnable methods list:

       Method   State

       dot1x    Failed over

       mab      Authc Success

The ISE reports a failed login

Event5418 Guest Authentication Failed
Failure Reason86017

Now the reason appears to be that the guest portal being accesed is on an ISE in our DMZ but the RADIUS/MAB authentication is done by our internal ISEs (all ISEs are part of the same cluster however).  This is because the NAD is a switch and its management interface is on the inside of the network while  the guest VLAN is in a DMZ.  If we authenticate the RADIUS and guest on the same ISE (by breaking routing/security) then the access is granted and it all works corrcetly.

We are summarising that the session ID sent by the RADIUS ISE server is not avaialble to the Guest Portal ISE server so the session ID does not exist in the session cache.

So does the  guest portal ISE server have to be the same ISE server that does the RADIUS/MAB session generation?  There is no obvious way to tie a FQDN (e.g. guest.ourdomain.com) to the ISE used by the NAD.

Should the session ID not be shared across all enforcement nodes?

Any other ideas or thoughts?

Chris Davis

Everyone's tags (2)
2 ACCEPTED SOLUTIONS

Accepted Solutions

ISE 1.2 Guest Access session expired

SessionID's are not replicated, you need to make sure that the ISE that has the portal, is the same as the that responded to the original mab request from your switch.

Jan

ISE 1.2 Guest Access session expired

Designing ISE solutions properly is probably abit out of the scope of this forum, but if you need to use the "hostname/static ip" option for web portals in ise, you need to take care of loadbalancing traffic, while maintaining stickyness on the radius sessionid, that ise uses for many things.

6 REPLIES

ISE 1.2 Guest Access session expired

SessionID's are not replicated, you need to make sure that the ISE that has the portal, is the same as the that responded to the original mab request from your switch.

Jan

cd2
New Member

ISE 1.2 Guest Access session expired

Thanks Jan, do you know if this is by design, even across nodes in node groups?  I'm guessing that Bug CSCul10677 is the same issue.

Thing is, it rather makes the CWA static IP/Hostname option redundant/useless in a resilient configuration.  It also means that the NAD must use the guest network for dot1x traffic or that the guest nework must be able to route over/into the internal network neither of which appear to be ideal from a security perspective...

ISE 1.2 Guest Access session expired

Designing ISE solutions properly is probably abit out of the scope of this forum, but if you need to use the "hostname/static ip" option for web portals in ise, you need to take care of loadbalancing traffic, while maintaining stickyness on the radius sessionid, that ise uses for many things.

Silver

do check if any of the ports

do check if any of the ports are not being block through firewall and you are using patch 6 for ISE and clock needs to be sync

domain Permit DNS for name resolution
permit tcp  8443 Permit CWA/CPP to ISE Policy Service node
permit tcp any any eq 80 Allow http for redirection to Policy Service node
permit tcp any any eq 443 Allow https for redirection to Policy Service node
permit tcp 8905 Allow Agent discovery direct to Policy Service node
permit udp  8905 Allow Agent discovery and keep-alives
permit tcp  80 Explicit allow to remediation server

 

cd2
New Member

We've had it confirmed by TAC

We've had it confirmed by TAC that as Jan said, this is by design although there is an internal engineering request to address this.

Cisco Employee

CWA Redirection URL:https:/

CWA Redirection URL:

https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa

1658
Views
0
Helpful
6
Replies