
ISE and central web authentication

gnijs
Level 4

Hello all,

I have followed the steps in this document in detail:

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml

however, my central authentication does not work. I get to the guest portal, I get authenticated through the guest portal, but then the "second" MAB authentication doesn't happen.

In the last screen capture of the document, you get a green "Dynamic Authorization" line (third line from below). On my system this is a red line with the error message "11213 No response received from Network Access Device".

(I have a successful guest authentication in my ISE logs, but it seems ISE is unable to bounce or initiate the second MAB....)

Any ideas ?

regards,

Geert

2 Replies

gnijs
Level 4

OK, so it seems I was missing the CoA configuration:

After adding

aaa server radius dynamic-author

 client <ISE-IP-address> server-key <shared-key>

it worked....

By the way, I feel the document example is a bit too general. For example, if you implement the document, ISE will do web authentication and redirection even when you are using an 802.1X client and are authenticated (and you have no other rules in your Authorization sequence table).

I managed to prevent this by adding an additional condition to the first rule "MAC not known" that has the CentralWebAuth policy. Only do web authentication if MAC not known AND Wired_MAB is being used.
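
Added example, not part of the original thread or of the Cisco document: the missing CoA stanza behind error 11213 can be checked offline against a saved running-config. The Python below reports RADIUS servers the switch queries that have no `client` entry under `aaa server radius dynamic-author`; the sample config, its addresses and its key are constructed placeholders, and the function names are hypothetical.

```python
# Constructed sample running-config; addresses and key are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-KEY
radius server ISE-2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key EXAMPLE-KEY
aaa server radius dynamic-author
 client 192.0.2.10 server-key EXAMPLE-KEY
interface GigabitEthernet1/0/1
 authentication port-control auto
 mab
"""


def stanzas(config):
    """Yield (header, child_lines) for each top-level IOS config line."""
    header, children = None, []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():
            if header is not None:
                yield header, children
            header, children = line.strip(), []
        else:
            children.append(line.strip())
    if header is not None:
        yield header, children


def servers_missing_coa(config):
    """RADIUS server IPs with no matching dynamic-author client entry."""
    servers, coa_clients = set(), set()
    for header, children in stanzas(config):
        words = header.split()
        if words[:2] == ["radius-server", "host"] and len(words) > 2:
            servers.add(words[2])                      # legacy one-line syntax
        elif words[:2] == ["radius", "server"]:        # named-server syntax
            servers.update(c.split()[2] for c in children
                           if c.startswith("address ipv4 "))
        elif header == "aaa server radius dynamic-author":
            coa_clients.update(c.split()[1] for c in children
                               if c.startswith("client ") and "server-key" in c)
    return sorted(servers - coa_clients)


if __name__ == "__main__":
    # 192.0.2.11 is queried for authentication but may not send CoA.
    print(servers_missing_coa(SAMPLE_CONFIG))
```

The check matches on IP address only; it does not verify that the `server-key` equals the shared secret configured for the device in ISE.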