Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Looping Authentication Page after Successful Login - Cisco ISE Guest Access with WLC (Anchor+Foreign)

Hi,

Our setup is as follows;

1) Cisco ISE Policy Nodes within Internal Network

2) Guest controller at DMZ

3) Foreign Controller within Internal Network

4) Guest SSID

Once a user tries to access a website, the user is redirected to the authentication page of the policy node. When the user inderst the credentials, the page shows successful authentication but cannot access internet. When you try access the internet page again, a new login window is displayed. The ISE live authentication page shows successful login. What could be the issue?

Everyone's tags (1)
12 REPLIES
New Member

Please attach the

Please attach the Authorization policy

New Member

HiWe too face the same issue

Hi

We too face the same issue with ISE 1.2.1 with patch level 3.Guest is getting looped to the same URL after the successful login.

Matching the rule for cwa in authorization.

We have the controller model 2504 with Software Version 8.0.100.0

Please check the authentication, authorization, Policy_results and the WLC config for the reference.

New Member

Please check if after the

Please check if after the guest web authentication "Wireless Guest" policy is matched and Able to see new ACL in WLC for particular guest.

Please attach Authentications logs.

New Member

It is not hitting "Wireless

It is not hitting "Wireless Guest" policy rather looping in WLC_CWA  authorization policy.

New Member

Have you confirmed that if

Have you confirmed that if the guest user is part of guest or activated guest identity group?

 

For testing - Remove (Guest or Activated guest) condition.

and keep the rule as follows.

Wireless Guest If Network Access:UseCase EQUALS Guest Flow

And check the result

 

Make sure you have enabled the Radius NAC for the SSID

New Member

Thank youTried  without Guest

Thank you

Tried  without Guest or Activated Guest . But same result.

Wireless Guest If Network Access:UseCase EQUALS Guest Flow

 Yes i have enabled Radius NAC, AAA overide and MAC filtering..

Anything else is missing ? Is there any issue with the WLC model??

 

New Member

Hi shekharmore003 I found

Hi shekharmore003

 

I found Guest is working fine after i disabled and enabled the wireless. It is hitting the right profile. So let me brief the problem again

1. User getting connected to wireless guest SSID and obtained an IP.

2. It is redirecting to guest portal page for authentication.

3. After giving user name and password it gives the Acceptable page and then shows Signed on successfully

"You can now type in the original URL in the browser's address bar"

4.But when we open another url lets say google.com it is redirecting to guest portal page again for authentication. When i checked the live operational log i found the guest username with Guest Authentication Passed but it is not hitting our second rule.

5. Tried disabling/enabling wireless adapter then i found i am able to access internet and it is hitting the second rule correctly. Please find the attached logs.

Can we have a solution without disabling wireless adapter...

 

 

 

New Member

same, what's going on here?

same, what's going on here? for that bug, I'm not using "New Mobility (Converged Access)" .

so the workaround is not really useful.

Cisco Employee

Yep, most likely an issue

Yep, most likely an issue with your authorization policy, please attach a screenshot.

Thank you for rating helpful posts!
Cisco Employee

WLC Foreign-Anchor setup with

WLC Foreign-Anchor setup with CWA ISE keeps in web auth loop
CSCuo65407

Symptom:
Problem:
With WLC 5508 woring in Foreign-Anchor setup with ISE CWA, the client keeps running in Web Portal authentication loop.

Conditions:
Condition:
WLC 5508 with 7.6 version CWA.

Analyze:
ISE correctly configured and sending correct authorization policy information to Foreign WLC, however Anchor WLC keeps web-auth redirect ACL.

Workaround:
This only happens if "New Mobility (Converged Access) : Enabled"
Work around:
"New Mobility (Converged Access) : Disable"

Further Problem Description:

New Member

send me the link to this Bug

send me the link to this Bug ID.

Cisco Employee

https://tools.cisco.com

https://tools.cisco.com/bugsearch/bug/CSCuo65407

2753
Views
0
Helpful
12
Replies
CreatePlease to create content