Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Wireless LWA and ISE - unable to get past AUP

I have a very strange issue with wireless WebAuth where the users get redirected successfully to the WebAuth page and can enter their credentials, but once they accept the AUP they get redirected right back to the login page.  ISE 1.1 and WLC 7.0.235.0. 

On my WLAN, I have L3 web policy Authentication enabled, an ACL-WEBAUTH-REDIRECT preauth ACL, AAA override and external URL redirect to my local policy service node with the following syntax - https://<server FQDN>:8443/guestportal/Login.action

On ISE, my default authorization policy is WebAuth and I have another policy above that to identify my Guest identity group to be given InternetOnly permissions. 

Same results occur for internal guest user identity and sponsor guest identities.  From Operations>Authentications, I see the successful authentication of the guest account, but it is not applying the authorization profile.  When I view the client in the WLC, I see the state is WEBAUTH_REQD.  It appears the redirect is maybe not attaching a session ID to the end users.  Tried from several different devices and getting the same results.  Also tried to build a wired CWA and also having the same results.  User always gets redirected to the webauth page and can login, but acceptance of the AUP just brings the user back to the login page in an endless loop.

I feel like I am missing something simple here.  Anyone have any ideas?

Thanks,

Brian

  • AAA Identity and NAC
3 REPLIES
New Member

Wireless LWA and ISE - unable to get past AUP

are you using proxy for users?

Try on the machine to exclude proxy for ISE server

ie on internet explorer where you configure proxy just exlude ISE server from being proxied.

Hope to help.

New Member

Wireless LWA and ISE - unable to get past AUP

Hi Brian,

I have a TAC case opened for the almost the same issue. The current (temp) solution is to add a authorization rule with condition "Network Access:UseCase EQUALS Guest Flow". Any user authenticated by the ISE guestportal should hit this condition.

Hope that helps.

New Member

Wireless LWA and ISE - unable to get past AUP

I have found that specifying the AAA server under the WLAN appears to fix the issue, although this configuration is not listed as a requirement in the Trustsec DIG 2.0.  The WLC had other AAA servers configured globally and the session was likely defaulting the authentication request to one of those servers.  By statically defining the AAA server under the WLAN, we can ensure the authentication goes to the proper server.

1642
Views
0
Helpful
3
Replies
This widget could not be displayed.