I have a very strange issue with wireless WebAuth where the users get redirected successfully to the WebAuth page and can enter their credentials, but once they accept the AUP they get redirected right back to the login page. ISE 1.1 and WLC 220.127.116.11.
On my WLAN, I have L3 web policy Authentication enabled, an ACL-WEBAUTH-REDIRECT preauth ACL, AAA override and external URL redirect to my local policy service node with the following syntax - https://<server FQDN>:8443/guestportal/Login.action
On ISE, my default authorization policy is WebAuth and I have another policy above that to identify my Guest identity group to be given InternetOnly permissions.
Same results occur for internal guest user identity and sponsor guest identities. From Operations>Authentications, I see the successful authentication of the guest account, but it is not applying the authorization profile. When I view the client in the WLC, I see the state is WEBAUTH_REQD. It appears the redirect is maybe not attaching a session ID to the end users. Tried from several different devices and getting the same results. Also tried to build a wired CWA and also having the same results. User always gets redirected to the webauth page and can log in, but acceptance of the AUP just brings the user back to the login page in an endless loop.
I feel like I am missing something simple here. Anyone have any ideas?
I have a TAC case opened for almost the same issue. The current (temp) solution is to add an authorization rule with condition "Network Access:UseCase EQUALS Guest Flow". Any user authenticated by the ISE guestportal should hit this condition.
I have found that specifying the AAA server under the WLAN appears to fix the issue, although this configuration is not listed as a requirement in the Trustsec DIG 2.0. The WLC had other AAA servers configured globally and the session was likely defaulting the authentication request to one of those servers. By statically defining the AAA server under the WLAN, we can ensure the authentication goes to the proper server.