Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
823
Views
2
Helpful
9
Replies

ISE Guest Portal login is not working

BearingPoint
Level 1
Level 1

‎01-23-2024 05:40 AM

Hello,

I have configured the Cisco ISE as a guest portal. The users can register themselves and then a sponsor has to approve them. This all works. I now have the problem that in the first phase, as soon as I click on the SSID, I am redirected and can do everything, but as soon as I want to log in, there is an error in the second phase.

I get the following error in the log.

Event 5417 Dynamic Authorization failed 
				
Failure Reason 11213 No response received from Network Access Device after sending a Dynamic Authorization request

I have already checked. CoA is activated and allow AAA override is also set. An ACL with Aerospace ACL name was also specified in the Authorization Profile and this is also created on the WLC with Permit any any. (Permit any any because the firewall is supposed to manage all guest traffic)

The port udp 1700 is also permitted on the firewall.

 

Do you have any ideas as to what the problem might be?

 

BR Mario

 

Labels:
Preview file
179 KB
Preview file
284 KB
9 Replies 9

Aref Alsouqi
VIP
VIP

‎01-24-2024 01:40 AM - edited ‎01-24-2024 01:40 AM

Do you see any logs on the firewall for that CoA traffic going from ISE to the WLC and vice-versa? Please note that not only ISE needs to send a CoA request, but also the WLC would need to send a CoA ack back to ISE.

0 Helpful

BearingPoint
Level 1
Level 1
In response to Aref Alsouqi

‎01-24-2024 02:40 AM

I see the traffic from both sides. WLC towards ISE I see the protocols NEW-RADIUS (UDP 1812) and NEW-RADIUS-ACCOUNTING (UDP 1813) and these are allowed. ISE towards WLC I see traffic with port 1700 and this is also allowed.

 

0 Helpful

Aref Alsouqi
VIP
VIP
In response to BearingPoint

‎01-24-2024 03:05 AM

If you run some packet capture on the firewall on the interface facing the WLC, do you see any CoA traffic coming from the WLC to ISE?

0 Helpful

BearingPoint
Level 1
Level 1

‎01-24-2024 02:45 AM

What is also strange is that I sometimes see in the log that the Authorization Profile has been sent and an Accept is received, but I still cannot connect to the SSID, but the ISE shows it as a session. You can also see that the same device is also sending rejected requests, as shown in the previous document

 

Preview file
94 KB
0 Helpful

MHM Cisco World
VIP
VIP

‎01-24-2024 03:12 AM

in these case I separate the issue into 
NAD 
ISE 
FW or router in path between NAD and ISE 
what I get from your last reply the FW/R is not drop the CoA between the ISE and NAD (WLC)
what is WLC platform and and is the ver. <<- it better to open new post in wireless for same issue it can be bug WLC ver. you run
MHM

0 Helpful

BearingPoint
Level 1
Level 1
In response to MHM Cisco World

‎01-25-2024 05:17 AM

I opened a TAC Case - If I get an Solution I will post it

MHM Cisco World
VIP
VIP
In response to BearingPoint

‎01-25-2024 09:57 AM

Thanks a lot 

Have a nice day 

MHM

0 Helpful

Ping127001
Level 1
Level 1
In response to BearingPoint

‎03-19-2024 11:49 AM

Hello, did you get a solution from your TAC ?

0 Helpful

BearingPoint
Level 1
Level 1
In response to Ping127001

‎03-20-2024 07:40 AM

Hello,

it was a configuration issue on the wlc. 

 

 

0 Helpful
Customers Also Viewed These Support Documents