Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Cisco ISE Problems with Web Central authetication and Active Directory, and WLC


I have a problem relating to the authentication and authorization of wireless users (WPA Personal + Web Authentication) using captive portal, the problem is because users belong to more than one group of the active directory is the repository for policies settings authorization, user gets the password (WPA) in unauthorized SSID and authenticates to the portal with their valid but corresponding to another profile and takes on another level of access because the ISE detected as a valid user, someone I you can give a suggestion as to solve this problem

Thank you


 Cisco ISE Node Not

 Cisco ISE Node Not Authenticating with Active Directory

Symptoms or Issue

The administrator receives "authentication failure" messages in the Authentication Failure Report on the Administration ISE node.


This issue applies to Cisco ISE policy enforcement nodes added to an existing AD domain.

Possible Causes

•The administrator may not have changed the AD password on after joining the Cisco ISE node to the AD domain.

•The account used to join Cisco ISE to the Active Directory domain may have an expired password.


Change the account password that was used to join the AD domain after adding Cisco ISE to Active Directory.

HiThanks for you responsebut,


Thanks for you response

but, the problem is not change to password

I'm going to tell you in detail our problem.


We are using web authentication with ISE 1.2 default guest portal using active directory users


We have 5 SSID and we have 5 active directory groups. We want to associate each SSID to each active directory group, so we have created one authorization rule for each SSID using the attribute "external group" to define the user's active directory membership; and we have used the atributte "airspace-wlan-id" to define SSID.


The problem is: Sometimes it works and sometimes not.


We have review the logs and we have seen that the user is successfully authenticate by the web authentication portal but do not match any authorization rule, so we think ISE is not reading the "external group" attribute.


In addition we have to say that users could be members to more than one group within this 5 groups that we are using.


Cisco Employee

Please provide the

Please provide the authorization rule which you have defined on ISE.

CreatePlease login to create content