Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
341
Views
15
Helpful
3
Replies

Cisco ISE Problems with Web Central authetication and Active Directory, and WLC

Tito Enrique Proano Rosero
Level 1
Level 1

‎09-25-2014 08:22 PM - edited ‎07-05-2021 01:35 AM

hi

I have a problem relating to the authentication and authorization of wireless users (WPA Personal + Web Authentication) using captive portal, the problem is because users belong to more than one group of the active directory is the repository for policies settings authorization, user gets the password (WPA) in unauthorized SSID and authenticates to the portal with their valid but corresponding to another profile and takes on another level of access because the ISE detected as a valid user, someone I you can give a suggestion as to solve this problem

Thank you

Labels:
0 Helpful
3 Replies 3

Abhishek Abhishek
Cisco Employee
Cisco Employee

‎09-25-2014 10:31 PM

 Cisco ISE Node Not Authenticating with Active Directory

Symptoms or Issue
    

The administrator receives "authentication failure" messages in the Authentication Failure Report on the Administration ISE node.

Conditions
    

This issue applies to Cisco ISE policy enforcement nodes added to an existing AD domain.

Possible Causes
    

•The administrator may not have changed the AD password on after joining the Cisco ISE node to the AD domain.

•The account used to join Cisco ISE to the Active Directory domain may have an expired password.

Resolution
    

Change the account password that was used to join the AD domain after adding Cisco ISE to Active Directory.

Tito Enrique Proano Rosero
Level 1
Level 1
In response to Abhishek Abhishek

‎09-25-2014 10:36 PM

Hi

Thanks for you response

but, the problem is not change to password

I'm going to tell you in detail our problem.

 

We are using web authentication with ISE 1.2 default guest portal using active directory users

 

We have 5 SSID and we have 5 active directory groups. We want to associate each SSID to each active directory group, so we have created one authorization rule for each SSID using the attribute "external group" to define the user's active directory membership; and we have used the atributte "airspace-wlan-id" to define SSID.

 

The problem is: Sometimes it works and sometimes not.

 

We have review the logs and we have seen that the user is successfully authenticate by the web authentication portal but do not match any authorization rule, so we think ISE is not reading the "external group" attribute.

 

In addition we have to say that users could be members to more than one group within this 5 groups that we are using.

 

0 Helpful

Ravi Singh
Level 7
Level 7
In response to Tito Enrique Proano Rosero

‎09-29-2014 11:54 AM

Please provide the authorization rule which you have defined on ISE.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card