Cisco ISE Problems with Web Central authentication and Active Directory, and WLC
I have a problem relating to the authentication and authorization of wireless users (WPA Personal + Web Authentication) using a captive portal. The problem arises because users belong to more than one Active Directory group, and Active Directory is the repository for the authorization policy settings. A user gets the password (WPA) for an unauthorized SSID and authenticates to the portal with their valid credentials, which correspond to another profile, and takes on another level of access because ISE detects them as a valid user. Can someone give me a suggestion on how to solve this problem?
We are using web authentication with the ISE 1.2 default guest portal, using Active Directory users.
We have 5 SSIDs and 5 Active Directory groups. We want to associate each SSID with one Active Directory group, so we have created one authorization rule for each SSID, using the attribute "external group" to define the user's Active Directory membership and the attribute "airspace-wlan-id" to define the SSID.
The problem is: Sometimes it works and sometimes not.
We have reviewed the logs and have seen that the user is successfully authenticated by the web authentication portal but does not match any authorization rule, so we think ISE is not reading the "external group" attribute.
In addition, we have to say that users can be members of more than one group within these 5 groups that we are using.
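
Added example, not part of the original post and not ISE code: a simplified Python model of the five-rule policy described above, assuming first-match evaluation. Group names, WLAN IDs and profile names are constructed placeholders. It shows how a multi-group user is handled when each rule requires both the group and the WLAN ID, what happens when a rule checks the group only, and how to separate "no groups retrieved" from "group/SSID mismatch" when a session matches no rule.

```python
# Simplified model of the rule set described in the post; not ISE code.
# Group names, WLAN IDs and profile names are constructed placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    group: str     # AD group required (the "external group" condition)
    wlan_id: int   # WLAN required (the "airspace-wlan-id" condition)
    profile: str   # authorization result granted on match

# One rule per SSID; each is meant to require BOTH the group and the WLAN ID.
RULES = [Rule(f"SSID{i}", f"GRP-SSID{i}", i, f"ACCESS-{i}") for i in range(1, 6)]
DEFAULT = "DENY"

def authorize(groups, wlan_id, require_wlan=True, rules=RULES):
    """First-match evaluation (assumed). groups=None models a session where
    the AD group lookup returned nothing. require_wlan=False models a rule
    set that checks group membership only."""
    member_of = set(groups or ())
    for r in rules:
        if r.group in member_of and (not require_wlan or r.wlan_id == wlan_id):
            return r.name, r.profile
    return None, DEFAULT

def audit(sessions):
    """List sessions that passed portal login but matched no rule, with the
    likely cause: missing group data or a group/SSID mismatch."""
    findings = []
    for user, groups, wlan_id in sessions:
        rule, _ = authorize(groups, wlan_id)
        if rule is None:
            cause = "no-groups-retrieved" if not groups else "group-ssid-mismatch"
            findings.append((user, wlan_id, cause))
    return findings

# Constructed sessions: (user, AD groups seen at authorization time, WLAN ID)
SESSIONS = [
    ("alice", ["GRP-SSID1", "GRP-SSID3"], 3),  # multi-group user, permitted SSID
    ("alice", ["GRP-SSID1", "GRP-SSID3"], 2),  # has the PSK, not in that group
    ("bob", None, 4),                          # portal login OK, no groups read
]

if __name__ == "__main__":
    for user, groups, wlan in SESSIONS:
        print(user, wlan, authorize(groups, wlan))
    # Group-only rules: alice on WLAN 2 is given the profile of her first group
    print("group-only:", authorize(["GRP-SSID1", "GRP-SSID3"], 2, require_wlan=False))
    print(audit(SESSIONS))
```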