11-19-2013 08:50 AM - edited 07-04-2021 01:17 AM
TAC case logged for this problem a few days ago; TAC engineers are still unable to find a solution.
A number of Guest users are unable to log in to the ISE guest Portal page; some days a particular Guest can log in, other days the same Guest cannot. This varies day to day. When the Guest is unable to log in, I simply remove their MAC address on the Foreign and Anchor WLCs. Then straight after, they can log in successfully.
Guest connects to the Guest SSID, obtains a DHCP, enters a website in the browser like google.com, Guest is redirected to the ISE guest portal login page, Guest tries to log in with their credentials. Rather than showing an error in the browser, the username/password icons return blank after clicking login. After I remove the Guest MAC address from the Foreign & Anchor WLC, the user enters credentials again in their browser and success! User logs in fine.
Attached is an example where a4:17:31:4f:4a:82 is an affected Guest.
Attached output includes debug client a4:17:31:4f:4a:82 and debug aaa all enable.
I should also say ISE troubleshoot logs normally show either 8009 or 86010 user authentication failed for the particular Guest; after deleting the MAC address on the WLCs, guests log in OK and the live authentication log turns green for the user. ISE logs look clean, though I did see an ISE latency RADIUS message a few days ago, but it hasn't repeated.
WLCs 5508 - (7.5.102.0)
ISE (1.2 patch 3)
APs 3600
Any ideas anyone!
12-04-2013 03:50 AM
ISE BUG!
TAC have been working on my case since mid November. Finally I solved it on a temporary basis a week ago.
I increased the RADIUS Authentication from 2 seconds to 10 seconds on all my WLCs for ISE RADIUS; after this there were no more user complaints. If anyone is interested, please note the below, from the TAC engineer:
Thank you a lot for the update! Really, great finding.
Yes, sure: the latency bug is CSCuj47338 - Radius response delays seen on ISE with large Internal User store.
I have news on the fix: it potentially will go to the patch 7 for the 1.2.0 (at the end of February or March) and it should be fixed in 1.2.1 as well. Just to reiterate - for 1.3 there is no need to worry - the fix should be there.
There is nothing more we can do on this one, but just to wait.