Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1040
Views
0
Helpful
1
Replies

Client unable to login into ISE Guest portal

stephendrkw
Level 3
Level 3

‎11-19-2013 08:50 AM - edited ‎07-04-2021 01:17 AM

TAC case logged for this problem a few days ago, TAC engineers still unable to find solution

A number of Guest users are unable to login to the ISE guest Portal page, some days a particular Guest can login other days the same Guest cannot. This varies day to day. When the Guest is unable to login, I simply remove their mac address on the Foreign and Anchor WLC's. Then straight after, they can login successfully.

Guest connects to the Guest SSID, obtain a DHCP, enter a website in the browser like google.com, Guest is redirected to ISE guest portal login page, Guest tries to login with their credentials. Rather than showing an error in the browser, the username/password icons return blank after clicking login. After I remove the Guest mac address from Foreign & Anchor WLC, user enters credentials again in their browser and success! user logs in fine.

Attached is an example where a4:17:31:4f:4a:82 is an affected Guest.

Attached output includes debug client a4:17:31:4f:4a:82 and debug aaa all enable.

I should say also ISE troubleshoot logs normally show either 8009 or 86010 user authentication failed for the particular Guest, after deleting the mac address on WLC's, guets login in ok, live authenctiation log turns green for user. ISE logs look clean though I did see a ISE latency Radius message a few days ago but hasn't repeated.

WLC's 5508 - (7.5.102.0)

ISE (1.2 patch 3)

AP's 3600

Any ideas anyone!

1 person had this problem
Labels:
Preview file
153 KB
0 Helpful
1 Reply 1

stephendrkw
Level 3
Level 3

‎12-04-2013 03:50 AM

ISE BUG!

TAC have been working on my case since mid November. Finally I solved on a temporary basis a week ago.

I increased the Radius Authentication from 2 seconds to 10 seconds on all my WLC's for ISE Radius, after this there were no more user complaints. If anyone is interested, please note the below.....from the TAC engineer.

Thank you a lot for the update! Really, great finding.

Yes, sure: the latency bug is CSCuj47338 - Radius response delays seen on ISE with large Internal User store.

I have news on the fix: it potentially will go to the patch 7 for the

1.2.0 (at the end of February or March) and it should be fixed in 1.2.1 as well. Just to reiterate - for 1.3 there is no need to worry - the fix should be there.

There is nothing more we can do on this one, but just to wait.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card