Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Client unable to login into ISE Guest portal

TAC case logged for this problem a few days ago, TAC engineers still unable to find solution

A number of Guest users are unable to login to the ISE guest Portal page, some days a particular Guest can login other days the same Guest cannot. This varies day to day. When the Guest is unable to login, I simply remove their mac address on the Foreign and Anchor WLC's. Then straight after, they can login successfully.

Guest connects to the Guest SSID, obtain a DHCP, enter a website in the browser like google.com, Guest is redirected to ISE guest portal login page, Guest tries to login with their credentials. Rather than showing an error in the browser, the username/password icons return blank after clicking login. After I remove the Guest mac address from Foreign & Anchor WLC, user enters credentials again in their browser and success! user logs in fine.

Attached is an example where a4:17:31:4f:4a:82 is an affected Guest.

Attached output includes debug client a4:17:31:4f:4a:82 and debug aaa all enable.

I should say also ISE troubleshoot logs normally show either 8009 or 86010 user authentication failed for the particular Guest, after deleting the mac address on WLC's, guets login in ok, live authenctiation log turns green for user. ISE logs look clean though I did see a ISE latency Radius message a few days ago but hasn't repeated.

WLC's 5508 - (7.5.102.0)

ISE (1.2 patch 3)

AP's 3600

Any ideas anyone!

1 REPLY
Community Member

Re: Client unable to login into ISE Guest portal

ISE BUG!

TAC have been working on my case since mid November. Finally I solved on a temporary basis a week ago.

I increased the Radius Authentication from 2 seconds to 10 seconds on all my WLC's for ISE Radius, after this there were no more user complaints. If anyone is interested, please note the below.....from the TAC engineer.

Thank you a lot for the update! Really, great finding.

Yes, sure: the latency bug is CSCuj47338 - Radius response delays seen on ISE with large Internal User store.

I have news on the fix: it potentially will go to the patch 7 for the

1.2.0 (at the end of February or March) and it should be fixed in 1.2.1 as well. Just to reiterate - for 1.3 there is no need to worry - the fix should be there.

There is nothing more we can do on this one, but just to wait.

540
Views
0
Helpful
1
Replies
CreatePlease to create content