New Member

Self-Registration Portal Cisco ISE 1.3 Keeps Going Back to Auth Page

We upgraded our Cisco ISE from 1.2.x to 1.3.x.  The migration was successful, and everything appears to be correct.  I see that our customized portals were brought over as well.  We've created a new customized guest portal.  We've updated the authorization profile to reflect the new portal.  When a user goes through the process of registering, they register successfully, and then use the registration information to sign in successfully.  However, when they attempt to browse to a web page, they are redirected right back to the authentication page.  I've checked the SSID.  It's set for L2 mac-filtering, Radius NAC, and for our ISE ACL.  For the authentication security, CoA is enabled.  When the upgrade was completed, I did follow all of the post-migration tasks.  Can anyone give me any ideas why users are being redirected right back to the auth screen, once successfully authenticating, and not able to get to any internet sites?  Thanks for your help!

1 ACCEPTED SOLUTION

Can you export the Authorization policies and attach them here? ISE 1.3 allows you to do so.

10 REPLIES

New Member

Salodh,

Thank you so much for the quick reply!  Please find the export below:

<?xml version="1.0" encoding="UTF-8"?>

<Root>

<!--This section describes the Policy-Sets configured in ISE-->

<PolicySets>
  <PolicySet name="Wired" description="">
    <Conditions relationship="OR">
      <Condition name="Wired_MAB" type="REUSABLE_COMPOUND"/>
      <Condition name="Wired_802.1X" type="REUSABLE_COMPOUND"/>
    </Conditions>
    <Authentication>
      <rules>
        <rule name="Default" status="Enabled">
          <Conditions/>
          <Result name="Default Network Access" type="AllowedProtocolServices"/>
          <IdentitySourceRules>
            <rule name="Default" status="Enabled">
              <Conditions/>
              <IdentitySourceResult name="Internal Endpoints">
                <IdentitySource name="Internal Endpoints" type="IdentityStore"/>
                <AuthenFailed>REJECT</AuthenFailed>
                <UserNotFound>CONTINUE</UserNotFound>
                <ProcessFailed>DROP</ProcessFailed>
              </IdentitySourceResult>
            </rule>
          </IdentitySourceRules>
        </rule>
      </rules>
    </Authentication>
    <Authorization>
      <StandardRules>
        <rule name="Default" status="Enabled">
          <Conditions/>
          <identityGroups>
            <identityGroup name="Any"/>
          </identityGroups>
          <Result name="PermitAccess" type="Standard"/>
        </rule>
      </StandardRules>
      <LocalExceptionRules/>
    </Authorization>
  </PolicySet>
  <PolicySet name="Wireless" description="">
    <Conditions relationship="OR">
      <Condition name="Wireless_MAB" type="REUSABLE_COMPOUND"/>
      <Condition name="Wireless_802.1X" type="REUSABLE_COMPOUND"/>
    </Conditions>
    <Authentication>
      <rules>
        <rule name="Wireless Users" status="Enabled">
          <Conditions relationship="AND">
            <Condition name="Wireless_802.1X" type="REUSABLE_COMPOUND"/>
          </Conditions>
          <Result name="Default Network Access" type="AllowedProtocolServices"/>
          <IdentitySourceRules>
            <rule name="Default" status="Enabled">
              <Conditions/>
              <IdentitySourceResult name="AD1">
                <IdentitySource name="AD1" type="IdentityStore"/>
                <AuthenFailed>REJECT</AuthenFailed>
                <UserNotFound>REJECT</UserNotFound>
                <ProcessFailed>DROP</ProcessFailed>
              </IdentitySourceResult>
            </rule>
          </IdentitySourceRules>
        </rule>
        <rule name="Default" status="Enabled">
          <Conditions/>
          <Result name="Default Network Access" type="AllowedProtocolServices"/>
          <IdentitySourceRules>
            <rule name="Default" status="Enabled">
              <Conditions/>
              <IdentitySourceResult name="Internal Endpoints">
                <IdentitySource name="Internal Endpoints" type="IdentityStore"/>
                <AuthenFailed>REJECT</AuthenFailed>
                <UserNotFound>CONTINUE</UserNotFound>
                <ProcessFailed>DROP</ProcessFailed>
              </IdentitySourceResult>
            </rule>
          </IdentitySourceRules>
        </rule>
      </rules>
    </Authentication>
    <Authorization>
      <StandardRules>
        <rule name="Internal-Users-KMTMACHINE" status="Enabled">
          <Conditions relationship="AND">
            <Condition name="WLAN-User" type="REUSABLE_COMPOUND"/>
          </Conditions>
          <identityGroups>
            <identityGroup name="Any"/>
          </identityGroups>
          <Result name="WLAN-PERMITALL" type="Standard"/>
        </rule>
        <rule name="Internal-Users-MDM" status="Enabled">
          <Conditions relationship="AND">
            <Condition name="WLAN-User" type="REUSABLE_COMPOUND"/>
            <Condition name="WLAN-UserMDM" type="REUSABLE_COMPOUND"/>
          </Conditions>
          <identityGroups>
            <identityGroup name="Any"/>
          </identityGroups>
          <Result name="WLAN-PERMITALL" type="Standard"/>
        </rule>
        <rule name="Internal-Users-NONMDM1" status="Enabled">
          <Conditions relationship="AND">
            <Condition name="WLAN-User" type="REUSABLE_COMPOUND"/>
            <Condition name="WLAN-NotMDM" type="REUSABLE_COMPOUND"/>
          </Conditions>
          <identityGroups>
            <identityGroup name="Any"/>
          </identityGroups>
          <Result name="WLAN-PERMITONLYINTERNET" type="Standard"/>
        </rule>
        <rule name="Guest" status="Enabled">
          <Conditions relationship="AND">
            <Condition type="ADHOC">DEVICE:Device Type EQUALS All Device Types#Wireless</Condition>
          </Conditions>
          <identityGroups>
            <identityGroup name="Guest" type="User Identity Groups"/>
          </identityGroups>
          <Result name="Internet-Only" type="Standard"/>
        </rule>
        <rule name="Guest-CWA" status="Enabled">
          <Conditions relationship="AND">
            <Condition type="ADHOC">DEVICE:Device Type EQUALS All Device Types#Wireless</Condition>
          </Conditions>
          <identityGroups>
            <identityGroup name="Any"/>
          </identityGroups>
          <Result name="Guest-CWA" type="Standard"/>
        </rule>
        <rule name="Default" status="Enabled">
          <Conditions/>
          <identityGroups>
            <identityGroup name="Any"/>
          </identityGroups>
          <Result name="DenyAccess" type="Standard"/>
        </rule>
      </StandardRules>
      <LocalExceptionRules/>
    </Authorization>
  </PolicySet>
  <PolicySet name="Default" description="Default Policy Set">
    <Conditions/>
    <Authentication>
      <rules>
        <rule name="MAB" status="Enabled">
          <Conditions relationship="OR">
            <Condition name="Wired_MAB" type="REUSABLE_COMPOUND"/>
            <Condition name="Wireless_MAB" type="REUSABLE_COMPOUND"/>
          </Conditions>
          <Result name="Default Network Access" type="AllowedProtocolServices"/>
          <IdentitySourceRules>
            <rule name="Default" status="Enabled">
              <Conditions/>
              <IdentitySourceResult name="Internal Endpoints">
                <IdentitySource name="Internal Endpoints" type="IdentityStore"/>
                <AuthenFailed>REJECT</AuthenFailed>
                <UserNotFound>REJECT</UserNotFound>
                <ProcessFailed>DROP</ProcessFailed>
              </IdentitySourceResult>
            </rule>
          </IdentitySourceRules>
        </rule>
        <rule name="Dot1X" status="Enabled">
          <Conditions relationship="OR">
            <Condition name="Wired_802.1X" type="REUSABLE_COMPOUND"/>
            <Condition name="Wireless_802.1X" type="REUSABLE_COMPOUND"/>
          </Conditions>
          <Result name="Default Network Access" type="AllowedProtocolServices"/>
          <IdentitySourceRules>
            <rule name="Default" status="Enabled">
              <Conditions/>
              <IdentitySourceResult>
                <IdentitySource name="Internal Users" type="IdentityStore"/>
                <AuthenFailed>REJECT</AuthenFailed>
                <UserNotFound>REJECT</UserNotFound>
                <ProcessFailed>DROP</ProcessFailed>
              </IdentitySourceResult>
            </rule>
          </IdentitySourceRules>
        </rule>
        <rule name="Default" status="Enabled">
          <Conditions/>
          <Result name="Default Network Access" type="AllowedProtocolServices"/>
          <IdentitySourceRules>
            <rule name="Default" status="Enabled">
              <Conditions/>
              <IdentitySourceResult>
                <IdentitySource name="Internal Users" type="IdentityStore"/>
                <AuthenFailed>REJECT</AuthenFailed>
                <UserNotFound>REJECT</UserNotFound>
                <ProcessFailed>DROP</ProcessFailed>
              </IdentitySourceResult>
            </rule>
          </IdentitySourceRules>
        </rule>
      </rules>
    </Authentication>
    <Authorization>
      <StandardRules>
        <rule name="Wireless Black List Default" status="Enabled">
          <Conditions relationship="AND">
            <Condition name="Wireless_Access" type="REUSABLE_COMPOUND"/>
          </Conditions>
          <identityGroups>
            <identityGroup name="Blacklist" type="Endpoint Identity Groups"/>
          </identityGroups>
          <Result name="Blackhole_Wireless_Access" type="Standard"/>
        </rule>
        <rule name="Profiled Cisco IP Phones" status="Enabled">
          <Conditions/>
          <identityGroups>
            <identityGroup name="Cisco-IP-Phone"/>
          </identityGroups>
          <Result name="Cisco_IP_Phones" type="Standard"/>
        </rule>
        <rule name="Profiled Non Cisco IP Phones" status="Enabled">
          <Conditions relationship="AND">
            <Condition name="Non_Cisco_Profiled_Phones" type="REUSABLE_COMPOUND"/>
          </Conditions>
          <identityGroups>
            <identityGroup name="Any"/>
          </identityGroups>
          <Result name="Non_Cisco_IP_Phones" type="Standard"/>
        </rule>
        <rule name="Default" status="Enabled">
          <Conditions/>
          <identityGroups>
            <identityGroup name="Any"/>
          </identityGroups>
          <Result name="PermitAccess" type="Standard"/>
        </rule>
      </StandardRules>
      <LocalExceptionRules/>
    </Authorization>
  </PolicySet>
  <GlobalExceptions>
    <rules/>
  </GlobalExceptions>
</PolicySets>

<!--This section describes the Reusable Conditions configured in ISE-->

<ReusableConditions>
  <Authentication>
    <Compound>
      <condition name="Wired_MAB" description="A condition to match MAC Authentication Bypass service requests from Cisco Catalyst Switches" relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Call Check</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Ethernet</Condition>
      </condition>
      <condition name="Wireless_MAB" description="A condition to match MAC Authentication Bypass service requests from Cisco Wireless LAN Controller" relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Call Check</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition>
      </condition>
      <condition name="Wired_802.1X" description="A condition to match an 802.1X based authentication requests from Cisco Catalyst Switches" relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Framed</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Ethernet</Condition>
      </condition>
      <condition name="Wireless_802.1X" description="A condition to match an 802.1X based authentication request from Cisco Wireless LAN Controller" relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Framed</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition>
      </condition>
      <condition name="Switch_Local_Web_Authentication" description="A condition to match authentication requests for Local Web Authentication from Cisco Catalyst Switches" relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Outbound</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Ethernet</Condition>
      </condition>
      <condition name="WLC_Web_Authentication" description="A condition to match authentication requests for Web Authentication from Cisco Wireless LAN Controller" relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Login</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition>
      </condition>
    </Compound>
  </Authentication>
  <Authorization>
    <Compound>
      <condition name="Wired_802.1X" description="Default condition used to match an 802.1X based authentication requests from Cisco Catalyst Switches." relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Framed</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Ethernet</Condition>
      </condition>
      <condition name="Wired_MAB" description="Default condition used to match MAB Authentication Bypass service requests from Cisco Catalyst Switches." relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Call Check</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Ethernet</Condition>
      </condition>
      <condition name="Wireless_802.1X" description="Default condition used to match an 802.1X based authentication request from Cisco Wireless LAN Controller." relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Framed</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition>
      </condition>
      <condition name="Wireless_MAB" description="Default condition used to match MAB Authentication Bypass service requests from Cisco Wireless LAN Controller." relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Call Check</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition>
      </condition>
      <condition name="Catalyst_Switch_Local_Web_Authentication" description="Default condition used to match authentication requests for Local Web Authentication from Cisco Catalyst Switches" relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Outbound</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Ethernet</Condition>
      </condition>
      <condition name="WLC_Web_Authentication" description="Default condition used to match authentication requests for Web Authentication from Cisco Wireless LAN Controller" relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Login</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition>
      </condition>
      <condition name="Non_Cisco_Profiled_Phones" description="Default condition used to match Non Cisco IP Phones" relationship="AND">
        <Condition type="ADHOC">EndPoints:LogicalProfile EQUALS IP-Phones</Condition>
      </condition>
      <condition name="Wireless_Access" description="Default condition used to match any authentication request from Cisco Wireless LAN Controller." relationship="AND">
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition>
      </condition>
      <condition name="KMT-WLAN-UserMDM" description="Default condition used to match an 802.1X based authentication request from Cisco Wireless LAN Controller." relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Framed</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition>
        <Condition type="ADHOC">MDM:DeviceRegisterStatus EQUALS Registered</Condition>
      </condition>
      <condition name="KMT-WLAN-User" description="Default condition used to match an 802.1X based authentication request from Cisco Wireless LAN Controller." relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Framed</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition>
        <Condition type="ADHOC">AD1:ExternalGroups EQUALS /Users/Domain Users</Condition>
      </condition>
      <condition name="KMT-WLAN-NotMDM" description="Kennametal device is NOT registered with AirWatch" relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Framed</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition>
        <Condition type="ADHOC">MDM:DeviceRegisterStatus EQUALS UnRegistered</Condition>
      </condition>
      <condition name="KMT-WLAN-MACHINE" description="Machine authentication against Active Directory" relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Framed</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition>
        <Condition type="ADHOC">AD1:ExternalGroups EQUALS /Users/Domain Computers</Condition>
      </condition>
      <condition name="KMT-WLAN-UserNotAD" description="User not in Active Directory" relationship="AND">
        <Condition type="ADHOC">Radius:Service-Type EQUALS Framed</Condition>
        <Condition type="ADHOC">Radius:NAS-Port-Type EQUALS Wireless - IEEE 802.11</Condition>
        <Condition type="ADHOC">AD1:ExternalGroups NOT_CONTAINS /Users/Domain Users</Condition>
      </condition>
    </Compound>
    <Simple>
      <condition name="CertRenewalRequired" description="">CERTIFICATE:Days to Expiry LESS 15</condition>
      <condition name="CertRenewalRequired_copy" description="">CERTIFICATE:Days to Expiry LESS 15</condition>
    </Simple>
  </Authorization>
</ReusableConditions>

<!--This section describes the Allowed Protocols configured in ISE-->

<AllowedProtocols>
  <AllowedProtocol name="Default Network Access" description="Default Allowed Protocol Service">
    <Option name="Process Host Lookup" value="true"/>
    <Option name="Allow PAP/ASCII" value="true">
      <Option name="Detect PAP as Host Lookup" value="false"/>
    </Option>
    <Option name="Allow CHAP" value="false"/>
    <Option name="Allow MS-CHAPv1" value="false"/>
    <Option name="Allow MS-CHAPv2" value="false"/>
    <Option name="Allow EAP-MD5" value="true">
      <Option name="Detect EAP-MD5 as Host Lookup" value="false"/>
    </Option>
    <Option name="Allow EAP-TLS" value="true"/>
    <Option name="Allow LEAP" value="false"/>
    <Option name="Allow PEAP" value="true">
      <Option name="PEAP-Allow EAP-MS-CHAPv2" value="true">
        <Option name="Allow Password Change" value="true"/>
        <Option name="Retries" value="1"/>
      </Option>
      <Option name="PEAP-Allow EAP-GTC" value="true">
        <Option name="Allow Password Change" value="true"/>
        <Option name="Retries" value="1"/>
      </Option>
      <Option name="PEAP-Allow EAP-TLS" value="true"/>
      <Option name="Allow PEAPv0 only for legacy clients" value="false"/>
    </Option>
    <Option name="Allow EAP-FAST" value="true">
      <Option name="EAP-FAST-Allow EAP-MS-CHAPv2" value="true">
        <Option name="Allow Password Change" value="true"/>
        <Option name="Retries" value="3"/>
      </Option>
      <Option name="EAP-FAST-Allow EAP-GTC" value="true">
        <Option name="Allow Password Change" value="true"/>
        <Option name="Retries" value="3"/>
      </Option>
      <Option name="EAP-FAST-Allow EAP-TLS" value="true">
        <Option name="Use PACs" value="true">
          <Option name="Tunnel PAC Time To Live in Seconds" value="7776000"/>
          <Option name="Proactive PAC update will occur after" value="90"/>
          <Option name="Allow Anonymous In-Band PAC Provisioning" value="true"/>
          <Option name="Allow Authenticated In-Band PAC Provisioning" value="true">
            <Option name="Server Returns Access Accept After Authenticated Provisioning" value="true"/>
            <Option name="Accept Client Certificate For Provisioning" value="false"/>
          </Option>
          <Option name="Use PACs-Allow Machine Authentication" value="true">
            <Option name="Machine PAC Time To Live in Seconds" value="604800"/>
          </Option>
          <Option name="Enable Stateless Session Resume" value="true">
            <Option name="Authorization PAC Time To Live in Seconds" value="3600"/>
          </Option>
        </Option>
      </Option>
      <Option name="Enable EAP Chaining" value="false"/>
    </Option>
  </AllowedProtocol>
</AllowedProtocols>

<!--This section describes the Identity Sequences configured in ISE-->

<IdentitySequences>
  <Sequence name="MyDevices_Portal_Sequence" description="A built-in Identity Sequence for the My Devices Portal">
    <Sources>
      <Source name="Internal Users"/>
    </Sources>
    <option name="Select Certificate Authentication Profile" value="false"/>
    <option name="Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError" value="false"/>
    <option name="Treat as if the user was not found and proceed to the next store in the sequence" value="true"/>
  </Sequence>
  <Sequence name="AD_Local" description="">
    <Sources>
      <Source name="AD1"/>
      <Source name="Internal Users"/>
    </Sources>
    <option name="Select Certificate Authentication Profile" value="false"/>
    <option name="Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError" value="true"/>
    <option name="Treat as if the user was not found and proceed to the next store in the sequence" value="false"/>
  </Sequence>
  <Sequence name="Guest_Portal_Sequence" description="A built-in Identity Sequence for the Guest Portal">
    <Sources>
      <Source name="Guest Users"/>
      <Source name="Internal Users"/>
    </Sources>
    <option name="Select Certificate Authentication Profile" value="false"/>
    <option name="Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError" value="false"/>
    <option name="Treat as if the user was not found and proceed to the next store in the sequence" value="true"/>
  </Sequence>
  <Sequence name="Sponsor_Portal_Sequence" description="A built-in Identity Sequence for the Sponsor Portal">
    <Sources>
      <Source name="AD1"/>
      <Source name="Internal Users"/>
    </Sources>
    <option name="Select Certificate Authentication Profile" value="false"/>
    <option name="Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError" value="true"/>
    <option name="Treat as if the user was not found and proceed to the next store in the sequence" value="false"/>
  </Sequence>
</IdentitySequences>

<!--This section describes the RADIUS Server Sequences configured in ISE-->

<Proxies/>

<!--This section describes the Authorization Results configured in ISE-->

<AznResults>
  <StandardResults>
    <Profile name="Blackhole_Wireless_Access" description="Default profile used to blacklist wireless devices. Ensure that you configure a BLACKHOLE ACL on the Wireless LAN Controller.">
      <option name="Attributes Details">cisco-av-pair = url-redirect=https://ip:port/blacklistportal/gateway?portal=5cfcae50-68f4-11e4-9468-7426acc9970c, cisco-av-pair = url-redirect-acl=BLACKHOLE</option>
      <option name="Access Type" value="ACCESS_ACCEPT"/>
      <option name="Service Template" value="false"/>
    </Profile>
    <Profile name="Cisco_IP_Phones" description="Default profile used for Cisco Phones.">
      <option name="Attributes Details">cisco-av-pair = device-traffic-class=voice, DACL = PERMIT_ALL_TRAFFIC</option>
      <option name="Access Type" value="ACCESS_ACCEPT"/>
      <option name="Service Template" value="false"/>
    </Profile>
    <Profile name="DenyAccess" description="Default Profile with access type as Access-Reject">
      <option name="Access Type" value="ACCESS_REJECT"/>
      <option name="Service Template" value="false"/>
    </Profile>
    <Profile name="Guest-CWA" description="">
      <option name="Attributes Details">cisco-av-pair = url-redirect-acl=Web-Redirect, cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&amp;portal=589dd0f0-6908-11e4-9ef5-7426acc9970c&amp;daysToExpiry=value&amp;action=cwa</option>
      <option name="Access Type" value="ACCESS_ACCEPT"/>
      <option name="Service Template" value="false"/>
    </Profile>
    <Profile name="Internet-Only" description="">
      <option name="Attributes Details">Airespace-ACL-Name = Internet-Only</option>
      <option name="Access Type" value="ACCESS_ACCEPT"/>
      <option name="Service Template" value="false"/>
    </Profile>
    <Profile name="KMT-WLAN-AD-LOGIN" description="">
      <option name="Attributes Details">Airespace-ACL-Name = AD-LOGIN</option>
      <option name="Access Type" value="ACCESS_ACCEPT"/>
      <option name="Service Template" value="false"/>
    </Profile>
    <Profile name="KMT-WLAN-PERMITALL" description="">
      <option name="Attributes Details">Airespace-ACL-Name = PERMIT-ALL</option>
      <option name="Access Type" value="ACCESS_ACCEPT"/>
      <option name="Service Template" value="false"/>
    </Profile>
    <Profile name="KMT-WLAN-PERMITONLYINTERNET" description="">
      <option name="Attributes Details">Airespace-ACL-Name = EMP-INTERNETONLY</option>
      <option name="Access Type" value="ACCESS_ACCEPT"/>
      <option name="Service Template" value="false"/>
    </Profile>
    <Profile name="Non_Cisco_IP_Phones" description="Default Profile used for Non Cisco Phones.">
      <option name="Attributes Details">cisco-av-pair = device-traffic-class=voice, DACL = PERMIT_ALL_TRAFFIC</option>
      <option name="Access Type" value="ACCESS_ACCEPT"/>
      <option name="Service Template" value="false"/>
    </Profile>
    <Profile name="PermitAccess" description="Default Profile with access type as Access-Accept">
      <option name="Access Type" value="ACCESS_ACCEPT"/>
      <option name="Service Template" value="false"/>
    </Profile>
  </StandardResults>
  <SecurityGroups>
    <SecurityGroup name="Unknown" description="Unknown Security Group">
      <option name="Security Group Tag" value="0"/>
    </SecurityGroup>
  </SecurityGroups>
</AznResults>

</Root>

New Member

Hello, deldotgov22

I'm having the same problem as yours. I updated my Cisco ISE to 1.3 and now it does not work anymore.

Could you tell me what URL redirect you set on your WLC?

I'm trying to use the hotspot or any other portal, and none of them work anymore.

Could you tell me what settings you applied in your Cisco ISE?

Thank you

New Member

Hello,

Did anyone resolve this issue? I've just upgraded ISE 1.2 to 1.3 and now I'm struggling with the same problem as deldotgov22 described (guest portal authentication loop).

Are you using CWA? If so, there is a specific AUTHZ policy you need to configure to avoid an AUTHZ loop (I tested it in the lab before implementation). I think it has nothing to do with the AUTH process, which is straightforward.

Something else that happened to me when I upgraded from 1.1.3 to 1.2: if you are using customized portals, you need to manually select the IDENTITY STORE SEQUENCE in the Authentication tab of the customized portal. Maybe this part was missed (left blank) when you upgraded from 1.2 to 1.3.

Another idea: check whether something changed in your configuration during the upgrade under AUTH Policies -> Use -> Internal Endpoints -> (if authentication failed, if user not found, if process failed), i.e. the options you had set to CONTINUE, REJECT or DROP.

Hoping this helps.
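An added check, not from this thread and not Cisco's code: a Python script that reads an ISE 1.3 policy export of the shape posted earlier in the thread and looks for the three things raised above. First, the CWA rule order Abraham describes: ISE evaluates standard authorization rules top down and stops at the first match, so a rule that gives the Guest identity group a non-redirect result (Internet-Only in the export) has to sit above the url-redirect rule, otherwise the freshly authenticated guest matches the redirect rule again and lands back on the portal. Second, the Internal Endpoints "if user not found" option from the last paragraph, which must be CONTINUE for the pre-login MAB request of an unknown MAC to reach the CWA authorization rule at all. Third, rules that reference a reusable condition or an authorization profile that is not defined anywhere else in the export, which is what a half-migrated policy would look like. Only profiles whose url-redirect carries `action=cwa` are treated as CWA redirects, so the blacklist portal profile is not counted. The embedded `SAMPLE_EXPORT` is constructed and trimmed from the posted export; the element and attribute names follow that export, and the `guest_group` default of "Guest" is an assumption taken from it.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the ISE 1.3 export posted earlier in this thread:
# one Wireless policy set, the MAB default authentication rule, and the authorization
# rules Internal-Users / Guest / Guest-CWA / Default in that order.
SAMPLE_EXPORT = """<Root>
<PolicySets><PolicySet name="Wireless" description="">
<Authentication><rules><rule name="Default" status="Enabled"><Conditions/>
<IdentitySourceRules><rule name="Default" status="Enabled"><Conditions/>
<IdentitySourceResult name="Internal Endpoints">
<IdentitySource name="Internal Endpoints" type="IdentityStore"/>
<AuthenFailed>REJECT</AuthenFailed><UserNotFound>CONTINUE</UserNotFound><ProcessFailed>DROP</ProcessFailed>
</IdentitySourceResult></rule></IdentitySourceRules></rule></rules></Authentication>
<Authorization><StandardRules>
<rule name="Internal-Users" status="Enabled">
<Conditions relationship="AND"><Condition name="WLAN-User" type="REUSABLE_COMPOUND"/></Conditions>
<identityGroups><identityGroup name="Any"/></identityGroups>
<Result name="WLAN-PERMITALL" type="Standard"/></rule>
<rule name="Guest" status="Enabled"><Conditions/>
<identityGroups><identityGroup name="Guest" type="User Identity Groups"/></identityGroups>
<Result name="Internet-Only" type="Standard"/></rule>
<rule name="Guest-CWA" status="Enabled"><Conditions/>
<identityGroups><identityGroup name="Any"/></identityGroups>
<Result name="Guest-CWA" type="Standard"/></rule>
<rule name="Default" status="Enabled"><Conditions/>
<identityGroups><identityGroup name="Any"/></identityGroups>
<Result name="DenyAccess" type="Standard"/></rule>
</StandardRules></Authorization></PolicySet></PolicySets>
<ReusableConditions><Authorization><Compound>
<condition name="KMT-WLAN-User" description="" relationship="AND">
<Condition type="ADHOC">AD1:ExternalGroups EQUALS /Users/Domain Users</Condition></condition>
</Compound></Authorization></ReusableConditions>
<AznResults><StandardResults>
<Profile name="Guest-CWA" description=""><option name="Attributes Details">cisco-av-pair = url-redirect-acl=Web-Redirect, cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&amp;action=cwa</option></Profile>
<Profile name="Internet-Only" description=""><option name="Attributes Details">Airespace-ACL-Name = Internet-Only</option></Profile>
<Profile name="KMT-WLAN-PERMITALL" description=""><option name="Attributes Details">Airespace-ACL-Name = PERMIT-ALL</option></Profile>
<Profile name="DenyAccess" description=""><option name="Access Type" value="ACCESS_REJECT"/></Profile>
</StandardResults></AznResults>
</Root>"""


def cwa_profiles(root):
    """Names of authorization profiles whose url-redirect is a central web auth redirect."""
    names = set()
    for profile in root.iter("Profile"):
        for opt in profile.findall("option"):
            if opt.get("name") == "Attributes Details" and "action=cwa" in (opt.text or ""):
                names.add(profile.get("name"))
    return names


def authz_rules(policy_set):
    """Enabled standard authorization rules, top down, as (name, groups, conditions, result)."""
    out = []
    for rule in policy_set.findall("./Authorization/StandardRules/rule"):
        if rule.get("status") != "Enabled":
            continue
        groups = [g.get("name") for g in rule.findall("./identityGroups/identityGroup")]
        conds = [c.get("name") for c in rule.findall("./Conditions/Condition")
                 if c.get("type") == "REUSABLE_COMPOUND"]
        result = rule.find("Result")
        out.append((rule.get("name"), groups, conds, result.get("name") if result is not None else None))
    return out


def check_export(xml_text, guest_group="Guest"):
    """Findings as strings; an empty list means nothing in the export explains a CWA loop."""
    root = ET.fromstring(xml_text)
    cwa = cwa_profiles(root)
    profiles = {p.get("name") for p in root.iter("Profile")}
    reusable = root.find("./ReusableConditions/Authorization")
    conditions = {c.get("name") for c in reusable.iter("condition")} if reusable is not None else set()
    findings = []
    for ps in root.findall("./PolicySets/PolicySet"):
        name, rules = ps.get("name"), authz_rules(ps)
        # References the import may have broken: names defined nowhere else in the export.
        for rname, _, conds, result in rules:
            for c in conds:
                if c not in conditions:
                    findings.append(f"{name}/{rname}: condition '{c}' is not defined in ReusableConditions")
            if result not in profiles:
                findings.append(f"{name}/{rname}: result profile '{result}' is not defined in AznResults")
        redirect = [i for i, r in enumerate(rules) if r[3] in cwa]
        if not redirect:
            continue  # no CWA redirect in this policy set, so no loop is possible here
        grant = [i for i, r in enumerate(rules) if guest_group in r[1] and r[3] not in cwa]
        if not grant:
            findings.append(f"{name}: no rule gives '{guest_group}' a non-redirect result; after login "
                            f"the session matches '{rules[redirect[0]][0]}' again")
        elif grant[0] > redirect[0]:
            findings.append(f"{name}: guest rule '{rules[grant[0]][0]}' sits below redirect rule "
                            f"'{rules[redirect[0]][0]}'; first match wins, so move it up")
        # The pre-login MAB request carries an unknown MAC; Internal Endpoints must CONTINUE on
        # user-not-found, otherwise authentication rejects and the CWA rule is never reached.
        authn = ps.find("Authentication")
        for isr in (authn.iter("IdentitySourceResult") if authn is not None else []):
            src = isr.find("IdentitySource")
            if (src is not None and src.get("name") == "Internal Endpoints"
                    and isr.findtext("UserNotFound") != "CONTINUE"):
                findings.append(f"{name}: Internal Endpoints UserNotFound is "
                                f"{isr.findtext('UserNotFound')}; CWA needs CONTINUE")
    return findings


if __name__ == "__main__":
    for line in check_export(SAMPLE_EXPORT) or ["no findings"]:
        print(line)
```

Run against the full export posted earlier, the Wireless policy set passes the two CWA checks (the Guest rule sits above Guest-CWA, and its Internal Endpoints rule is set to CONTINUE), but the dangling-reference check fires: the Internal-Users-* rules reference the conditions WLAN-User, WLAN-UserMDM and WLAN-NotMDM and the profiles WLAN-PERMITALL and WLAN-PERMITONLYINTERNET, while the export defines them as KMT-WLAN-User, KMT-WLAN-UserMDM, KMT-WLAN-NotMDM, KMT-WLAN-PERMITALL and KMT-WLAN-PERMITONLYINTERNET. Whether that is simply how ISE 1.3 exports them or a migration artifact, the thread does not say, but it is consistent with the later report that rebuilding the imported policies by hand made the loop go away. Matching the Guest identity group is how the posted export does it; ISE 1.3 also provides the Network Access:UseCase EQUALS Guest Flow condition for the post-CoA authorization, which does not depend on the identity group of the session, and the same ordering rule applies to it.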


New Member

Hi Abraham,

Yes, I'm using CWA. AuthZ policy is configured like that:
1. if Guest (identity group) then Internet-only (ACL on WLC)
2. if no matches, then CentralWebauth

The identity store sequence is also configured as it was before (just in case, I changed the policy to use the default guest portal and default sponsor portal).

For Guest portal:
- Guest users
- Internal users

For Sponsor portal:
- Active directory
- Internal users

AuthN policies look pretty much the same too. I'm sure there is something wrong with AuthZ and the resolution might be trivial, but I don't know where to look now.

I also attached a log file. This is how it looks from the controller's side (from the moment of logging in on the Guest portal to the end of the loop).

As far as I can see, the Internet-only ACL is not activated after login as it should be according to the AuthZ policy, so the user never gained the Guest identity, am I right?

Everything was working just fine before upgrade, so I'm just wondering which settings weren't transferred.

When I upgraded from 1.1.3 to 1.2, some configuration was missed. Maybe something similar happened when moving from 1.2 to 1.3.

Let me think what else you could check. 

Something else that I found weird was that my identity store sequence included Guest, Internal and AD, but the authentication process was not working and I was sent back to the customized login page. So I had to remove Internal and AD from the list and save it, and then I could connect to the Guest SSID. After that, I put AD and Internal back in the list and I could still connect on Guest. Try this as well.

New Member

Well, your last post put an idea in my head. I disabled all of my imported AuthZ and AuthN policies and built them all from the beginning (more or less in the same way). I really don't know why, but it works now.
Thank you for your help!

Nice to hear that. In fact, the upgrade process from 1.1.3 to 1.2 was extremely complicated for me. We faced the following, so it looks like something happened when you upgraded from 1.2 to 1.3.

ISE 1.2 upgrade failure at GuestUpgradeService.

Introduction:

When a customer upgrades from an ISE 1.1.x environment to ISE 1.2 and uses AD users to log in as sponsor users, they are likely to hit the problem below.

Problem:

In ISE 1.2, strict checks are performed on timezone and email for sponsor users, whereas in previous versions of ISE, when an AD user logged in, a shadow sponsor object was created with null values.

The cause of this issue is that when an AD sponsor user logs in to the sponsor portal, a shadow sponsor object is created in the ISE DB. These shadow sponsor objects are created with some missing values, such as email ID or time zone. During the upgrade process, these shadow sponsor objects cannot be upgraded successfully with these missing values, which causes the upgrade to fail.

The error you see if the upgrade fails at GuestUpgradeService:

- Data upgrade step 78/80, NSFUpgradeService(1.2.0.881)... Done in 0 seconds.
- Data upgrade step 79/80, GuestUpgradeService(1.2.0.882)... Failed.
Rolling back the configuration database...
Starting application after rollback...
 
% Warning: Do the following steps to revert node to its pre-upgrade state.
-Register this node back to old Primary
error: %post(CSCOcpm-os-1.2.0-899.i386) scriptlet failed, exit status 1
Cisco Employee

I think there must be some issue in the migration process. Also, please check the following link for the proper configuration of the auth page redirect.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
