topic Re: ISE, WLC: web auth, blocking user account in Network Access Control

ISE, WLC: web auth, blocking user account

Jaaazman777 — Tue, 26 Mar 2019 00:30:37 GMT

Hello!

We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).

On WLC there is SSID(WLAN) with MAC filtering without L2 security. For authentication user is redirected to the ISE Guest Portal.

Credentials are created at the ISE sponsor portal.

We create user account in ISE sponsor portal with one hour lease.

In 10 minutes we delete (or block) user credentials.

In spite of it the user is still able to work. Even if we manually disconnect client and reconnect it again, client opens the browser and there is no redirection to the ISE web auth page.

This happens because WLC thinks, that client is still associated.

There are session and idle timeout timers in WLC WLAN, but they can't solve the problem of automatic client session removing.

From my point of you, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible .

In practice, ISE doesn't tell wlc or user, that client sesssion is blocked.

How the user account blocking process can be automated without manually deleting the client session from WLC client database?

Re: ISE, WLC: web auth, blocking user account

Shaoqin Li — Tue, 25 Jun 2013 16:10:00 GMT

I can't remember precisely, but once guest account timed out or admin deactivate it, ISE should send CoA to WLC, please check user guide.

You get redirected successfully so I would think you are correct with WLC config, with radius nac and aaa override.

check ISE live log whether it send CoA to WLC first.

Sent from Cisco Technical Support iPad App

Re: ISE, WLC: web auth, blocking user account

Ravi Singh — Wed, 26 Jun 2013 03:40:20 GMT

Shaogin is absolutely right. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC. There is some problem with ISE configuration please cross check. For more detail you can see the below link.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_guest_pol.html

Re: ISE, WLC: web auth, blocking user account

Jaaazman777 — Wed, 26 Jun 2013 08:05:04 GMT

Thank you for reply!

sending CoA to WLC after deleting guest account really seems to be true way 😃

After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC

Is it a default behaviour of the ISE?

I didn't find the information about enabling or disabling this function

Re: ISE, WLC: web auth, blocking user account

Ravi Singh — Wed, 26 Jun 2013 08:08:11 GMT

Yes this is the default behaviour of ISE.

Re: ISE, WLC: web auth, blocking user account

Jaaazman777 — Wed, 26 Jun 2013 08:49:36 GMT

It seems that there is some bug about CoA when deleting Guest accounts

CSCuc82135

Guests need to be removed from the network on Suspend/Delete/Expiration

When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exists.

Workaround Reissue the Change of Authorization using the session information from Monitoring reports for the sessions associated with that guest user.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891

from BUG Toolkit there is Release-Pending in "Fixed-in" option.

Re: ISE, WLC: web auth, blocking user account

Jaaazman777 — Wed, 26 Jun 2013 12:48:47 GMT

Practical tests show that

- ISE does not send CoA automatically, when you delete or suspend user account.

- When account is expired by timer, CoA works well.

In other words, when we give DefaultOneHour profile to user account, after one our ISE expires the account and sends CoA to the client.