topic ISE Guest webauth error in Network Access Control

ISE Guest webauth error

David Niemann — Mon, 11 Mar 2019 02:55:58 GMT

Using central web auth 802.1x on a 3560 to ISE. I get to the web portal fine and was able to login with the guest account and change the password. Now when I get redirected to the portal everytime I login I get "Your session has expired. Please login again". The error in ISE is show up as Guest authentication failed: 86017: Session cache entry missing.

From the ISE log

Other Attributes:

ConfigVersionId=56,PortalName=DefaultGuestPortal,CPMSessionID=0A0A084E0000001B4CCB2B1B

From the switch show authentication sessions

ISE-test#sh authentication sessions int fa0/1
            Interface: FastEthernet0/1
          MAC Address: 5c26.0a38.a800
           IP Address: 172.31.255.15
            User-Name: 5C-26-0A-38-A8-00
               Status: Authz Success
               Domain: DATA
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: multi-domain
     Oper control dir: both
        Authorized By: Authentication Server
           Vlan Group: N/A
     URL Redirect ACL: ACL-WEBAUTH-REDIRECT
         URL Redirect: https://oranetise01.naismc.com:8443/guestportal/gateway?sessionId=0A0A084E0000001B4CCB2B1B&action=cwa
      Session timeout: 3600s (local), Remaining: 1324s
       Timeout action: Reauthenticate
         Idle timeout: 900s (local), Remaining: 418s
    Common Session ID: 0A0A084E0000001B4CCB2B1B
      Acct Session ID: 0x000001C8
               Handle: 0xC400001C

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

----------------------------------------
            Interface: FastEthernet0/1
          MAC Address: 0004.f21c.66a9
           IP Address: 10.20.0.177
            User-Name: 00-04-F2-1C-66-A9
               Status: Authz Success
               Domain: VOICE
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: multi-domain
     Oper control dir: both
        Authorized By: Authentication Server
              ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout: 3600s (local), Remaining: 1253s
       Timeout action: Reauthenticate
         Idle timeout: N/A
    Common Session ID: 0A0A084E000000161ED6CBD9
      Acct Session ID: 0x000000F2
               Handle: 0x19000017

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

The session ID from the browser of the PC seems to match the above session IDs. I'm at a loss.

ISE Guest webauth error

David Niemann — Wed, 02 Jan 2013 17:14:01 GMT

And now it works and I didn't change anything. How is the session ID generated and for how long does it last? Maybe it finally timed out and generated a new one. The PC stayed connected to the port the entire time and was not rebooted either.

From ISE

Other Attributes:

ConfigVersionId=56,EndPointMACAddress=5C-26-0A-38-A8-00,PortalName=DefaultGuestPortal,CPMSessionID=0A0A084E0000001B4CCB2B1B

sh authentication sessions int fa0/1
            Interface: FastEthernet0/1
          MAC Address: 5c26.0a38.a800
           IP Address: 172.31.255.15
            User-Name:
               Status: Authz Success
               Domain: DATA
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: multi-domain
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: 46
              ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout: 3600s (local), Remaining: 3357s
       Timeout action: Reauthenticate
         Idle timeout: 900s (local), Remaining: 657s
    Common Session ID: 0A0A084E0000001B4CCB2B1B
      Acct Session ID: 0x000001C8
               Handle: 0xC400001C

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

----------------------------------------
            Interface: FastEthernet0/1
          MAC Address: 0004.f21c.66a9
           IP Address: 10.20.0.177
            User-Name: 00-04-F2-1C-66-A9
               Status: Authz Success
               Domain: VOICE
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: multi-domain
     Oper control dir: both
        Authorized By: Authentication Server
              ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout: 3600s (local), Remaining: 1644s
       Timeout action: Reauthenticate
         Idle timeout: N/A
    Common Session ID: 0A0A084E000000161ED6CBD9
      Acct Session ID: 0x000000F2
               Handle: 0x19000017

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

ISE Guest webauth error

Tarik Admani — Wed, 02 Jan 2013 23:19:32 GMT

David,

The sessionid is generated by the switch and is sent over to ISE in the access-request packet. What version of ISE are you on? You may want to consider upgrading to ise 1.1.2 since this has a few fixes related to session entries. I am fighting a simliar issue that you have pointed out but on the posturing side. Hope the upgrade fixes this for you. If you want to set a new session id, you can go into ISE and issue a COA (session termination) or just bounce the port.

Thanks,

Tarik Admani
*Please rate helpful posts*

ISE Guest webauth error

David Niemann — Thu, 03 Jan 2013 02:21:20 GMT

Yeah, I'm running 1.1.1.268. I was looking at that upgrade. Guess I'll try that this week and report back.

ISE Guest webauth error

fashour — Fri, 25 Jan 2013 17:34:44 GMT

I am facing the same issue as well while running 1.1.2.145. Please let me know if you find the fix. I will update from my side if I determine anything faulty.

ISE Guest webauth error

David Niemann — Mon, 18 Feb 2013 21:05:34 GMT

I upgraded to 1.1.2.145 and have not seen the issue again so far.

ISE Guest webauth error

eugenio desideri — Thu, 10 Oct 2013 14:31:40 GMT

Regarding the error below:

"Guest authentication failed: 86017: Session cache entry missing"

i stepped in the same situation , and solved it adjusting the UTC timezone during the guest creation in the sponsor portal.

i hope this helps.

Eugenio Desideri