topic Re: Endpoints access internet delayed few mins while Web-Auth succeeded with ISE and WLC in Network Access Control

Endpoints access internet delayed few mins while Web-Auth succeeded with ISE and WLC

G2000 — Tue, 16 Jan 2018 00:00:30 GMT

Environment

ISE Version: 2.3.0.298

There’re three ISE PSN nodes, IP address: 10.10.100.67/24, 10.200.100.67/24, 10.10.100.77/24

Foreign WLC, 5520, version: 8.3.111.0

Anchor WLC, 2500, version: 8.3.111.0

Endpoints, we used Dell Laptop with Windows 10 and iPhone 7 with iOS 11

Related Configuration

ACLs for Web-Auth redirect and access internet configured same on both Foreign and Anchor WLCs.

Verification

After Web-Auth succeeded, we observed “guest-acl” ACL applied.

Traffic hit related ACLs.

Symptom

After key in the username and password prompted authentication successfully.

But meantime, could not open www.google.com immediately.

Analyse

It looks like somehow the ACL of “guest-acl” didn’t apply immediately after Web-Auth succeeded, need to wait a few minutes, then endpoints can access the internet.

Re: Endpoints access internet delayed few mins while Web-Auth succeeded with ISE and WLC

Arne Bier — Tue, 16 Jan 2018 06:21:41 GMT

on the Cisco WLC you can run a client debug that is quite useful

debug client xx:yy:zz:00:11:22

debug aaa event enable

debug aaa packet enable

have a look at the output and try to observe what's going on.

I am also using ISE 2.3.0.298 (patch 1) and Cisco WLC 8.5.105.0 and 8.2.151.0 - there was an issue with older 8.2.1xx release which broke the CoA process. Currently no issues with these WLC releases.

Do you have an ACL that is applied when the client first associates to the SSID and gets redirected to the ISE portal?

And then you should have a second ACL that is applied when a client successfully passes the MAB auth (MAC address found in Identity Group). This ACL should allow DHCP, DNS, PSNs, and internet access.

Re: Endpoints access internet delayed few mins while Web-Auth succeeded with ISE and WLC

Jason Kunst — Tue, 16 Jan 2018 16:09:30 GMT

CSCul83594 - You cannot enable radius accounting on both WLCs, they will each send accounting start/stop with different session ids, and ISE will get confused. Typically end user sees a “error 500” web page when redirected to the ISE portal. This is on a per WLAN basis. If you have other WLANs not using ISE then that setting maybe different.

On another note, with the new “Simplified config Apply Cisco ISE Default Settings ” on the WLC, if you check the ISE checkbox when creating an authentication server, an accounting server is automatically configured with the same ip and settings. And same things on the WLAN, the simplified config puts the ISE as both authentication and accounting for that WLAN. And this will trigger the issue if you do this on both WLCs.

Please reach out to tac if further assistance is needed

Re: Endpoints access internet delayed few mins while Web-Auth succeeded with ISE and WLC

G2000 — Tue, 16 Jan 2018 22:25:50 GMT

Thanks, Jason.

We didn't enable Accounting at Anchor WLC for the guest WLAN.

Re: Endpoints access internet delayed few mins while Web-Auth succeeded with ISE and WLC

G2000 — Tue, 16 Jan 2018 22:56:26 GMT

Thanks, Arne.

We did configure redirect ACL and access-internet ACL on both WLCs, we also observed traffic hit both ACLs. It can access the internet a few minutes later, which means ACLs configured properly.

One more action we tested while authenticated successfully, if I manually disconnect and re-connect the guest WLAN at end-point, then it can access the internet immediately just like the second ACL applied immediately.

Re: Endpoints access internet delayed few mins while Web-Auth succeeded with ISE and WLC

Craig Hyps — Tue, 16 Jan 2018 23:05:00 GMT

There should be no reason to configure both an access ACL and redirect ACL for same session. The redirect ACL handles both. If having issues, recommend remove the Airespace ACL. The access ACL is only needed post web auth. Also, I have found in past releases that for certain flows it helped to add access to the PSNs in the run ACL. This may no longer be the case, but it was sometimes possible to have a case where user was authenticated but client was trying to complete a web communication to the PSN at close of final connection message, and if ACL applied immediately, it stalled that connection. You should be able to see if ACL is applied by monitoring the WLC session info for the client and determine if present when user blocked/delayed access.

Re: Endpoints access internet delayed few mins while Web-Auth succeeded with ISE and WLC

G2000 — Tue, 16 Jan 2018 23:47:24 GMT

From WLC we can observe the access internet ACL applied while endpoint authenticated successfully.

Re: Endpoints access internet delayed few mins while Web-Auth succeeded with ISE and WLC

hslai — Tue, 23 Jan 2018 17:49:40 GMT

Since the access internet ACL already confirmed and applied on the WLC, it's best for you to troubleshoot it further by engaging Cisco wireless support teams.

Re: Endpoints access internet delayed few mins while Web-Auth succeeded with ISE and WLC

Akiva — Wed, 18 Dec 2019 19:01:44 GMT

Did you get a solution to this eventually, I have got the same problem