topic Re: Need policy set of Cisco ISE CWA ISE 2.4 in Network Access Control

Need policy set of Cisco ISE CWA ISE 2.4

pcno — Wed, 01 Jul 2020 18:45:16 GMT

Can anyone share me a screenshot of Wireless Authentication and Authorization policy set in ISE 2.4+ for a user to get Permit all, right after he enters username and password inside the CWA portal?

Lab minute CWA video policy doesn't work with ISE 2.4+ Radius username is not working unless I specify the name which is not practical.

Right now the user gets redirected to CWA portal there he enters username password of AD then CWA portal check with local AD once Auth success shows a new page says "you will get the Internet" but I am not getting internet since I don't have a policy set to give permitall please help me it is Urgent.

Re: Need policy set of Cisco ISE CWA ISE 2.4

Francesco Molino — Thu, 02 Jul 2020 03:10:40 GMT

Hi

So you're able to authenticate your users over a CWA?
When they get authenticated, what authorization are you pushing?
Can you share your config to see what you're missing?

Re: Need policy set of Cisco ISE CWA ISE 2.4

pcno — Thu, 02 Jul 2020 15:08:04 GMT

Thank you, Francesco, Please check the attached screenshot of my current policy and guest portal details.
Right now redirection works and the user enters their username password in the CWA portal and Authentication is a success with AD also device is registered in the particular group as well. But after all these process users still, doesn't have a permit all access.

Thanks

Re: Need policy set of Cisco ISE CWA ISE 2.4

pcno — Sun, 05 Jul 2020 06:43:25 GMT

Is there any solution for this ?? It's been more than 4 days.

Re: Need policy set of Cisco ISE CWA ISE 2.4

Francesco Molino — Sun, 05 Jul 2020 17:51:10 GMT

Sorry for the delay, I didn't had time this week due to work schedule.
Can you share the authentication result please? I believe you have at least a condition not matching from your policies.
To validate this, you can create a simple authorization policy matching only your AD group and see if you get a permit result.

Re: Need policy set of Cisco ISE CWA ISE 2.4

pcno — Mon, 06 Jul 2020 08:11:46 GMT

Thank you, Francesco, we all are busy with Job I do understand the pressure 🙂
I have tried with a simple AD group as well but it is still not hitting permit all policy.
Once the CWA portal comes and the user enters their user name and password in it then the user gets a prompt saying you have internet access now and then if I type anything in the web portal it took me back to redirect page again where it asks for the username & password it is like a loop.

Please check the attached screenshot of the live log and the policy set (I tried with web auth as well no output).
if possible please send me a screenshot of a policy that is normally used in a CWA method for Portal redirection and Permit all access.

Thanks

Re: Need policy set of Cisco ISE CWA ISE 2.4

hslai — Wed, 08 Jul 2020 03:14:34 GMT

Please review ISE Guest Access Prescriptive Deployment Guide if not already done and start with simpler authorization policy rules.

Re: Need policy set of Cisco ISE CWA ISE 2.4

pcno — Wed, 08 Jul 2020 11:58:01 GMT

Hslai, I am able to get redirection which means my WLC, ACL, and ISE redirection policy is correct... Can you tell me where we are specifying Permit access ACL for the user after successful login in the CWA portal?
I tried a lot of policy set as above for permit all but none of them get a Hit.

In portals and components, I can only see Sucess Login: Original URL, no place where I can put a permit all setup.

Is CWA chaining only works with MAB?

Please reply if you have a solution.

Re: Need policy set of Cisco ISE CWA ISE 2.4

Francesco Molino — Thu, 09 Jul 2020 00:27:26 GMT

You're not matching any of your authorization rules.
Have you tried to filter just using an ad group for example and attach a permit to it.
This will work for sure

Re: Need policy set of Cisco ISE CWA ISE 2.4

pcno — Thu, 09 Jul 2020 06:33:21 GMT

Francesco, I did try by putting a simple policy like external group > corp users>permit all.
No hit for this policy as well, can you share me a screenshot of policy set just to make sure I am doing the same?
Till this day almost 20+ policies are tried but nothing gets any Hit after user enter username and password in CWA portal.

Re: Need policy set of Cisco ISE CWA ISE 2.4

hslai — Sat, 11 Jul 2020 23:09:40 GMT

We consider CWA Chaining different from CWA. I found you asked CWA Chaining with Intune earlier and Greg Gibbs provided you the info.

The condition example "CWA:CWA_ExternalGroups= Employee" works only with on-premise AD infrastructure at present. If your user already present there and in the proper AD group, then it's possible you are hitting a bug.

Re: Need policy set of Cisco ISE CWA ISE 2.4

Francesco Molino — Mon, 13 Jul 2020 21:57:45 GMT

Ok let me share some screenshots.

I will use a user called testcwa member of WiFi AD group.

WLC SSID config:

WLC ACL:

Cisco ISE Authorization Profile Redirect:

Cisco ISE Authorization Profile Permit:

I have a dedicate Policy-set,

Cisco ISE Policy-Set:

Now, I connect to this SSID, my user authenticates and get internet access.

Below results from ISE:

Hope this helps.

Can you reproduce it in a very simple way like I did to make sure your Guest work and then you can start adding attributes to filter user authentication.

Re: Need policy set of Cisco ISE CWA ISE 2.4

pcno — Tue, 14 Jul 2020 10:46:29 GMT

Thank you, Francesco, I did try the same but it didn't give permit access, Today I installed a new ISE with Latest patch and tried the same and it worked looks like some bug. Anyway, Thank you so much for helping me with this. Closing this discussion now.

Re: Need policy set of Cisco ISE CWA ISE 2.4

Francesco Molino — Wed, 15 Jul 2020 01:53:42 GMT

Glad it worked. Can't tell what you faced and TAC would have been able to help. Anyways you've installed a new ise and your issue is now solved