topic Re: ISE Redirection in Network Access Control

ISE Redirection

KevinR99 — Sat, 08 Oct 2022 15:37:41 GMT

I have a strange issue and no doubt I'm missing something basic but it has me scratching my head.

I've been playing around with Guest portals. I have Guest 1 on Gig1 and Guest 2 on Gig 2. In my authorization profile I supply the portal IP address to bypass DNS resolution. The policy is pretty simple. The authentication rule checks Guest Users and has the options set to Auth fail and User not found to continue. The Authorization policy is as standard. The first rule matches Wireless MAB and Guest flow then permits. The second rule matched MAB and the SSID name and invokes an authorization profile pointing to the Guest Self register portal. The portal is enabled on Gig1 and the profile applies a redirect ACL that is on the WLC and the Guest self register portal is chosen.

I've been testing this over the last few days. I know my redirect ACL is good as it's not changed from when it was working. Prior to a test connection I delete the client from the Context visibility - Endpoints area and I make sure the WLC doesn't have the client as connected. I then try to connect. This time the client just connects. No redirection attempted. When I look in the ISE live logs it says the client is authenticated based on their MAC address and the correct redirect URL has been sent. But my clients never redirect anymore.

I have done this lots of times before and the usual issue I have to solve is the client gets redirected but can't get to the portal for some reason. I can usually fix that no problem. This time it just lets the client on and in the WLC log it has been authenticated based on the MAC. I see the following in the ISE logs

The host is not found in the internal endpoints identity store
	15048	Queried PIP - Radius.Called-Station-ID
	15016	Selected Authorization Profile - XXX-portal-redirect
	11002	Returned RADIUS Access-Accept

So I expect the client to be redirected to allow me to enter credentials and then the registered username is what is successfully authenticated for access on the ISE and WLC.

Anyone have any ideas on this one?

Thanks, Kev.

Re: ISE Redirection

KevinR99 — Sun, 09 Oct 2022 14:35:41 GMT

I decided to do a rebuild of my lab and all is ok now. Not quite sure what the issue was but I have it working now. As a troubleshooting aid does anyone have recommended debugs I can use on Cat9800's for such issues? I find the radioactive trace on a client MAC produces way too much info and it's difficult to find what you're looking for.

Thanks, Kev.

Re: ISE Redirection

hslai — Sun, 09 Oct 2022 20:39:20 GMT

See Cisco Catalyst 9800 WLC > Troubleshooting TechNotes > Collect Logs and Debugs from Catalyst 9800 WLC for Various Scenarios > Guest Central Web Authentication(CWA) or Local Web Authentication(LWA) Issues

Re: ISE Redirection

KevinR99 — Tue, 11 Oct 2022 07:44:45 GMT

hslai

I appreciate your response. However, the Cat9800 does point me to all those logs etc in that URL. My issue is there is just too much there and I'm looking for specific debugs that may assist rather than a great big load of output that takes significant time, or TAC, to look through. I was hoping for a debug to maybe show traffic the WLC has decided to redirect. Sometimes there are debugs that throw up a concise nugget of info that points us to the issue rather than grabbing lots of logs and captures and having to plough through them looking for the nuggets.

I do appreciate your contribution though.

Kev.