topic Guest flow is added after the in Network Access Control

Guest web authentication issue

deepuvarghese1 — Mon, 11 Mar 2019 04:52:30 GMT

Hi Support team,

Issue with Guest CWA with ISE.

I can connect to guest SSID and redirection is happening to ISE guest portal page. Username and password (created by sponsor) is accepted in the guest portal. When i open a new browser it is again redirecting to guest portal rather moving to internet. Is it related to COA. Please advise. I am attaching the error what i am getting and the configuration also.

Hi Team, Please find the

deepuvarghese1 — Wed, 16 Jul 2014 08:56:07 GMT

Hi Team,

Please find the attached..

Hello-The issue is with your

nspasov — Wed, 16 Jul 2014 22:01:21 GMT

Hello-

The issue is with your authorization rules. You need to change the conditions for the "Wireless Guest Rule." Remove the current condition about the "guest flow" and add a new condition and instruct ISE to look at the ISE Identity Store group where the guest users are created. Typically, this is the "Guest" internal identity user group. Leave the second "condition" block blank.

Hope this helps!

Thank you for rating helpful posts!

Nothing wrong with your

Stephen McBride — Thu, 17 Jul 2014 02:12:35 GMT

Nothing wrong with your authorization rules but Neno's suggestion would make security tighter in the long run. Your WLC configuration that is incorrect for CWA. Don't do layer 3 security- do layer 2 open auth with mac filtering and no layer 3 security.

Ops, I did not see the second

nspasov — Thu, 17 Jul 2014 02:26:16 GMT

Ops, I did not see the second set of screen shots. Yes, you need to disable L3 security and only use L2 with mac filtering as suggested above. You will also need to enable "radius NAC" under the advanced tab. The link below should walk you through the whole setup:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

On a side note, I still think that the current authorization rules are incorrect. If they are left alone, wouldn't the guest users be let on the network as soon as they enter the guest flow, thus never hitting the CWA rule? Or the "guest-flow" does not happen until after redirection has taken place and credentials are entered? I am not at home otherwise I would test it 🙂

Thank you for rating helpful posts!

Guest flow is added after the

Stephen McBride — Thu, 17 Jul 2014 03:06:16 GMT

Guest flow is added after the CWA bit. By not adding the group it means you can't differentiate between different internal groups eg contractor vs guest.

Ah, so it is after the CWA.

nspasov — Thu, 17 Jul 2014 03:09:15 GMT

Ah, so it is after the CWA. Thanks for confirming. (+5 from me)

Hi, Did u ever get this

Ferdy RHN — Wed, 30 Jul 2014 11:57:36 GMT

Hi,

Did u ever get this solved? I rather have the same issue but the users are authenticated but redirected to the login page again. They do not get the "successfull" login screen but are authenticated anyway after the first time adding the credentials. Only after putting the credentials twice the successfull screen is shown.

Have you modified Wireless

Peter Koltl — Wed, 30 Jul 2014 19:06:15 GMT

Have you modified Wireless MAB authentication rule to Reject-Continue-Drop?

Select these values from the drop-down list:

Identity Source: TestSequence (this is the value created earlier)
If authentication failed: Reject
If user not found: Continue
If process failed: Drop

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html