topic ISE authorization Policy not working in Wireless

ISE authorization Policy not working

Amol Patil — Mon, 05 Jul 2021 09:51:45 GMT

Hi ,

I have configured the ISE as per the belwo link

https://supportforums.cisco.com/document/110031/central-web-authentication-cwa-guests-ise

but my authorization policy is not working as when user get connected to guest wlan it get authneticated but when it look for authorization

it going to default policy it should hit on above policy created screen shot as below

Arnol, Your AUTHZ

ajc — Tue, 07 Apr 2015 22:20:45 GMT

Arnol,

Your AUTHZ configuration is wrong based on the steps you followed from the link. You should not combine Wireless MAB + Authentication Status equal to UNKNOWN User in the same rule.

If you check the link, the Wireless MAB applies only to the AUTHENTICATION Policy part of the ISE Configuration which is combined with the IF USER NOT FOUND = Continue.

The AUTHZ policy part ONLY requires 2 policies to be configured for CWA to work:

1.-Network Access equals to GUEST FLOW (This policy avoid a loop that is caused after going through the initial authentication process once you are redirected)

2.-Network Access Authentication EQUALS Unknown User THEN CWA (this is the initial redirect and authentication

3.-Disable temporarily the NEW_PC_USER AUTHZ policy you created and test again CWA only.

But when i apply 2.-Network

Amol Patil — Wed, 08 Apr 2015 08:03:45 GMT

But when i apply 2.-Network Access Authentication EQUALS Unknown User THEN CWA

policy it will not work and it matching the last default policy .

What version of ISE + patch

ajc — Wed, 08 Apr 2015 15:28:16 GMT

What version of ISE + patch are you running?. Could you please send an screenshot of AUTH policies including the default --- > USE part?. Are you using customized portal for the first authentication process?

CWA is pretty straightforward. Only issues I faced was multiple VM (ISE Personas) running on one single server was not replicating properly the AUTHZ policies so I added the PSN persona into the PAN Node and everything worked fine immediately. In addition to that, I realized that I needed at least ONE ENTRY into the ISE PAN Internal Endpoints DB so I could hit the AUTH Policy for MAB & user not found condition which sent me to the AUTHZ = User Unknown + Redirect. Once I authenticated the user using the Default Portal that meant I hit the GUEST FLOW policy. If you are using customized portals for the first authentication process, check: web portal mgmt. --- > Guest --- > MultiPortal Configurations --- > Customized Portal -- > Authentication part.