topic Re: ISE 2.4 and 9800 WLC: Wireless guest issue in Wireless

ISE 2.4 and 9800 WLC: Wireless guest issue

ittechk4u1 — Tue, 21 Sep 2021 09:47:08 GMT

Hello Experts,

I am facing a issue with guest access authentication. Old AIROS wlcs are working but now I have a installed a new 9800 wlc and its creating an issue.

Requesting help to troubleshoot below authentication fail error messages seen for wireless guest users.

Event	5400 Authentication failed
Failure Reason	15039 Rejected per authorization profile
Resolution	Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause	Selected Authorization Profile contains ACCESS_REJECT attribute
Username	USERNAME

Its not hitting the right Authentication policy.

Auth policies:

Steps

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP
	15041	Evaluating Identity Policy
	15013	Selected Identity Source -
	22043	Current Identity Store does not support the authentication method; Skipping it
	22064	Authentication method is not supported by any applicable identity store(s)
	22058	The advanced option that is configured for an unknown user is used
	22060	The 'Continue' advanced option is configured in case of a failed authentication request
	24715	ISE has not confirmed locally previous successful machine authentication for user in Active Directory
	15036	Evaluating Authorization Policy
	15048	Queried PIP
	15048	Queried PIP
	15048	Queried PIP
	15016	Selected Authorization Profile - DenyAccess
	15039	Rejected per authorization profile
	11003	Returned RADIUS Access-Reject
	5434	Endpoint conducted several failed authentications of the same scenario

Thanks in advance

Best Regards

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

craig.beck — Thu, 12 Aug 2021 22:29:02 GMT

15039 Rejected per authorization profile

Can you show the full failure log, please?

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

ittechk4u1 — Fri, 13 Aug 2021 07:50:58 GMT

which logs you want to me paste ?

from ISE side or debug from WLC ?

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

Grendizer — Mon, 16 Aug 2021 17:47:38 GMT

you need to change (redirect portal ipv4 192.0.2.1) to the ISE IP Address instead.

Check this line (redirect for-login guest.corp.com) Which ISE portal will reply the requests?

you're using Guest Users (meaning the users are configured in ISE)

not sure about this condition: WLC_Web_Authentication (it needs to check ISE Guest Users group as you specified in AuthC rule)

moreover, ISE portal is using by default TCP port 8443 and with that you will need to create a Pre-Auth ACL that will be applied on the WLAN > Security > Layer3 > Preauthentication ACL > IPv4, example ACL below:

permit tcp any host ISE_IP_ADDRESS eq 8443

permit tcp host ISE_IP_ADDRESS eq 8443 any

permit tcp any any eq domain

permit udp any any eq domain

permit udp any any eq bootpc

permit udp any any eq bootps

deny ip any any

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

ittechk4u1 — Tue, 17 Aug 2021 05:10:25 GMT

Hi,

Thanks for your input but I am using Portal on customized WLC itself.

Portal is on WLC

Guest users are in ISE sponsor Portal

Best Regards

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

Grendizer — Tue, 17 Aug 2021 17:02:09 GMT

Ok, then you need to do these changes:
Changes on 9800:
Add the below command:
aaa authentication webauth default local group ISE
to check the WLC local users first then ISE, if you need to check the 9800 local users/guest accounts then you have to add this line too (aaa authorization network default local)
OR
aaa authentication webauth default group ISE
to check the users from ISE only
Note: "Named Method lists not supported for webauth" so in your case we can't use the method list ISE so instead we have to use default as in above cli.
also you shouldn't use the below lines under global parameter map: (by the way you can use different "new" parameter map and will work too, meaning doesn't have to be the global parameter map but that works too)
redirect for-login guest.corp.com
redirect portal ipv4 192.0.2.1
Because if you want to use guest.corp.com as the DNS name to the ipv4 virtual IP address then you need to put that in (Virtual IPv4 Hostname) section also you need a DNS record to point the guests to the 9800 virtual IP address, meaning, DNS record for guest.corp.com=192.0.2.1 and of course you need a certificate signed by public CA (with SAN) so guests will not see certificate error, info is here https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html
side note: i didn't see ISE1 as RADIUS configured but it used under group ISE so either you configure that or remove it from that group
for more info, check this doc Custom Web Authentication on Catalyst 9800 Wireless Controllers Configuration Example
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216121-custom-web-authentication-on-catalyst-98.html

Changes on ISE:
You're using (WLC_Web_Authentication) as a condition, the rules for this condition are:
Radius:NAS-Port-Type = Wireless - IEEE 802.11
Radius:Service-Type = Login
while in this case the Service Type is "Outbound" so will not match your rule, so you need to remove that condition or create a new one with Radius:Service-Type = Outbound

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

ittechk4u1 — Tue, 21 Sep 2021 09:49:13 GMT

Hi @Grendizer ,

Thanks for detailed explanation!

I did as you mentioned above but still hitting the default policy with Deny Access:

1. Method list name created with name "default"

aaa authentication login default local group ISE
aaa authentication webauth default local group ISE

2. New Parameter MAP:

parameter-map type webauth LWA
type webauth
sleeping-client
redirect portal ipv4 192.0.2.1
logout-window-disabled
success-window-disable
cisco-logo-disable

3. Changes on ISE:

Authentication

AuthZ

SSId Config:

wlan CorpGuest 1 CorpGuest
peer-blocking drop
no security wpa
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
security web-auth
security web-auth authentication-list default
security web-auth parameter-map LWA
no shutdown

Bets Regards

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

Grendizer — Wed, 18 Aug 2021 16:00:23 GMT

Just remove the below lines as I mentioned before:
redirect on-success https://www.grammer.com/
redirect portal ipv4 192.0.2.1
with the above, this will be sent to ISE as Login, meaning to match on ISE you need Radius:Service-Type = Login
this is used if you have a Web server that provide you a portal or if you want to use one of the ISE portals, usually a copy of the sponsored Guest Portal, so in your case because you want to use the 9800 customized portal then you have to leave those fields empty by removing the above cli lines and that's mean when you check the username/pass with ISE (using ISE locally defined users or from Active Directory) then the 9800 will send those as "Outbound", Radius:Service-Type = Outbound
One more thing, in your ISE Policy Set, you're not telling ISE where to look and check for the usernames/pass that Guests will be using, meaning, if you need to check against AD group then you specify that group, if you need to check them against ISE local group you need to specify that. In below screenshot you can see that I'm using simple policy set to check both AD and internal ISE group without checking the service type, but you can definitely use that check too.

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

ittechk4u1 — Thu, 19 Aug 2021 05:06:49 GMT

Thanks, I will configure the policies as you mentioned and will give a try and let you know!

Best Regards

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

ittechk4u1 — Mon, 13 Sep 2021 07:22:00 GMT

Thank you. It working now.

Could you please also tell me how to install a wildcard certificate for webauth certificate eon 9800 WLC?

Thanks in advance.

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

Sandeep Choudhary — Mon, 13 Sep 2021 08:45:27 GMT

Check this link:

https://thewlan.com.au/2020/07/14/9800-local-webauth-certs/

Regards

Dont forget to rate helpful posts

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

Grendizer — Mon, 13 Sep 2021 14:59:06 GMT

Check this doc:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

ittechk4u1 — Tue, 14 Sep 2021 11:29:09 GMT

I will try to install it and let you know.

Thanks

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

Sandeep Choudhary — Tue, 21 Sep 2021 08:30:57 GMT

You can try this method as well.. I tried in my lab and it worked:

First you need to create a trustpoint on the WLC. The trustpoint contains the certificate authority that signed the certificate in use.

WLC1 (config)#crypto pki trustpoint WILDCARD
WLC1 (ca-trustpoint)#fqdn *.xyz.com
WLC1 (ca-trustpoint)#subject-name cn=*.xyz.com
WLC1 (ca-trustpoint)#revocation-check crl
WLC1 (ca-trustpoint)#rsakeypair WILDCARD

Next, you should import the certificate. There are multiple ways for importing the certificate, but you can use FTP/tftp to transfer the certificate from your laptop to the wlc.

Info: Certificate must be in PKCS12 (.pfx) form

WLC1(config)#crypto pki import WILDCARD pkcs12 ftp: password xyz12345

% Importing pkcs12...

Address or name of remote host []? 192.168.21.25

Source filename [WILDCARD]? WildcardCert.pfx

Reading file from ftp://192.168.21.25/WildcardCert.pfx!

[OK - 6048/4096 bytes]

% The CA cert is not self-signed.

% Do you also want to create trustpoints for CAs higher in

% the hierarchy? [yes/no]:yes

*Sep 16 10:38:02 UTC: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named WILDCARD has been generated or imported by pki-pkcs12

CRYPTO_PKI: Imported PKCS12 file successfully.

WLC1(config)#exit

WLC1(config)#wr

*Sep 16 10:38:06 UTC: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: WILDCARD-rrr1 created succesfully

*Sep 16 10:38:06 UTC: %PKI-6-PKCS12_IMPORT_SUCCESS: PKCS #12 import in to trustpoint WILDCARD successfully imported.

The certificate is now successfully imported into the WLC and can be associated with the Webauth wlan.

then you can assign wildcard certificate to webauth parameter map.

Regards

Dont forget to arte helpful posts

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

ittechk4u1 — Tue, 21 Sep 2021 08:34:21 GMT

Thank you I will try it!

Could @Grendizer @Sandeep Choudhary please help me about this issue ? Here is the post about my Mobility express issue:

https://community.cisco.com/t5/wireless/mobility-express-issue-with-ise-amp-cloud-radius-server/m-p/4466968#M233371

Thanks again

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

meditinst — Thu, 01 Sep 2022 13:16:16 GMT

Hi Grendizer,

I have a third-party certificate installed but when I put the guest.corp.com name for the certificate the guests get a "This site can't be reached" when it redirects to the name I put in. I believe this is because I need to enter a DNS record for guest.corp.com to 192.0.2.1 as you mentioned. How do I go about doing that? Is it through Administration > DNS and then add DNS Server or is there a different page to add that DNS record? Thanks for the hlep.

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

Grendizer — Thu, 01 Sep 2022 15:10:51 GMT

Configuration > Security > Web Auth > global > General >
Virtual IPv4 Address: 192.0.2.1
Virtual IPv4 Hostname: guest.corp.com
and select the "Trustpoint" that contain your 3rd party cert
next, (from the DNS Server), you need to add to the DNS record to point the guests to the 9800 virtual IP address.

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

meditinst — Thu, 01 Sep 2022 15:28:12 GMT

Hello,

It's that last part that I am confused about, what DNS server? We are using our ISP's DNS servers for the guest wireless so will I have to change that to use our local DNS then? If we use our local DNS is there a way for us to access the controller securely on the management IP vs guests accessing the virtual IP/DNS name when they sign in?

I am looking through the DHCP options, is it possible to add the ip and hostname there so we can keep the external DNS?

Re: ISE 2.4 and 9800 WLC: Wireless guest issue

Grendizer — Thu, 01 Sep 2022 16:03:05 GMT

The DNS query will be sent from the guests to the DNS to resolve guest.corp.com to 192.0.2.1 so no involvement from the WLC.
You can keep the external DNS for the guests but you can advertise the 192.0.2.1 IP Addresses to the public DNS as "forward only" DNS A record, in this case, from anywhere, a DNS lookup of the guest.corp.com will get the 192.0.2.1 IP Address, this will work fine for the Guests inside your network and they will get the portal with no issues, anyone from the internet will not get any response.
And obviously the second option to use your local DNS server for the guests.
There is no DHCP option to solve the above.