Delay in Guest Hotspot Redirect

Hello all,

I just had a group of coworkers run a stress test on our ISE guest hotspot access to get a feel for performance and end user experiences.  Of those who participated, 86% of them reported that it took anywhere between 3 to 4 website attempts before they received the URL redirect to the AUP page.  I've noticed this behavior when I've tested for myself.  Is there any reason why this would be happening?  I'm running ISE 2.3 patch 6 with WLC code 8.5.140.0.

Terence

12 Replies

Jason Kunst
Cisco Employee
You’ll need to provide more information on the test. Also what hardware/resources you are running. How many users. How many attempts per second. Are you testing against a standalone deployment or directed to multiple PSNs?

Jason,

I am running a distributed deployment with two PANs/MnTs along with two PSNs.  All appliances are virtual running on VMware using the OVA file to spin up the VM hardware resources.  The number of users actively testing were approximately 10 (production guest users is estimated to be around 600 to 900 endpoints).  Not sure about attempts per second.  Here is a screenshot of the VM resource summary:

psn_virtual_summary.png

Can you please tell us what release? Current recommended ISE 2.4 patch 8 just came out.

https://community.cisco.com/t5/policy-and-access/recommended-most-stable-ise-version/td-p/3411538

Also check under resources for how to get help under http://cs.co/ise-help; this is not TAC. You will need to check, maybe packet loss or something else happening? Not enough resource reservations? What you’re stating for your setup is plenty. Also not sure if this is production or not, with lots of clients outside of guest, or if this is dedicated to guest? But again, you should really troubleshoot through TAC.

Hey Jason,

I think TAC may be the best route to go at this point.  Again, it doesn't happen to everyone and it appears to be random.  The version of ISE I'm on is 2.3 patch 6 and it's not in production but we're ready to start moving it into production.  I'm afraid to move to a higher release because I had a TAC case opened from June of 2018 that only got resolved when patch 6 for 2.3 was released back in March of this year.  The issue went all the way up to the BU so it pushed our deployment back for almost a year.  Due to this, I'm very hesitant to upgrade lest I run into an issue that further delays our deployment.

Please keep in mind that the release you’re on is not going to be supported for a long time. Version 2.4 is our current recommended long-term release; now is the perfect time to move to such a supported vehicle.

Jason,

I think you're right on this one.  It's better to do it now when we're not in production versus waiting until we are in production and then find that we need to upgrade and disrupt the entire network.

Thanks!

Since you don’t have much going on right now, you can build a new system in parallel to validate and then shut down the old system. Start fresh with recommendation and validation.

craig.beck
Level 1

DNS plays a big part. Have you checked that DNS resolution works every time? If users are simply retrying the web page a few times and not actually disconnecting/reconnecting to the Wi-Fi I'd look at this first. You could have a flaky DNS server somewhere.

If DNS is ok, review the ISE Live Logs to see if users authenticate and authorize properly each time they connect. The logs are invaluable most of the time.

Do they hit the right ISE rule for CWA URL to be pushed to the WLC?

Does the WLC have intermittent issues with RADIUS servers? (Can you see anything in the WLC logs?)

Do the clients have a good Wi-Fi signal?

Is the CWA ACL at the WLC configured correctly? (DNS servers all allowed, correct portal IP and ports allowed for both PSNs?)

As Jason said, there's lots we need to know, but I'd start with the above. You might be able to work it out from there.

Craig,

As for the policy with ISE, clients authenticate to the correct policy each time.  This particular issue is hit or miss as it doesn't happen every time.  There are times in which I get redirected immediately and other times it takes a few tries before being redirected.  I haven't considered DNS so I'll look into running a capture from start to finish and seeing what my response time is for DNS.

I ran another test on our guest hotspot and got the URL redirect immediately.  Response time for network and application looks good.

dns_response.png

http_response.png

Was a change done? Please share.

No changes made on ISE, the network, or with DNS. Again, it doesn't happen all the time but it was pretty consistent when multiple authentications to the PSNs were made simultaneously.
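
The DNS-then-redirect checks suggested in the thread can be turned into a per-attempt breakdown of where each try stalled. The following is an added example, not part of the original thread and not Cisco code. It assumes the redirect reaches the client as an HTTP 3xx response with a `Location` header; the PSN hostnames, the one-second "slow DNS" threshold and the sample records are all constructed for illustration.

```python
import http.client
import socket
import time
from collections import Counter
from urllib.parse import urlsplit

PORTAL_HOSTS = {"psn1.example.com", "psn2.example.com"}  # assumed PSN portal FQDNs
DNS_SLOW_S = 1.0  # assumed threshold (seconds) for calling a lookup slow

def probe(host, path="/", timeout=5):
    """One plain-HTTP attempt from a guest client; the redirect is not followed."""
    rec = {"dns_s": None, "status": None, "location": None}
    start = time.monotonic()
    try:
        socket.getaddrinfo(host, 80)
        rec["dns_s"] = time.monotonic() - start
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        rec["status"], rec["location"] = resp.status, resp.getheader("Location")
        conn.close()
    except (OSError, http.client.HTTPException):
        pass  # rec records how far this attempt got before failing
    return rec

def classify(rec):
    """Name the stage at which an attempt stalled (assumes a 3xx-style redirect)."""
    if rec["dns_s"] is None:
        return "dns_failed"
    if rec["status"] is None:
        return "http_no_response"
    if rec["status"] not in (301, 302, 303, 307) or not rec["location"]:
        return "no_redirect"
    if urlsplit(rec["location"]).hostname not in PORTAL_HOSTS:
        return "redirect_to_unknown_host"
    return "redirected_slow_dns" if rec["dns_s"] > DNS_SLOW_S else "redirected"

def summarize(records):
    """Count attempts per stage so a group test can be compared run to run."""
    return Counter(classify(r) for r in records)

SAMPLE = [  # constructed: four tries by one client before the AUP page appeared
    {"dns_s": None, "status": None, "location": None},
    {"dns_s": 2.4, "status": None, "location": None},
    {"dns_s": 0.03, "status": 200, "location": None},
    {"dns_s": 0.02, "status": 302, "location": "https://psn1.example.com:8443/portal"},
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

Running `probe()` in a loop from several guest clients at once and feeding the records to `summarize()` shows whether the retries cluster at DNS, at the HTTP intercept, or at the redirect target, which can then be lined up against the ISE Live Logs and WLC logs.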