Guest CoA and Authorize-only

harrzhan
Cisco Employee

We have a Guest hotspot deployment with an AUP page. For some iPhones, after users accepted the AUP page, the CoA fires off correctly. However, the following request is an Authorize-only request, and it hits the default policy set (Basic authenticated access). It does not hit the Guest policy we created. If we remove the endpoint from the WLC, it comes back and hits the correct Guest policy.

Is there any way to fix this Authorize-only request? It seems that it is not like wirelessMAB (the authentication method is authorize only), and that is the reason it does not hit the correct MAC filtering policy.


paul
Level 10

What are you using as your policy set admission criteria for the Guest policy set?  You should just be using RADIUS Called Station ID contains the name of your Guest SSID.

harrzhan
Cisco Employee
We use wireless_MAB for admission to the policy set. We have a few SSIDs, and Guest is one of the SSIDs doing MAC filtering. We do use called-station-id to match the SSID.

Try using the RADIUS Called Station ID as the admission criteria and create a policy just for your Guest SSID. You should have a policy set for each SSID based on the Called Station ID.


Paul,

Thanks for this pointer. I'm facing the exact same issue detailed by the OP and come to think of it, my Policy Set uses two conditions: Wireless_MAB AND Radius-Called-Station-ID EQUALS <SSID>.

So I removed Wireless_MAB from the top level. Will give this a try first thing tomorrow and report back.

Shorty
Level 1

Did you ever fix this? I have the same issue with iPhone devices only. Submitted a TAC case, waiting to hear back.

In order for ISE to process an Authorize Only Radius request, you can create an authentication policy with the condition “Radius: Service-Type equals Authorize Only” and then for the policy options, make sure that If Auth Fail is set to Continue.
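
Added example, not part of the thread and not Cisco code: a simplified Python model of first-match policy-set selection, showing why the post-CoA Authorize-only request misses a policy set gated on Wireless_MAB but matches one gated only on Called-Station-ID. It assumes Wireless_MAB means Service-Type = Call Check AND NAS-Port-Type = Wireless - IEEE 802.11; the SSID, MAC addresses and function names are constructed for illustration.

```python
# Simplified model of first-match policy-set selection (illustration, not ISE code).
CALL_CHECK, AUTHORIZE_ONLY = 10, 17  # Service-Type values (RFC 2865, RFC 5176)
WIRELESS_80211 = 19                  # NAS-Port-Type value (RFC 2865)
GUEST_SSID = "Guest-Example"         # constructed SSID

def wireless_mab(req):
    # Assumed definition of the Wireless_MAB condition used in the thread.
    return (req["Service-Type"] == CALL_CHECK
            and req["NAS-Port-Type"] == WIRELESS_80211)

def called_station_contains(ssid):
    # Condition on Called-Station-ID, as suggested in the thread.
    return lambda req: ssid in req["Called-Station-Id"]

def all_of(*conds):
    return lambda req: all(cond(req) for cond in conds)

def select_policy_set(policy_sets, req):
    """Return the first policy set whose admission condition matches."""
    for name, admit in policy_sets:
        if admit(req):
            return name
    return "Default"

def request(service_type):
    # Constructed RADIUS attributes for one guest endpoint.
    return {
        "Service-Type": service_type,
        "NAS-Port-Type": WIRELESS_80211,
        "Calling-Station-Id": "00-00-5E-00-53-01",
        "Called-Station-Id": "00-00-5E-00-53-AA:" + GUEST_SSID,
    }

initial_mab = request(CALL_CHECK)       # first association, MAC filtering
post_coa = request(AUTHORIZE_ONLY)      # request seen after the AUP CoA

# Admission criteria as described by the posters: MAB AND SSID, versus SSID only.
mab_and_ssid = [("Guest", all_of(wireless_mab, called_station_contains(GUEST_SSID)))]
ssid_only = [("Guest", called_station_contains(GUEST_SSID))]

if __name__ == "__main__":
    for label, sets in (("Wireless_MAB AND SSID", mab_and_ssid), ("SSID only", ssid_only)):
        for kind, req in (("initial MAB", initial_mab), ("post-CoA", post_coa)):
            print(f"{label:22} {kind:12} -> {select_policy_set(sets, req)}")
```
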