cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
828
Views
0
Helpful
5
Replies

ISE 2.3p2 - Guest AUP - redirect issue with few wireless devices

mitchp75
Level 1
Level 1

I have a small issue with a handful of Guest devices not being able to use Guest Wireless after they are presented with a Custom Portal splash page to accept terms and conditions. After acceptance the portal is set to forward the device to a www site and a couple iphones, androids seem to not work correctly however there are thousands of devices in the Enterprise that work fine. 

 

Design wise we have a WLC in the trusted area with a guest SSID and anchor controller in the DMZ where the PSN is located along with the Guest Circuit to the Internet.

 

I've researched the issue and it maybe due to both WLC's having the ISE PSN listed in the Radius accounting, is there a design document that shows what features/settings are recommended when using an Anchor Controller for both WLC's. Are there any other thoughts to why only a small number of devices have this problem? I have a TAC case open currently as well but thought I'd ask here as well.

2 Accepted Solutions

Accepted Solutions

I opened a TAC case on the WLC and found:

If you desire to configure accounting, then configure it on the foreign controller. Note that this should not be the case anymore starting 8.6 WLC software where the session id will be shared between anchor and foreign controllers and accounting will then be possible to enable on both. However, please notice that the 5508 WLC platform supports only up to 8.5 AireOS version; hence, we’ll need to apply this workaround instead in order for this situation not to be present on your network.

 

Thanks again for all the help!

View solution in original post

5 Replies 5

Thanks Jason, I'm 99% sure thats the issue we're having. Just to be clear is it safe to only remove the ISE PSN information listed inside the Guest SSID for Accounting or do you think it should be removed from the global area because it will probably never be used for Accounting due to the Anchor relationship under: Security > Radius > Accounting ?

The WLC code is 8.0.140.0, I don't believe it has the new simplified configuration check box for 'apply Cisco ISE default settings'

I would think that would be fine but not a wireless expert.

Recommend using 8.3 code as well. It has most updates for ise and is newer. Here is a list of recommendations


https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html

I opened a TAC case on the WLC and found:

If you desire to configure accounting, then configure it on the foreign controller. Note that this should not be the case anymore starting 8.6 WLC software where the session id will be shared between anchor and foreign controllers and accounting will then be possible to enable on both. However, please notice that the 5508 WLC platform supports only up to 8.5 AireOS version; hence, we’ll need to apply this workaround instead in order for this situation not to be present on your network.

 

Thanks again for all the help!

Keep in mind accounting is required to track sessions on ISE. Its not if you desire, its required.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: