Participant

ISE CWA Causes Multiple Authorization Policy Hits

I have a small Aruba environment that uses ISE 2.4 for the guest portal. The guest is able to connect to the guest WLAN, authenticate, and ultimately connect to the internet. What's odd is that after logging in, the client drops the wireless connection, then the wireless connection is reestablished and connects them to the internet. When I investigated this behavior, it appears there are multiple hits on the authorization policy.

 

Aruba-CWA.png

 

What's also weird is that I have this INVALID under identity, and I'm not sure what causes that.

 

My authorization policies look like this:

Redirect

AND Aruba:Aruba-Essid-Name = Guest-WiFi OR Network Access:NetworkDeviceName=WLC1, Network Access:NetworkDeviceName=WLC2 -> Redirect to Portal

 

Guest-Endpoint-Auth

IDGroup-Name = Endpoint IDGroup:GuestEndpoints -> Guest-Accept

 

Guest-User-Auth

InternalUser-IDGroup MATCHES User IDGroup:GuestType_Daily -> Guest-Accept

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ISE CWA Causes Multiple Authorization Policy Hits

If you can reproduce the issue, you can reveal the INVALID entry by going to Administration > System > Settings > Protocols > RADIUS and checking 'Disclose Invalid Usernames' (the wording may differ depending on the ISE version).

You can also click on the details of the CoA (the ones in the live log noted as Dynamic Authorization Succeeded) and look at the CoA reason to find out why the CoA was issued, which may provide hints.

Participant

Re: ISE CWA Causes Multiple Authorization Policy Hits

Thanks, and I will review the live logs further for evidence of why the repeated CoA is occurring. If need be, I will then open a case.
Beginner

Re: ISE CWA Causes Multiple Authorization Policy Hits

The INVALID appears to be for a MAB authentication. So it is more than likely just the MAC address again.

 

If this is happening on every authentication, I would double-check the timers on the Aruba. Ensure the session timer is at least 12 hours.

If this is happening only on the first auth of a device, it's possibly just profiling.

 

To really see what is going on, you need to dive deeper on the CoAs.