ISE CWA Causes Multiple Authorization Policy Hits

bret
Level 3

I have a small Aruba environment that uses ISE 2.4 for the guest portal. The guest is able to connect to the guest WLAN, authenticate, and ultimately connect to the internet. What's odd is that after logging in, the client drops the wireless connection, then the wireless connection is reestablished and connects them to the internet. When I investigated this behavior, it appeared there are multiple hits on the authorization policy.

 

Aruba-CWA.png

 

What's also weird is that I have this INVALID under identity and I'm not sure why that is caused.

 

My authorization policies look like this:

Redirect

AND Aruba:Aruba-Essid-Name = Guest-WiFi OR Network Access:NetworkDeviceName=WLC1, Network Access:NetworkDeviceName=WLC2 -> Redirect to Portal

 

Guest-Endpoint-Auth

IDGroup-Name = Endpoint IDGroup:GuestEndpoints -> Guest-Accept

 

Guest-User-Auth

InternalUser-IDGroup MATCHES User IDGroup:GuestType_Daily -> Guest-Accept

1 Accepted Solution

Accepted Solutions

howon
Cisco Employee

If you can reproduce the issue, you can reveal the INVALID entry by going to Administration > System > Settings > Protocols > RADIUS and checking 'Disclose Invalid Usernames' (the wording may be different depending on ISE version).

You can also click on the details of the CoA (the ones in the live log noted as Dynamic Authorization Succeeded) and look at the CoA reason to find out why the CoA was issued, which may provide hints.

Thanks, and I will review the live logs further for evidence of why the repeated CoA is occurring. If need be, I will then open a case.

JohnNewman7082
Level 1

The INVALID appears to be for a MAB authentication. So it is more than likely just the MAC address again.

 

If this is happening on every authentication, I would double check the timers on the Aruba. Ensure the session timer is at least 12 hours.

If this is happening only on the first auth of a device, it's possibly just profiling.

 

To really see what is going on, you need to dive deeper on the CoAs.
