86017 Session Missing after guest user credentials deleted and readded due to forgotten password

davijones
Level 1

Hi,
I'm hoping to get some insight into a problem with guest authentications we are currently experiencing.  First of all, we are running ISE version 1.2 patch 5.

The problem seems to be triggered by a guest user forgetting his password and locking out his account.  Our Helpdesk can re-enable the account, but because he no longer remembers the password, they can only delete the account and reissue new credentials to him.  However, upon logging in with new credentials, the user gets the message "SessionID is missing. Please contact your System Administrator."  On the ISE we see under Failure Reason "86017 Session Missing". This is repeated several times.  In the past, the only thing that has cleared this is to simply wait (sometimes overnight).

In my opinion, it appears that the ISE is still holding on to the user (session?) information after the original credentials are deleted and that this is somehow confusing the ISE when the user tries again with his new (but identical) credentials - just a guess though...

Is anyone else seeing this?  Can anyone suggest an action with more immediate results other than telling the user to wait for some hours (or overnight) and then trying again?

Thanks in advance,
Dave

3 Replies

nathan demers
Level 1

I have this same issue.  Magically appeared this morning.  Did you find a solution?

mohanak
Cisco Employee

CSCul10677: ISE 1.2 CWA FailureReason 86017

Symptom:
Intermittent 86017 Failure reason displayed for CWA access.
Guest users are redirected to Guest login page on initial access to guest wireless network.
User enters their credentials and are taken to the AUP page.
They click ok and are redirected back to the login page.
The live authentication log shows the above attempt as an 86017 error.
Attempt to clear client from controller and try another login yields the same error.

Conditions:
Seen with ISE 1.2
Seen on guest wireless access on iOS and windows devices (could be seen on other type of devices as well)

Workaround:
Terminate session from admin UI and type in the original URL to redirect to guest portal with a new session-id.

Disconnect SSID, wait for a few minutes, reconnect and enter the original URL to redirect to guest portal with the new session-id.

nathan demers
Level 1

Problem resolved.

The issue was as follows.  I was getting the above described error however the problem was that we have a WLC that relies on ISE for authentication.  It also uses AAA override.  More info here: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0111100.html

" It enables you to apply VLAN tagging, Quality of Service (QoS), and Access Control Lists (ACLs) to individual clients based on the returned RADIUS attributes from the AAA server."

The WLC does not download the ACL like a switch does.  ISE will send a RADIUS response with the appropriate ACL for permissions.  If there is a web redirect included, that ACL will also have to be sent... thus that ACL will have to be created on the WLC as well.  Keep in mind that the ACL name is all that really matters.  It does not download the entire ACL.  ISE merely sends the ACL name and says use this ACL.  If the WLC does not have it, then it is forced to disconnect the client (or give no access).

This was my problem.  I did not have the redirect ACL created on the WLC.  So it would connect, get an IP, and attempt to redirect, but it wasn't allowed to.
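The mismatch nathan describes (ISE returning an ACL name that does not exist on the WLC) is easy to check for before a client ever hits it. The script below is an added example and is not code from this thread or from Cisco: it parses the attributes of an ISE Access-Accept for a CWA authorization profile (the `Airespace-ACL-Name` attribute and the `url-redirect-acl` / `url-redirect` cisco-av-pairs that ISE actually sends) and compares the referenced ACL names against a list of ACL names configured on the WLC. Both the attribute dump and the WLC ACL list are constructed sample data; `GUEST_AAA_OVERRIDE`, `ACL_WEBAUTH_REDIRECT`, `BLOCK_ALL`, the hostname and the user name are made up. It also flags a redirect URL with no `sessionId=` parameter, since the guest portal needs that value to find the session.

```python
"""Check that every ACL an ISE CWA authorization result references exists on the WLC.

Added example, not code from the forum thread or from Cisco. All sample data below
is constructed; replace it with a real ISE authentication detail export and the
output of `show acl summary` from your controller.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List


# Constructed sample: attributes as they appear in an ISE authentication detail
# report for a CWA authorization profile. ISE sends these attribute names; the
# values here are made up.
ISE_ACCESS_ACCEPT = """\
User-Name=guest42
Airespace-ACL-Name=GUEST_AAA_OVERRIDE
cisco-av-pair=url-redirect-acl=ACL_WEBAUTH_REDIRECT
cisco-av-pair=url-redirect=https://ise.example.com:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
"""

# Constructed sample: ACL names present on the WLC. ACL_WEBAUTH_REDIRECT is
# deliberately missing, reproducing the misconfiguration described in the post.
WLC_ACLS = ["GUEST_AAA_OVERRIDE", "BLOCK_ALL"]

# cisco-av-pair=<key>=<value>; the value may itself contain '=' (a URL), so only
# the first '=' after the key separates key from value.
AV_PAIR = re.compile(r"^cisco-av-pair=([^=]+)=(.*)$")


@dataclass
class AuthzResult:
    """ACL references and redirect URL carried by one Access-Accept."""
    acl_names: Dict[str, str] = field(default_factory=dict)  # attribute -> ACL name
    redirect_url: str = ""


def parse_access_accept(text: str) -> AuthzResult:
    """Extract ACL names and the redirect URL from attribute=value lines."""
    result = AuthzResult()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_PAIR.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "url-redirect-acl":
                result.acl_names["url-redirect-acl"] = value
            elif key == "url-redirect":
                result.redirect_url = value
            continue
        if line.startswith("Airespace-ACL-Name="):
            result.acl_names["Airespace-ACL-Name"] = line.split("=", 1)[1]
    return result


def find_problems(result: AuthzResult, wlc_acls: List[str]) -> List[str]:
    """Return one message per ACL the WLC lacks, plus a redirect-URL sanity check."""
    problems = []
    known = set(wlc_acls)
    for attr, name in result.acl_names.items():
        if name not in known:
            problems.append(
                f"{attr} references ACL '{name}', which is not configured on the WLC"
            )
    if result.redirect_url and "sessionId=" not in result.redirect_url:
        problems.append("url-redirect carries no sessionId parameter")
    return problems


if __name__ == "__main__":
    parsed = parse_access_accept(ISE_ACCESS_ACCEPT)
    for msg in find_problems(parsed, WLC_ACLS) or ["all referenced ACLs exist on the WLC"]:
        print(msg)
```

Run against the constructed data it reports the missing `ACL_WEBAUTH_REDIRECT`; add that name to `WLC_ACLS` and the check passes. Only the name is compared, which matches the behaviour described above: the WLC looks the name up locally and never receives the ACL contents from ISE.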