Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
772
Views
0
Helpful
2
Replies

Captive Portal Looping

JohnC3
Level 1
Level 1

‎03-06-2024 06:38 AM

We are running 6 ISE ver 3.2 patch 3 servers and WLC-9800 ver 17.6.4. We have a WLC that are both on prem and at the datacenters.

It appears to have about every 30 days and this only happens with the offices that have the WLC on prem.  I will get a call and the users cannot log into the wifi.  After entering the credentials on the captive portal, either on the guest or corporate SSID.  The captive portal keeps prompting the user to enter the credentials again.

I do have a TAC case opened and they want me to run some debugs.  But by the time I get a call, log into ISE and set up the debugs to capture the information.  The issue is automatically resolved. This appears to only last about 15 minutes.  Everything is then working as it should be.

One local office has ISE-Server-1 as their first AAA server in the WLC and another local office has ISE-Server-2 as their first AAA server.

Now with the sites that connect to the WLC in the datacenter, they are set to flex. I have not gotten any calls about this.  It could be that no one has noticed this issue or they are not having the problem.

Has anyone come across this?

 

 

0 Helpful
2 Replies 2

Arne Bier
VIP
VIP

‎03-06-2024 01:56 PM

Frustrating for sure.  If it works once, then it should work consistently. 

Does this happen on any particular type of operating system? (iOS versus Windows?)

Might be useful to see your Wireless MAB Authorization logic (screenshot) - and the details of the Authorization Profiles that you return to the WLC. In addition, can you share the ACL/dACLs that are used for pre-auth and post-auth ?

The looping (prompting user to enter credentials again) indicates either

  • that the previous successful login did not store the Endpoint MAC in the assigned Endpoint Identity Group ... or
  • the PSN processing the most recent MAB request failed to match the Endpoint's MAC address and hence, failed through to the portal redirection.

We need to see your ISE Authorization Rules and Results etc.

 

0 Helpful

JohnC3
Level 1
Level 1
In response to Arne Bier

‎03-13-2024 01:30 PM

I sent the ISE support bundle TAC, waiting to hear back from them. In the meantime.

We have a set of controllers and the WAPs are local to those WLC's.  We have another set of WLCs.  9 sites connect to these WLCs and the WAPs are all flex.  Both sets of WLCs use the same PSN.  Guest SSID and Corporate SSID are all the same.  I have not gotten any reports from the flex sites that have the captive portal looping

0 Helpful
Customers Also Viewed These Support Documents