Cisco ISE 1.4 hotspot endpoint group

maarten_dhooghe
Level 1
Cisco ISE 1.4 patch 6

Cisco WLC 8.0.121

Setup:

The WLC has an SSID called Hotspot. It uses MAC auth with RADIUS NAC to redirect to the Hotspot guest portal on an ISE.

Initially the FlexConnect drops the users in VLAN 401 (with preAuthAcl); after the UAP there is a CoA to move the users to VLAN 413 with permitInternetAcl.

Problem description:

Users connect to the Hotspot SSID and get a valid IP address in VLAN 401.

They get redirected to the hotspot page on the ISE with a UAP and PIN code request.

If they disconnect from the network and reconnect, the ISE sends a CoA to move to 413 without passing the Hotspot portal.

What I noticed is that as soon as the users get the initial webpage redirect, they are moved to the endpoint group that is defined in the hotspot portal.

What I've been reading on this behaviour makes me understand that this is default behaviour, but if that is the case then I'm not sure how I can make my policy check whether the UAP has been accepted.

Thanks,

Maarten

Accepted Solutions

Cisco WLC 8.2.100

ISE 1.4 patch 6

Similar ISE Hotspot setup, similar rules except the VLAN change. I observed the same behaviour.

This setup was working on patch 5.

Update:

I found a workaround based on the following bug. Use the attribute below in the authorization rule. The Success page remains but no instant Internet access is available using this workaround.

https://tools.cisco.com/bugsearch/bug/CSCux22558/?referring_site=bugquickviewredir

"Workaround:
use EndPoints:LastAUPAcceptanceHours LESS 24 for example (means AUP were accepted less than 24 hours ago)"


2 Replies

Cool, that workaround is indeed working.

Now just waiting on the bug fix :)
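
Added example, not part of the original thread and not ISE's own policy engine: a simplified first-match model of the authorization policy discussed above, showing why a permit rule keyed only on the hotspot endpoint group lets a reconnecting client skip the portal, and how adding the `EndPoints:LastAUPAcceptanceHours LESS 24` condition from the workaround closes that gap. The group name, rule names and sample endpoints are constructed, and treating a missing attribute as a non-match is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

HOTSPOT_GROUP = "HotspotEndpoints"  # hypothetical endpoint identity group name
PERMIT = "vlan413+permitInternetAcl"
REDIRECT = "vlan401+preAuthAcl+portal-redirect"

@dataclass
class Endpoint:
    mac: str
    identity_group: str
    last_aup_acceptance_hours: Optional[int]  # None: AUP never accepted

@dataclass
class Rule:
    name: str
    condition: Callable[[Endpoint], bool]
    result: str

def in_hotspot_group(ep: Endpoint) -> bool:
    return ep.identity_group == HOTSPOT_GROUP

def aup_recent(ep: Endpoint, max_hours: int = 24) -> bool:
    # Models "EndPoints:LastAUPAcceptanceHours LESS 24".
    # Assumption: an endpoint without the attribute does not match.
    hours = ep.last_aup_acceptance_hours
    return hours is not None and hours < max_hours

CATCH_ALL = Rule("Hotspot-Redirect", lambda ep: True, REDIRECT)

# Before: permit as soon as the endpoint is in the portal's endpoint group.
POLICY_GROUP_ONLY = [Rule("Hotspot-Permit", in_hotspot_group, PERMIT), CATCH_ALL]

# After: the workaround also requires a recent AUP acceptance.
POLICY_WORKAROUND = [
    Rule("Hotspot-Permit", lambda ep: in_hotspot_group(ep) and aup_recent(ep), PERMIT),
    CATCH_ALL,
]

def authorize(policy: List[Rule], ep: Endpoint) -> str:
    """Return the result of the first rule whose condition matches."""
    for rule in policy:
        if rule.condition(ep):
            return rule.result
    return "deny"

# Constructed endpoints: redirected but never accepted, accepted 2 h ago, accepted 30 h ago.
NEVER_ACCEPTED = Endpoint("00:11:22:33:44:01", HOTSPOT_GROUP, None)
ACCEPTED_2H = Endpoint("00:11:22:33:44:02", HOTSPOT_GROUP, 2)
ACCEPTED_30H = Endpoint("00:11:22:33:44:03", HOTSPOT_GROUP, 30)

if __name__ == "__main__":
    for ep in (NEVER_ACCEPTED, ACCEPTED_2H, ACCEPTED_30H):
        print(ep.mac, authorize(POLICY_GROUP_ONLY, ep), authorize(POLICY_WORKAROUND, ep))
```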