Cisco ISE CWA issue

Ali Bahnam
Level 1

Good Day,

I have Cisco ISE 1.2 with Cisco 2960 NAD.

I configured the authorization for the employee successfully, but my issue is with the guest users: the link is not redirected.

Please advise what I have to put in the authentication policy default rule? Deny access?

And on the switch, should I connect the guest to specific ports, or do I have to configure a specific VLAN in the authorization profile?

Appreciate your support,

5 Replies

KiloBravo
Level 1

It may be best if you give an idea of the configuration you have on the NAD and what your relevant authentication/authorization policies and profiles look like. It would be easier to see what the problem is.

Hi,

Kindly find the attached Authentication and authorization details.

Regards,

Dear,

The problem that I'm facing is that when a user without dot1x (Guest) connects to the switch, the redirect link appears and I can do the self-registration, and when I put in the username and PW the ISE accepts them, but after that the ISE redirects me again to the client registration (I can't browse).

Your help is highly appreciated,

In your authorization policy you are giving your Wired-Guest the same result as Wired-Webauth.

First time through you don't know he's a guest so he hits Wired-Webauth and gets redirected. Second time through, you have him in guest flow, so you know he's an authenticated guest, he hits Wired-Guest, but you send him the same permissions "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed for instance.
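
The two-pass flow described in the answer above, as an added Python example that is not part of the original thread or of ISE itself. It models first-match rule evaluation and flags any rule that still redirects an authenticated guest; the rule order, the session attributes (`mab`, `guest_flow`) and the contents of `Guest_Allowed` are assumptions, since the poster's policy attachment is not on the page.

```python
# Added example: toy model of first-match authorization for wired CWA.
# Rule order, session attributes and Guest_Allowed are assumptions.

# Authorization profiles: does the result send a URL redirect to the switch?
PROFILES = {
    "Web_Auth": {"redirect": True},
    "Guest_Allowed": {"redirect": False},  # hypothetical post-login profile
    "DenyAccess": {"redirect": False},
}

def make_policy(guest_result):
    """Ordered (rule, required session attributes, profile); first match wins."""
    return [
        ("Wired-Guest", {"mab": True, "guest_flow": True}, guest_result),
        ("Wired-Webauth", {"mab": True}, "Web_Auth"),
    ]

def authorize(policy, session):
    for rule, required, profile in policy:
        if all(session.get(k) == v for k, v in required.items()):
            return rule, profile
    return "Default", "DenyAccess"

def simulate_cwa(policy):
    """One guest: MAB pass, portal login, then re-authorization in guest flow."""
    session = {"mab": True, "guest_flow": False}
    trace = []
    for _ in range(2):
        rule, profile = authorize(policy, session)
        trace.append((rule, profile))
        if not PROFILES[profile]["redirect"]:
            outcome = "denied" if profile == "DenyAccess" else "access"
            return trace, outcome
        session["guest_flow"] = True  # guest logged in on the portal
    return trace, "redirect-loop"

def lint(policy):
    """Rules that match authenticated guests yet still redirect them."""
    return [rule for rule, required, profile in policy
            if required.get("guest_flow") and PROFILES[profile]["redirect"]]

if __name__ == "__main__":
    for result in ("Web_Auth", "Guest_Allowed"):
        policy = make_policy(result)
        print(result, simulate_cwa(policy), "lint:", lint(policy))
```
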

Hi, 

We are also facing an issue with CWA

ISE ver- 1.4

Machine – windows 10

Phone – Avaya Phone

We are checking for machine auth then user auth 

Below is the configuration

switchport access vlan XX
switchport mode access
switchport voice vlan XX
ip access-group ISE-ALL in
authentication event fail action next-method
authentication event server dead action authorize vlan XX
authentication event server dead action authorize voic XX
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x mac-auth-bypass
dot1x timeout tx-period 2
dot1x max-reauth-req 1

I observed that when we shut/no shut the port, first the user hits CWA, and then after the phone authenticates and we do a log-off/login, it goes as per the expected behavior (first machine auth, then user auth).

Thanks in advance