12-02-2019 02:15 PM
My setup is Foreign-Anchor with an ISE PSN for Guest in the DMZ. Replication/Sync is OK between the Admin node and the Policy node in the DMZ. ISE version is 2.4.
I am able to self-register and the Sponsor approves. The Guest then gets an email, but is unable to log in, as the message says Authentication Failed. The problem is that not enough information is given as to what Identity Store ISE is checking.
I have pored through tons of captures and logs, yet found nothing. The only relevant information I got from a capture was a CoA-ACK from the Foreign WLC to the PSN, after the Dynamic Authorization from ISE, with Error 101 - Unknown(200).
I can see from the CWA that the right Guest Portal was presented during self-registration, and the portal has Guest_Portal_Sequence, which only contains Guest Users, Internal Endpoints and Internal Users.
This is really baffling, as I have deployed a Foreign-Anchor setup before in different organizations and never faced such an issue.
12-08-2019 11:53 AM
CSCvr08083 is an enhancement request as ISE Guest services are not disclosing the username based on the configuration.
As Jason already said, this really needs TAC and, if needed, escalation to the ISE ESC team.
Perhaps you took the wrong capture, but the Redirect_Auth_Steps.JPG was on the MAC address and it returned Access-Accept. Also, you should be able to verify whether the guest user is able to log in at the test portal URL.
12-02-2019 07:33 PM
12-02-2019 08:03 PM
Hi Francesco,
Thanks for the response. Most definitely, the timezone is not the problem, as the failure reason related to the timezone would be "Account not Active". This is a new deployment, the Sponsor approves without issue, and the exact Sponsor portal is checked in the Guest Portal settings.
Which Authentication log do you want? The redirect (CWA) or the Dynamic Authorization?
The authentication log for the Redirect doesn't show any error. The error is when COA from ISE is issued after the login attempt, even though the result summary shows that Dynamic Authorization Succeeded.
12-03-2019 07:56 AM - edited 12-03-2019 08:03 AM
Hi Francesco,
I have enabled "Disclose invalid username", and yet the log still shows INVALID and Guest Type NON_GUEST. Attached are the Redirect Authentication steps and the Guest Login failure.
I have checked the firewall and there's no dropped traffic either between the Foreign WLC and the PSN (hosting only the Guest Portal) or between the Admin Node and the PSN. I thought maybe it was something to do with replication, but the deployment list shows all nodes as Green. The internal PSN that hosts the Sponsor portal shows the account that was approved.
If only the ISE logs were robust enough to point to what ID store is being checked or what INVALID username it sees, I'm sure I would be able to diagnose and fix it. As I mentioned earlier, the only anomaly I see in the packet capture between the Foreign WLC and the DMZ PSN is the Accounting Response from the Foreign WLC with Error-Cause: Unknown(200).
Also, the client MAC address doesn't show up in the Context Visibility list, but it does in the RADIUS Live Logs.
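How the "Error 101 - Unknown(200)" seen in the CoA reply decodes, as an added example that is not part of the original thread or of any Cisco tooling: in RFC 5176 (Dynamic Authorization Extensions to RADIUS), attribute type 101 is Error-Cause, and its value 200 falls in the 200-299 "successful completion" range even though RFC 5176 registers no individual name for 200 (which is why the sniffer prints "Unknown"). The decoder below parses a CoA-ACK/CoA-NAK and classifies the Error-Cause by RFC 5176's ranges; the packet bytes, identifiers and zeroed authenticator are constructed for the example, and what the WLC vendor intends by 200 is not stated anywhere in this thread.

```python
"""Decoder for RADIUS Dynamic Authorization replies (RFC 5176).

Added example, not code from the original thread. The sample packets below are
constructed for illustration; they are not the capture discussed in the thread.
"""
import struct

# RADIUS packet codes used by CoA / Disconnect (RFC 5176, section 2.3)
CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}

ERROR_CAUSE = 101  # RADIUS attribute type Error-Cause (RFC 5176, section 3.5)

# Error-Cause values that RFC 5176 section 3.5 names individually
ERROR_CAUSE_NAMES = {
    201: "Residual Session Context Removed",
    202: "Invalid EAP Packet (Ignored)",
    401: "Unsupported Attribute",
    402: "Missing Attribute",
    403: "NAS Identification Mismatch",
    404: "Invalid Request",
    405: "Unsupported Service",
    406: "Unsupported Extension",
    407: "Invalid Attribute Value",
    501: "Administratively Prohibited",
    502: "Request Not Routable (Proxy)",
    503: "Session Context Not Found",
    504: "Session Context Not Removable",
    505: "Other Proxy Processing Error",
    506: "Resources Unavailable",
    507: "Request Initiated",
    508: "Multiple Session Selection Unsupported",
}


def error_cause_class(value):
    """Classify an Error-Cause value by the ranges defined in RFC 5176 section 3.5."""
    if 200 <= value <= 299:
        return "successful completion"
    if 400 <= value <= 499:
        return "fatal error committed by the client (NAS)"
    if 500 <= value <= 599:
        return "fatal error occurring on the server"
    return "reserved"


def parse_radius(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def decode_coa_reply(packet):
    """Name the reply code and decode the Error-Cause attribute, if present."""
    code, ident, _auth, attrs = parse_radius(packet)
    result = {"code": CODES.get(code, f"Unknown({code})"), "id": ident, "error_cause": None}
    for atype, val in attrs:
        if atype == ERROR_CAUSE and len(val) == 4:  # Error-Cause is a 4-byte integer
            value = struct.unpack("!I", val)[0]
            result["error_cause"] = {
                "value": value,
                "name": ERROR_CAUSE_NAMES.get(value, f"Unknown({value})"),
                "class": error_cause_class(value),
            }
    return result


def build_packet(code, ident, attrs):
    """Assemble a RADIUS packet with a zeroed authenticator (no shared secret in this example)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: a CoA-ACK carrying Error-Cause 200 (the pattern the thread
# describes) and a CoA-NAK carrying 503 for contrast.
SAMPLE_COA_ACK = build_packet(44, 7, [(ERROR_CAUSE, struct.pack("!I", 200))])
SAMPLE_COA_NAK = build_packet(45, 8, [(ERROR_CAUSE, struct.pack("!I", 503))])

if __name__ == "__main__":
    for pkt in (SAMPLE_COA_ACK, SAMPLE_COA_NAK):
        print(decode_coa_reply(pkt))
```

The point for troubleshooting is that a CoA-ACK with a 2xx Error-Cause is the NAS reporting success, which matches the "Dynamic Authorization Succeeded" summary in the ISE live log; a real rejection of the CoA would arrive as a CoA-NAK with a 4xx or 5xx cause (503 "Session Context Not Found" being the one to look for when the anchor and foreign controllers disagree about the session).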
12-03-2019 09:39 AM
12-03-2019 09:47 AM - edited 12-03-2019 09:55 AM
Thanks Jason,
I've seen the guide before and it's a wonderful piece. I have opened a case with TAC; they have yet to figure out what the problem is, and it has baffled them as well. They've gone through the config of all devices, ISE and WLC, and confirmed that all looks good.
I have done CWA with ISE in many deployments in the past and never had a single issue, though this is the first time I have had a PSN in the DMZ. I typically deploy a standalone node in the DMZ, but the firewall team in this case doesn't want it, as they wouldn't allow the Sponsor Portal in the DMZ, which would mean access to internal AD.
All the relevant ports between the PSN in the DMZ and the internal network devices (WLC and ISE) are allowed, and there isn't a single dropped packet in the firewall log.
12-03-2019 09:57 AM
12-08-2019 02:55 PM
Thanks Hslai,
I have already opened a TAC case and no resolution yet. I'll ask TAC to escalate to the ISE ESC team, as you suggested. Meanwhile, the Redirect_Auth_Steps.JPG capture is the CWA step and not the CoA, which failed.
02-17-2022 02:16 AM - edited 02-17-2022 02:16 AM
Did you get a fix from TAC? What was the issue? How did TAC fix it? I am seeing the same issue in ISE 3.0 Patch 4.
11-06-2024 07:52 AM
Hi all,
I have a similar problem. The Sponsor can create an account for a guest, and it is visible in Manage Accounts, but guests are not able to authenticate with the credentials. The error 'Invalid username or password' pops up. It seems ISE can authenticate existing users that were created yesterday, but cannot authenticate newly registered guests. It was working yesterday. Keep in mind we deleted one PSN which was not in use.
We have added the PSN back now, but it is still the same issue.