Hey there,
I'm on ISE version 3.0.0.458 and virtual WLC version 8.10.151.0. Here's how my authorization policy and the result is set up:
The issue I'm having is I can only reach the Hotspot-Portal on my second attempt connecting to the network. On the first attempt the portal page doesn't load and I can't reach any of the allowed servers on redirect ACLs but it seems to be working when I connect to the same SSID the second time.
Hope any of you guys have some idea about what's going on here.
Thank you,
Accepted Solutions
Are there any indications of what might be happening found in the detailed session logs? It will be difficult to pinpoint the issue without more information.
The only thing I can think of off-hand would be to ensure that your MAB AuthC Policy is configured with the Setting for 'If User not found = Continue'
Hey Greg,
I have the mab auth policy configured the same as you have described:
Here are the logged steps under both attempts:
First Attempt:
Steps
| 11001 | Received RADIUS Access-Request | |
| 11017 | RADIUS created a new session | |
| 11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10)) | |
| 15049 | Evaluating Policy Group | |
| 15008 | Evaluating Service Selection Policy | |
| 15048 | Queried PIP - Normalised Radius.RadiusFlowType | |
| 15048 | Queried PIP - Radius.Called-Station-ID | |
| 15041 | Evaluating Identity Policy | |
| 15013 | Selected Identity Source - Internal Endpoints | |
| 24209 | Looking up Endpoint in Internal Endpoints IDStore - E6:7D:4E:46:2D:63 | |
| 24217 | The host is not found in the internal endpoints identity store | |
| 22056 | Subject not found in the applicable identity store(s) | |
| 22058 | The advanced option that is configured for an unknown user is used | |
| 22060 | The 'Continue' advanced option is configured in case of a failed authentication request | |
| 24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory | |
| 15036 | Evaluating Authorization Policy | |
| 24209 | Looking up Endpoint in Internal Endpoints IDStore - E6:7D:4E:46:2D:63 | |
| 24217 | The host is not found in the internal endpoints identity store | |
| 15048 | Queried PIP - Network Access.UserIdentity | |
| 15048 | Queried PIP - Network Access.UserName | |
| 15048 | Queried PIP - IdentityGroup.Name | |
| 15016 | Selected Authorization Profile - Guest-Wireless-Redirect | |
| 11002 | Returned RADIUS Access-Accept |
Second attempt:
Steps
| 11001 | Received RADIUS Access-Request | |
| 11017 | RADIUS created a new session | |
| 11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10)) | |
| 15049 | Evaluating Policy Group | |
| 15008 | Evaluating Service Selection Policy | |
| 15048 | Queried PIP - Normalised Radius.RadiusFlowType | |
| 15048 | Queried PIP - Radius.Called-Station-ID | |
| 15041 | Evaluating Identity Policy | |
| 15013 | Selected Identity Source - Internal Endpoints | |
| 24209 | Looking up Endpoint in Internal Endpoints IDStore - E6:7D:4E:46:2D:63 | |
| 24211 | Found Endpoint in Internal Endpoints IDStore | |
| 22037 | Authentication Passed | |
| 24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory | |
| 15036 | Evaluating Authorization Policy | |
| 15016 | Selected Authorization Profile - Guest-Wireless-Redirect | |
| 11002 | Returned RADIUS Access-Accept |
Did you check in your Authentication Allowed Protocols configuration for MAB that ALLOW PAP/ASCII in addition to Process Host Lookup are checked?. MAB requests are treated as PAP authentications by ISE (in some cases CHAP is used so I selected both for my configuration).
Without much information other than the logs, I guess your issue is related to this. Do no select Hotspot, use CWA, see next. I have the same setup CWA + Flexconnect on my WLC and it works for a single PSN as radius entry.
Let me provide you a sequence of screenshots with the working configuration I have. Checked DNS entries for the Guest Portal as well.
