Date: 02-28-2022 02:36 PM
Hey there,
I'm on ISE version 3.0.0.458 and virtual WLC version 8.10.151.0. Here's how my authorization policy and the result are set up:
The issue I'm having is that I can only reach the Hotspot Portal on my second attempt connecting to the network. On the first attempt the portal page doesn't load and I can't reach any of the allowed servers in the redirect ACLs, but it seems to be working when I connect to the same SSID a second time.
Hope any of you guys have some idea about what's going on here.
Thank you,
Solved! Go to Solution.
02-28-2022 10:03 PM - edited 02-28-2022 10:04 PM
Are there any indications of what might be happening found in the detailed session logs? It will be difficult to pinpoint the issue without more information.
The only thing I can think of off-hand would be to ensure that your MAB AuthC Policy is configured with the setting 'If User not found = Continue'.
Date: 03-02-2022 11:25 AM
Hey Greg,
I have the MAB auth policy configured the same as you have described:
Here are the logged steps under both attempts:
First Attempt:
11001 | Received RADIUS Access-Request
11017 | RADIUS created a new session
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 | Evaluating Policy Group
15008 | Evaluating Service Selection Policy
15048 | Queried PIP - Normalised Radius.RadiusFlowType
15048 | Queried PIP - Radius.Called-Station-ID
15041 | Evaluating Identity Policy
15013 | Selected Identity Source - Internal Endpoints
24209 | Looking up Endpoint in Internal Endpoints IDStore - E6:7D:4E:46:2D:63
24217 | The host is not found in the internal endpoints identity store
22056 | Subject not found in the applicable identity store(s)
22058 | The advanced option that is configured for an unknown user is used
22060 | The 'Continue' advanced option is configured in case of a failed authentication request
24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 | Evaluating Authorization Policy
24209 | Looking up Endpoint in Internal Endpoints IDStore - E6:7D:4E:46:2D:63
24217 | The host is not found in the internal endpoints identity store
15048 | Queried PIP - Network Access.UserIdentity
15048 | Queried PIP - Network Access.UserName
15048 | Queried PIP - IdentityGroup.Name
15016 | Selected Authorization Profile - Guest-Wireless-Redirect
11002 | Returned RADIUS Access-Accept
Second Attempt:
11001 | Received RADIUS Access-Request
11017 | RADIUS created a new session
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 | Evaluating Policy Group
15008 | Evaluating Service Selection Policy
15048 | Queried PIP - Normalised Radius.RadiusFlowType
15048 | Queried PIP - Radius.Called-Station-ID
15041 | Evaluating Identity Policy
15013 | Selected Identity Source - Internal Endpoints
24209 | Looking up Endpoint in Internal Endpoints IDStore - E6:7D:4E:46:2D:63
24211 | Found Endpoint in Internal Endpoints IDStore
22037 | Authentication Passed
24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 | Evaluating Authorization Policy
15016 | Selected Authorization Profile - Guest-Wireless-Redirect
11002 | Returned RADIUS Access-Accept
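The two step traces above are easiest to compare mechanically. The script below is an added example (not code from the thread or from Cisco): it parses ISE step lines in the pasted "code | message" form, reports where the two traces first diverge, and summarises what each trace actually decided. The sample traces are constructed from the lines in the post; the step codes referenced (24211, 24217, 22037, 22060, 15016, 11002) are the ones visible there.

```python
"""Compare two Cisco ISE authentication step traces (added example, not from the thread).

The sample traces are constructed from the step lines pasted above: the same MAC
on its first and second association to the guest SSID. Trailing empty columns
("| |") are kept as pasted in the forum; the parser tolerates them.
"""
from dataclasses import dataclass

FIRST_ATTEMPT = """\
11001 | Received RADIUS Access-Request | |
11017 | RADIUS created a new session | |
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10)) | |
15049 | Evaluating Policy Group | |
15008 | Evaluating Service Selection Policy | |
15048 | Queried PIP - Normalised Radius.RadiusFlowType | |
15048 | Queried PIP - Radius.Called-Station-ID | |
15041 | Evaluating Identity Policy | |
15013 | Selected Identity Source - Internal Endpoints | |
24209 | Looking up Endpoint in Internal Endpoints IDStore - E6:7D:4E:46:2D:63 | |
24217 | The host is not found in the internal endpoints identity store | |
22056 | Subject not found in the applicable identity store(s) | |
22058 | The advanced option that is configured for an unknown user is used | |
22060 | The 'Continue' advanced option is configured in case of a failed authentication request | |
24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory | |
15036 | Evaluating Authorization Policy | |
24209 | Looking up Endpoint in Internal Endpoints IDStore - E6:7D:4E:46:2D:63 | |
24217 | The host is not found in the internal endpoints identity store | |
15048 | Queried PIP - Network Access.UserIdentity | |
15048 | Queried PIP - Network Access.UserName | |
15048 | Queried PIP - IdentityGroup.Name | |
15016 | Selected Authorization Profile - Guest-Wireless-Redirect | |
11002 | Returned RADIUS Access-Accept |
"""

SECOND_ATTEMPT = """\
11001 | Received RADIUS Access-Request | |
11017 | RADIUS created a new session | |
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10)) | |
15049 | Evaluating Policy Group | |
15008 | Evaluating Service Selection Policy | |
15048 | Queried PIP - Normalised Radius.RadiusFlowType | |
15048 | Queried PIP - Radius.Called-Station-ID | |
15041 | Evaluating Identity Policy | |
15013 | Selected Identity Source - Internal Endpoints | |
24209 | Looking up Endpoint in Internal Endpoints IDStore - E6:7D:4E:46:2D:63 | |
24211 | Found Endpoint in Internal Endpoints IDStore | |
22037 | Authentication Passed | |
24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory | |
15036 | Evaluating Authorization Policy | |
15016 | Selected Authorization Profile - Guest-Wireless-Redirect | |
11002 | Returned RADIUS Access-Accept |
"""

# Step codes taken from the traces above.
ENDPOINT_FOUND, ENDPOINT_NOT_FOUND = "24211", "24217"
AUTHN_PASSED, CONTINUE_ON_UNKNOWN = "22037", "22060"
AUTHZ_PROFILE_SELECTED, ACCESS_ACCEPT = "15016", "11002"


@dataclass(frozen=True)
class Step:
    code: str
    message: str


def parse_steps(text):
    """Parse 'code | message [| |]' lines; ignore anything that is not a 5-digit step."""
    steps = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) >= 2 and len(parts[0]) == 5 and parts[0].isdigit():
            steps.append(Step(parts[0], parts[1]))
    return steps


def first_divergence(a, b):
    """Return (index, step_a, step_b) at the first differing step code, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x.code != y.code:
            return i, x, y
    if len(a) != len(b):
        i = min(len(a), len(b))
        return i, (a[i] if i < len(a) else None), (b[i] if i < len(b) else None)
    return None


def summarize(steps):
    """Condense a trace into the decisions that matter for a MAB + redirect flow."""
    codes = [s.code for s in steps]
    profile = next((s.message.split(" - ", 1)[1] for s in steps
                    if s.code == AUTHZ_PROFILE_SELECTED and " - " in s.message), None)
    return {
        "endpoint_known": ENDPOINT_FOUND in codes,
        "continued_on_unknown_endpoint": CONTINUE_ON_UNKNOWN in codes,
        "authentication_passed": AUTHN_PASSED in codes,
        "authz_profile": profile,
        "access_accept": ACCESS_ACCEPT in codes,
    }


if __name__ == "__main__":
    first, second = parse_steps(FIRST_ATTEMPT), parse_steps(SECOND_ATTEMPT)
    print("diverge at:", first_divergence(first, second))
    print("first :", summarize(first))
    print("second:", summarize(second))
```

The two traces differ only in whether the MAC was already in the Internal Endpoints store (24217 vs 24211 at step 11). Both end with the same authorization profile and an Access-Accept, so from ISE's point of view the two attempts are equivalent; that is consistent with the issue being on the WLC side, which is where the thread eventually finds the fix.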
Date: 03-01-2022 09:49 AM
Do you have NAC enabled on the WLC, and AAA override? The ACL name on ISE must be the same as the one on the WLC. Are you using CAPWAP or FlexConnect? If you are using load balancing like F5 for the PSNs, then you need SNAT. If not, then you need to have all the PSNs listed in the WLC as trusted RADIUS servers (global config). Check that you have all PSNs in a cluster group.
03-02-2022 11:37 AM - edited 03-02-2022 11:40 AM
Hey ajc,
I have NAC enabled and AAA override is checked on the WLC. I have re-checked the ACL name on both sides. I know the redirect ACL works, but only on the second attempt. I'm not using load balancing and have only a single ISE node, which is listed as the RADIUS server in the WLC. The AP is in FlexConnect mode. I have a similar configuration to this video: https://www.youtube.com/watch?v=Zb6uTmzsSAE&ab_channel=CiscoCommunity
thanks,
Date: 03-02-2022 12:16 PM
Did you check in your Authentication Allowed Protocols configuration for MAB that ALLOW PAP/ASCII is checked in addition to Process Host Lookup? MAB requests are treated as PAP authentications by ISE (in some cases CHAP is used, so I selected both for my configuration).
Date: 03-02-2022 12:17 PM
The following article explains that part.
https://www.ciscopress.com/articles/article.asp?p=2091952&seqNum=3
Date: 03-02-2022 12:51 PM
Without much information other than the logs, I guess your issue is related to this. Do not select Hotspot; use CWA, see next. I have the same setup, CWA + FlexConnect, on my WLC and it works with a single PSN as the RADIUS entry.
Date: 03-02-2022 02:52 PM
Made the changes you advised but am still running into the same issue.
Just to add to this, when I try connecting to the SSID with a fresh MAC address the WLC logs show this:
[*03/02/2022 22:29:42.2980] chatter: client_ip_table :: ClientIPTable:Client (92:DD:B7:A3:9F:5C) not found for webauth
On the second attempt, when the portal redirection works, it says this:
[*03/02/2022 22:30:23.5450] chatter: client_ip_table :: ClientIPTable no client entry found, dropping packet 92:DD:B7:A3:9F:5C
03-03-2022 06:33 AM - edited 03-03-2022 06:37 AM
Let me provide you with a sequence of screenshots of the working configuration I have. I checked the DNS entries for the Guest Portal as well.
Date: 03-03-2022 06:39 AM
Another picture I forgot.
Date: 03-03-2022 10:43 AM
Hey ajc,
Thank you for showing me the details of your configuration. Unfortunately, having the same setup did not help my situation. I ended up upgrading the vWLC from version 8.10.151.0 to 8.10.162.0, which fixed the issue.
Thank you again for your help.
Cheers!!