01-16-2015 05:25 AM - last edited on 03-25-2019 05:32 PM by ciscomoderator
hi,
I have configured ISE with a WLC for two WLANs (guest VLAN 20 and staff VLAN 1). The staff SSID is working fine, but the guest SSID does not go to the internet. When I do a traceroute, I discover that my guest clients do not reach my router, although the ISE server can reach the router. I have attached my access-list, which I'm not sure if it is the one causing my dilemma. I am trying to figure out why traffic is not moving to the router after redirection occurs.
01-16-2015 07:06 PM
Hi there. A couple of remarks/questions:
1. Are you trying to perform CWA (Central Web Auth)?
2. The ACL is not getting any hits; this tells me that it is most likely not being applied on the guest flow session
3. Keep in mind that WLC ACLs are not reflexive, thus you must explicitly allow traffic in both directions. Your current ACL looks fine but I just wanted to throw this out there :)
4. Can you share screen shots of your:
- Guest authorization policy
- The "Authorization Profile" that you are returning for both the Guest_CWA rule and then authenticated guests?
Thank you for rating helpful posts!
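
The point in item 3 above (WLC ACLs are not reflexive, so return traffic needs its own permit rule) can be checked mechanically. The following is an added example, not part of the original thread and not Cisco code: it uses a simplified rule model, and the guest subnet, ISE address and portal port are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:              # simplified model of one ACL line (assumption)
    direction: str       # "in" = from client, "out" = toward client, or "any"
    src: str             # source network in CIDR form
    dst: str             # destination network in CIDR form
    proto: str           # "tcp", "udp" or "any"
    sport: str           # port number as text, or "any"
    dport: str
    action: str          # "permit" or "deny"

def _covers(rule_val, want):
    return rule_val == "any" or rule_val == want

def _net_covers(rule_net, want_net):
    return ip_network(want_net).subnet_of(ip_network(rule_net))

def mirror(r):
    """Return the rule the reply packets of r would need to match."""
    flip = {"in": "out", "out": "in", "any": "any"}
    return Rule(flip[r.direction], r.dst, r.src, r.proto, r.dport, r.sport, r.action)

def missing_return_rules(rules):
    """List permit rules whose reply direction no permit rule covers."""
    permits = [r for r in rules if r.action == "permit"]
    missing = []
    for r in permits:
        m = mirror(r)
        if not any(_covers(p.direction, m.direction) and _covers(p.proto, m.proto)
                   and _covers(p.sport, m.sport) and _covers(p.dport, m.dport)
                   and _net_covers(p.src, m.src) and _net_covers(p.dst, m.dst)
                   for p in permits):
            missing.append(r)
    return missing

GUEST, ISE, ANY = "10.0.20.0/24", "10.0.1.5/32", "0.0.0.0/0"  # constructed values
SAMPLE_ACL = [
    Rule("in",  GUEST, ANY,   "udp", "any", "53",   "permit"),  # DNS query
    Rule("out", ANY,   GUEST, "udp", "53",  "any",  "permit"),  # DNS reply
    Rule("in",  GUEST, ISE,   "tcp", "any", "8443", "permit"),  # portal, no return rule
    Rule("any", ANY,   ANY,   "any", "any", "any",  "deny"),
]

if __name__ == "__main__":
    for r in missing_return_rules(SAMPLE_ACL):
        print("no return permit for:", r)
```
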
01-16-2015 10:40 PM
hi,
thank you for your answer.
I am pretty green in this; any assistance will be highly appreciated.
Thanx
01-16-2015 11:01 PM
OK, let's fix a couple of things:
- Under "Authentication" change the identity store to "Internal Endpoint"
- Then under "Options" set the "If Authentication Fails" to "Reject"
Also, confirm that:
1. You have configured the ISE server(s) under the AAA configurations in the WLC
2. You have selected the ISE servers under the "AAA Servers" tab on the WLC
3. There are no settings under the "Layer 3 Security" on the SSID
4. In ISE, under the "Live Authentications" screen, can you confirm that you are seeing hits for the "Guest Redirection" authorization rule that you have created
Lastly, check out this doc/link as it provides step by step instructions :)
Let me know how it goes!
Thank you for rating helpful posts!
01-19-2015 01:19 AM
hi Neno,
Thank you very much, but my problem does not seem to get resolved. I have done all that and even reset ISE and followed that document to the letter, but still my guests do not get to the internet. Is there anything else you can think of that I am missing?
01-19-2015 06:20 AM
Hi,
My access-list is now getting hits in all the rules, but still I can not get access to the internet. I have tried creating another rule using a permit-all access-list, but it is still not working. I have attached the profile and the access-list. Please help me identify where I am going wrong.
01-22-2015 07:43 AM
OK, so is the redirection at least not working? Just want to make sure that we fixed at least the first issue before moving on to the second one :)
So for the second issue: Have you checked in ISE and confirmed that your guest authorization policy is being hit after the guest authenticates?
Also, do you have an upstream device that might have an ACL blocking the connection? Last but not least, make sure that the guest network has full connectivity to the internet (routing, VLANs, etc.).
Thank you for rating helpful posts!