CWA reauthentication window pop up in ISE

adityaM1234
Level 1

Hi All,

We are facing an issue with CWA in ISE.

Following is the scenario:

1) We are using EAP-TLS with machine auth.

2) If an endpoint does not have a machine certificate, it falls under the CWA-wired profile, where an ISE guest portal is presented to the user.

3) The user enters valid domain credentials and gets access using the CWA-Employee authorization profile.

Now the issue is:

1) After a random interval of time, the user is automatically redirected to the ISE guest portal (CWA-wired authorization profile) page, where the user needs to enter domain credentials again. On entering valid credentials, the user gets access (CWA-Employee authorization profile), but again after a random interval of time (sometimes 19 minutes, sometimes 10 minutes) the user is presented with the ISE guest portal page (the CWA-wired authorization profile kicks in). This process goes on and on.

We believe that this is an issue related to timers on the switch.

We used the following approach to resolve the issue:

1) On the switch:

   authentication periodic

   authentication timer reauthenticate server (here server means ISE)

   On ISE:

   Under the CWA-Employee authorization profile, we checked the REAUTHENTICATE tab, in which we gave a fixed time in seconds.

But we still did not get a working solution for this issue, and the issue persists.

Please help us in solving the issue.

Thanking you in advance.

Aditya

6 Replies

Venkatesh Attuluri
Cisco Employee

This can mostly be an issue with the authorization policy. Can you paste a screenshot of the authz policy? What are the versions of ISE and the NAD?

Hi Venkatesh,

Thank you for the reply.

After a packet capture on the endpoint, we have observed that it is the endpoint that is sending the EAPOL start message, due to which this is happening. Now we are looking to change the EAP timings on the supplicant through GPO.

Thanks,

Aditya

Also, what are your "idle/inactivity timer" settings?

Hi Neno,

The inactivity timer on the switch is set to 65535 (authentication timer inactivity 65535).

Disconnections are still taking place.

Thanks,

Aditya

Hi All,

This is urgent, as I am facing an issue at a client site.

The client is using a proxy. I set 8080 in the browser, and on the switch I used ip port-map http port 8080 and ip http port 8080.

The users who have the proxy on 8080 are getting the NAC agent pop-up for posture check, which is correct behaviour.

Now the issue is that there are some users who use a different port for the proxy (e.g. port 1080). For those users the NAC agent does not pop up, and they get disconnected from the network (as the posture check does not take place).

Now, in order to give these users network access, the NAC agent should pop up for posture check.

My question is: how can this be done?

(I found that on the switch we can give only one redirection port, e.g. ip port-map http 8080.)

Thanking in advance

Thanks

Aditya
