01-24-2019 12:25 PM
We have a Guest hotspot deployment with an AUP page. For some iPhones, after users accepted the AUP page, the CoA fires off correctly. However, the following request is an Authorize-only request, and it hits the default policy set (Basic authenticated access). It does not hit the Guest policy we created. If we remove the endpoint from the WLC, it comes back and hits the correct Guest policy.
Is there any way to fix this Authorize-only request? It seems that it is not like wirelessMAB (the authentication method is authorize only) and that is the reason it does not hit the correct MAC filtering policy.
01-24-2019 01:05 PM
What are you using as your policy set admission criteria for the Guest policy set? You should just be using RADIUS Called Station ID contains the name of your Guest SSID.
01-24-2019 01:48 PM
01-24-2019 02:12 PM
02-21-2024 07:58 PM - edited 02-21-2024 07:59 PM
Paul,
Thanks for this pointer. I'm facing the exact same issue detailed by the OP and come to think of it, my Policy Set uses two conditions: Wireless_MAB AND Radius-Called-Station-ID EQUALS <SSID>.
So I removed Wireless_MAB from the top level. Will give this a try first thing tomorrow and report back.
02-22-2024 08:45 AM
Did you ever fix this? I have the same issue with iPhone devices only. Submitted a TAC case, waiting to hear back.
03-18-2024 06:02 AM
In order for ISE to process an Authorize Only RADIUS request, you can create an authentication policy with the condition “Radius: Service-Type equals Authorize Only” and then for the policy options, make sure that If Auth Fail is set to Continue.
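Added example, not part of any post in this thread and not ISE's own code: a simplified Python model of first-match policy set selection, showing why an Authorize-Only request misses a Guest policy set gated on Wireless_MAB AND Called-Station-ID but matches one gated on Called-Station-ID alone. The Wireless_MAB definition (Service-Type Call Check plus NAS-Port-Type Wireless-802.11), the SSID name and both sample requests are assumptions constructed for illustration.

```python
# Simplified model of policy set admission; condition definitions are assumptions,
# not an export of any real ISE configuration.
CALL_CHECK, AUTHORIZE_ONLY = 10, 17   # Service-Type values (RFC 2865 / RFC 5176)
WIRELESS_80211 = 19                   # NAS-Port-Type value (RFC 2865)
GUEST_SSID = "Guest-WiFi"             # constructed SSID name


def wireless_mab(req):
    """Assumed Wireless_MAB condition: MAB (Call Check) over a wireless port."""
    return (req.get("Service-Type") == CALL_CHECK
            and req.get("NAS-Port-Type") == WIRELESS_80211)


def called_station_has_ssid(req):
    """Called-Station-Id CONTAINS the guest SSID (assumed '<AP MAC>:<SSID>' format)."""
    return GUEST_SSID in req.get("Called-Station-Id", "")


def select_policy_set(req, policy_sets):
    """Return the first policy set whose conditions all match, else 'Default'."""
    for name, conditions in policy_sets:
        if all(cond(req) for cond in conditions):
            return name
    return "Default"


# Policy set admission criteria before and after removing Wireless_MAB.
BEFORE = [("Guest", [wireless_mab, called_station_has_ssid])]
AFTER = [("Guest", [called_station_has_ssid])]

# Constructed sample requests: initial MAB, then the request that follows the CoA.
INITIAL_MAB = {"Service-Type": CALL_CHECK, "NAS-Port-Type": WIRELESS_80211,
               "Called-Station-Id": "00-11-22-33-44-55:Guest-WiFi"}
POST_COA = {"Service-Type": AUTHORIZE_ONLY, "NAS-Port-Type": WIRELESS_80211,
            "Called-Station-Id": "00-11-22-33-44-55:Guest-WiFi"}

if __name__ == "__main__":
    for label, sets in (("before", BEFORE), ("after", AFTER)):
        for rname, req in (("initial MAB", INITIAL_MAB), ("post-CoA", POST_COA)):
            print(f"{label:6} | {rname:11} -> {select_policy_set(req, sets)}")
```
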