
Guest Portal Access using ISE

Pete Bauer
Level 1

I'm reposting over here from the wireless forum since this seems more of an ISE issue.

I’m having an issue setting up the Guest Portal Access for our wireless network.

I’m trying to set up an SSID anchored in the DMZ for internet access only. The authentication to this would be granted via the ISE Guest Access Portal.

I’ve got the SSID created and tested working with no authentication.

When I enable the Guest Portal (per these instructions http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml), I can log in and create a guest account. I have the guest go to the portal, log in, and hit ‘I accept’, but then instead of redirecting them to whatever page they tried to access, it sends them back to the guest login page (with still no access to the network resources).

Attached is what the log in ISE looks like.

tlaptop1 is the guest login that I used for the test machine. Again, it accepted that login with no issue, giving me the usage policy, and once I hit 'I agree', it stalls and I get all the failures as I've shown here.

Please ignore the red lines - those are not applicable to this issue.

Am I missing a simple setting somewhere?

Thanks,

Pete

1 Accepted Solution

Accepted Solutions

Pete,

You should be able to edit the shared secret.

Tarik Admani
*Please rate helpful posts*


7 Replies

Pete Bauer
Level 1

I'm seeing this in the logs on the Anchor controller (slaptop1 is a test account).

Did you configure the authentication from the anchor controller? The error message looks like the shared secret is incorrect. Please make sure that the shared secret from the anchor controller and the ISE node are the same. Even though you see the green, this means that the user authentication to the ISE guest page was correct. However, the return RADIUS authentication was incorrect.

Here is a brief explanation of how the web authentication feature works: once the user authenticates to the portal, the WLC makes a RADIUS request in order to pull the attributes, since that cannot be done via HTTPS.

Please note step 12 here - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1296954

Thanks and good luck!

Tarik Admani
*Please rate helpful posts*
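
The shared-secret mismatch described in the reply above, as an added example that is not part of the original thread and is not Cisco code: it builds a RADIUS Access-Request the way a controller would (RFC 2865 password hiding plus the RFC 2869 Message-Authenticator) and checks it the way the RADIUS server would, first with the matching secret and then with a different one. The secrets, password, request authenticator and function names are constructed for illustration, and the PAP-with-Message-Authenticator request shape is an assumption about the exchange.

```python
import hashlib
import hmac
import struct

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, req_auth):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(user, password, secret, ident, req_auth):
    # Code 1 = Access-Request; attributes 1 = User-Name, 2 = User-Password,
    # 80 = Message-Authenticator (HMAC-MD5 over the packet with that field zeroed)
    body = attr(1, user) + attr(2, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", 1, ident, 20 + len(body) + 18) + req_auth
    mac = hmac.new(secret, header + body + attr(80, b"\x00" * 16), hashlib.md5).digest()
    return header + body + attr(80, mac)

def server_check(packet, secret):
    """Return (message_authenticator_ok, recovered_password) as the server sees them."""
    req_auth, pos, attrs = packet[4:20], 20, {}
    zeroed = bytearray(packet)
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        if attr_type == 80:
            zeroed[pos + 2:pos + length] = b"\x00" * 16
        pos += length
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, attrs[80]), unhide_password(attrs[2], secret, req_auth)
```

With the wrong secret the server either rejects the packet on the Message-Authenticator check or, without that attribute, recovers a garbage password, so the RADIUS leg fails even though the portal login itself succeeded.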

Thanks for the tips!

I tried to remove the RADIUS server settings and re-add them to the Anchor controller but ran into an issue.

When removing I get the following error - 'Authentication Server could not be deleted as it is being used by either a WLAN or Mesh Radius Server Configuration'.

I disabled it under the AAA settings on all the WLANs without any luck.

Any thoughts?

Thanks again,

Pete

I wouldn't worry about removing it, just set the shared secret to something simple to see if that fixes the issue.


I think the only way I can edit the shared secret on the WLC is to remove and re-add. I don't see an option to edit.

Pete,

You should be able to edit the shared secret.

Tarik Admani
*Please rate helpful posts*

Got it - Tested Working!

Thanks for your help, Tarik!