07-31-2012 05:08 AM - edited 03-10-2019 07:21 PM
I'm reposting over here from the wireless forum since this seems more of an ISE issue.
I’m having an issue setting up the Guest Port Access for our wireless network.
I’m trying to set up an SSID anchored in the DMZ for internet access only. The authentication to this would be granted via the ISE Guest Access Portal.
I’ve got the SSID created and tested working with no authentication.
When I enable the Guest Portal (per these instructions http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml), I can log in and create a guest account. I have the guest go to the portal, log in, and hit ‘I accept’, but then instead of redirecting them to whatever page they tried to access, it sends them back to the guest login page (with still no access to the network resources).
Attached is what the log in ISE looks like.
tlaptop1 is the guest login that I used for the test machine. Again, it accepted that login with no issue giving me the usage policy and once I hit 'I agree', it stalls and I get all the failures as I've shown here.
Please ignore the red lines - those are not applicable to this issue.
Am I missing a simple setting somewhere?
Thanks,
Pete
07-31-2012 07:57 AM
07-31-2012 09:33 AM
Did you configure the authentication from the anchor controller? The error message looks like the shared secret is incorrect. Please make sure that the shared secret from the anchor controller and the ISE node are the same. Even though you see the green, this means that the user authentication to the ISE guest page was correct. However, the return RADIUS authentication was incorrect.
Here is a brief explanation of how the web authentication feature works: once the user authenticates to the portal, the WLC makes a RADIUS request in order to pull the attributes, since that cannot be done via HTTPS.
Please note step 12 here - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1296954
Thanks and good luck!
Tarik Admani
*Please rate helpful posts*
08-01-2012 05:06 AM
Thanks for the tips!
I tried to remove the RADIUS server settings and re-add them to the Anchor controller but ran into an issue.
When removing, I get the following error - 'Authentication Server could not be deleted as it is being used by either a WLAN or Mesh Radius Server Configuration'.
I disabled it under the AAA settings on all the WLANs without any luck.
Any thoughts?
Thanks again,
Pete
08-01-2012 05:09 AM
I wouldn't worry about removing it, just set the shared secret to something simple to see if that fixes the issue.
08-01-2012 05:13 AM
I think the only way I can edit the shared secret on the WLC is to remove and re-add. I don't see an option to edit.
08-01-2012 08:06 AM
Pete,
You should be able to edit the shared secret.
Tarik Admani
*Please rate helpful posts*
08-01-2012 08:41 AM
Got it - Tested Working!
Thanks for your help, Tarik!