3152 Views, 0 Helpful, 2 Replies

Guest Portal - authentication loop on Guest Portal

AigarsK
Level 1

Hi All,

I have the following issue. We are running ISE 2.7 Patch 2 and recently one of our distributed PSNs used for the Guest portal had its interface configuration updated to use Bond 1 instead of its original Gig3 interface. Gig3 was cleared and its IP moved to Gig2, and Gig3 was set up as backup as per the configuration guides. What was not noticed is that ISE services on this node stayed in "not running" state until I was asked to test post change implementation. At this time all endpoint authentication was passed over to another PSN, which did not have any interfaces configured, and the expected errors stating that were received. Ended up starting services on the original node and confirmed that all wireless guest portal authentications are happening against the intended PSN node.

The issue: Endpoints connect to the SSID and get prompted for login; the user types in username and password and on the success page it should redirect to the company's website. I briefly see the URL it tries, only to get back to the login screen. URL redirect loop in its full glory.

The 9800 WLC is configured with the ACL used in the redirect AuthZ Profile and the URL it is redirecting to is correct, so the new Bond 1 interface config appears to be working.

The WLC has NAC and aaa-override configured, aaa accounting is in place, CoA configuration is configured correctly, and aaa servers show as working. Live logs show that the CoA after authentication success has been successful.

What I am however not seeing is the MAC address of the endpoint getting statically assigned to the GuestEndpoints endpoint identity group, which we have used in the portal's Guest Type config as the group to place the MAC into, and which is further used in the AuthZ rule sitting above the rule doing the redirect. The AuthZ rule conditions state: if in GuestEndpoints and it is Wireless_MAB, for matching.

Have already raised a TAC case but they stated it will take them days to review and come up with a solution. Other posts discussing a similar loop do not state issues with endpoint static group membership; other than the changes to the interface nothing else has been changed.

Things done so far:

• WLC has been re-provisioned from DNAC so the same config templates have been applied.

• We have performed a full resync from the deployment section in ISE for the node which had its services in "not running" state after the change, and the node has been rebooted.

• We have tried using a new endpoint identity group where the MAC gets placed into and had a corresponding AuthZ rule for it above the redirect rule.

• Have restarted services and the node which is the current primary PAN, as it is its responsibility for guest flows to work.

• I have run endpoint debug at the time of the issue and did see that Attributes stated identity group static assigned as GuestEndpoints, but at the same time I do not see the MAC in the endpoints section at all, as all tests are usually carried out by having the device forget the network, terminating the session from ISE and deleting the MAC from endpoints.

What else is left to check? Advice would be appreciated.
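The loop the post describes hinges on ordered, first-match authorization: after the portal login succeeds, ISE should place the MAC into GuestEndpoints and send a CoA, and the re-authentication should then hit the "known guest" rule above the redirect rule. If the group assignment never lands in the endpoint database, the re-authentication matches the redirect rule again and the client is sent back to the portal. The following Python model is an added example written for this thread, not ISE code or anything from the original post; the rule names, profile names, the `Endpoint`/`Rule` classes and the simulated flow are all constructed assumptions that mirror the policy layout the post describes (a GuestEndpoints + Wireless_MAB rule above a Wireless_MAB redirect rule).

```python
"""Constructed model of ISE-style first-match AuthZ evaluation for a guest flow.

Not ISE code. Rule names, profile names and the group-registration step are
assumptions chosen to mirror the policy described in the thread.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Endpoint:
    mac: str
    access_type: str                      # e.g. "Wireless_MAB"
    identity_groups: set = field(default_factory=set)


@dataclass
class Rule:
    name: str
    required_group: Optional[str]         # None = no identity-group condition
    access_type: Optional[str]            # None = no access-type condition
    profile: str                          # AuthZ profile returned on match


# Assumed policy, top-down first match, as laid out in the post:
# a "known guest" rule above the redirect rule.
GUEST_POLICY = [
    Rule("Guest_Known",    "GuestEndpoints", "Wireless_MAB", "PermitAccess"),
    Rule("Guest_Redirect", None,             "Wireless_MAB", "Guest_Portal_Redirect"),
]


def authorize(endpoint: Endpoint, policy: list) -> tuple:
    """Return (rule name, profile) of the first rule whose conditions all hold."""
    for rule in policy:
        if rule.required_group and rule.required_group not in endpoint.identity_groups:
            continue
        if rule.access_type and rule.access_type != endpoint.access_type:
            continue
        return rule.name, rule.profile
    return "Default", "DenyAccess"


def guest_flow(endpoint: Endpoint, policy: list,
               registration_persists: bool, max_rounds: int = 3) -> list:
    """Simulate MAB -> redirect -> portal login -> CoA -> re-auth.

    registration_persists models whether the portal's static assignment of the
    MAC to GuestEndpoints is actually visible to the PSN at re-auth time.
    Returns the sequence of AuthZ profiles handed to the WLC.
    """
    trail = []
    for _ in range(max_rounds):
        _, profile = authorize(endpoint, policy)
        trail.append(profile)
        if profile != "Guest_Portal_Redirect":
            break                        # permitted (or denied): flow settles
        # Portal login succeeds here; ISE is expected to register the MAC
        # into GuestEndpoints and then send CoA, which triggers re-auth.
        if registration_persists:
            endpoint.identity_groups.add("GuestEndpoints")
        # CoA re-auth: loop back and evaluate the policy again.
    return trail


def is_redirect_loop(trail: list) -> bool:
    """True when every round returned the redirect profile, i.e. the loop."""
    return len(trail) > 1 and all(p == "Guest_Portal_Redirect" for p in trail)


if __name__ == "__main__":
    healthy = Endpoint("aa:bb:cc:00:00:01", "Wireless_MAB")       # constructed MAC
    print(guest_flow(healthy, GUEST_POLICY, registration_persists=True))
    broken = Endpoint("aa:bb:cc:00:00:02", "Wireless_MAB")        # constructed MAC
    trail = guest_flow(broken, GUEST_POLICY, registration_persists=False)
    print(trail, "loop:", is_redirect_loop(trail))
```

Running it shows the two outcomes side by side: with the registration visible at re-auth the trail is redirect then PermitAccess; without it every round returns the redirect profile, which is the behaviour the post observes even though Live Logs report the CoA itself as successful. The practical check this suggests is the one the thread circles around: after a portal login, confirm on the PSN actually serving the re-auth that the MAC is present in the endpoint database with the GuestEndpoints assignment, not just that the attribute appeared in a debug on another node.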

 

2 Replies

Colby LeMaire
VIP Alumni

Was the guest flow working before you made the changes to the interfaces on that one PSN?  Have you tried the flow out on another PSN in the same deployment?  When you look at the Live Logs, find the most recent successful authentication after the CoA and open the details.  What do the attributes show for identity group or network access?

If this was working before the interface changes and nothing else in the configuration was changed, then it feels like a bug.  If you don't want to wait for TAC and you want to be sure your PSN system is clean and working, I would recommend removing it from the deployment, rebuild from scratch, and join back to the deployment.  Just to be safe.  You could have all of that done pretty quickly.  Just remember to export any system certificates for that node specifically.

Thanks Colby for the reply.

Worst outcome was encountered today: it started to work. Worst as I am none the wiser as to why, and I hate it. It might be that there is an internal sync issue on the nodes, as I ended up restarting the PAN yesterday and it could be that it just took time to get back in order, and my tests which were carried out an hour after the PAN restart were still showing the issue with the URL redirect loop.

Yes, the guest flow was working before any changes were done. On Live Logs all looks OK and there is no other node to test this on.

Cisco TAC have been provided with an update on this and we will see what they come up with. Have a bad feeling that a rebuild might be their next proposed solution.
