
Guest Re-Authentication on ISE

Joseph Oloyede
Level 1

Good Afternoon,

I am using ISE 1.2 to authenticate guest users on the WLC.

I created a sponsor account that creates guest credentials (username and password) and time profiles of 8 hours, 24 hours, 1 week, 1 month and 3 months respectively, and it worked fine.

Recently, it accepts the guest credentials and gives access to the network for about 2 to 3 minutes before it terminates the session and asks the user to re-authenticate on the guest portal. This continues repeatedly irrespective of the time profile I choose. Moreover, all other users aside from the guest users authenticate on the ISE without such a challenge.

Thanks for your suggestions in advance.

15 Replies

Naresh Ginjupalli
Cisco Employee

Hi Joseph,

As shown in the screenshot below, for the Authz profile that these guests are hitting, there is a default session timeout value set for re-authentication, and there is also an attribute to maintain connectivity.

Maintain Connectivity During Reauthentication has two options:

Default: If you set this option, it will take the CoA action 'Terminate'.

Radius-Request: If you set this option, it will take the CoA action 'Re-auth'.

Can you please check if these values are intact in your configuration?

Hello nginjupa,

Thanks for the assistance; however, I am not using the reauthentication option in the Authz profile. I am using a DACL name, for which I have created the access list in the Downloadable ACLs. This is used to push down the access list to the switch and the WLC.

It still gives access to the network after authentication by the guest user, but knocks the user off after about 3 - 5 minutes. That is, the user will have to re-authenticate again with the same credentials, and the problem recurs over and over.

See below the screenshots for both the Authz profile and the Authz policy.

[Screenshots: Authz profile.PNG, Authz policy.PNG]

Sample authorization policy for guest user

Hi Guys,

I am also facing the same issue, as we have updated the image to 1.2.1 and are using CWA (MAC filtering) on the WLC, session time 1800 on the WLC.

But still, after 5-6 min, the guest user is being asked for username and password at the guest redirection URL.

Can anybody give me the solution for the same?

Thanks & Regards

Pranav

It is a software bug on the wireless controller software 7.4MR2.  You need to open a TAC case and request an engineering release from Cisco that contains the fix.  The fix was put in 7.4.121.17

Same issue. I have tried to configure both the RADIUS attributes Radius:Idle-Timeout and Radius:Session-Timeout. Both have been set to 1900.

I keep being disconnected around 10 min after the iPhone goes to sleep.

Could you show us your authorization profile?

What version of software are you running on your wireless controllers?

8.0.133 on both the foreign and anchor controllers

I have been told we can configure the user idle time out per SSID on 8.1

Parag Mahajan
Cisco Employee

Hi,

It's worth checking the SSID setting in -> Advanced -> Enable Session Timeout. Hope the value is configured around 1800.

Bastien Migette
Cisco Employee

You might start by doing a debug client <mac> and see on the WLC what causes client disconnection.

Also make sure you are running a recent version of the WLC as there could be some issues.

Also check what the Policy state of the client is after web auth. It should move from WEBAUTH_REQD to RUN (you can see this in the Monitor > Client menu). WLC will expire all clients that are in WEBAUTH_REQD state after 10 min.

a.dvorak
Level 1

Hi!

I have had the same problem since yesterday, because I have updated the WLC to 7.4.121 and the ISE to patch 6. Meanwhile I am thinking that it could be a bug or a change in the default properties. I don't know.

I hope somebody can solve the problem, otherwise I should open a case... :(

Regards, Alex

I have the exact same problem. TAC said it looked like a bug. Have you come up with a workaround?

https://tools.cisco.com/bugsearch/bug/CSCul43158

Symptom: Wireless devices are randomly disconnected every 5-10 minutes with unknown policy timeout message in debug client
Conditions: Clients using Central Web Authentication (CWA).
Workaround: none
More Info:

I had the same problem. I have vWLC and 2500 series WLC. The bug CSCul43158 was fixed.

I upgraded from 7.6.100 to 7.6.130.0 and the problem was fixed. Now the wireless is working fine.

kaaftab
Level 4

Check the WLC for the timeout value if no change has been made on ISE since the last deployment.
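
One way to confirm the symptom reported in this thread from authentication records, as an added example that is not from any poster or from Cisco: it flags clients whose guest portal logins repeat at intervals shorter than the configured session timeout (1800 s, the value mentioned above). The CSV layout, the function name `find_reauth_loops` and the sample events are constructed for illustration and are not an ISE or WLC export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: one row per successful guest portal login.
# This column layout is an assumption for the example, not a product export.
SAMPLE_EVENTS = """\
timestamp,mac,username
2014-03-10 09:00:05,AA:BB:CC:00:00:01,guest01
2014-03-10 09:01:00,aa:bb:cc:00:00:02,guest02
2014-03-10 09:02:00,aa:bb:cc:00:00:03,guest03
2014-03-10 09:04:10,aa:bb:cc:00:00:01,guest01
2014-03-10 09:09:30,aa:bb:cc:00:00:01,guest01
2014-03-10 09:14:02,aa:bb:cc:00:00:01,guest01
2014-03-10 09:20:00,aa:bb:cc:00:00:03,guest03
2014-03-10 09:31:00,aa:bb:cc:00:00:02,guest02
"""


def find_reauth_loops(csv_text, session_timeout_s=1800, min_repeats=2):
    """Return {mac: [gap_seconds, ...]} for clients that logged in again
    before the session timeout elapsed at least min_repeats times."""
    logins = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["timestamp"].strip(), "%Y-%m-%d %H:%M:%S")
        # Normalise MAC case so one client is not counted as two.
        logins[row["mac"].strip().lower()].append(ts)

    flagged = {}
    for mac, times in logins.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        # A login gap shorter than the timeout means the session ended early.
        early = [g for g in gaps if g < session_timeout_s]
        # One early login can be a user reconnecting by hand; repeats
        # indicate the forced re-authentication loop described in the thread.
        if len(early) >= min_repeats:
            flagged[mac] = early
    return flagged


if __name__ == "__main__":
    for mac, gaps in find_reauth_loops(SAMPLE_EVENTS).items():
        print(f"{mac}: re-authenticated after {gaps} s (timeout 1800 s)")
```
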