Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12883
Views
5
Helpful
15
Replies

Guest Re-Authentication on ISE

Joseph Oloyede
Level 1
Level 1

‎03-06-2014 05:32 AM - edited ‎03-10-2019 09:30 PM

Good Afternoon,

Am using ISE 1.2 to authenticate guest users on the WLC.

I created a sponsor account that creates guest credentials (username and password) and a time profile of 8hours, 24hours, 1week, 1month and 3months repectively and it worked fine.

Recently, it accepts the guest credentials and gives access to the network for about 2 to 3 minutes before it terminates the session and asks the user to re-authentication on the guest portal. This continues repeatedly irrespective of the time profile i choose. Moreover, every other users aside from the Guest users authenticate on the ISE without such challenge.

Thanks for ur suggestions in advance.

4 people had this problem
Labels:
0 Helpful
15 Replies 15

Naresh Ginjupalli
Cisco Employee
Cisco Employee

‎03-06-2014 06:38 AM

Hi Joseph,

As shown in below screen shot , For  Authz profile that these guest are hitting there is a default session timeout value set for re-authentication and also there is a attribute to maintain connectivity .

Maintain Connectivity During Reauthentication has two option :

Default :-  If you set this option , it will take the CoA action 'Terminate'

Radius-Request :-  If you set this option , it will take the CoA action 'Re-auth'

Can you please check if these values are intact to your configuration.

Preview file
51 KB
0 Helpful

Joseph Oloyede
Level 1
Level 1
In response to Naresh Ginjupalli

‎03-07-2014 01:06 AM

Hello nginjupa,

Thanks for the assistance, however, am not using the reauthentication option in the Authz profile. Am using a DACL name of which i have create the access-list on the Downloadable ACLs. This is used to push down the access-list to the switch and the WLC.

It still gives access to the network after authentication by the guest user, but knocks the user off after about 3 - 5 minutes. That is, the user will have to re-authenticate again with the same credentials and the problem re-occur again over and over.

See below the screen shots for both the Authz profile and the Authz policy.

Authz profile.PNGAuthz policy.PNG

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee
In response to Joseph Oloyede

‎03-11-2014 06:19 AM

Sample autorization policy for guest user

 

Preview file
52 KB
0 Helpful

Pranav Gade
Level 1
Level 1
In response to Venkatesh Attuluri

‎08-12-2014 02:02 AM

Hi Guys,

I am also facing the same issue as we have updated the image to 1.2.1 and usinf cwa ( mac filtering ) on wlc, session time 1800 on wlc.

But still after 5-6 min guest user asking for username and password to guest redirection url.

 

Can anybody gives me the solution for the same.

 

Thanks & Reagrds

Pranav 

0 Helpful

awatson20
Level 4
Level 4
In response to Pranav Gade

‎08-12-2014 02:44 AM

It is a software bug on the wireless controller software 7.4MR2.  You need to open a TAC case and request an engineering release from Cisco that contains the fix.  The fix was put in 7.4.121.17

0 Helpful

egodalisse
Level 1
Level 1
In response to awatson20

‎09-12-2016 05:22 AM

same issue, I have tried to configure both the radius attributes Radius:Idle-Timeout and Radius:Session-Timeout. Bot hhave been set to 1900.

I keep being disconnected around 10 min after the iphone goes to sleep.

Could you show us your authorization profile ?

0 Helpful

awatson20
Level 4
Level 4
In response to egodalisse

‎09-12-2016 05:28 AM

What version of software are you running on your wireless controllers?

0 Helpful

egodalisse
Level 1
Level 1
In response to awatson20

‎09-12-2016 09:44 AM

8.0.133 on both the foreign and anchor controllers

I have been told we can configure the user idle time out per SSID on 8.1

0 Helpful

Parag Mahajan
Cisco Employee
Cisco Employee

‎03-07-2014 08:56 AM

Hi ,

Its worth checking SSID setting in - > advanced - >Enable Session Timeout . Hope the value configured around 1800 ..

0 Helpful

Bastien Migette
Cisco Employee
Cisco Employee

‎03-09-2014 02:22 PM

You might start by doing a debug client <mac> and see on the WLC what causes client disconnection.

Also make sure you are running a recent version of the WLC as there could be some issues.

Check also what is the Policy state of the client after web auth. It should move from WEBAUTH_REQD to RUN (you can see this in the monitor > Client menu). WLC will expire all clients that are in WEBAUTH_REQD state after 10 mn.

0 Helpful

a.dvorak
Level 1
Level 1

‎03-12-2014 03:15 PM

Hi!

I have the same problem since yestarday because I have updated the wlc to 7.4.121 and the Ise to patch6-Meanwhile I am thinking that could be a bug or a change in the default properties-I don´t know.

I hope somebody can solve the problem-otherwise I should open a case.... :(

 

regards alex

0 Helpful

awatson20
Level 4
Level 4
In response to a.dvorak

‎03-20-2014 05:14 PM

I have the exact same problem. TAC said it looked like a bug. Have you come up with a work a round? https://tools.cisco.com/bugsearch/bug/CSCul43158 Symptom:Wireless devices are randomly disconnected every 5-10 minutes with unknown policy timeout message in debug client Conditions:Clients using Central Web Authentication (CWA). Workaround:none More Info:

andres.picos
Level 1
Level 1
In response to awatson20

‎09-26-2014 04:16 PM

I had the same problem. I have vWLC and 2500 series WLC. The bug  CSCul43158 Was fixed.

I upgrade from 7.6.100 to 7.6.130.0 and the problem was fixed. Now the wireless is working fine.

0 Helpful

kaaftab
Level 4
Level 4

‎03-13-2014 11:45 AM

check the WLC for time out value if no change has been made on ISE since last deployment.

0 Helpful
Customers Also Viewed These Support Documents