07-16-2014 01:40 AM - edited 03-10-2019 09:52 PM
Hi Support team,
Issue with Guest CWA with ISE.
I can connect to guest SSID and redirection is happening to ISE guest portal page. Username and password (created by sponsor) is accepted in the guest portal. When i open a new browser it is again redirecting to guest portal rather moving to internet. Is it related to COA. Please advise. I am attaching the error what i am getting and the configuration also.
07-16-2014 01:56 AM
07-16-2014 03:01 PM
Hello-
The issue is with your authorization rules. You need to change the conditions for the "Wireless Guest Rule." Remove the current condition about the "guest flow" and add a new condition and instruct ISE to look at the ISE Identity Store group where the guest users are created. Typically, this is the "Guest" internal identity user group. Leave the second "condition" block blank.
Hope this helps!
Thank you for rating helpful posts!
07-16-2014 07:12 PM
Nothing wrong with your authorization rules but Neno's suggestion would make security tighter in the long run. Your WLC configuration that is incorrect for CWA. Don't do layer 3 security- do layer 2 open auth with mac filtering and no layer 3 security.
07-16-2014 07:26 PM
Ops, I did not see the second set of screen shots. Yes, you need to disable L3 security and only use L2 with mac filtering as suggested above. You will also need to enable "radius NAC" under the advanced tab. The link below should walk you through the whole setup:
On a side note, I still think that the current authorization rules are incorrect. If they are left alone, wouldn't the guest users be let on the network as soon as they enter the guest flow, thus never hitting the CWA rule? Or the "guest-flow" does not happen until after redirection has taken place and credentials are entered? I am not at home otherwise I would test it :)
Thank you for rating helpful posts!
07-16-2014 08:06 PM
Guest flow is added after the CWA bit. By not adding the group it means you can't differentiate between different internal groups eg contractor vs guest.
07-16-2014 08:09 PM
Ah, so it is after the CWA. Thanks for confirming. (+5 from me)
07-30-2014 04:57 AM
Hi,
Did u ever get this solved? I rather have the same issue but the users are authenticated but redirected to the login page again. They do not get the "successfull" login screen but are authenticated anyway after the first time adding the credentials. Only after putting the credentials twice the successfull screen is shown.
07-30-2014 12:06 PM
Have you modified Wireless MAB authentication rule to Reject-Continue-Drop?
Select these values from the drop-down list:
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide