Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
707
Views
0
Helpful
5
Replies

Guest WebAuth with ISE and WLC

descalante2007
Level 1
Level 1

‎01-14-2013 02:42 PM - edited ‎03-10-2019 07:58 PM

I have a couple of issues with this solution:

a) Each time a user logs in, the untrusted certificate message appears twice. The first one with the WLC IP address, the second one with the ISE IP address. Is this a bug or some kind of mistake configuration?

b) In the Guest Accounting report every guest session is reported twice. One with the correct log in and log out times, the second indicates the user is still on network even after several days he/she had been disconnected.

I think the second issue is in some way related with the first one.

Thanks in advance

Daniel Escalante

Labels:
0 Helpful
5 Replies 5

Tarik Admani
VIP Alumni
VIP Alumni

‎01-14-2013 06:41 PM

Hi,

What device are you experiencing the certificate related errors? What version of ISE and WLC are presently running? Also can you post a screenshot of the logs that you are referring to and were you able to verify that the client's entry isnt active in the WLC client page?

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

descalante2007
Level 1
Level 1
In response to Tarik Admani

‎01-15-2013 11:19 AM

The certificate message appears on Windows PCs and IPads which are the devices mainly used by the customer.

ISE is running version 1.1.2.145, WLC's are running 7.0.235

0 Helpful

descalante2007
Level 1
Level 1
In response to descalante2007

‎01-15-2013 06:00 PM

I am trying to figure out the protocol sequence:

1) The PC client gets IP address from the DHCP (anchor WLC in this case)

2) When the browser is open and a HTML request is send, the WLC intercepts it and redirect to ISE

3) Before the Guest Authentication Portal is displayed in the browser PC, an untrusted certicate message coming from the ISE should be displayed.

4) Once the untrusted certificate message is accepted (continue), the guest authentication portal is displayed

5) The user type in its credentials

6) the Successful Login message is received with the WLC IP address

7) the user is able to browse the internet

The problem appears in steps 3 and 4. The untrusted certificate message is first showed with the WLC Virtual IP address and then with the ISE IP address.

I think the message with the WLC address should not be sent, only the ISE message.

In Step 6 the successful login message should indicate the ISE IP address, no the WLC IP Virtual address.

I will appreciate your assistance to clarify the event sequence and proper functionality

Thanks in advance.

Daniel Escalante.

0 Helpful

jonmarso_07
Level 1
Level 1
In response to descalante2007

‎01-15-2013 07:34 PM

We are having this problem, we must first accept the certificate of the ISE, and soon after of the WLC, because of that some browsers like google does not work properly.

Another problem is that we look to send the user VLAN change is necessary to apply the visitor posture ie it is mandatory to have the advanced license.

Currently we need a single SSID and according to this guest user will receive an ip of your vlan.

0 Helpful
Customers Also Viewed These Support Documents