Guest wifi on Webportal1 not working - Webportal2 ok - on ISE Psn

MaErre21325
Level 1

Hello,

I'm facing a problem with client authentication on the guest wifi when the request is handled by a specific PSN and its corresponding portal.

The environment consists of two machines, both acting as PAN/PSN/MnT.
When the connection request arrives at psn1, the traffic is intercepted by the WLC with the redirect ACL and web portal 1 is shown to the client; however, webportal1 doesn't work because a splash page with "connection refused" is displayed.

On the other hand, if the request is handled by psn2, web portal 2 is shown and the splash page allows the credentials to be entered correctly, and the client is allowed to access the network.
Unfortunately, I cannot figure out why this problem is present only on web portal 1, since all configurations are identical to web portal 2 (firewall flows allow the same traffic for both portal 1 and 2, and the portals are configured correctly at the DNS level as well).

Do you have any advice for me? I don't know what further TBS I should do; everything seems OK.

Attached you can find screenshots of the whole process: authentication policy -> authorization policy -> authorization profile -> splash page -> and the psn1 log.

Thank you

11 Replies

The Static IP/Hostname redirect is your issue. Why do you have that checked? This will only allow web redirects to work by whatever PSN is in that field.

Hello @ahollifield,

I have it checked because:
if you are using psn1 you'll be provided the webauth1 portal;
if you are using psn2 you'll be provided the webauth2 portal.

Am I wrong?
I have two authorization profiles that are the same except for the Static IP/Hostname, in which there are the two web portals as stated before.

Oh OK, yeah, if you have two profiles then this should work fine. The next thing I would look at is the DNS and firewall/ACL settings. Also, on the PSN node that's not working, does it have the correct portal certificate on that node?

Hi,

The portal certificate is the same on both PSNs; I've also double-checked the DNS/ACL/firewall flows and they are all the same for both appliances.

Sorry,

is the WLAN that the user uses configured with two PSNs or only one?

MHM

Hi @MHM Cisco World ,

the WLAN is one; regardless of where a user is connecting, there's only one WLAN and one VLAN provided.

ammahend
VIP Alumni

Try a few additional steps:
In your pre-auth ACL, allow ping to PSN1 and see if you can ping PSN1 and resolve DNS for PSN1, even if the webpage is not loading.
Does your portal certificate include SANs for both webauth01 and webauth02?

-hope this helps-

Hello @ammahend,

at the moment I can't add ping because I don't directly manage the pre-auth ACL in the WLC.
And yes, my portal certificate includes SANs for both webauth01 and webauth02.
If I ping them, they are resolved:

Pinging webauth01.mycustomer.com [192.168.1.101] with 32 bytes of data:
Pinging webauth02.mycustomer.com [192.168.1.102] with 32 bytes of data:

This is the SAN configuration:
DNS:*.mycustomer.com,DNS:mycustomer.com

Understood. For now we know that the client sends the TCP SYN to port 80 and the WLC intercepts it, spoofs the destination IP address to reply to the client and redirects. So the next logical step is to verify that client traffic reaches the ISE PSN; that's why I asked to check that. However, you can also verify this with WLC EPC and ISE TCPdump. Can you share these outputs?

-hope this helps-
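An added diagnostic, not from the thread or from Cisco, that runs the three checks discussed above from the client side in one place: DNS resolution of the portal FQDN, TCP reachability of the portal port, and whether the certificate presented is trusted for that name. It also includes a standalone SAN matcher, since a wildcard entry such as *.mycustomer.com covers webauth01.mycustomer.com but not a deeper name. The portal port 8443 and the hostnames are assumptions; adjust them to your portal settings.

```python
"""Client-side guest-portal reachability check: DNS, TCP, TLS/SAN."""
import socket
import ssl

PORTAL_PORT = 8443  # assumption: typical ISE guest-portal port, change to yours


def san_matches(hostname: str, san_names: list[str]) -> bool:
    """True if hostname is covered by a DNS SAN entry.

    A wildcard only covers one leftmost label (RFC 6125 style), so
    *.mycustomer.com covers webauth01.mycustomer.com but not a.b.mycustomer.com.
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                       # ".mycustomer.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def probe_portal(hostname: str, port: int = PORTAL_PORT, timeout: float = 5.0) -> dict:
    """Resolve the portal FQDN, open TCP to the portal port, then do a verified
    TLS handshake. A 'connection refused' here is the same symptom as the splash page."""
    result = {"host": hostname, "dns": None, "tcp": False, "tls": None}
    try:
        result["dns"] = socket.gethostbyname(hostname)
    except socket.gaierror as exc:
        result["tls"] = f"dns failure: {exc}"
        return result
    ctx = ssl.create_default_context()          # verifies chain and hostname
    try:
        with socket.create_connection((result["dns"], port), timeout=timeout) as sock:
            result["tcp"] = True
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                result["tls"] = f"ok: {tls.version()}"
    except ssl.SSLCertVerificationError as exc:   # wrong name or untrusted CA
        result["tls"] = f"cert rejected: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:        # refused, timeout, reset
        result["tls"] = f"failure: {exc}"
    return result


if __name__ == "__main__":
    for fqdn in ("webauth01.mycustomer.com", "webauth02.mycustomer.com"):  # constructed
        print(probe_portal(fqdn))
```

Run it from a client on the guest VLAN against both portal FQDNs; a difference in the `tcp` or `tls` field between the two is the first place to look.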

OK, just one thing: I'm noticing that on psn2 (on which webauth2 is working) the "ISE Messaging Service" certificate is missing, while on psn1 it is present. Could this be related to my problem or not?

We can make the WLC use both PSNs by configuring two WLANs.

Or we can use both PSNs with one WLAN using an F5 load balancer; this makes CoA send to one IP and the F5 load balancer does the job of balancing the load between the two PSNs.

This is what I know.

But using two different PSNs for the same WLAN, I'm not sure it works.

MHM