05-10-2018 11:10 PM
Hello
I am seeing a weird phenomenon that I want to debug - but I cannot wait for the TAC/BU
ISE 2.3 patch 2 - NAD is H3C WX5004 - doing MAB auth for Guest wireless. So far I can get the ISE guest portal displayed on the user's PC when using the H3C. But when I login to the portal with valid guest creds I don't see the CoA being sent out (wireshark on PSN).
I know that this PSN can send CoA to the NAD because I can trigger a manual CoA Disconnect from the Session GUI, and I can see this in Wireshark. So the question is why ISE is not sending CoA Disconnect when I log the user in? I have tried the following logs
prrt-server.log at default reveals this Warning
sco8834ise054/admin# show logging application prrt-server.log tail
JavaBridge,2018-05-11 15:14:38,708,WARN ,0x7f89a7182700,cntx=0000759076,sesn=sco8834ise054/315202826/86091,CPMSessionID=sco8834ise054:userauth11,user=arne2@email.com,JavaBridge::invoke: exception caught,JavaBridge.cpp:554
When I crank up the debug level then I get a load more data - but it all looks healthy to me - it tells me the password was valid etc and then nothing else.
I suspect that ISE wants a certain attribute from the initial Access-Request in order to build the session table, and if that is missing then it cannot send a CoA during guest auth? Either way, I just want to debug this further.
05-11-2018 08:17 AM
Are you seeing the MAC address getting correctly moved to the endpoint identity group assigned to the guest type?
05-11-2018 08:27 AM
I would defer to the TAC, but to help, how about you try with the default NAD profile since it seems you are using a 3rd party switch? How does it compare? For credential guest flows you should get a re-auth, not a disconnect. See if you can compare the flows; maybe a bug.
05-11-2018 02:03 PM
Thanks for the replies
@paul - yes the MAC address ends up in the Endpoint Identity Group
@jason - I will give that a try on Monday
@hsing - this is not a RADIUS auth flow. The PSN should send the CoA itself based on portal authentication success.
05-11-2018 03:01 PM
H3C WX is an HP wireless controller, it seems. I have not commented on this until now because I have no personal experience with a HP NAD. I am not clear why you mentioned that "this is not a RADIUS auth flow. ..."
Guest access is actually a special form of RADIUS auth. You could try enabling TRACE on guestaccess, prrt-jni, and portal-web-action, then check the prrt-* and guest.log files. Below is a sample output in guest.log with regular Cisco WLC.
...
2018-05-11 21:52:11,709 DEBUG [https-jsse-nio-10.1.100.21-8443-exec-9][] cpm.guestaccess.flowmanager.step.StepExecutor -:test1:- isLastStep is triggered for step:SUCCESS
2018-05-11 21:52:11,710 DEBUG [https-jsse-nio-10.1.100.21-8443-exec-9][] guestaccess.flowmanager.step.guest.SuccessStepExecutor -:test1:- It is not a upgrated custom portal!
2018-05-11 21:52:11,710 DEBUG [https-jsse-nio-10.1.100.21-8443-exec-9][] guestaccess.flowmanager.step.guest.SuccessStepExecutor -:test1:- Success Transition Result=StepName=SUCCESS, hasError=false, retryEnabled=false, targetUrl=pages/success.jsp, isMobile=true, isContactSettingEnabled=false, errKeys=, dictionaryKeys=ui_tweak_banner_text_color,ui_tweak_banner_color,ui_success_instruction_message,ui_user_last_login_ipaddr_label,ui_apple_icon,ui_contact_link,ui_session_timeout_error,session_username,session_user_last_login_ipaddr,ui_full_background_image,ui_success_page_title,ui_success_message,ui_tweak_page_color,ui_background_image,session_user_last_login_pass_time,ui_success_returning_message,ui_tweak_page_text_color,ui_page_icon,ui_javascript_disabled_message,session_retry_url,ui_footer_label,ui_banner_label,ui_user_last_login_pass_time_label,ui_session_timeout_retry_button,session_coa_type,ui_desktop_logo,ui_success_content_label,ui_mobile_logo,session_redirect_url,ui_success_optional_content_2,ui_theme_css,ui_success_optional_content_1,session_contact_enabled,
doCoa=true, coaType=Reauth
...
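As an added example (not part of the thread and not ISE's own code), the following Python script does the triage this answer suggests in an automated way: it reads a guest.log excerpt, glues the timestamp-less continuation line (`doCoa=true, coaType=Reauth`) back onto its record, and reports for each portal user whether the flow reached SUCCESS and whether ISE decided a CoA and of which type. It also pulls the `sesn`, `CPMSessionID` and `user` fields out of the prrt-server.log warning quoted at the top of the thread so the two logs can be correlated by user. The guest.log sample is modelled on the excerpt above with the long `dictionaryKeys` list abbreviated; the second session (user `ghost`, `doCoa=false`) is invented purely to show what the check flags, not a claim about what ISE actually logs in the failing case.

```python
"""Triage an ISE guest.log excerpt: did the portal flow reach SUCCESS, and
did ISE decide to send a CoA (doCoa / coaType) for that session?

Constructed example, not ISE code. The sample lines are modelled on the
guest.log excerpt quoted in the thread; the 'ghost' session is invented to
show what the check flags when no CoA is decided.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: two portal sessions, dictionaryKeys list abbreviated.
SAMPLE_GUEST_LOG = """\
2018-05-11 21:52:11,709 DEBUG [https-jsse-nio-10.1.100.21-8443-exec-9][] cpm.guestaccess.flowmanager.step.StepExecutor -:test1:- isLastStep is triggered for step:SUCCESS
2018-05-11 21:52:11,710 DEBUG [https-jsse-nio-10.1.100.21-8443-exec-9][] guestaccess.flowmanager.step.guest.SuccessStepExecutor -:test1:- It is not a upgrated custom portal!
2018-05-11 21:52:11,710 DEBUG [https-jsse-nio-10.1.100.21-8443-exec-9][] guestaccess.flowmanager.step.guest.SuccessStepExecutor -:test1:- Success Transition Result=StepName=SUCCESS, hasError=false, retryEnabled=false, targetUrl=pages/success.jsp, isMobile=true, isContactSettingEnabled=false, errKeys=, dictionaryKeys=ui_success_message,session_coa_type,session_redirect_url,
doCoa=true, coaType=Reauth
2018-05-11 21:55:02,001 DEBUG [https-jsse-nio-10.1.100.21-8443-exec-3][] guestaccess.flowmanager.step.guest.SuccessStepExecutor -:ghost:- Success Transition Result=StepName=SUCCESS, hasError=false, retryEnabled=false, targetUrl=pages/success.jsp, isMobile=false, isContactSettingEnabled=false, errKeys=, dictionaryKeys=ui_success_message,session_coa_type,
doCoa=false, coaType=
"""

# The prrt-server.log warning quoted in the thread (verbatim).
SAMPLE_PRRT_WARNING = ("JavaBridge,2018-05-11 15:14:38,708,WARN ,0x7f89a7182700,cntx=0000759076,"
                       "sesn=sco8834ise054/315202826/86091,CPMSessionID=sco8834ise054:userauth11,"
                       "user=arne2@email.com,JavaBridge::invoke: exception caught,JavaBridge.cpp:554")

# Every guest.log record starts with a timestamp; continuation lines do not.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
USER_RE = re.compile(r" -:([^:]*):- ")
RESULT_MARK = "Success Transition Result="


@dataclass
class PortalResult:
    user: str
    step: Optional[str]
    has_error: Optional[bool]
    do_coa: Optional[bool]
    coa_type: Optional[str]

    def coa_decided(self) -> bool:
        """True only when the flow succeeded and ISE decided to send a CoA."""
        return self.step == "SUCCESS" and self.has_error is False and self.do_coa is True


def _to_bool(value: Optional[str]) -> Optional[bool]:
    return None if value is None else value.lower() == "true"


def _records(lines: List[str]) -> List[str]:
    """Glue timestamp-less continuation lines onto the preceding record."""
    records: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def _kv_pairs(text: str) -> Dict[str, str]:
    """Split 'k=v, k=v' fields. Fields are separated by ', '; the
    dictionaryKeys list uses bare commas, so it survives as one field."""
    out: Dict[str, str] = {}
    for item in text.split(", "):
        if "=" in item:
            key, value = item.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_guest_log(text: str) -> Dict[str, PortalResult]:
    """Map portal username -> outcome of its Success Transition Result record."""
    results: Dict[str, PortalResult] = {}
    for rec in _records(text.splitlines()):
        if RESULT_MARK not in rec:
            continue
        match = USER_RE.search(rec)
        user = match.group(1) if match else "?"
        kv = _kv_pairs(rec.split(RESULT_MARK, 1)[1])
        results[user] = PortalResult(
            user=user,
            step=kv.get("StepName"),
            has_error=_to_bool(kv.get("hasError")),
            do_coa=_to_bool(kv.get("doCoa")),
            coa_type=kv.get("coaType") or None,
        )
    return results


def sessions_missing_coa(text: str) -> List[str]:
    """Users whose portal login reached SUCCESS but for whom no CoA was decided."""
    return sorted(u for u, r in parse_guest_log(text).items()
                  if r.step == "SUCCESS" and not r.coa_decided())


def prrt_warning_fields(line: str) -> Dict[str, str]:
    """Extract the key=value fields (cntx, sesn, CPMSessionID, user) from a
    prrt-server.log line so it can be correlated with guest.log by user."""
    return {k: v for k, v in (f.split("=", 1) for f in line.split(",") if "=" in f)}


if __name__ == "__main__":
    for user, result in parse_guest_log(SAMPLE_GUEST_LOG).items():
        print(f"{user}: step={result.step} doCoa={result.do_coa} coaType={result.coa_type}")
    print("portal success without CoA decision:", sessions_missing_coa(SAMPLE_GUEST_LOG))
    print("prrt warning for user:", prrt_warning_fields(SAMPLE_PRRT_WARNING).get("user"))
```

Run it against a real guest.log tail (`show logging application guest.log tail`) by replacing the constructed sample; any user listed by `sessions_missing_coa` is the session to take to TAC together with the matching prrt-server.log `sesn`/`CPMSessionID`.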
05-11-2018 04:08 PM
thanks for the debug ideas. Will try that on Monday. This is just another new NAD type and should fit in with the existing MAB policy set logic where the auth fail continue stuff is already in place. And yes we use the factory default HP Wireless device profile.
What happens next after Portal login success is not user configurable (i.e. the CoA is hard coded into ISE logic). That is what I was alluding to. All I can see is whether or not ISE decided to send CoA. If portal auth was a success and CoA was not sent, then I want to know why. The debugs should help. Endpoint trace didn't reveal anything at all (no file created as a result). I found that surprising.
05-13-2018 07:25 PM
Right. The endpoint debug has some limitations. If you have a TAC, it's good to ask TAC to log a defect on that.
05-15-2018 05:22 PM
The last entry in the PSN guest.log was over a week ago!!
Even when I enable guest debugs, it does not write to this file. The PSN has been creating a lot of historical guest.log files but now it writes nothing.
I also tried changing the device profile to Aruba and also Cisco profile. It made no difference.
I have also noticed now that the endpoint no longer ends up in the Endpoint Identity Group - it was working previously. Very weird.
I will open a TAC case.