cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1909
Views
1
Helpful
7
Replies

How to debug a Guest Portal login?

Arne Bier
VIP
VIP

Hello

I am seeing a weird phenomenon that I want to debug - but I cannot wait for the TAC/BU

ISE 2.3 patch 2 - NAD is H3C WX5004 - doing MAB auth for Guest wireless.  So far I can get the ISE guest portal displayed on the user's PC when using the H3C.  But when I login to the portal with valid guest creds I don't see the CoA being sent out (wireshark on PSN).

I know that this PSN can send CoA to the NAD because I can trigger a manual CoA Disconnect from the Session GUI, and I can see this in Wireshark.  SO the question is why ISE is not sending CoA Disconnect when I log the user in?  I have tried the following logs

prrt-server.log at default reveals this Warning

sco8834ise054/admin# show logging application prrt-server.log tail

JavaBridge,2018-05-11 15:14:38,708,WARN ,0x7f89a7182700,cntx=0000759076,sesn=sco8834ise054/315202826/86091,CPMSessionID=sco8834ise054:userauth11,user=arne2@email.com,JavaBridge::invoke: exception caught,JavaBridge.cpp:554

When I crank up the debug level then I get a load more data - but it all looks healthy to me - it tells me the password was valid etc and then nothing else.

I suspect that ISE wants a certain attribute from the initial Access-Request in order to build the session table, and if that is missing then it cannot send a CoA during guest auth?  Either way, I just want to debug this further.

1 Accepted Solution

Accepted Solutions

H3C WX is an HP wireless controller, it seems. I have not commented on this until now because I have no personal experience with a HP NAD. I am not clear why you mentioned about "this is not a RADIUS auth flow. ..."

Guest access is actually a special form of RADIUS auth. You could try enabling TRACE on guestaccess, prrt-jni, and portal-web-action, then check the prrt-* and guest.log files. Below is a sample output in guest.log with regular Cisco WLC.

...

2018-05-11 21:52:11,709 DEBUG  [https-jsse-nio-10.1.100.21-8443-exec-9][] cpm.guestaccess.flowmanager.step.StepExecutor -:test1:- isLastStep is triggered for step:SUCCESS

2018-05-11 21:52:11,710 DEBUG  [https-jsse-nio-10.1.100.21-8443-exec-9][] guestaccess.flowmanager.step.guest.SuccessStepExecutor -:test1:- It is not a upgrated custom portal!

2018-05-11 21:52:11,710 DEBUG  [https-jsse-nio-10.1.100.21-8443-exec-9][] guestaccess.flowmanager.step.guest.SuccessStepExecutor -:test1:- Success Transition Result=StepName=SUCCESS, hasError=false, retryEnabled=false, targetUrl=pages/success.jsp, isMobile=true, isContactSettingEnabled=false, errKeys=, dictionaryKeys=ui_tweak_banner_text_color,ui_tweak_banner_color,ui_success_instruction_message,ui_user_last_login_ipaddr_label,ui_apple_icon,ui_contact_link,ui_session_timeout_error,session_username,session_user_last_login_ipaddr,ui_full_background_image,ui_success_page_title,ui_success_message,ui_tweak_page_color,ui_background_image,session_user_last_login_pass_time,ui_success_returning_message,ui_tweak_page_text_color,ui_page_icon,ui_javascript_disabled_message,session_retry_url,ui_footer_label,ui_banner_label,ui_user_last_login_pass_time_label,ui_session_timeout_retry_button,session_coa_type,ui_desktop_logo,ui_success_content_label,ui_mobile_logo,session_redirect_url,ui_success_optional_content_2,ui_theme_css,ui_success_optional_content_1,session_contact_enabled,

doCoa=true, coaType=Reauth

...

View solution in original post

7 Replies 7

paul
Level 10
Level 10

Are you seeing the MAC address getting correctly moved to the endpoint identity group assigned to the guest type?

I would defer to the TAC but to help how about it you try with default NAD profile since it seems you are using a 3rd party switch? How does it compare? For credential guest flows you should get a re-auth not a disconnect. See if you can compare the flows maybe a bug

THanks for the replies

@paul - yes the MAC address ends up in the Endpoint Identity Group

@jason - I will give that a try on Monday

@hsing - this is not a radius auth flow. the psn should send the coa itself based on portal authentication success

H3C WX is an HP wireless controller, it seems. I have not commented on this until now because I have no personal experience with a HP NAD. I am not clear why you mentioned about "this is not a RADIUS auth flow. ..."

Guest access is actually a special form of RADIUS auth. You could try enabling TRACE on guestaccess, prrt-jni, and portal-web-action, then check the prrt-* and guest.log files. Below is a sample output in guest.log with regular Cisco WLC.

...

2018-05-11 21:52:11,709 DEBUG  [https-jsse-nio-10.1.100.21-8443-exec-9][] cpm.guestaccess.flowmanager.step.StepExecutor -:test1:- isLastStep is triggered for step:SUCCESS

2018-05-11 21:52:11,710 DEBUG  [https-jsse-nio-10.1.100.21-8443-exec-9][] guestaccess.flowmanager.step.guest.SuccessStepExecutor -:test1:- It is not a upgrated custom portal!

2018-05-11 21:52:11,710 DEBUG  [https-jsse-nio-10.1.100.21-8443-exec-9][] guestaccess.flowmanager.step.guest.SuccessStepExecutor -:test1:- Success Transition Result=StepName=SUCCESS, hasError=false, retryEnabled=false, targetUrl=pages/success.jsp, isMobile=true, isContactSettingEnabled=false, errKeys=, dictionaryKeys=ui_tweak_banner_text_color,ui_tweak_banner_color,ui_success_instruction_message,ui_user_last_login_ipaddr_label,ui_apple_icon,ui_contact_link,ui_session_timeout_error,session_username,session_user_last_login_ipaddr,ui_full_background_image,ui_success_page_title,ui_success_message,ui_tweak_page_color,ui_background_image,session_user_last_login_pass_time,ui_success_returning_message,ui_tweak_page_text_color,ui_page_icon,ui_javascript_disabled_message,session_retry_url,ui_footer_label,ui_banner_label,ui_user_last_login_pass_time_label,ui_session_timeout_retry_button,session_coa_type,ui_desktop_logo,ui_success_content_label,ui_mobile_logo,session_redirect_url,ui_success_optional_content_2,ui_theme_css,ui_success_optional_content_1,session_contact_enabled,

doCoa=true, coaType=Reauth

...

thanks for the debug ideas. Will try that on Monday. This is just another new NAD type and should fit in with the existing MAB policy set logic where the auth fail continue stuff is already in place. And yes we use the factory default HP Wireless device profile.

What happens next after Portal login success is not user configurable (ie the coa is hard coded into Ise logic). That is what I was alluding to. All I can see is whether or not ise decided to send coa. If portal auth was success and coa not sent then I want to know why. The debugs should help. Endpoint trace didn’t reveal anything at all (no file created as a result). I found that surprising

Right. The endpoint debug has some limitations. If you have a TAC, it's good to ask TAC to log a defect on that.

The last entry in the PSN guest.log was over a week ago!!

Even when I enable guest debugs, it does not write to this file.  The PSN has been creating a lot of historical guest.log files but now it writes nothing.

I also tried changing the device profile to Aruba and also Cisco profile. It made no difference.

I have also noticed now that the endpoint no longer ends up in the Endpoint Identity Group - it was working previously.  Very weird.

I will open a TAC case.