Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Identity PSK Manager + Cisco 9800: Failing to redirect to ISPK Captive Portal



I'm hoping to get Mr. @howon attention here as he's been extraordinarily helpful in the past...


I've successfully integrated the IPSK Manager tool with my older 8510s and ISE 2.6.  Now I'm trying to integrate it with my new 9800s running 17.3.1 and I'm in a weird spot where RADIUS is returning access-accept's, but the WLC isn't letting clients connect when they use the default WLAN password.


My IPSK implementation is as follows:

  • If the client MAC exists in the IPSK Manager database, the client will be put in a specific VLAN. (This is working on the 9800)
  • If not, the client will be sent to the IPSK Manager captive portal. (this is failing on the 9800, but works on the 8510).


My client is connecting to the WLAN using the default PSK - the one that the WLAN is configured with.  When I connect to the SSID being broadcast by the 8510, the client gets redirected to the IPSK Manager captive portal. However, when trying to connect to the SSID being broadcast by the 9800, the client cannot connect.


I enabled AAA authorization debugging on the 9800 and here is what it's saying:


252721: Feb 19 2021 20:13:10.844 UTC: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (xxxx.xxxx.2a28) on Interface capwap_918000b2 AuditSessionID 548EA546000000B3BBEC93A9. Failure Reason: Fail PSK Failure.


Here is what ISE says about the authorization attempt:




And here is how the authorization profile is configured:




I know the IPSK Manager guide says to add the DACL name in the common tasks, but I get the same result with or without it, and as I understand it, the dACL is only used to prevent clients from accessing the internet prior to going through the captive portal.


I'm really not sure what else to check. I don't know why the 9800 is saying "Fail PSK Failure" when ISE is returning access-accept and I entered the key that I built the WLAN with on the client.


Thanks for your time!

Content for Community-Ad