09-04-2012 05:54 AM - edited 03-10-2019 07:29 PM
Hello there
I have an ISE 1.1.1 setup, with a guest portal. The AD can be used to log onto this portal, and the is on First Login.
However, every time an AD user logs in on the portal, he has to accept the User Accept Policy. Is this a bug? Or is there a configuration error?
Greetings
09-04-2012 08:23 AM
Hi Steve,
Is the user logging in from different devices or the same device?
Thanks,
Tarik Admani
*Please rate helpful posts*
09-06-2012 02:08 AM
Same device, that's the weird thing. Does it work with cookies or something?
09-06-2012 04:23 AM
Is this on wired or wireless? We see the same on wireless guest with AD auth, every time the user's authenticated session times out on the WLC. I just guessed it was a feature.
09-06-2012 06:57 AM
Steve,
It should be able to redirect users based on the username and device that they are authenticating from. If you look at the endpoint, there is an attribute that is AUP specific; once that is set to yes, the profiling database should have this flag set so it isn't redirected to the AUP after login.
In your authorization profile is the client being redirected to another authorization policy after CoA?
Please post screenshots of the authorization policy, the endpoint attribute, and the authentication events....
Thanks,
Tarik Admani
*Please rate helpful posts*
09-10-2012 04:46 AM
Hello Tarik
I am not using CoA, so there is no other authorization policy.
I will post screenshots tomorrow.
Greetings
Steven
09-10-2012 10:58 AM
Also, are you using central web authentication or local web authentication on your WLC? The reason is that you will need CoA in order to remove the redirect URL attribute once the user accepts the AUP the first time in a CWA scenario. If you are using local web authentication where the webauth is configured as a redirection to an "external server", then the AUP may be sourced from the controller locally before allowing the user to continue on.
thanks,
Tarik Admani
*Please rate helpful posts*
09-11-2012 12:53 AM
I'm using local auth, would it not be possible to use the AUP then?
Screenshots:
09-11-2012 04:25 AM
That is correct. If you only want to show the AUP once, there is a flag that ISE uses to track if the user and endpoint together have accepted the AUP. When they reauthenticate, then they aren't presented the AUP.
I hope that helps,
Sent from Cisco Technical Support iPad App
09-11-2012 04:27 AM
Erm... that's what this topic is about, it's not working, even when the setting is correct.
09-11-2012 04:37 AM
You are correct, but the AUP page is probably the AUP from the controller, since only the authentication is being redirected to the ISE node.
When you see the AUP, does it have 1.1.1.1 or the ISE IP address?
I can't see the screenshots through my iPad but will check them in a few.
Sent from Cisco Technical Support iPad App