09-03-2015 02:34 AM - edited 03-10-2019 11:01 PM
Hi Guys,
I've just built up an ISE v1.4 server and have successfully configured it to work with a WLC to provide both 802.1x auth for an internal WLAN and Central Web Auth for the Guest WLAN.
The issue I have is that one of my test devices passes authentication as shown by the log, but never shows up in the internal endpoints identity store. Other devices authenticate and show up in the identity store, where I can delete them which forces the web auth process to run again. I just have the one device which seems to be in the identity store, but can't be seen and can't be deleted, which means that the device always passes wireless MAB and gets network access.
ISE is version 1.4 with the latest patch applied, WLCs are an 8510 Foreign controller and 5508 guest anchor, both running 8.0.120.
Does anyone have any ideas? I assume the MAC address is in a database somewhere which needs to be cleaned up somehow, but I can't find any documentation on how to do this. ISE has been rebooted, but no change.
Thanks
James
09-03-2015 10:44 AM
Can you show us the authentication event in ISE that you believe is giving it access? Is it doing guest with CWA login, or PEAP/EAP-TLS the device that is causing the problem?
09-03-2015 09:59 PM
Here's the authentication steps from the ISE:
1001 | Received RADIUS Access-Request
11017 | RADIUS created a new session
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 | Evaluating Policy Group
15008 | Evaluating Service Selection Policy
15048 | Queried PIP - Radius.Service-Type
15048 | Queried PIP - Radius.NAS-Port-Type
15004 | Matched rule - Wireless-WebAuth
15041 | Evaluating Identity Policy
15006 | Matched Default Rule
15013 | Selected Identity Source - Internal Endpoints
24209 | Looking up Endpoint in Internal Endpoints IDStore - 00:23:14:D0:46:98
24211 | Found Endpoint in Internal Endpoints IDStore
22037 | Authentication Passed
15036 | Evaluating Authorization Policy
15048 | Queried PIP - EndPoints.LogicalProfile
15048 | Queried PIP - Radius.Service-Type
15048 | Queried PIP - Radius.NAS-Port-Type
15004 | Matched rule - Guest Permit
15016 | Selected Authorization Profile - Guest-CWA-Accept
11002 | Returned RADIUS Access-Accept
The MAC address is correct, but when I go to Administration > Identities > Endpoints on the ISE I don't see the MAC address listed. I do see the MAC addresses for other devices, just not this one.
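A way to cross-check the symptom in this thread, added here as an example and not part of any post: it parses ISE authentication steps like those posted above and reports MACs that were accepted on an Internal Endpoints hit during Host Lookup (MAB) but are missing from the endpoint list an administrator can see. The function names and the VISIBLE_ENDPOINTS list are assumptions constructed for illustration.

```python
import re

# Decisive steps copied from the post above (trailing empty columns dropped).
STEPS = """\
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10))
15004 | Matched rule - Wireless-WebAuth
24209 | Looking up Endpoint in Internal Endpoints IDStore - 00:23:14:D0:46:98
24211 | Found Endpoint in Internal Endpoints IDStore
15004 | Matched rule - Guest Permit
15016 | Selected Authorization Profile - Guest-CWA-Accept
11002 | Returned RADIUS Access-Accept
"""

# Constructed sample: MACs visible in the endpoint list (hypothetical export).
VISIBLE_ENDPOINTS = ["00-11-22-33-44-55", "66:77:88:99:aa:bb"]

def norm_mac(mac):
    """Normalise any common MAC notation to 12 upper-case hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_steps(text):
    """Return [(code, message)] from 'code | message | ...' lines."""
    steps = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) >= 2 and cells[0].isdigit():
            steps.append((int(cells[0]), cells[1]))
    return steps

def summarize(steps):
    """Reduce one session's steps to the facts that decided access."""
    s = {"mab": False, "mac": None, "found": False, "rules": [], "profile": None, "accept": False}
    for code, msg in steps:
        if code == 11027: s["mab"] = True            # Host Lookup use case (MAB)
        elif code == 24209: s["mac"] = norm_mac(msg.rsplit(" - ", 1)[1])
        elif code == 24211: s["found"] = True        # hit in Internal Endpoints
        elif code == 15004: s["rules"].append(msg.split(" - ", 1)[1])
        elif code == 15016: s["profile"] = msg.split(" - ", 1)[1]
        elif code == 11002: s["accept"] = True       # Access-Accept returned
    return s

def hidden_endpoints(sessions, visible):
    """MACs accepted via an endpoint-store hit that the visible list lacks."""
    seen = {norm_mac(m) for m in visible}
    return sorted({s["mac"] for s in sessions if s["mab"] and s["found"]
                   and s["accept"] and s["mac"] and s["mac"] not in seen})
```

Calling `hidden_endpoints([summarize(parse_steps(STEPS))], VISIBLE_ENDPOINTS)` returns the MAC from the log, matching what the post describes: the store answers the lookup but the list does not show the entry.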
09-04-2015 03:21 AM
Odd, it looks like ISE is finding the MAC in the endpoint store, which is where it should be; there are no other places where that MAC address should be found. You say that it's not in there, but is that client getting redirected to the guest login page? If so, can you log in with a guest account?
If it's not in there, you should be able to manually create it; if it's actually in there, you should get some error message. Could you try that?
09-08-2015 07:10 PM
Thanks for that.
I added the MAC address in manually. When I then looked in the identity store, it had populated the endpoint profile and IP address fields, which seems to indicate that it had retrieved some details from the identity store. I then deleted the identity, and now the client is being redirected to the web auth portal as it should.
Looks like it was a bit of a glitch somewhere in the endpoint database.