ISE 2.4 MAB Authentication issue

Marco Aresu
Level 1

Hi all,

I have an ISE 2.4 patch 5 deployment. For 4-5 months I have had an issue with Wi-Fi web portal authentication. From Windows and Android devices I need to log in twice on the portal. After the first successful authentication, the MAC address is not present in the Endpoint Identity Group; it only appears after the second authentication.

From the RADIUS logs I don't see any error, and the session ID present in the URL is the same in the first and the second web portal redirect.

 

Thanks

Marco

11 Replies

paul
Level 10

How do you have the DNS names in the redirect?  Are you using the FQDN of the ISE nodes in the redirect or a generic name like guest1.mycompany.com and guest2.mycompany.com?

Arne Bier
VIP

I assume you are doing redirection on a Cisco NAS? When the user has successfully logged into the Guest Portal do you see the CoA Disconnect being sent out from the PSN (the PSN that hosted the Guest portal)?  Best to run a tcpdump on the PSN you expect to see this happening on.

If the CoA is being sent out and acknowledged by the NAS, but the endpoint is not stored in ISE, then there must be a bug. I don't see how that can be a config error.

I would then compare the second Portal login with a tcpdump and see what the difference is.

 

I have seen weird stuff like this in earlier releases - but 2.4 has been pretty good for me.

I think I have seen this before as well.

You first connect using MAB, and even though the default authentication policy says to continue when the user is unknown, it will drop that packet.
Next, after it is added to the database, MAB will be accepted and then the redirect continues to the hotspot portal, for example.

I would open a tac case

Normally, during a correct procedure, after the login authentication the MAC address is present on the endpoint and reauthentication goes through the correct rule for MAB authentication.

In my case there is no difference between the first and the second portal; the difference is that I see the username (received from the first authentication), but the Endpoint Group is "Profiled:Microsoft" and not the correct endpoint group configured on the authentication portal for this type of user (WIFI-ENDPOINT).

That could be part of your problem. Why do you have the Microsoft profile mapped to an endpoint identity group? What could be happening is that after they get put into the Guest group they get profiled as Microsoft, and that is overwriting the Guest group assignment.



Unfortunately the developers (yes I am calling them out) don't check for the static assignment flag when they map profiled groups to identity groups so they overwrite static mappings. That is a flaw in the system, but has been there for a long time. IMO a statically set endpoint group assignment should never be overwritten, that is just basic programming logic.


I don't understand why, after the first successful authentication, I see "Endpoint Identity Groups:Profiled:Workstation" and after the second successful authentication "Endpoint Identity Groups:wifi-Endpoint".

Why, after the first authentication, is the MAC address not present in the endpoint identity group? Could it be a bug?

 

Thanks

Marco

It could be a sequence thing.  Does this happen only the very first time ISE sees the MAC address of the client?  If so what could be happening is this:

 

  1. ISE learns your MAC for the very first time from the MAC authentication of the guest SSID.
  2. It doesn't have any information yet other than the MAC, so you're put in a profile like Dell, HP, etc.
  3. You are redirected to the guest portal page and go through the process.
  4. Your MAC address is moved into the designated Guest Endpoints group.
  5. CoA is sent.
  6. Because you visited the portal, ISE now has your User-Agent string and can reprofile you as a workstation.
  7. You have the workstation profile set to create a matching identity group, so your MAC address is moved into that endpoint identity group.
  8. When the reauthentication happens you are not in the Guest Endpoints group anymore and you have to go through the portal again.
  9. You go through the portal again and life is good.

So my guess is you are running into a first-time sequencing thing. Uncheck "Create matching identity group" for the workstation profile. If this is happening every time, not just the first time the MAC is learned, then I don't know what the issue could be.
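The sequence laid out in the post above, as an added example that is not part of the original thread and not Cisco's code: a toy Python model of how the endpoint identity group changes across the first MAB authentication, the portal login and the CoA-triggered reauthentication. It assumes a guest group named GuestEndpoints, a constructed MAC address, and that "Create matching identity group" on the Workstation profile simply overwrites the endpoint's current group; the honor_static_assignment switch models the behaviour a later reply in this thread asks for (not overwriting a static assignment) and is not an ISE option.

```python
# Toy model of the first-connection sequencing in the post above.
# Simplified illustration, not ISE code: group, profile and MAC values are assumed.
from dataclasses import dataclass, field

GUEST_GROUP = "GuestEndpoints"          # assumed: group the guest portal assigns on login
PERMIT, REDIRECT = "PERMIT", "REDIRECT_TO_PORTAL"


@dataclass
class Endpoint:
    mac: str
    profile: str = "Unknown"
    group: str = "Unknown"
    static_group: bool = False          # True once the portal/admin assigns the group explicitly


@dataclass
class ToyIse:
    # profile name -> is "Create matching identity group" enabled for that profile?
    create_matching_group: dict
    # assumed fix, not an ISE option: never overwrite a static group assignment
    honor_static_assignment: bool = False
    endpoints: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _ep(self, mac):
        return self.endpoints.setdefault(mac, Endpoint(mac))

    def profile(self, mac, new_profile):
        """Profiler decision (steps 2 and 6/7). Returns the group the endpoint ends up in."""
        ep = self._ep(mac)
        ep.profile = new_profile
        if self.create_matching_group.get(new_profile):
            if ep.static_group and self.honor_static_assignment:
                self.log.append(f"{new_profile}: kept static group {ep.group}")
            else:
                # The overwrite: the matching identity group replaces whatever group the
                # endpoint was in, including the group the portal just assigned.
                ep.group = new_profile
                ep.static_group = False
                self.log.append(f"{new_profile}: moved to matching group {new_profile}")
        return ep.group

    def portal_login(self, mac, username):
        """Guest portal success (steps 3-5): static group assignment, then CoA."""
        ep = self._ep(mac)
        ep.group = GUEST_GROUP
        ep.static_group = True
        self.log.append(f"{username}: assigned {GUEST_GROUP}, CoA sent")

    def mab_authorize(self, mac):
        """MAB authorization: permit members of the guest group, redirect everyone else."""
        return PERMIT if self._ep(mac).group == GUEST_GROUP else REDIRECT


def first_connection(create_matching_for_workstation, honor_static_assignment=False):
    """Replay steps 1-8 for a never-seen MAC; returns both MAB authorization results."""
    ise = ToyIse({"Workstation": create_matching_for_workstation},
                 honor_static_assignment=honor_static_assignment)
    mac = "00:11:22:33:44:55"            # constructed sample MAC
    ise.profile(mac, "Dell-Device")      # steps 1-2: OUI-only profile on the first MAB
    first = ise.mab_authorize(mac)       # step 3: not a guest yet -> redirect to portal
    ise.portal_login(mac, "guest1")      # steps 4-5: guest group assigned, CoA sent
    ise.profile(mac, "Workstation")      # steps 6-7: User-Agent seen, reprofiled
    second = ise.mab_authorize(mac)      # step 8: reauthentication after the CoA
    return [first, second]


if __name__ == "__main__":
    for flag, fix in ((True, False), (False, False), (True, True)):
        print(f"create_matching={flag} honor_static={fix}: {first_connection(flag, fix)}")
```

With the matching-group option enabled the second authorization is still a redirect, which is the double portal login described in the thread; disabling the option on the Workstation profile, or honouring the static assignment, makes the reauthentication pass.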

 

Indeed, the option "Create matching identity group" was checked for Android and Workstation. The check has been disabled, but the problem is still present.

Below you can see the screenshot after the first authentication:

[screenshot]

and below the screenshot after the second authentication:

[screenshot]

Do you see any big error?

 

Thanks

Marco

I assume the first one is after you have gone through the portal once, because the guest user ID is known, but you are right, there wasn't a move to the correct endpoint group until after you went through the second time. Do you only see this the very first time the MAC address is learned by ISE, or can you remove the MAC from the guest endpoint group and simulate the issue every time?

 

Can you post all 3 screenshots? There should be the first MAB authentication, where you are sent to the portal the first time; then the second, when you are sent back to the portal again; then finally the one where it works. You posted the last two.

Hello Paul,

I am able to simulate this error just by removing the MAC address from the endpoints group.

This is the screenshot of the first portal:

[screenshot]

Yeah that is odd. Sounds like a TAC case is in order for sure.