I have an ISE 2.4 patch 5 deployment. For 4-5 months I have had an issue with Wi-Fi web portal authentication. From Windows and Android devices I need to log in twice on the portal. After the first successful authentication, the MAC address is not present in the Endpoint Identity Group, but only after the second authentication.
From the RADIUS logs I don't see any error, and the session ID present in the URL is the same in the first and the second web portal redirect.
How do you have the DNS names in the redirect? Are you using the FQDN of the ISE nodes in the redirect or a generic name like guest1.mycompany.com and guest2.mycompany.com?
I assume you are doing redirection on a Cisco NAS? When the user has successfully logged into the Guest Portal do you see the CoA Disconnect being sent out from the PSN (the PSN that hosted the Guest portal)? Best to run a tcpdump on the PSN you expect to see this happening on.
If the CoA is being sent out and ACKnowledged by the NAS, but the Endpoint is not stored in ISE, then there must be a bug. I don't see how that can be a config error.
I would then compare the second Portal login with a tcpdump and see what the difference is.
I have seen weird stuff like this in earlier releases - but 2.4 has been pretty good for me.
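To check the CoA exchange the reply above asks about, here is an added example (not from this thread or from Cisco) that decodes RFC 5176 CoA/Disconnect packets pulled out of the PSN's tcpdump and pairs each Disconnect-Request with the NAS's ACK or NAK by RADIUS identifier. The packet bytes are constructed samples; in practice you would feed it the UDP payloads from the capture.

```python
# Added example (not from the thread): decode RADIUS CoA/Disconnect packets
# (RFC 5176) so a PSN tcpdump can be checked for a Disconnect-Request and the
# NAS's ACK/NAK instead of reading the hex by eye.
import struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTRS = {31: "Calling-Station-Id", 44: "Acct-Session-Id", 101: "Error-Cause"}

def build_radius(code, ident, attrs):
    """Assemble a RADIUS packet; authenticator is zeroed (constructed sample)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body

def parse_radius(pkt):
    """Parse header and TLV attributes; raise ValueError on a malformed packet."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, ln = pkt[pos], pkt[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("bad attribute length")
        val = pkt[pos + 2:pos + ln]
        attrs[ATTRS.get(t, t)] = val.decode("ascii", "replace") if t in (31, 44) else val
        pos += ln
    return {"code": CODES.get(code, f"Code-{code}"), "id": ident, "attrs": attrs}

def match_coa(packets):
    """Pair each CoA/Disconnect request with the NAS reply sharing its identifier."""
    parsed = [parse_radius(p) for p in packets]
    results = []
    for req in (p for p in parsed if p["code"] in ("Disconnect-Request", "CoA-Request")):
        reply = next((p for p in parsed
                      if p["id"] == req["id"] and p["code"].endswith(("ACK", "NAK"))), None)
        results.append((req["attrs"].get("Calling-Station-Id"),
                        reply["code"] if reply else "no reply"))
    return results

# Constructed sample exchange: PSN sends a Disconnect-Request for the guest's
# MAC, the NAS answers with Disconnect-ACK; a second request goes unanswered.
SAMPLE = [
    build_radius(40, 7, [(31, b"AA-BB-CC-DD-EE-FF"), (44, b"0a0a0a0100000123")]),
    build_radius(41, 7, []),
    build_radius(40, 8, [(31, b"11-22-33-44-55-66")]),
]
```

A request with "no reply" means the NAS never acknowledged the CoA, which points at the NAS side rather than an ISE endpoint-store bug.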
Normally, during a correct procedure, after login authentication the MAC address is present on the endpoint and reauthentication goes through the correct rule for MAB authentication.
In my case there is no difference between the first and second portal; the difference is that I see the username (received from the first authentication), but the Endpoint Group is "Profiled:Microsoft" and not the correct endpoint group configured on the authentication portal for this type of user (WIFI-ENDPOINT).
I don't understand why after the first successful authentication I see "Endpoint Identity Groups:Profiled:Workstation" and after the second successful authentication "Endpoint Identity Groups:wifi-Endpoint".
Why, after the first authentication, is the MAC address not present in the Endpoint Identity Group? Is it a bug?
It could be a sequence thing. Does this happen only the very first time ISE sees the MAC address of the client? If so what could be happening is this:
So my guess is you are running into a first-time sequencing thing. Uncheck the "Create matching identity group" for the Workstation profile. If this is happening every time, not just the first time the MAC is learned, then I don't know what the issue could be.
Effectively, the option "Create matching identity group" was checked for Android and Workstation. The check has been disabled, but the problem is still present.
Below you can see screenshot after first authentication:
and below screenshot after second authentication.
Do you see any big error?
I assume the first one is after you have gone through the portal once because the guest user ID is known, but you are right there wasn't a move to the correct endpoint group until after you went through the second time. Do you only see this the very first time the MAC Address is learned by ISE or can you remove the MAC from the guest endpoint group and simulate the issue every time?
Can you post all 3 screenshots? There should be the first-time MAB authentication where you are sent to the portal the first time, then the second time when you are sent back to the portal again, and finally when it works. You posted the last two.
I am able to simulate this error just by removing the MAC address from the endpoint group.
This is a screenshot of the first portal: