07-25-2012 03:08 PM - edited 03-10-2019 07:20 PM
WLC - 7.2.110.0
ISE - 1.1.1
I'm new to ISE. I want to set up a very basic method for BYOD users to access our wireless network. I've set up an SSID for external Web Auth, where users get redirected to the ISE Guest Portal: https://1.2.3.4:8443/guestportal/Login.action
At that screen, users can enter their Active Directory credentials and log in. Although the authentication shows as successful under Operations -> Authentications, the user is redirected to the device registration page. On that page they see the message "We are unable to determine access privileges in order to access the network. Please contact your administrator." Their device MAC is listed, and they can enter a description, but the "Register" button is greyed out.
I'm getting overwhelmed with the amount of documentation available as well as the new terminology. I'm familiar with using Windows RADIUS servers, but ISE is very foreign to me now. Is there any documentation to help me understand how access requests are processed?
07-25-2012 03:11 PM
Are you seeing the CoA request being sent from the ISE to the wireless controller? If so, it could be that the guest is hitting another authorization profile which redirects them to the device registration page.
Can you post a screenshot of your authorization rules?
Thanks,
Tarik Admani
*Please rate helpful posts*
07-25-2012 03:28 PM
As far as I can tell there is no Authorization Profile being returned. I only have one authorization profile in addition to the defaults. This profile just checks AD group membership.
07-25-2012 03:34 PM
Sounds good, you will have to create another authorization profile that matches the guest identity group. That result should be permit access. See if that changes your luck.
Tarik Admani
*Please rate helpful posts*
07-25-2012 03:39 PM
Forgive me for sounding obtuse, but how does one do that?
I thought that's what I was doing when I created an auth profile that matched the AD user group that the user I'm logging in with is a member of.
07-26-2012 07:41 AM
Hi,
Did you set up ISE as the RADIUS server for the SSID and then set up the WLC as the RADIUS client on ISE? It seems that you are being redirected properly, and the portal authentication is passing; however, there is another transaction, which is the RADIUS portion, that actually changes your network access. Please set that up and you should be good to go.
Thanks,
Tarik Admani
*Please rate helpful posts*
07-26-2012 07:51 AM
Yes, I set up ISE as the RADIUS server and I've added the WLC to ISE.
07-26-2012 07:55 AM
Which IP address did you use for the wireless LAN controller? Did you use the management interface? Also, can you check the Security settings and make sure that "Radius Server Overwrite interface Enabled" is not checked? It seems as if the RADIUS authentication is not making it to the ISE node.
Thanks,
Tarik Admani
*Please rate helpful posts*
03-21-2013 12:11 PM
As you asked for documents related to ISE and the Guest Portal, I am sending you two docs which will help you in this case. Please find the documents below:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html
http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_guest_pol.pdf
03-22-2013 10:07 AM
How are you setting up the redirect? I have seen that error when you are being sent without using CWA, and it is related to not being able to see the session information.
Since the controller is on 7.2, you should be able to send the redirect through CWA on the ISE appliance. So you basically have an open SSID with MAC filtering enabled and RADIUS NAC enabled, and a policy on ISE to redirect traffic.
03-22-2013 10:42 AM
I forget what problem I was having, but I think I didn't have the authorization profile set up right, or at all. Sorry this thread got necro'd. The issue has long since been solved.
Sorry.