Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
701
Views
0
Helpful
4
Replies

ISE CWA not working properly

Cheezus01
Level 1
Level 1

‎05-12-2015 05:47 AM - edited ‎03-10-2019 10:43 PM

Hello!

So I've setup a wireless CWA guest SSID using a ISE 1.3 and I've followed this guide, http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

The problem now is that the first authorization policy, "networkaccess:usecase EQUALS Guest Flow", never seems to kick in, because users recieve the login successful message and you can see the redirect link to the set website for a second and then it goes back to the login portal and prompts for login again. After reviewing the logs it seems like the ISE sets the profile to the redirect profile after successful login attempts, when it should be setting the Permit_Access profile. I read a note somewhere that in ISE 1.3 the "Guest Flow" flag might not work, but then again I've read many guides and manuals that says it should work. Of all the threads and posts I've read where people have had the same issue with the "redirect loop" no answer fixes it, because most of the time it's that they forgot a MAB rule or maybe to enable RFC 3576, but that's not the case here.

Labels:
0 Helpful
4 Replies 4

jj27
Spotlight
Spotlight

‎05-12-2015 07:39 AM

Another thing to check is that AAA override is enabled on the Guest WLAN under the Advanced tab.  Also make sure that your Guest Flow Authz rule is above the rule for CWA.

If that does not fix it, what controller and code are you running?

0 Helpful

Cheezus01
Level 1
Level 1
In response to jj27

‎05-12-2015 11:44 PM

I've checked that.

5508, 8.0.110.0

0 Helpful

Tim Steele
Level 1
Level 1
In response to Cheezus01

‎08-22-2015 05:18 PM

Do you have an anchor controller in the mix for your guest traffic?  If so, be sure you do NOT have radius accounting enabled on the anchor WLC.  That will cause a redirect loop.  When looking at Live Logs, does the SessionID change when this happens?


Tim

0 Helpful

Andre Neethling
Level 4
Level 4
In response to Tim Steele

‎08-24-2015 12:36 AM

Can you try this for the AuthZ policy you are trying to apply to the authenticated user? Under Identity groups  select "GuestType_YOUR GUEST IDENTITY GROUP". This will catch the authenticated user and apply the new AuthZ policy. This worked for me.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents