03-31-2013 11:38 PM - edited 03-10-2019 08:15 PM
I've configured the Guest Web Authentication in the ISE and I've tested and everything is working fine. I got the redirect url, I could authenticate and then got access. However, if I got the redirect url and then disconnect from the guest SSID and connect to another SSID on the same WLC (not associated to the ISE) and then connect back to the guest SSID, I'm not getting the redirect url.
I've checked the ISE and I noticed that the radius session is not terminated if I disconnected from the SSID. I tried to add an attribute in the authorization profile to have radius idle timeout, it did work and the ISE initiated a new session ID, but the smartphone is not getting the url.
Anyone have/had this issue?
04-01-2013 01:41 AM
For sake of clarity:
- You do not see the redirect URL sent when you do "show client det
- Do you have accounting on the WLC configured pointing to ISE for corresponding SSID?
- I assume you're running something fairly recent on ISE 1.1.x?
04-01-2013 02:18 AM
Thanks Marcin for your reply.
I have ISE 1.1.3 with WLC 7.2. The accounting on the WLC is configured. I need to check the
"show client det
But I can see it in the GUI of WLC after I associate with guest SSID but without the redirect url working. I guess the issue
that the radius session is not terminated when I disconnect from the SSID
04-01-2013 02:38 AM
r.mohannad wrote:
I guess the issue
that the radius session is not terminated when I disconnect from the SSID
Hence my question whether RADIUS accounting was configured (to ISE). :-)
There's really no reason to keep the RADIUS session up, it's just a short exchange, I guess you mean the authentication session?
I can try a similar session in the lab, but can't promise I will be able to do it in the next few days (with the holidays and whatnot).
M.
04-01-2013 03:00 AM
I can terminate the session manually by going to:
Operations > Reports > Catalog > Session Directory > RADIUS_Active_Sessions
When I did that, the smartphone is disconnected from the SSID and then connect it again, and I get the redirect URL with no issue.
If you wanna try it in the lab, make sure you disconnect the guest SSID and connect to another SSID not associated to the ISE.
Thanks
04-01-2013 03:04 AM
OK that should not be needed. But do you or don't you have accounting configured on WLC?
M.
04-01-2013 03:09 AM
Yes it is configured in the WLC and pointed to the ISE.
04-02-2013 07:23 AM
I've done a test with CWA + open SSID and I don't see the problem. (iPod, latest SW update, pretty old HW)
My steps:
1) connected to CWA SSID and it asked me to register, provided my username and password to see if they are correct
2) disconnected (connected to openSSID) without registering.
3) Checked reachability over openSSID
4) reconnected to the CWA one.
5) Got redirected automatically.
Did I miss anything? Any more steps you've done?
M.
04-02-2013 07:40 AM
Thanks Marcin.
Actually we have an issue in step 5 where I could not be redirected. When you disconnected from CWA, was the RADIUS session in the ISE removed?
04-02-2013 08:04 AM
It is removed. I exported its details to CSV, can you do the same for the session that is "stuck"?
08-27-2013 05:02 AM
Please check the guide of Setting Up Cisco ISE in a Distributed Environment:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html