ISE guest portal weird behaviour

Darkmatter
Level 1

So I run a hotspot guest portal with its proper SSID, but the WLAN and the guest portal are on separate networks.

So guest WLAN is on let's say 10.10.10.0/24 and the guest portal is on 10.20.20.0/24

Have Webauth redirect configured and working fine, together with needed policy on ISE for MAB and all related things.

Testing this on my mobile, connecting to the guest SSID, I get the captive portal popup, can accept the UAP and then you should click on the 'Continue' button.

But here comes the thing: once I click on the continue button, I'm thrown back to the wifi settings without being connected to the guest wifi and I have to click on it once again. I even have to try a few more times to connect to this guest wifi while getting the message 'Cannot connect to the network', but eventually it will succeed.

Looking at the ISE logs, I see my authentication failed with the following event:

Event: 5422 Authorize-Only failed
Failure Reason: 15039 Rejected per authorization profile

which as a result returns me a RADIUS DenyAccess response.

A few moments later though, authentication succeeded and I'm connected.

Any idea what's causing this weird behaviour?

8 Replies

Change of Authorization (CoA).  What is your NAD?  Do you have CoA enabled?  Do you see any CoA failed logs in ISE?

So the NAD for wireless is a WLC-9800 and CoA is configured.

Don't see any failed CoA logs though.

Do you have CoA success logs?  What version of ISE?  What version of 9800?  AAA override and NAC state enabled on the SSID/WLAN/Tag?

Strangely enough, I don't see any CoA happening, although the WLC is configured for that?

ISE 3.2 - WLC version 17.6.x

Have to check the AAA override and NAC as I'm not sure about that, but it should be.

Summer holidays went by and I didn't have much time to spend on it during this period, but I'm picking it up again.

ISE 3.2 patch 3 and IOS XE 17.6.5 on the WLC 9800.
CoA success log is visible, AAA override and NAC state ISE are configured on the WLC.

The thing is that it works, but only when you connect to the guest wifi and let it sit for a couple of minutes.

What I'm seeing in the RADIUS logs on ISE is that there are 2 authorizations coming in for the same client, where the first one is accepted and directly after that the second auth is rejected.
As explained, this will resolve itself after a few minutes, but I want to get rid of it and have it working correctly.
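The symptom described in this reply (an Accept for a client MAC immediately followed by a Reject with "15039 Rejected per authorization profile", then a later successful auth once things settle) is easy to miss when scrolling the ISE Live Log by hand. The script below is an added example, not code from the thread or from Cisco: it parses a constructed, simplified log layout (timestamp | MAC | result | detail), which is an assumption and not ISE's actual export format, groups events per client, and flags every Accept/Reject pair inside a short window, along with how long the client took to recover. Run it against an export of the RADIUS authentication log after adapting `parse_log` to the real column layout.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines (NOT real ISE output). The layout is an assumption:
# "<ISO timestamp> | <client MAC> | ACCEPT|REJECT | <event / failure reason text>".
# The reject text mirrors what the thread quotes from ISE.
SAMPLE_LOG = """\
2024-08-20T10:00:01 | AA:BB:CC:11:22:33 | ACCEPT | Authentication succeeded
2024-08-20T10:00:02 | AA:BB:CC:11:22:33 | REJECT | 5422 Authorize-Only failed; 15039 Rejected per authorization profile
2024-08-20T10:00:05 | DD:EE:FF:44:55:66 | ACCEPT | Authentication succeeded
2024-08-20T10:03:10 | AA:BB:CC:11:22:33 | ACCEPT | Authentication succeeded
2024-08-20T10:10:00 | DD:EE:FF:44:55:66 | REJECT | 5422 Authorize-Only failed; 15039 Rejected per authorization profile
"""


@dataclass(frozen=True)
class Entry:
    ts: datetime
    mac: str
    result: str   # "ACCEPT" or "REJECT"
    detail: str   # free-text event / failure reason


def parse_log(text: str) -> list[Entry]:
    """Parse the simplified pipe-separated layout into Entry objects."""
    entries: list[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, result, detail = (part.strip() for part in line.split("|", 3))
        entries.append(Entry(datetime.fromisoformat(ts), mac.upper(), result.upper(), detail))
    return entries


def find_double_authz(
    entries: list[Entry],
    window: timedelta = timedelta(seconds=30),
    reason_code: str = "15039",
) -> list[dict]:
    """Flag clients whose ACCEPT is followed within `window` by a REJECT carrying
    `reason_code` (the 'Rejected per authorization profile' failure from the thread).
    Also report how long until the next ACCEPT for that client, if any."""
    by_mac: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        by_mac[e.mac].append(e)

    findings: list[dict] = []
    for mac, evs in by_mac.items():
        evs.sort(key=lambda e: e.ts)
        for i in range(1, len(evs)):
            prev, cur = evs[i - 1], evs[i]
            if prev.result != "ACCEPT" or cur.result != "REJECT":
                continue
            if reason_code not in cur.detail or cur.ts - prev.ts > window:
                continue
            # Next successful auth after the spurious reject, i.e. the "it fixes itself
            # after a few minutes" behaviour the thread describes.
            later = next((e for e in evs[i + 1:] if e.result == "ACCEPT"), None)
            findings.append({
                "mac": mac,
                "accept_at": prev.ts.isoformat(),
                "reject_at": cur.ts.isoformat(),
                "gap_s": (cur.ts - prev.ts).total_seconds(),
                "recovered_after_s": (later.ts - cur.ts).total_seconds() if later else None,
            })
    return findings


if __name__ == "__main__":
    for f in find_double_authz(parse_log(SAMPLE_LOG)):
        print(f"{f['mac']}: accept {f['accept_at']} -> reject {f['reject_at']} "
              f"({f['gap_s']:.0f}s apart), recovered after {f['recovered_after_s']}s")
```

In the constructed sample only the first client is flagged: its Reject lands one second after the Accept and the next Accept comes 188 seconds later, while the second client's Reject is ten minutes after its Accept and falls outside the window. Tighten or widen `window` to match the CoA/re-auth timing you actually observe between the 9800 and ISE.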


Seems to be caused by some delays between the WLC and ISE. Are both sitting on the same network? If not, is there any firewall in between that is doing payload inspection?

Hi, did you figure out this issue? I'm having a very similar experience on 9800 WLCs and ISE 3.1 (patch

https://www.linkedin.com/pulse/central-web-authentication-wlc-ise-understanding-flow-alessandro-don%C3%A0

The condition must be configured correctly; the condition must be the SSID. The guest will select the SSID for guests and the WLC sends this info to ISE, which uses it to match the correct authz policy to apply.
That's it.
I think you don't need more than that.
Thanks
MHM