07-20-2023 06:05 AM
So I run a hotspot guest portal with its proper SSID, but WLAN and guest portal are on separate networks.
So guest WLAN is on let's say 10.10.10.0/24 and the guest portal is on 10.20.20.0/24.
Have Webauth redirect configured and working fine, together with needed policy on ISE for MAB and all related things.
Testing this on my mobile, connecting to the guest SSID, I get the captive portal popup, can accept the UAP and then you should click on the 'Continue' button.
But here comes the thing: once clicked on the continue button, I'm thrown back to the wifi settings without being connected to the guest wifi and I have to click on it once again. I even have to try a few times again to connect to this guest wifi while getting the message 'Cannot connect to the network', but eventually it will succeed.
Looking at ISE logs, I see my authentication failed with the following event:
Event | 5422 Authorize-Only failed |
Failure Reason | 15039 Rejected per authorization profile |
which as a result returns me a RADIUS DenyAccess response.
A few moments later though, authentication succeeded and I'm connected.
Any idea what's causing this weird behaviour?
07-20-2023 06:16 AM
Change of Authorization (CoA). What is your NAD? Do you have CoA enabled? Do you see any CoA failed logs in ISE?
07-20-2023 06:26 AM
So the NAD for wireless is a WLC-9800 and CoA is configured.
Don't see any failed CoA logs though.
07-20-2023 06:58 AM - edited 07-20-2023 06:59 AM
Do you have CoA success logs? What version of ISE? What version of 9800? AAA override and NAC state enabled on the SSID/WLAN/Tag?
07-20-2023 03:56 PM
Strangely enough, I don't see any CoA happening, although WLC is configured for that?
ISE 3.2 - WLC version 17.6.x
Have to check the AAA override and NAC as I'm not sure about that, but it should.
09-19-2023 03:08 AM
Summer holidays went by and I didn't have much time to spend on it during this period, but picking it up again.
ISE 3.2 patch 3 and IOS XE 17.6.5 on WLC 9800.
CoA success log is visible, AAA override and NAC state ISE is configured on the WLC.
The thing is that it works, but only when you connect to the guest wifi and let it sit for a couple of minutes.
What I'm seeing in the RADIUS logs on ISE is that there are 2 authorizations coming in for the same clients, where the first one is accepted and directly after that, the second auth is rejected.
As explained, this will auto resolve itself after a few minutes, but I want to get rid of it and have it working correctly.
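The accept-then-reject pattern described in the post above can be picked out of an exported RADIUS log mechanically. The following is an added example, not code from the thread or from Cisco: the record layout, the PASS/FAIL labels and the sample rows are constructed assumptions, and only the 5422/15039 texts come from the thread.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (not real ISE output). Assumed layout:
# (timestamp, endpoint MAC, result, event / failure reason)
SAMPLE = [
    ("2023-09-19 10:00:01", "AA:BB:CC:00:00:01", "PASS", "initial MAB, portal redirect"),
    ("2023-09-19 10:00:40", "AA:BB:CC:00:00:01", "PASS", "authorization after portal"),
    ("2023-09-19 10:00:41", "AA:BB:CC:00:00:01", "FAIL",
     "5422 Authorize-Only failed / 15039 Rejected per authorization profile"),
    ("2023-09-19 10:04:10", "AA:BB:CC:00:00:01", "PASS", "client retry"),
    ("2023-09-19 10:01:00", "AA:BB:CC:00:00:02", "PASS", "initial MAB, portal redirect"),
    ("2023-09-19 10:01:30", "AA:BB:CC:00:00:02", "PASS", "authorization after portal"),
    ("2023-09-19 10:20:00", "AA:BB:CC:00:00:03", "PASS", "initial MAB, portal redirect"),
    ("2023-09-19 10:25:00", "AA:BB:CC:00:00:03", "FAIL",
     "5422 Authorize-Only failed / 15039 Rejected per authorization profile"),
]

def accept_then_reject(records, window_s=5):
    """Find a PASS directly followed by a FAIL for the same endpoint within
    window_s seconds, and report how long the endpoint took to pass again."""
    by_mac = {}
    for ts, mac, result, detail in records:
        by_mac.setdefault(mac.upper(), []).append(
            (datetime.strptime(ts, FMT), result, detail))
    findings = []
    for mac, events in by_mac.items():
        events.sort(key=lambda e: e[0])  # stable: same-second rows keep log order
        for i in range(1, len(events)):
            prev, cur = events[i - 1], events[i]
            gap = (cur[0] - prev[0]).total_seconds()
            if prev[1] == "PASS" and cur[1] == "FAIL" and gap <= window_s:
                nxt = next((e for e in events[i + 1:] if e[1] == "PASS"), None)
                findings.append({
                    "mac": mac,
                    "rejected_at": cur[0],
                    "reason": cur[2],
                    # None means the endpoint never passed again in this export
                    "recovered_after_s":
                        (nxt[0] - cur[0]).total_seconds() if nxt else None,
                })
    return findings

if __name__ == "__main__":
    for f in accept_then_reject(SAMPLE):
        print(f["mac"], f["rejected_at"], f["recovered_after_s"], f["reason"])
```

Lining up the `rejected_at` times with the CoA entries for the same endpoint shows whether each rejection follows a reauthentication request or arrives without one.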
09-19-2023 04:29 AM
Seems to be caused by some delays between the WLC and ISE. Are both sitting on the same network? If not, is there any firewall in between that is doing payload inspection?
05-20-2024 09:06 AM
Hi, Did you figure out this issue? I'm having a very similar experience on 9800 WLCs and ISE 3.1 (patch
07-20-2023 07:01 AM
The condition must be configured correctly. The condition must be the SSID: the guest will select the SSID for guest, and the WLC sends this info to ISE, which uses it to match the correct authz policy to apply.
That's it.
I think you don't need more than that.
Thanks
MHM