05-11-2016 11:18 PM - edited 03-10-2019 11:45 PM
Hi All,
Can someone help me in segregating authentication for two SSIDs?
i) Guest SSID uses web authentication (guest sponsor portal), which is working fine.
ii) Mobile phone SSID uses MAC address authentication, which is partially working. I have done some configuration in ISE and enabled MAC filtering in the WLC.
I am able to connect to VIP-SSID if my phone's MAC is in ISE, but if the MAC address is not in ISE then it uses the guest web redirection policy and gets authenticated using guest credentials.
How can we stop this, so that guest web redirection is used only for the guest SSID and not for mobile?
Thanks
Kamlesh
05-12-2016 01:49 AM
You need to make your CWA redirect rules more specific, like your mobile phone ssid, so add the Called-Station-ID CONTAINS "Guest-SSID" to your redirect rule.
05-12-2016 02:01 AM
Hi Nielsen,
I tried that as follows:
rule name: guest-wireless
condition: wireless_mab & Called-Station-ID CONTAINS or END-WITH Guest-SSID
result: centralize web auth......redirect acl .....sponsor guest portal.
Then I was able to connect to the guest SSID but there was no web redirection, or I was not able to connect to the mobile SSID; it was showing connecting.....
Is there anything I am missing?
Thanks
Kamlesh
05-12-2016 02:09 AM
Try not using two conditions for your Called-Station-ID, just use CONTAINS
05-12-2016 02:28 AM
Hi Nielsen,
I tried both conditions in the guest rule one by one, one condition at a time.
Whenever I configure the above condition, the mobile phone also gets rejected and the guest portal does not get web redirection.
What would be the policy sequence? I put the mobile policies first, then guest CWA.
Thanks
Kamlesh
05-12-2016 08:27 AM
That's odd, the order of the rules should not matter when the conditions are specific to an SSID, because only the correct rule will match.
You should try enabling the guest CWA rule, with just Called-Station-ID CONTAINS "Guest-SSID", and then take a screenshot of the detail log for the MAB requests where you say the mobile gets rejected and guests don't get redirected.
05-13-2016 12:00 AM
05-13-2016 12:29 AM
We need the whole page of the details log, not just the top of it. If you can't capture that, then you should look for the Called-Station-Id attribute in the detail log of a denied request. It sounds like your WLC is not sending the SSID name in that av-pair; this is configurable in the WLC. That would explain why it's not matching your auth rule conditions.
05-13-2016 12:56 AM
Hi Nielsen,
I think I am done. I have now changed CONTAINS to END-WITH Guest SSID, and I am able to achieve the requirement. Let me do some more testing, will update you.
What would be the WLC configuration for the av-pair?
Thanks for your support.
Kamlesh
05-13-2016 03:45 AM
Hi Nielsen,
We have done testing on 10-15 mobile phones and now it is working as per the requirement. I think this was not working with "Contains" because all 4 SSIDs start with the same name.
I have done all ssid policy configuration such as:
For guest need to web redirection.
Now everything is working, thanks for your support Nielsen.
Thanks
Kamlesh
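The CONTAINS versus END-WITH behaviour discussed in this thread, as an added example that is not part of any post and is not ISE code. It models first-match authorization rules over the Called-Station-Id string; the SSID names, MAC addresses, result names and the "AP MAC:SSID" value format are assumptions made for the illustration.

```python
# Constructed model of first-match authorization rules; not ISE code.
# Assumption: the WLC sends Called-Station-Id as "<AP MAC>:<SSID>".
KNOWN_MACS = {"aa:bb:cc:00:00:01"}   # constructed: endpoints registered for MAB
AP = "00-11-22-33-44-55"             # constructed AP MAC
GUEST = AP + ":ACME"                 # hypothetical guest SSID
VIP = AP + ":ACME-VIP"               # hypothetical mobile SSID sharing the name

def contains(text):
    return lambda csid: text in csid

def ends_with(text):
    return lambda csid: csid.endswith(text)

def any_ssid(csid):
    return True

def authorize(rules, csid, mac):
    """Return the result of the first rule whose conditions all match."""
    for ssid_cond, needs_known_mac, result in rules:
        if ssid_cond(csid) and (not needs_known_mac or mac in KNOWN_MACS):
            return result
    return "DenyAccess"

def policy(guest_cond):
    """Mobile MAB rule first, then the guest CWA rule with the given SSID condition."""
    return [
        (ends_with(":ACME-VIP"), True, "PermitAccess"),
        (guest_cond, False, "CWA-Redirect"),
    ]

UNSCOPED = policy(any_ssid)            # guest rule with no SSID condition
SUBSTRING = policy(contains("ACME"))   # CONTAINS also matches "ACME-VIP"
SUFFIX = policy(ends_with(":ACME"))    # ENDS WITH, anchored on the ":" separator

def outcomes(rules, mac="02:00:00:00:00:99"):
    """Results for an unregistered MAC on the guest SSID and on the VIP SSID."""
    return authorize(rules, GUEST, mac), authorize(rules, VIP, mac)

if __name__ == "__main__":
    for name, rules in [("unscoped", UNSCOPED), ("CONTAINS", SUBSTRING), ("ENDS WITH", SUFFIX)]:
        print(name, outcomes(rules))
```

With the unscoped or substring guest rule, an unregistered MAC on the mobile SSID falls through to the guest redirect; only the suffix condition leaves it denied.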
05-13-2016 06:39 AM
Hi,
In av-pair there is audit session-id, attached is log file.
Thanks
Kamlesh
05-13-2016 06:39 AM
Hi
Your issue seems to be corrected now.
Just 1 piece of information: when you have multiple SSIDs and you want to use different authentication methods, you can activate the PolicySet feature. It will allow you to have different authentication and authorization rules depending on your SSIDs.
With PolicySet, you can differentiate SSIDs by using WLAN-ID as criteria. This WLAN-ID can be seen on your WLC.
This method is good because you can have a better organized view on ISE.
Thanks
05-12-2016 08:38 AM
Hi,
Can you drop us a screenshot of your ISE policy rules?
05-12-2016 02:10 AM
Also, are you sure it's not just your phone that is auto-connecting to the open SSID when it gets rejected on the VIP SSID? That's a very normal thing for a phone to do.