ISE Guest webauth error

David Niemann

Using central web auth 802.1x on a 3560 to ISE. I get to the web portal fine and was able to log in with the guest account and change the password. Now when I get redirected to the portal every time I log in I get "Your session has expired.  Please login again". The error in ISE shows up as Guest authentication failed: 86017: Session cache entry missing.

From the ISE log

Other Attributes:

ConfigVersionId=56,PortalName=DefaultGuestPortal,CPMSessionID=0A0A084E0000001B4CCB2B1B

From the switch show authentication sessions

ISE-test#sh authentication sessions int fa0/1
            Interface:  FastEthernet0/1
          MAC Address:  5c26.0a38.a800
           IP Address:  172.31.255.15
            User-Name:  5C-26-0A-38-A8-00
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
     URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
         URL Redirect:  https://oranetise01.naismc.com:8443/guestportal/gateway?sessionId=0A0A084E0000001B4CCB2B1B&action=cwa
      Session timeout:  3600s (local), Remaining: 1324s
       Timeout action:  Reauthenticate
         Idle timeout:  900s (local), Remaining: 418s
    Common Session ID:  0A0A084E0000001B4CCB2B1B
      Acct Session ID:  0x000001C8
               Handle:  0xC400001C

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

----------------------------------------
            Interface:  FastEthernet0/1
          MAC Address:  0004.f21c.66a9
           IP Address:  10.20.0.177
            User-Name:  00-04-F2-1C-66-A9
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout:  3600s (local), Remaining: 1253s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0A0A084E000000161ED6CBD9
      Acct Session ID:  0x000000F2
               Handle:  0x19000017

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

The session ID from the browser of the PC seems to match the above session IDs.  I'm at a loss.
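The comparison described in the post above, done by script instead of by eye. This is an added example and not part of the original post: it parses `show authentication sessions` output, pulls `sessionId` out of the URL Redirect, and compares both with `CPMSessionID` from the ISE log line. The function names are hypothetical, and reading the first 8 hex digits of the ID as the switch's IPv4 address is an assumption about the ID layout.

```python
import re
from urllib.parse import parse_qs, urlparse

# Sample input: fields copied from the switch and ISE output quoted in the post above.
SWITCH_OUTPUT = """\
          MAC Address:  5c26.0a38.a800
               Domain:  DATA
         URL Redirect:  https://oranetise01.naismc.com:8443/guestportal/gateway?sessionId=0A0A084E0000001B4CCB2B1B&action=cwa
    Common Session ID:  0A0A084E0000001B4CCB2B1B
----------------------------------------
          MAC Address:  0004.f21c.66a9
               Domain:  VOICE
    Common Session ID:  0A0A084E000000161ED6CBD9
"""
ISE_ATTRS = "ConfigVersionId=56,PortalName=DefaultGuestPortal,CPMSessionID=0A0A084E0000001B4CCB2B1B"

def parse_sessions(text):
    """Split the CLI output on the dashed separator; return one dict per session."""
    sessions = []
    for block in re.split(r"^-{10,}[ \t]*$", text, flags=re.M):
        pairs = re.findall(r"^[ \t]*([^:\n]+):[ \t]+(.*)$", block, flags=re.M)
        if pairs:
            sessions.append({k.strip(): v.strip() for k, v in pairs})
    return sessions

def ise_attr(attrs, name):
    """Read one key from the comma-separated 'Other Attributes' line of the ISE log."""
    return dict(p.split("=", 1) for p in attrs.split(",") if "=" in p).get(name)

def check_session(sess, ise_attrs):
    """Compare the three places the session ID shows up for one switch session."""
    common = sess.get("Common Session ID", "").upper()
    url = sess.get("URL Redirect", "")
    redirect = parse_qs(urlparse(url).query).get("sessionId", [""])[0].upper()
    cpm = (ise_attr(ise_attrs, "CPMSessionID") or "").upper()
    # Assumption: the first 8 hex digits of the ID encode the NAS (switch) IPv4 address.
    octets = [str(int(common[i:i + 2], 16)) for i in range(0, 8, 2)] if len(common) >= 8 else []
    return {
        "domain": sess.get("Domain"),
        "redirect_matches_switch": bool(common) and redirect == common,
        "ise_matches_switch": bool(common) and cpm == common,
        "nas_ip": ".".join(octets) or None,
    }

if __name__ == "__main__":
    for s in parse_sessions(SWITCH_OUTPUT):
        print(check_session(s, ISE_ATTRS))
```

For the DATA session all three IDs agree, so the 86017 error here is not explained by a mismatch between the switch, the redirect URL and the ISE log entry.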

1 Accepted Solution

David,

The sessionid is generated by the switch and is sent over to ISE in the access-request packet. What version of ISE are you on? You may want to consider upgrading to ISE 1.1.2 since this has a few fixes related to session entries. I am fighting a similar issue that you have pointed out but on the posturing side. Hope the upgrade fixes this for you. If you want to set a new session id, you can go into ISE and issue a COA (session termination) or just bounce the port.

Thanks,

Tarik Admani
*Please rate helpful posts*


David Niemann

And now it works and I didn't change anything.  How is the session ID generated and for how long does it last? Maybe it finally timed out and generated a new one.  The PC stayed connected to the port the entire time and was not rebooted either.

From ISE

Other Attributes:

ConfigVersionId=56,EndPointMACAddress=5C-26-0A-38-A8-00,PortalName=DefaultGuestPortal,CPMSessionID=0A0A084E0000001B4CCB2B1B

sh authentication sessions int fa0/1
            Interface:  FastEthernet0/1
          MAC Address:  5c26.0a38.a800
           IP Address:  172.31.255.15
            User-Name: 
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  46
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout:  3600s (local), Remaining: 3357s
       Timeout action:  Reauthenticate
         Idle timeout:  900s (local), Remaining: 657s
    Common Session ID:  0A0A084E0000001B4CCB2B1B
      Acct Session ID:  0x000001C8
               Handle:  0xC400001C

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

----------------------------------------
            Interface:  FastEthernet0/1
          MAC Address:  0004.f21c.66a9
           IP Address:  10.20.0.177
            User-Name:  00-04-F2-1C-66-A9
               Status:  Authz Success
               Domain:  VOICE
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout:  3600s (local), Remaining: 1644s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0A0A084E000000161ED6CBD9
      Acct Session ID:  0x000000F2
               Handle:  0x19000017

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

Yeah, I'm running 1.1.1.268.  I was looking at that upgrade.  Guess I'll try that this week and report back.

I am facing the same issue as well while running 1.1.2.145. Please let me know if you find the fix. I will update from my side if I determine anything faulty.

I upgraded to 1.1.2.145 and have not seen the issue again so far.

Regarding the error below:

"Guest authentication failed: 86017: Session cache entry missing"

I stepped into the same situation and solved it by adjusting the UTC timezone during the guest creation in the sponsor portal.

I hope this helps.

Eugenio Desideri