
ISE session stitching timer for guest flow

ganwang
Cisco Employee

Hello experts,

I'm doing an ISE guest service test. The symptom is that the user is redirected a second time to the guest portal. From the ISE RADIUS Live Log I can see that after CoA, for the second authentication, the authorization profile with CWA has been selected again. As far as I know, the ISE session stitching timer for guest flow is 20 seconds by default. I suspect that my issue is caused by the short timer. Does anybody know how to set a longer timer?

Thanks,

GW

1 ACCEPTED SOLUTION

Accepted Solutions

If you configured the vendor as something other than Cisco in the NAD Profile, then it is possible that session stitching is not working. If you trigger CoA via admin, or if you see a 2nd auth attempt soon after CWA login success but the live log details do not reflect guest flow, then there is a potential regression defect.

The specific defect for matching guest flow is

CSCvh06189 - attributes for the guest flow not match in the authorization policy

but should have been resolved in 2.3 P3.

Recommend opening a TAC case.


6 REPLIES

ognyan.totev
Contributor

I think maybe it does not match the second rule; after being redirected and logging in successfully, it must match guest access.

Show some screenshots of the policy sets that you created for guest.

Session Stitching is only applicable to a 3rd-party NAD config where native reauth is not supported.  Time is actually longer than 20 sec.  It was increased to 90 sec in ISE 2.1.   There is a known issue in ISE 2.4 (no patch) matching on Guest Flow that was resolved in Patch 1.

Hi chyps,

I'm using a Cisco 2960L switch but modified the NAD profile to simulate a 3rd-party NAD. And my ISE is 2.3 with patch version 4. Will this version hit the bug?

Thanks,

GW

Hello,

I have this issue too but with ISE version 2.4 patch 10, 11, and there is no bug related to this version.

Can someone help?

Thanks for your reply.

The screenshot of the policy sets is below. You can see that the guest flow rule "Authorization Rule 2" is never hit.

From the second screenshot you can see that after CoA, the Wired_MAB rule "Authorization Rule 1" is hit again.

Seems that the guest flow never appends to the first MAB session; that's why I hope to adjust the stitching time in the first place.

屏幕快照 2018-07-17 13.04.35.png

ISE-Guest-DNS-Redirect.png
