Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1819
Views
0
Helpful
6
Replies

ISE session stitching timer for guest flow

Go to solution
ganwang
Cisco Employee
Cisco Employee

‎07-16-2018 03:55 AM

Hello experts,

I'm doing ISE guest service test. The symptom is that the user is redirected for second time to guest portal. From ISE Radius Livelog I can see that after COA for second authentication,  Authorization profile with CWA has been selected again. As I  know the ISE session stitching timer for guest flow is 20 seconds by default. I suspect that my issue is caused by the short timer. Does anybody know how to set a longer timer?

Thanks,

GW

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10
In response to ganwang

‎07-17-2018 06:18 AM

If configured vendor to something other than Cisco in NAD Profile then possible session stitching is not working.  If trigger CoA via admin or if see 2nd auth attempt soon after CWA login success but live log details do not reflect guest flow, then potential regression defect.

The specific defect for matching guest flow is

CSCvh06189-   attributes for the guest flow not match in the authorization policy

but should have been resolved in 2.3 P3.

Recommend open TAC case.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
ognyan.totev
Level 5
Level 5

‎07-16-2018 05:10 AM

I think maybe it not match second rule after redirected and login successful must match guest access

Show some screen shot of policy sets that you created for guest.

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to ognyan.totev

‎07-16-2018 09:18 AM

Session Stitching is only applicable to a 3rd-party NAD config where native reauth is not supported.  Time is actually longer than 20 sec.  It was increased to 90 sec in ISE 2.1.   There is a known issue in ISE 2.4 (no patch) matching on Guest Flow that was resolved in Patch 1.

0 Helpful

Go to solution
ganwang
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎07-16-2018 10:46 PM

Hi chyps,

I'm using Cisco 2960L switch but modified the NAD profile to simulate a 3rd-party NAD. And my ISE is 2.3 with patch version 4. Will this version hit the bug?

Thanks,

GW

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to ganwang

‎07-17-2018 06:18 AM

If configured vendor to something other than Cisco in NAD Profile then possible session stitching is not working.  If trigger CoA via admin or if see 2nd auth attempt soon after CWA login success but live log details do not reflect guest flow, then potential regression defect.

The specific defect for matching guest flow is

CSCvh06189-   attributes for the guest flow not match in the authorization policy

but should have been resolved in 2.3 P3.

Recommend open TAC case.

0 Helpful

Go to solution
amsharaf
Cisco Employee
Cisco Employee
In response to Craig Hyps

‎05-14-2020 12:52 AM

Hello , 

 

I have this issue too but with ISE version 2.4 patch 10, 11
and there is no bug related for this version.

 

Can someone help?

0 Helpful

Go to solution
ganwang
Cisco Employee
Cisco Employee
In response to ognyan.totev

‎07-16-2018 10:43 PM

Thanks for your reply.

The screen shot of policy sets is as below. You can see that the guest flow rule "Authorization Rule 2"  never be hit.

From the second screen shot you can see that after CoA, the Wired_MAB rule "Authorization Rule 1" is hit again.

Seems that the guest flow never appends to the first MAB session, that's why I hope to adjust the stitching time in the first.

屏幕快照 2018-07-17 13.04.35.png

ISE-Guest-DNS-Redirect.png

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents