
Beginner

ISE2.3 - Wireless guest CWA - Issues with internet access post-login

I'm running a lab setup of ISE2.3 in preparation for a deployment of a guest wireless solution, but I'm having issues with internet access after users are successfully authenticated.

See the attachments for the authorization policy and the profile result.

I'm not applying any ACL or DACL for the authenticated users.

If I remove the web auth I'm finding that the users do have internet access, so I feel that this is unlikely to be an issue with the SSID or underlying network. The users do, however, have the ability to query DNS successfully via 8.8.8.8.

On the wireless controller I can see that the WebAuth redirection ACL is being removed after successful auth and no new ACLs are being applied.

Does anyone have any ideas on what would be preventing internet access post-authentication?

Beginner

Some more info.

I'm seeing the client move to the Run state on the WLC, and when running monitoring on the ASA firewall which is the IP gateway for the guest network I only see DNS traffic reaching the firewall.

On the client I can see lots of SYN packets in Wireshark which are not getting to the firewall.

This is leading me to believe that the AP is filtering traffic like an ACL is applied.

Attached is the client detail on the WLC.

Frequent Contributor

Did you follow the instructions from this link?

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

You do not need an AUTHZ Profile at all once the Guest Flow policy is matched; try changing it to PERMIT ACCESS.


Thanks Abraham,

Since I'm using FlexConnect, I followed this guide:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html

The reason for the extra Authz is because my end-goal is to have two separate login groups through the webportal.

There will be users in the ISE local database that will be installed through the API; the other group is based on an AD lookup for long-term contractors, with an ACL on the WLC to give them greater access.

I've tried removing the AD lookup and using permit access as the result, but either way, the client is being put into the Run state on the WLC so I'm confused as to why they don't have full access.

If I remove the RADIUS and MAC filtering, the users get full access to the internet.

Frequent Contributor

Please provide your Flexconnect ACL, I am analyzing your case.


Attached is the webauth-redirect ACL

Frequent Contributor

What do you have configured here?

flexconnect.png

I'm running a flex group, see attached for my settings.

I believe I am hitting this bug, as it matches my experience exactly.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf52723

Symptom:
When a wireless client connects to an IOS AP (like 2700, 3500 and so on) on a WLAN with 802.1x + FlexConnect local switching and the WLAN has ISE NAC (a.k.a. RADIUS NAC) enabled, clients will reach RUN state, but after that the only traffic that is allowed to flow through the AP to/from the wireless client is DNS and ARP.
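As an added client-side check, not code from the thread or from Cisco: a Python script that reproduces the test the poster describes (a raw DNS query to 8.8.8.8 succeeds while a TCP SYN to an outside host never completes) and labels the result, so a guest client in RUN state can be triaged before opening the WLC. The hostname queried and the 1.1.1.1:443 TCP target are constructed defaults, not values from the posts; the probes are injectable so the classification logic can be exercised without a network.

```python
import socket
import struct
# Constructed defaults (assumptions): the resolver the thread tests, 8.8.8.8,
# and an arbitrary public host/port for the TCP probe.
RESOLVER, TCP_TARGET = "8.8.8.8", ("1.1.1.1", 443)

def build_dns_query(name, txid=0x1234):
    """Minimal RFC 1035 A query: 12-byte header (RD set) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def dns_response_ok(query, data):
    """True if data answers query: same id, QR=1, RCODE 0, at least one answer RR."""
    if len(data) < 12 or data[:2] != query[:2]:
        return False
    flags, _qdcount, ancount = struct.unpack("!HHH", data[2:8])
    return bool(flags & 0x8000) and (flags & 0x000F) == 0 and ancount > 0

def dns_answers(resolver, name, timeout=2.0):
    """Send the raw UDP query; a socket error or timeout counts as 'no answer'."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (resolver, 53))
            data, _ = s.recvfrom(512)
        except OSError:
            return False
    return dns_response_ok(query, data)

def tcp_connects(host, port, timeout=2.0):
    """A completed handshake means the SYN crossed the AP; a timeout means it did not."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(dns_ok, tcp_ok):
    """Map the two probe results onto the client states discussed in the thread."""
    if dns_ok and tcp_ok:
        return "full-access"   # what a RUN-state client should have
    if dns_ok:
        return "dns-only"      # the post-login symptom reported in this thread
    return "tcp-only" if tcp_ok else "no-access"

def triage(dns_probe=dns_answers, tcp_probe=tcp_connects):
    """Run both probes; injectable so the logic is testable without a network."""
    return classify(dns_probe(RESOLVER, "example.com"), tcp_probe(*TCP_TARGET))
```

Run `triage()` from the guest client after the portal login; "dns-only" is the state described in the bug above, and a capture on the firewall side should then show only the UDP/53 traffic arriving.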