ISE2.3 - Wireless guest CWA - Issues with internet access post-login

Mitchell.Drage
Level 1

I'm running a lab setup of ISE2.3 in preparation for a deployment of a guest wireless solution, but I'm having issues with internet access after users are successfully authenticated.

 

See the attachments for the authorization policy and the profile result.

I'm not applying any ACL or DACL for the authenticated users.

If I remove the web auth I'm finding that the users do have internet access, so I feel that this is unlikely to be an issue with the SSID or underlying network. The users do, however, have the ability to query DNS successfully via 8.8.8.8.

 

On the wireless controller I can see that the WebAuth redirection ACL is being removed after successful auth and no new ACLs are being applied.

Does anyone have any ideas on what would be preventing internet access post-authentication?
8 Replies

Mitchell.Drage
Level 1

Some more info.

 

I'm seeing the client move to the Run state on the WLC, and when running monitoring on the ASA firewall which is the IP gateway for the guest network I only see DNS traffic reaching the firewall.

On the client I can see lots of SYN packets in Wireshark which are not getting to the firewall.

This is leading me to believe that the AP is filtering traffic like an ACL is applied.

 

Attached is the client detail on the WLC.

Did you follow the instructions from this link?

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

 

You do not need an AUTHZ Profile at all once the Guest Flow policy is matched; try changing it to PERMIT ACCESS.

Thanks Abraham,

 

Since I'm using FlexConnect, I followed this guide:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html

 

The reason for the extra Authz is because my end-goal is to have two separate login groups through the webportal.

There will be users that are in the ISE local database that will be installed through API, the other group is based on AD-lookup for long-term contractors with an ACL on the WLC to give them greater access.

 

I've tried removing the AD lookup and using permit access as the result, but either way the client is being put into the Run state on the WLC, so I'm confused as to why they don't have full access.

If I remove the RADIUS and MAC filtering, the users get full access to the internet.

Please provide your FlexConnect ACL; I am analyzing your case.

Attached is the webauth-redirect ACL.

 

What do you have configured here?

 

flexconnect.png
I'm running a flex group, see attached for my settings.

I believe I am hitting this bug, as it matches my experience exactly.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf52723

 

Symptom:
When a wireless client connects to an IOS AP (like 2700, 3500 and so on) on a WLAN with 802.1x + FlexConnect local switching, and the WLAN has ISE NAC (a.k.a. RADIUS NAC) enabled, clients will reach RUN state, but after that the only traffic that is allowed to flow through the AP to/from the wireless client is DNS and ARP.
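The symptom above (DNS and ARP pass, everything else is dropped even though the client is in RUN state) is easy to confirm from the guest client itself without touching the WLC: send one UDP DNS query to the resolver the poster reports as reachable, then attempt a TCP connect to the address it returns. If the lookup succeeds but the SYN never completes, the client is in the "DNS-only" state the bug describes rather than being blocked outright. The script below is an added example, not code from the thread or from Cisco; the probe host, port and 3-second timeout are assumptions, and the DNS parsing is a minimal RFC 1035 A-record parser, not a full resolver.

```python
"""Distinguish 'DNS-only' from full access on a guest wireless client.

Added example for the thread above, not part of the original post.
Assumptions (not from the thread): PROBE_HOST has a public A record,
PROBE_PORT is reachable from a working guest network, TIMEOUT is short
enough that a dropped SYN shows up as a failure rather than a hang.
"""
import socket
import struct

DNS_SERVER = "8.8.8.8"        # resolver the poster says is reachable post-auth
PROBE_HOST = "www.cisco.com"  # assumption: any host with a public A record works
PROBE_PORT = 443              # assumption: HTTPS is what guests need most
TIMEOUT = 3.0                 # assumption: seconds per probe


def build_dns_query(name, txid=0x1234):
    """Build a minimal RFC 1035 A/IN query (recursion desired, no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_first_a_record(msg, txid):
    """Return the first A record (dotted IPv4) in a DNS response, else None."""
    if len(msg) < 12:
        return None
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or (flags & 0x8000) == 0 or (flags & 0x000F) != 0:
        return None               # wrong txid, not a response, or RCODE != NOERROR
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return socket.inet_ntoa(msg[off:off + 4])
        off += rdlen
    return None


def classify(dns_ok, tcp_ok):
    """Map the two probe outcomes onto the states discussed in the thread."""
    if dns_ok and tcp_ok:
        return "full-access"
    if dns_ok and not tcp_ok:
        return "dns-only"   # DNS answered, SYN dropped: the CSCvf52723 symptom
    return "no-access"      # redirect ACL or something else is still in the way


def probe(dns_server=DNS_SERVER, host=PROBE_HOST, port=PROBE_PORT, timeout=TIMEOUT):
    """Live check: resolve `host` via `dns_server`, then TCP-connect to the answer."""
    txid = 0x4242
    addr = None
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_dns_query(host, txid), (dns_server, 53))
            addr = parse_first_a_record(s.recv(512), txid)
    except OSError:
        addr = None
    tcp_ok = False
    if addr:
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                tcp_ok = True
        except OSError:
            tcp_ok = False
    return addr, classify(addr is not None, tcp_ok)


if __name__ == "__main__":
    print(probe())
```

Run it from the guest client after the portal login completes: a result of `dns-only` while the WLC shows the client in RUN state with no ACL applied is exactly the pattern the poster captured with Wireshark and the ASA, and is worth re-testing after any AP code upgrade taken for the bug.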