11-05-2017 05:58 PM - edited 02-21-2020 10:38 AM
I'm running a lab setup of ISE2.3 in preparation for a deployment of a guest wireless solution, but I'm having issues with internet access after users are successfully authenticated.
See the attachments for the authorization policy and the profile result.
I'm not applying any ACL or DACL for the authenticated users.
If I remove the web auth I'm finding that the users do have internet access, so I feel that this is unlikely to be an issue with the SSID or underlying network. The users do, however, have the ability to query DNS successfully via 8.8.8.8.
On the wireless controller I can see that the WebAuth redirection ACL is being removed after successful auth and no new ACLs are being applied.
Does anyone have any ideas on what would be preventing internet access post-authentication?
11-05-2017 10:15 PM
Some more info.
I'm seeing the client move to the Run state on the WLC, and when running monitoring on the ASA firewall which is the IP gateway for the guest network I only see DNS traffic reaching the firewall.
On the client I can see lots of SYN packets in Wireshark which are not getting to the firewall.
This is leading me to believe that the AP is filtering traffic like an ACL is applied.
Attached is the client detail on the WLC.
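The post above reasons from two capture points: what the client sends (Wireshark on the client) versus what the gateway receives (monitoring on the ASA). The script below is an added illustration of that comparison; it is not code from the thread, and the packet records in it are constructed sample data that mirror the symptom described (DNS passes, TCP SYNs never arrive), not the poster's captures.

```python
"""Compare flows seen leaving a wireless client with flows seen at its gateway.

Added example (not from the thread). CLIENT_SIDE and FIREWALL_SIDE are
constructed sample records standing in for a client-side Wireshark capture
and a capture on the ASA that is the guest network's IP gateway.
"""
from collections import Counter

# Each record: IP protocol (or "arp") and destination port (None for ARP/ICMP).
CLIENT_SIDE = [
    {"proto": "arp", "dport": None},
    {"proto": "udp", "dport": 53},    # DNS query to 8.8.8.8
    {"proto": "udp", "dport": 53},
    {"proto": "tcp", "dport": 443},   # SYN towards a web site
    {"proto": "tcp", "dport": 443},
    {"proto": "tcp", "dport": 80},
    {"proto": "icmp", "dport": None},
]
FIREWALL_SIDE = [
    {"proto": "arp", "dport": None},
    {"proto": "udp", "dport": 53},
    {"proto": "udp", "dport": 53},
]


def flow_key(pkt):
    """Collapse a packet into a coarse flow label such as 'udp/53' or 'arp'."""
    if pkt["dport"] is None:
        return pkt["proto"]
    return f'{pkt["proto"]}/{pkt["dport"]}'


def count_flows(packets):
    """Count packets per flow label."""
    return Counter(flow_key(p) for p in packets)


def compare_vantage_points(client_pkts, gateway_pkts):
    """Return (passed, dropped): flow labels the gateway saw, and labels the
    client sent that never showed up at the gateway."""
    sent = count_flows(client_pkts)
    seen = count_flows(gateway_pkts)
    passed = sorted(k for k in sent if seen.get(k, 0) > 0)
    dropped = sorted(k for k in sent if seen.get(k, 0) == 0)
    return passed, dropped


def diagnose(passed, dropped):
    """Heuristic reading of the comparison.

    If nothing beyond ARP and DNS reaches the gateway while TCP is lost on
    the way, the loss is between client and gateway (the wireless path),
    not at the firewall or in routing beyond it.
    """
    baseline = {"arp", "udp/53"}
    tcp_lost = any(k.startswith("tcp/") for k in dropped)
    if not dropped:
        return "no-loss"
    if set(passed) <= baseline and tcp_lost:
        return "filter-in-wireless-path"
    return "other"


if __name__ == "__main__":
    passed, dropped = compare_vantage_points(CLIENT_SIDE, FIREWALL_SIDE)
    print("reached gateway:", passed)
    print("lost in path:   ", dropped)
    print("diagnosis:      ", diagnose(passed, dropped))
```

Feeding it the constructed records yields only `arp` and `udp/53` as passed, with the TCP and ICMP flows lost, which is the pattern that led the poster to suspect an ACL being applied at the AP rather than a routing or firewall problem.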
11-06-2017 12:27 PM - edited 11-06-2017 12:28 PM
Did you follow the instructions from this link?
You do not need an AUTHZ Profile at all once the Guest Flow policy is matched; try changing it to PERMIT ACCESS.
11-07-2017 04:53 PM
Thanks Abraham,
Since I'm using FlexConnect I followed this guide:
The reason for the extra Authz is because my end-goal is to have two separate login groups through the webportal.
There will be users that are in the ISE local database that will be installed through the API; the other group is based on AD lookup for long-term contractors, with an ACL on the WLC to give them greater access.
I've tried removing the AD lookup and using Permit Access as the result, but either way the client is being put into the Run state on the WLC, so I'm confused as to why they don't have full access.
If I remove the RADIUS and MAC filtering the users get full access to the internet.
11-08-2017 12:58 PM
Please provide your FlexConnect ACL; I am analyzing your case.
11-08-2017 01:51 PM
11-08-2017 02:14 PM
What do you have configured here?
11-08-2017 03:50 PM
11-12-2017 03:09 PM
I believe I am hitting this bug, as it matches my experience exactly.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf52723
Symptom:
When a wireless client connects to an IOS AP (like 2700, 3500 and so on) on a WLAN with 802.1X + FlexConnect local switching and the WLAN has ISE NAC (a.k.a. RADIUS NAC) enabled, clients will reach RUN state, but after that the only traffic that is allowed to flow through the AP to/from the wireless client is DNS and ARP.