I'm running a lab setup of ISE2.3 in preparation for a deployment of a guest wireless solution, but I'm having issues with internet access after users are successfully authenticated.
See the attachments for the authorization policy and the profile result.
I'm not applying any ACL or DACL for the authenticated users.
If I remove the web auth, I'm finding that the users do have internet access, so I feel that this is unlikely to be an issue with the SSID or underlying network. The users do, however, have the ability to query DNS successfully via 18.104.22.168.
On the wireless controller I can see that the WebAuth redirection ACL is being removed after successful auth and no new ACLs are being applied.
Does anyone have any ideas on what would be preventing internet access post-authentication?
Some more info.
I'm seeing the client move to the Run state on the WLC, and when running monitoring on the ASA firewall, which is the IP gateway for the guest network, I only see DNS traffic reaching the firewall.
On the client I can see lots of SYN packets in Wireshark which are not getting to the firewall.
This is leading me to believe that the AP is filtering traffic like an ACL is applied.
Attached is the client detail on the WLC.
Did you follow the instructions from this link?
You do not need an AUTHZ Profile at all once the Guest Flow policy is matched; try changing it to PERMIT ACCESS.
Since I'm using FlexConnect, I followed this guide:
The reason for the extra Authz is because my end-goal is to have two separate login groups through the webportal.
There will be users that are in the ISE local database that will be installed through API, the other group is based on AD-lookup for long-term contractors with an ACL on the WLC to give them greater access.
I've tried removing the AD lookup and using permit access as the result, but either way, the client is being put into the Run state on the WLC so I'm confused as to why they don't have full access.
If I remove the radius and MAC filtering the users get full access to the internet.
I believe I am hitting this bug, as it matches my experience exactly.
When a wireless client connects to an IOS AP (like 2700, 3500 and so on) on a WLAN with 802.1x + FlexConnect local switching and the WLAN has ISE NAC (a.k.a. RADIUS NAC) enabled, clients will reach RUN state, but after that the only traffic that is allowed to flow through the AP to/from the wireless client is DNS and ARP.
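The two-vantage-point check used in this thread (a Wireshark capture on the client versus a capture on the ASA guest interface) can be scripted so the comparison is repeatable. This is an added example, not code from the thread or from Cisco; the capture lines are constructed in the style of tab-separated `tshark -T fields` output, and the addresses are made-up lab values from the RFC 5737 documentation ranges.

```python
from collections import defaultdict

# Assumed lab addresses (constructed, RFC 5737 documentation ranges).
CLIENT_IP = "192.0.2.50"

# Constructed sample: outbound frames seen by Wireshark on the guest client.
# Fields: ip.src, ip.dst, ip.proto, tcp.dstport, udp.dstport (tab-separated).
CLIENT_CAPTURE = """\
192.0.2.50\t192.0.2.1\t17\t\t53
192.0.2.50\t203.0.113.10\t6\t443\t
192.0.2.50\t203.0.113.10\t6\t80\t
192.0.2.50\t192.0.2.1\t17\t\t53
192.0.2.50\t198.51.100.7\t6\t443\t
"""

# Constructed sample: the same client's frames as seen by the ASA capture.
FIREWALL_CAPTURE = """\
192.0.2.50\t192.0.2.1\t17\t\t53
192.0.2.50\t192.0.2.1\t17\t\t53
"""

def parse_flows(text, src):
    """Return the set of (ip_proto, dst_ip, dst_port) flows sent by src."""
    flows = set()
    for line in text.splitlines():
        s, d, proto, tcp_port, udp_port = line.split("\t")
        if s != src:
            continue
        flows.add((int(proto), d, tcp_port or udp_port))
    return flows

def missing_at_firewall(client_text, firewall_text, src=CLIENT_IP):
    """Flows seen leaving the client but never seen at the gateway, keyed by IP protocol."""
    sent = parse_flows(client_text, src)
    arrived = parse_flows(firewall_text, src)
    dropped = defaultdict(list)
    for proto, dst, port in sorted(sent - arrived):
        dropped[proto].append((dst, port))
    return dict(dropped)

def only_dns_passing(client_text, firewall_text, src=CLIENT_IP):
    """True when something was dropped and every flow that did arrive is UDP/53.

    This is the symptom pattern described in the thread: client in RUN state,
    SYNs never reaching the firewall, DNS the only traffic getting through."""
    arrived = parse_flows(firewall_text, src)
    dropped = missing_at_firewall(client_text, firewall_text, src)
    return bool(dropped) and all(p == 17 and port == "53" for p, _, port in arrived)
```

When `only_dns_passing` is true while the WLC shows no ACL on the client, the filtering is happening between the client and the gateway, which narrows the search to the AP/FlexConnect path rather than the ISE authorization result.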