
Issues Post-Login on ISE Portal Integrated with Cisco Controller

s1nsp4wn
Level 1

Trying to set up sponsored guest portal access between ISE 2.4 and our Cisco wireless controllers per directions I found here, and while I'm able to authenticate successfully, nothing appears after "You now have internet access" on my iPhone. I get absolutely nothing on Android. If I change the Authentication Success Status in ISE to point to a specific URL, I just get looped back to the login for the portal endlessly. I've checked my ACL on the controller and it explicitly allows traffic to and from the ISE PSN to anywhere, in addition to UDP DNS being allowed anywhere. Am I supposed to create another policy with a different, less restrictive ACL? Adding permit statements to the redirect ACL (even if I deny RFC 1918) just bypasses the portal altogether.

Can someone help? If I use the directions below, this just bypasses the portal altogether:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Accepted Solutions

hslai
Cisco Employee

Please follow the instructions at ISE Guest Access Prescriptive Deployment Guide, instead. The guide you cited is rather old.

We do need two different authorization policy rules; one for URL redirect and the other to grant access after passing authentication, AUP, etc.

Below is a screenshot of RADIUS LiveLogs from our lab, with an endpoint redirected to the Web Auth portal, an AD user logged in to the guest portal, and granted Employees access. I rearranged the columns and filtered on Session ID so it is easier to see all the events for the same session.

Screen Shot 2019-07-26 at 8.35.05 PM.png

Are switch configs still necessary if I'm only testing phone > wireless controller > ISE?

No, only WLC.

Also take a look at ISE Secure Access Wizard (SAW) > Guest

Thanks. A TAC rep gave me the doc below, but we determined it to be an ACL issue. Also a difference in the way iPhone and Android send you to ports.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-21/200565-Configure-ISE-Wireless-CWA-and-Hotspot-F.html#anc10