11-07-2014 02:21 AM - edited 03-12-2019 05:44 PM
Hi,
Our setup is as follows:
1) Cisco ISE Policy Nodes within Internal Network
2) Guest controller at DMZ
3) Foreign Controller within Internal Network
4) Guest SSID
Once a user tries to access a website, the user is redirected to the authentication page of the policy node. When the user inserts the credentials, the page shows successful authentication but cannot access the internet. When you try to access the internet page again, a new login window is displayed. The ISE live authentication page shows successful login. What could be the issue?
11-07-2014 04:46 AM
Please attach the Authorization policy
01-21-2015 04:08 AM
Hi
We too face the same issue with ISE 1.2.1 with patch level 3. Guest is getting looped to the same URL after the successful login.
Matching the rule for cwa in authorization.
We have the controller model 2504 with Software Version 8.0.100.0
Please check the authentication, authorization, Policy_results and the WLC config for the reference.
01-21-2015 04:47 AM
Please check if, after the guest web authentication, the "Wireless Guest" policy is matched and you are able to see the new ACL in the WLC for the particular guest.
Please attach Authentications logs.
01-21-2015 08:05 AM
It is not hitting "Wireless Guest" policy rather looping in WLC_CWA authorization policy.
01-21-2015 08:22 AM
Have you confirmed that if the guest user is part of guest or activated guest identity group?
For testing - Remove (Guest or Activated guest) condition.
and keep the rule as follows.
Wireless Guest If Network Access:UseCase EQUALS Guest Flow
And check the result
Make sure you have enabled the Radius NAC for the SSID
01-21-2015 09:19 AM
Thank you
Tried without Guest or Activated Guest, but same result.
Wireless Guest If Network Access:UseCase EQUALS Guest Flow
Yes, I have enabled Radius NAC, AAA override and MAC filtering.
Anything else is missing ? Is there any issue with the WLC model??
01-25-2015 01:24 AM
I found Guest is working fine after I disabled and enabled the wireless. It is hitting the right profile. So let me brief the problem again:
1. User getting connected to wireless guest SSID and obtained an IP.
2. It is redirecting to guest portal page for authentication.
3. After giving the user name and password, it gives the Acceptable page and then shows Signed on successfully
"You can now type in the original URL in the browser's address bar"
4. But when we open another URL, let's say google.com, it is redirecting to the guest portal page again for authentication. When I checked the live operational log, I found the guest username with Guest Authentication Passed, but it is not hitting our second rule.
5. Tried disabling/enabling the wireless adapter, then I found I am able to access the internet and it is hitting the second rule correctly. Please find the attached logs.
Can we have a solution without disabling the wireless adapter?
06-18-2017 06:49 PM
Same, what's going on here? For that bug, I'm not using "New Mobility (Converged Access)",
so the workaround is not really useful.
11-07-2014 10:48 AM
Yep, most likely an issue with your authorization policy, please attach a screenshot.
11-14-2014 02:53 AM
WLC Foreign-Anchor setup with CWA ISE keeps in web auth loop
CSCuo65407
Symptom:
Problem:
With WLC 5508 working in Foreign-Anchor setup with ISE CWA, the client keeps running in Web Portal authentication loop.
Conditions:
Condition:
WLC 5508 with 7.6 version CWA.
Analyze:
ISE correctly configured and sending correct authorization policy information to Foreign WLC, however Anchor WLC keeps web-auth redirect ACL.
Workaround:
This only happens if "New Mobility (Converged Access) : Enabled"
Work around:
"New Mobility (Converged Access) : Disable"
Further Problem Description:
11-14-2014 03:42 AM
Send me the link to this Bug ID.
11-21-2014 08:03 AM
https://tools.cisco.com/bugsearch/bug/CSCuo65407
10-01-2020 12:56 PM
We had a similar issue. The solution: One of the rules in the authorization policy which had the guest flow as a condition with an authorization policy result common task of using an Airespace ACL was the culprit. This ACL was not being replicated across all my multiple WLCs in the organization. We removed it and that fixed the issue. This Airespace ACL was a legacy ACL used to filter Guest wireless traffic from corporate traffic. Now that the Guest network has been migrated to an interface in our Firewall(s), that ACL is no longer needed. In summary, my recommendation is to check to see if the authorization policy is using any authorization policy results with common tasks pointing to an Airespace ACL. If so, make sure that ACL is replicated in all WLCs. If not needed, then remove the ACL. I hope this helps. Thanks.
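
The check recommended in the last reply, as an added example that is not part of the thread and not a Cisco tool: a Python sketch that compares the Airespace ACL names referenced by ISE authorization profiles with the ACLs present on each WLC. The profile, controller and ACL names are constructed sample data, exporting them from ISE and the controllers is left to the reader, and treating a case-only difference as a mismatch is an assumption.

```python
"""Audit: is every Airespace ACL referenced by ISE present on every WLC?"""

# Constructed sample data (hypothetical names, not taken from the thread).
# Authorization profile -> Airespace ACL names it returns to the controller.
ISE_PROFILES = {
    "WLC_CWA": ["ACL-WEBAUTH-REDIRECT"],
    "Wireless_Guest": ["ACL-GUEST-INTERNET"],
}
# Controller -> ACL names configured on it.
WLC_ACLS = {
    "wlc-foreign": {"ACL-WEBAUTH-REDIRECT", "ACL-GUEST-INTERNET"},
    "wlc-anchor": {"ACL-WEBAUTH-REDIRECT", "acl-guest-internet"},
    "wlc-branch": {"ACL-WEBAUTH-REDIRECT"},
}


def audit_acl_replication(profiles, wlc_acls):
    """Return a sorted list of (wlc, profile, acl, problem) findings.

    problem is "missing" when the controller has no such ACL, or
    "case-mismatch:<name>" when only a differently cased name exists
    (assumption: the name must match exactly to be applied).
    """
    findings = []
    for wlc, present in wlc_acls.items():
        # Index the controller's ACLs case-insensitively to spot near misses.
        by_folded = {name.casefold(): name for name in present}
        for profile, acls in profiles.items():
            for acl in acls:
                if acl in present:
                    continue
                near = by_folded.get(acl.casefold())
                problem = f"case-mismatch:{near}" if near else "missing"
                findings.append((wlc, profile, acl, problem))
    return sorted(findings)


if __name__ == "__main__":
    for wlc, profile, acl, problem in audit_acl_replication(ISE_PROFILES, WLC_ACLS):
        print(f"{wlc}: profile {profile} references {acl}: {problem}")
```
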