cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12844
Views
5
Helpful
13
Replies

Looping Authentication Page after Successful Login - Cisco ISE Guest Access with WLC (Anchor+Foreign)

edwardwaithaka
Level 1
Level 1

Hi,

Our setup is as follows;

1) Cisco ISE Policy Nodes within Internal Network

2) Guest controller at DMZ

3) Foreign Controller within Internal Network

4) Guest SSID

Once a user tries to access a website, the user is redirected to the authentication page of the policy node. When the user inderst the credentials, the page shows successful authentication but cannot access internet. When you try access the internet page again, a new login window is displayed. The ISE live authentication page shows successful login. What could be the issue?

13 Replies 13

shekharmore003
Level 1
Level 1

Please attach the Authorization policy

Hi

We too face the same issue with ISE 1.2.1 with patch level 3.Guest is getting looped to the same URL after the successful login.

Matching the rule for cwa in authorization.

We have the controller model 2504 with Software Version 8.0.100.0

Please check the authentication, authorization, Policy_results and the WLC config for the reference.

Please check if after the guest web authentication "Wireless Guest" policy is matched and Able to see new ACL in WLC for particular guest.

Please attach Authentications logs.

It is not hitting "Wireless Guest" policy rather looping in WLC_CWA  authorization policy.

Have you confirmed that if the guest user is part of guest or activated guest identity group?

 

For testing - Remove (Guest or Activated guest) condition.

and keep the rule as follows.

Wireless Guest If Network Access:UseCase EQUALS Guest Flow

And check the result

 

Make sure you have enabled the Radius NAC for the SSID

Thank you

Tried  without Guest or Activated Guest . But same result.

Wireless Guest If Network Access:UseCase EQUALS Guest Flow

 Yes i have enabled Radius NAC, AAA overide and MAC filtering..

Anything else is missing ? Is there any issue with the WLC model??

 

Hi shekharmore003

 

I found Guest is working fine after i disabled and enabled the wireless. It is hitting the right profile. So let me brief the problem again

1. User getting connected to wireless guest SSID and obtained an IP.

2. It is redirecting to guest portal page for authentication.

3. After giving user name and password it gives the Acceptable page and then shows Signed on successfully

"You can now type in the original URL in the browser's address bar"

4.But when we open another url lets say google.com it is redirecting to guest portal page again for authentication. When i checked the live operational log i found the guest username with Guest Authentication Passed but it is not hitting our second rule.

5. Tried disabling/enabling wireless adapter then i found i am able to access internet and it is hitting the second rule correctly. Please find the attached logs.

Can we have a solution without disabling wireless adapter...

 

 

 

same, what's going on here? for that bug, I'm not using "New Mobility (Converged Access)" .

so the workaround is not really useful.

nspasov
Cisco Employee
Cisco Employee

Yep, most likely an issue with your authorization policy, please attach a screenshot.

Venkatesh Attuluri
Cisco Employee
Cisco Employee

WLC Foreign-Anchor setup with CWA ISE keeps in web auth loop
CSCuo65407

Symptom:
Problem:
With WLC 5508 woring in Foreign-Anchor setup with ISE CWA, the client keeps running in Web Portal authentication loop.

Conditions:
Condition:
WLC 5508 with 7.6 version CWA.

Analyze:
ISE correctly configured and sending correct authorization policy information to Foreign WLC, however Anchor WLC keeps web-auth redirect ACL.

Workaround:
This only happens if "New Mobility (Converged Access) : Enabled"
Work around:
"New Mobility (Converged Access) : Disable"

Further Problem Description:

send me the link to this Bug ID.

https://tools.cisco.com/bugsearch/bug/CSCuo65407

alvarezax
Level 1
Level 1

We had a similar issue. The solution: One of the rules in the authorization policy  which had the guest flow as a condition with an authorization policy result common task of using an Airespace ACL was the culprit.  This ACL was not being replicated across all my multiple WLCs in the organization.  We removed it and that fixed the issue.  This Airespace ACl was a legacy ACL used to filter Guest wireless traffic from corporate traffic.  Now that the Guest network has been migrated to an interface in our Firewall(s), that ACL is not longer needed.  In summary , my recommendation is to check to see if the authorization policy is using any authorization policy results with common tasks pointing to an Airespace ACL.  if so , make sure that ACL is replicated in all WLCs.  If not needed then remove the ACL.   I hope this helps.  Thanks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: