
Portal guest doesn't show up

athan1234
Level 3

When my customer tries to connect to the guest SSID, he gets a "connection refused" message and the page is blank. The guest portal doesn't show up.

I checked the ISE configuration and the WLC configuration and everything seems good.

ISE version 3.0

My client has a firewall; he tells me everything is open in the guest VLAN. He gets DHCP and DNS from the firewall.

I did some tests:

The DNS name resolves to the IP of the ISE, but a reverse DNS lookup on the ISE IP resolves to the Forti DNS. Is this correct?

On the WLC I should permit the ISE IP. Should I permit the firewall IP?

When the PC enters the ISE IP, he can see the ISE web administration. I did this test to find out whether the firewall is open.

I have a doubt about how the flow works when a client tries to connect to the guest SSID and is redirected to the portal. This process is internal, isn't it? So in this process it doesn't matter whether the DNS is correct or the certificate is proper, does it?


1 Accepted Solution

Also please try to apply the latest patch to your ISE 3.0 build which should be patch 5, the issue might be related to a bug that is not allowing ISE to serve the guest portal properly.

6 Replies

Francesco Molino
VIP Alumni

Hi

The process is: an ACL is configured on your WLC and used for redirecting traffic to ISE.
Can you share the ISE authorization profile you’re posting w, the WLC ACL and the ISE RADIUS result when the client authenticates?

The client will use its DNS resolution to reach the ISE portal URL, which has been pushed while authenticating.

thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi @Francesco Molino, thanks for your quick reply

As @Francesco Molino said, please share your sanitized configs for review. However, in the meantime I would check with the firewall team that port 8443/tcp is allowed towards ISE. This is the default port ISE uses for the guest portal, so it needs to be opened on the firewall. You don't need to open port 443/tcp as the guests won't connect using that port, rather, it is a good practice to close that port to prevent the guests from trying to log into ISE management console.

With regards to DNS and DHCP, they are essential for this flow, the guest endpoints need to have an IP before they can reach out to ISE guest portal, and they also need to be able to resolve ISE URL as @Francesco Molino said.

@Aref Alsouqi thanks for your reply. What is the best way to test whether port 8443 is open on the firewall? The firewall people tell me everything is open. But if the client does a telnet <ISE IP> 8443, it doesn't open from the guest SSID.

Assuming you are using the default port 8443/tcp and it fails to show as an open port from the guest endpoints, then I would assume there would be something wrong on the firewall that is not allowing this traffic. I would double check with the firewall team that they used the right source subnet ID, the right destination IP addresses (ISE PSNs). Also, please make sure that the DNS traffic is allowed, if not the guest endpoints wouldn't be able to resolve ISE URLs when the connectivity issue is fixed.

Also please try to apply the latest patch to your ISE 3.0 build which should be patch 5, the issue might be related to a bug that is not allowing ISE to serve the guest portal properly.
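
The checks discussed in this thread (DNS resolution of the portal name and reachability of 8443/tcp from the guest VLAN) can be scripted from a guest-side machine. The following is an added example, not part of the original posts; `ise.example.com` and `192.0.2.10` are placeholders for the portal FQDN and the ISE PSN address.

```python
import errno
import socket

PORTAL_PORT = 8443  # default ISE guest portal port mentioned in the thread


def probe_tcp(host, port=PORTAL_PORT, timeout=3.0):
    """Classify one TCP connect attempt as open / refused / timeout / error:<name>."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # a reset came back: reject rule, or nothing listening
    except socket.timeout:
        return "timeout"   # no answer at all: traffic dropped on the path
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def resolve(name):
    """Return the sorted IPv4 addresses the client's resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_portal(fqdn, expected_ip, port=PORTAL_PORT, timeout=3.0):
    """Run the DNS and TCP checks a guest client depends on to load the portal."""
    addrs = resolve(fqdn)
    return {
        "resolved": addrs,
        "dns_ok": expected_ip in addrs,          # name must map to the PSN
        "tcp_by_ip": probe_tcp(expected_ip, port, timeout),
        "tcp_by_name": probe_tcp(fqdn, port, timeout) if addrs else "unresolved",
    }


if __name__ == "__main__":
    # Placeholder values: use the FQDN from the redirect URL and the PSN IP.
    for key, value in check_portal("ise.example.com", "192.0.2.10").items():
        print(f"{key}: {value}")
```

A `refused` result matches the "connection refused" symptom and means something answered with a reset, while `timeout` means the traffic was dropped without a reply; either result from the guest SSID is concrete evidence to hand to the firewall team.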