6130 Views | 15 Helpful | 7 Replies

Problem with Guest Portal ISE

NasTar
Level 1

Dear Support,

We have a problem with the guest portal: when we connect to the Guest wifi the guest portal doesn't show up, and the redirection link also takes time to redirect to the guest portal link.

Attached you will find the screenshots of the message showing up in the browsers, as well as the redirection link.

Please, we need to know the main cause of this problem and also what verification we need to do.

Thanks in advance.


7 Replies

Francesco Molino
VIP Alumni

Hi,

Can you please share your authorization profile config and ACL?

Also, from your wifi guest subnet, is the ISE portal FQDN resolvable with the DNS you have?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thank you for your reply.

Attached you will find the screenshots of the authorization profile config and ACL of our guest wifi.
About your second question, yes, all the FQDNs are resolvable with our DNS.

Regards,

Arne Bier
VIP
Accepted Solution

Hello @NasTar,

Guest has many moving parts. There is the pre-auth stage, which you're having problems with, but I don't see enough information. The ACL you have given and the ISE Authorization relate to the post-login auth stage (i.e. the user has logged in, now let's apply that ACL and process that Authorization Policy).

You need to tell us more about the pre-auth:

- Is the WLC a Cisco 9800? If yes, you need the ACL defined on the 9800 that triggers URL redirection (i.e. deny dns, deny ise, permit www) and, most critically, the CLI command "ip http server" - without this command, the 9800 will never process a URL redirection.

- In ISE you need to catch the MAB request AFTER the Authorization Policy you have shown - it always comes last in the processing, because the "Guest Flow" is FALSE for users who have not logged in. If you have multiple PSNs then you can check the ISE hostname and return the appropriate URL for that PSN - this is an HA concept.

- On the C9800 (or any WLC) ensure that CoA is enabled to allow ISE to send a CoA to re-auth the session when a user logs into the portal.

This Cisco guide is also very good.

 

Hello @Arne Bier,

Thank you for your support and reply.

We have a Cisco WLC 5508, and attached you will find the screenshots of the ACL defined on it; CoA is also enabled in the WLC.

About the second point, we have the MAB request last; you can find it in the attached screenshot.

I will wait for your feedback.

Best Regards,

Now that I know this is an AireOS controller, it helps a lot.

You must take one Windows client and ensure that you can reproduce this issue as follows:

1) Remove the client's MAC address from ISE's Context Visibility (to ensure that the client is 100% redirected to the portal due to the normal guest portal logic).

2) Log into the WLC and see if the client is connected and has a session. If so, delete the session in the WLC.

3) Ensure the client has wifi turned on for that Guest SSID - the client should now be connected to the SSID and MUST get an IP address from the expected guest VLAN DHCP scope.

4) In the WLC, go to Monitor > Clients and examine the details of this session. Do you see that this client is in "web auth pending", and has the URL and ACL as you expect (sent by ISE)?

5) Assuming you see the WLC session as correct, but the portal page is not coming up, then perhaps the ACL details are not correct.

6) Can you resolve the ISE FQDN in the URL from the Windows command line (nslookup guest123.company.com)?

7) I don't know what every line of your pre-auth ACL is for, but I hope one of those is for DNS, and also to allow access to the ISE portal. Normally we try to lock down access as tightly as possible in this ACL - I will give an example:

If you have two PSN nodes (10.10.10.1 and 10.10.20.1), with a guest portal on TCP/8443, then the ACL might look like this:

allow any any udp dns inbound/outbound (you can do DNS in many ways ... be as strict/flexible as you need)
allow any to 10.10.10.1 port tcp/8443 inbound     <- Traffic from client to PSN1
allow 10.10.10.1 any port/8443 outbound     <- Return traffic from PSN1 back to the client
allow any to 10.10.20.1 port tcp/8443 inbound     <- Traffic from client to PSN2
allow 10.10.20.1 any port/8443 outbound     <- Return traffic from PSN2 back to the client
deny any any

In AireOS, DHCP is implicitly allowed - there is no need to create an ACL for it. If the above logic is adapted to your needs, then the only other thing that could be a problem is the TCP routing between the client guest VLAN and the PSN VLANs for 10.10.10.x and 10.10.20.x (there could be routing issues or firewalls blocking). In these cases I also add an ICMP rule in the ACL to test pings to the ISE PSNs - once I know the ping works, I remove the ICMP rule. However, this does NOT prove that TCP/8443 is allowed through any potential firewalls. You could try a Windows telnet to each PSN on port 8443 to see if the TCP SYN is established.

Another thing that could throw a spanner in the works is a web proxy - hopefully there is no wpad or web proxy interfering on this guest network.
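To make the ACL logic in the reply above concrete, here is an added Python model (not code from the thread or from Cisco) that expresses the same rules and evaluates constructed sample flows against them. On AireOS the pre-auth ACL acts as a bypass list: traffic it permits reaches its destination without redirection, while the HTTP traffic that falls through to deny any any is what the controller intercepts and redirects to the portal URL. A guest client's first web request must therefore be denied, and DNS and the portal itself must be permitted in both directions, which is what the sample flows check. The PSN addresses, the client IP and the flow list are constructed values.

```python
"""Model of the AireOS-style pre-auth ACL from the post above (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example values (the same two hypothetical PSNs as the post).
PSN1 = "10.10.10.1"
PSN2 = "10.10.20.1"
PORTAL_PORT = 8443


@dataclass(frozen=True)
class Flow:
    src: str                # source IP
    dst: str                # destination IP
    proto: str              # "tcp", "udp" or "icmp"
    sport: Optional[int]    # source port (None for icmp)
    dport: Optional[int]    # destination port (None for icmp)
    direction: str          # "inbound" = client to network, "outbound" = network to client


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    proto: str              # protocol name or "any"
    sport: Optional[int]    # None matches any source port
    dport: Optional[int]    # None matches any destination port
    direction: str          # "inbound", "outbound" or "any"
    note: str = ""


def _ip_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_ip_match(rule.src, flow.src)
            and _ip_match(rule.dst, flow.dst)
            and rule.proto in ("any", flow.proto)
            and rule.sport in (None, flow.sport)
            and rule.dport in (None, flow.dport)
            and rule.direction in ("any", flow.direction))


def evaluate(acl, flow: Flow):
    """First-match evaluation, like a WLC ACL; implicit deny if nothing matches."""
    for rule in acl:
        if rule_matches(rule, flow):
            return rule.action, rule.note
    return "deny", "implicit deny"


def build_preauth_acl(psns, port: int):
    """The ACL from the post: DNS, client<->portal per PSN, then deny any any."""
    acl = [
        Rule("permit", "any", "any", "udp", None, 53, "inbound", "DNS query"),
        Rule("permit", "any", "any", "udp", 53, None, "outbound", "DNS reply"),
    ]
    for psn in psns:
        acl.append(Rule("permit", "any", psn + "/32", "tcp", None, port, "inbound",
                        f"client -> {psn} portal"))
        acl.append(Rule("permit", psn + "/32", "any", "tcp", port, None, "outbound",
                        f"{psn} portal -> client"))
    acl.append(Rule("deny", "any", "any", "any", None, None, "any", "deny any any"))
    return acl


def guest_flows(client_ip: str):
    """Constructed sample flows a not-yet-logged-in guest client generates."""
    return {
        "dns_query": Flow(client_ip, "10.0.0.53", "udp", 50000, 53, "inbound"),
        "dns_reply": Flow("10.0.0.53", client_ip, "udp", 53, 50000, "outbound"),
        "portal_psn1": Flow(client_ip, PSN1, "tcp", 51000, PORTAL_PORT, "inbound"),
        "portal_psn1_return": Flow(PSN1, client_ip, "tcp", PORTAL_PORT, 51000, "outbound"),
        "portal_psn2": Flow(client_ip, PSN2, "tcp", 51001, PORTAL_PORT, "inbound"),
        # Denied on purpose: this is the request the WLC intercepts and redirects.
        "http_internet": Flow(client_ip, "203.0.113.10", "tcp", 51002, 80, "inbound"),
        # Denied on purpose: the portal port is the only thing a guest may reach on a PSN.
        "ssh_psn1": Flow(client_ip, PSN1, "tcp", 51003, 22, "inbound"),
    }


def decisions(client_ip: str):
    """Map each sample flow to permit/deny under the pre-auth ACL."""
    acl = build_preauth_acl([PSN1, PSN2], PORTAL_PORT)
    return {name: evaluate(acl, flow)[0] for name, flow in guest_flows(client_ip).items()}


if __name__ == "__main__":
    for name, action in decisions("10.50.0.23").items():
        print(f"{name:20s} {action}")
```

The return-traffic rules match on the PSN's source port 8443, which is what "port/8443 outbound" in the post expresses; forgetting the outbound half is a common reason the WLC shows "web auth pending" with the right URL and ACL but the portal page never renders.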

 

NasTar
Level 1

Hello @Arne Bier,

I verified everything that you mentioned in the comment; I found all of the information is OK, but it is still not working :-(.

I copied the link of the guest portal from Google Chrome and pasted it into Internet Explorer, and it worked; I did the same in Microsoft Edge but had the same problem as Google Chrome. I realise maybe the problem is with the certificate, which is not accepted by Chrome & Microsoft.

Attached you will find the screenshots.

Best Regards,

For production use, the ISE Guest portal certificate must be one signed by a public CA (unless you're in a lab environment, in which case you can take such a short-cut). Ensure that the SAN (Subject Alternative Name) contains the FQDN(s) of your ISE guest portals.