03-09-2015 09:40 AM - edited 03-10-2019 10:31 PM
Hi,
My end customer reported an issue with ISE 1.1.4-218.
The GUEST user is expired but still can authenticate in the WLAN.
Is that a known issue/bug?
Thanks!
Regards,
Rafael Eloi
03-09-2015 06:01 PM
A couple of questions:
- What is the patch version installed on ISE?
- Can you post screen shots of:
1. The authentication policy
2. The authorization policy
Thank you for rating helpful posts!
03-10-2015 04:39 AM
Neno,
I opened an SR with the TAC team.
When the problem is resolved, I will share the applied solution.
Thank you!
Regards,
Rafael Eloi
06-12-2015 04:20 AM
Hi Rafael,
Is there any update on this case from Cisco TAC?
I am using ISE 1.1.4.218 patch 3. The same problem happens as yours.
Thanks.
06-12-2015 08:24 AM
Both of you are running a pretty old version. You should move at least to 1.2, BUT this is a major change that requires TAC support because there are some DB implications in the process. We are actually moving to 1.3 in the future (however, we need to be careful with the WLC/Prime NCS/ISE compatibility matrix). BTW, you are losing new and helpful features from the new versions.
Irvan, could you post a screenshot of the LIVE AUTH part of ISE with a successful authentication on this guest account and also another screenshot from the sponsor page that contains the status of this guest account?
thanks
03-12-2015 10:20 AM
Check if the option in the configuration part of the Authentication process = CONTINUE.
For example, when you use CWA, the IF AUTHENTICATION FAILED option = CONTINUE, so the MAB auth always fails, but based on that option your connection continues, so you are actually redirected using the AUTHORIZATION policy.