07-24-2015 10:04 AM - edited 03-10-2019 10:56 PM
We need to use the NEW AUP feature that comes with ISE version 1.4 for our upcoming 802.1X implementation, so I would like to get feedback about that version because it is a relatively new release. We are currently running 1.2.1.198.
thanks
AC
07-24-2015 12:47 PM
I hit a bug just this week with ISE 1.4 using Hotspot with an AUP. The symptom was the AUP acceptance was not registered and thus the endpoint was never put in the desired device group to allow CoA to work properly and so they loop back to the AUP over and over.
I thought I was missing something stupid and wrestled with it for over an hour before I called the TAC.
Here's a link to the BugID CSCuu22410
The workaround is to disable the AUP page. :(
07-24-2015 12:58 PM
Thanks a lot, Marvin, for your note. In fact, the AUP page is the main reason why we would upgrade from 1.2.1 to 1.4. So based on your note, I am proceeding to talk to Cisco about this.
I will keep this post active because I would like to get more information about this version. It looks like it is not only what you mentioned.
regards
AC
07-24-2015 01:07 PM
You're welcome.
For what it's worth, AUP appears to work OK for the BYOD portal and Device Registration. It's only when using it with Hotspot portal that the issue manifested.
Is it periodic AUP re-acceptance by guests that you need? I think that's the only AUP-related enhancement in 1.4 that's not already in 1.3.
07-27-2015 07:52 AM
Hi Marvin,
Thanks for your note.
We currently have 4 SSIDs for student, staff, guest and WLAN (certificate based). The first 3 use web authentication, so the AUP is presented and those clients have to accept it. Like you said, this is a periodic AUP re-acceptance (the user has to reauthenticate if the session timeout is surpassed).
Now we are moving those 3 SSIDs to 802.1X, so the user would authenticate using the login page built in on their own device, but the AUP must be presented. This feature is only present in version 1.4.
So it looks like we should not have any issue because our scenario is different from the one you mentioned at the beginning of this post.
Any other comment from you is appreciated.
regards
08-30-2015 08:36 AM
Hi Marvin,
I just installed 1.4 patch 3 and started doing my tests. It looks like I hit another bug which is pretty similar to the one you found. The situation is the following, and I am working now with the TAC. Based on a requirement for the wireless network, I need all the BYOD clients not using EAP-TLS to accept the AUP page before getting access to the internet, and I am using PEAP.
PEAP works straightforwardly on the AUTHC part, so my AUTHZ policy detects those PEAP connections and makes a redirect to the ISE DefaultHotSpot Portal, which provides the AUP option we need, and once you accept it, it sends you to the success page.
When I checked the HotSpot Portal it says "GUEST FLOW PAGE", but it looks like it does not work, because when I get the success page and I try to open another browser window or type in the success page the URL I want to go to, it stays in a loop sending me back to the success page. However, the iPad is registered in the Guest ISE Endpoint group automatically as expected. I think this is pretty much like DRW.
Knowing that this AUTHZ redirect to the HotSpot Portal works in a similar way to CWA, I added the corresponding AUTHZ policy to avoid the loop. I mean I added an AUTHZ policy that says IF GUESTFLOW then Permit Access (internet access right away), but it looks like ISE does not recognize the flow coming from the HotSpot Portal AUP acceptance/success page as GUEST FLOW, even though it is indicated in the workflow diagram on the right side of the ISE page for that HotSpot Portal.
I tried using the default ISE guest portal option that includes the AUP acceptance and duration on that AUP register, and it works, but we do not want double authentication, taking into account we are using PEAP for AUTHC.
If you have more recent information please let me know. I will be posting the final results on this case here.
regards
08-30-2015 08:37 AM
BTW, the answer to your question is yes. I need re-acceptance periodically.