thanks Craig.

I don't quite follow the last paragraph about the 1.1.1.1 - can you please expand on that ?

How does the browser force you to click a button?

What is meant by "if properly redirected"?  What do I need to look for (or do) here?

As far as I can tell, once the user sees this on their browser, the page persists - there is no 'auto recovery'.  They often re-associate to the SSID before they can login again.

We have Cisco WLC session timeout set to 900 sec (15min).  This is the unauthentcated timeout value while user is redirected to portal.

Customer comments today:" The user entered their details immediately when prompted,  I watched her  enter her details when prompted and [error] was immediately after being prompted.  I have also seen this error prior to this and in this case there was no delay in the user entering their details also.  On the other occasion I had a contractor trying to connect I was with him while trying to connect, I had created his account printed out his details handed it to him and watched him enter details.  He also received the error and there was no delay on this occasion either,  in the end we gave up trying to get him connected."

regards

Separate from RADIUS session timeout, there is also a browser timeout as depicted below (hard-coded for 5 min)...

5 minutes later...

Clicking the Retry button will send request to the Retry URL, NOT the original redirect page.  The Retry URL is configured under Administration > Device Portal Management > Settings > Retry URL.

Checking proper redirection would be validating the policy returned to wireless controller and viewing client session details to verify that 1) Correct Redirect URL applied and 2) Correct Redirect ACL configured on controller and sent in RADIUS to ensure that requests correctly result in getting web portal to correct PSN (the same one servicing RADIUS auth).

If getting a web login page, then very likely redirect is working, but just make sure it is to correct PSN.  Also, make sure that Calling Station ID set to MAC address and not IP address and that CoA properly configured and working.  Look at the URL in the address bar of user's browser.  Does it match the one on ISE?  Disable suppression for the client in ISE and see if another session is getting triggered for same client, thus nullifying the previous session ID for web auth.

Is load balancing in place where requests may be getting sent to different PSNs?  Is this a guest/anchor setup and hitting issue with different sessions IDs from foreign and anchor (disable RADIUS Accounting on anchor).

If still having issues, then please open TAC case to troubleshoot root cause. I would be interested in learning what is discovered if none of the above resolve.

Craig

Good to know about the 5 min hard coded timeout in browser. I have seen the browser timeout with that message.  So my 15min WLC session timeout should be enough to allow them to retry and try again.

The text under the retry URL says "Retry URL for onboarding" which is why I never used it - I don't do BYO.  In a simple Guest Portal case, what URL would I even put in here?  I want the user to retry on the same Guest Portal and was hoping that the ISE-generated redirection URL would still be valid for that user who performs a browser retry.

Calling-Station-Id is MAC and always has been.

I cannot see the PSN name in the client browser because we use the option 'Static IP/Host name/FQDN'  in the Authorization Profile.

F5 load balancing is indeed taking place and I will look into this with more detail.  Our persistence logic may have a flaw.

There is no guest anchor - it's just one WLC talking to an F5 VIP, which has two PSN's as pool members.

This is tricky to troubleshoot because it happens sporadically and I cannot reproduce this in my lab.  If I could reproduce this easily then I'd have something to go on.

thanks for all your advice and suggestions.  I will post here if I make any progress in solving the case

Hi Craig

the jury is still out on that one ... we have implemented persistence logic on the F5 based on the Cisco/F5 document and it's been working well to my knowledge.  Persistence is based on Framed-IP-Address.

I can't reproduce the issue and we're waiting for more feedback from the customer.

Here's the thing that concerns me - why is the error displayed only AFTER the user enters his credentials?  Surely if the client PC lands on the wrong PSN, then that PSN's web server should complain immediately about it, and not wait until the user types in his credentials.

This made me think that perhaps the Sponsor portal was not replicating the guest accounts to all PSN's in time.  But so far my testing has not proven that theory either. Then again, if replication were an issue, then the error message would be the standard 'Authentication failed'.

Do endpoint debug (option from Live Log - Right-click MAC address) and verify which PSN it hits.  Check persistence and validate that RADIUS Server and Web Server are one in same.  Packet capture from server side of F5 could also help verify.

With redirect on static hostname, sticky MUST be configured to track web traffic attribute to RADIUS persistence table.  Otherwise, it will not find the session ID.  If hitting the same PSN, then need to verify the translations occurring at LTM to ensure that what is sent and returned by it is something that PSN will accept.

For one client, do it as called out in guide where it is allowed to pass and validates it works.

I trust that you have since opened a TAC case to help troubleshoot?