Radius session not found ISE and Guest Portal / Sponsored Portal

vaniat (Level 1)

When client joins network for a first time, we get "Radius session not found. Please contact helpdesk for assistance". After turning WiFi of the device Off and back on, everything works fine. We are running 17.11.1 on WLC9800 and 3.2 patch 4 on ISE

47 Replies

Arne Bier (VIP)

I had this phenomenon many years ago with ISE 2.2/2.3, but there were F5 load balancers involved. Sadly I can't recall what the resolution was. Perhaps you already have, but my checklist would check the following:

Check the 9800 Integration Guide that Adam posted and compare your IOS-XE configuration and ISE configuration as closely as possible. Adam makes a good point about the CoA: check that on the 9800 the IP address of ISE is listed as a client and, if need be, re-enter the RADIUS pre-shared key exactly as it appears in ISE for that 9800 (rule that out just to preserve your own sanity!)

show run | sec radius
show run | in aaa
show run | in http
show run | sec access-list

Enable a tcpdump on the ISE interface, then delete the MAC from WLC/ISE and try to catch the issue; analyse it in Wireshark for clues.

Analyse your RADIUS Policy Set to mimic how the wireless MAB traffic must flow. Post it in the Community if you want and we can also have a look.

By the sounds of it, you have done everything right. 

Last resort things:

  • Restart the 9800
  • Restart ISE (in my experience, restarting ISE doesn't fix authentication issues ... it's usually something else ...)


Hi friend,

Sorry for the late reply.

There are two authc and authz stages:

1- open and mac filter (before portal)

2- open and mac filter (after portal)

These two stages happen because of CoA.

So please, in the WLC, do (before and after):

show client detail

And in ISE, the live log.

Share them here.

Thanks

MHM

Attached is a radioactive trace of a client that first fails; then WiFi is turned off and back on and it all works fine. On the WLC CLI I am not able to find "show client detail".

I will try today to make a Wireshark capture and analyse it.

Thanks a lot, waiting for the Wireshark files.
MHM

In 9800 WLCs you go to Monitoring > Wireless > Clients and then click on the client, which will open a new tab with all the details.

I think this issue could potentially be caused by having a split session between the PSNs. If you have multiple PSNs, did you create multiple authorization rules for guest traffic redirection?
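The two-stage flow MHM describes (MAB, redirect, portal login, CoA reauth, second MAB with the user VLAN) and the split-session case raised in the reply just above, as an added example that is not code from the thread, from Cisco ISE or from IOS-XE. RADIUS and CoA are simulated as in-memory calls; the PSN names, the audit-session-id counter and the VLAN are invented for illustration, and the "session not found" string is the one from the original post.

```python
"""Simulated two-stage CWA flow: MAB -> redirect -> portal -> CoA reauth -> MAB -> VLAN.

Added example, not code from the thread, Cisco ISE or IOS-XE. RADIUS and CoA are
simulated as Python calls; PSN names, session ids and the VLAN are invented. It
models the two authz stages MHM describes, plus the 'split session' case raised
above: the portal is served by a PSN whose session cache never saw the MAB request.
"""
from dataclasses import dataclass, field

SESSION_NOT_FOUND = "Radius session not found. Please contact helpdesk for assistance"
MAC = "a2:35:82:d1:87:be"   # calling station from the thread


@dataclass
class Psn:
    """An ISE Policy Service Node: per-node session cache plus the guest-portal handler."""
    name: str
    sessions: dict = field(default_factory=dict)   # audit-session-id -> session state

    def mab(self, mac: str, session_id: str) -> dict:
        """Authorize a MAB Access-Request; the dict stands in for the returned AVPs."""
        state = self.sessions.setdefault(session_id, {"mac": mac, "guest_flow": False})
        if state["guest_flow"]:
            # stage 2: portal login already bound to this session -> user VLAN, no redirect
            return {"Access-Accept": True, "Tunnel-Private-Group-ID": state["vlan"]}
        # stage 1: unknown endpoint -> redirect ACL plus a portal URL on *this* PSN
        return {"Access-Accept": True, "cisco-av-pair": [
            "url-redirect-acl=REDIRECT",
            f"url-redirect=https://{self.name}:8443/portal/?sessionId={session_id}"]}

    def portal_login(self, session_id: str, username: str, vlan: str) -> str:
        """Guest portal: bind the login to the RADIUS session, then CoA the NAD."""
        state = self.sessions.get(session_id)
        if state is None:            # the failure mode the OP sees on first connect
            return SESSION_NOT_FOUND
        state.update(guest_flow=True, user=username, vlan=vlan)
        return "CoA-Request: Reauthenticate"


@dataclass
class Wlc:
    """The NAD (9800): mints the audit-session-id and applies what ISE returns."""
    nas_ip_hex: str                 # first 4 bytes of a Cisco audit-session-id = NAS IP
    auth_psn: Psn                   # node that receives this client's RADIUS requests
    portal_hosts: dict              # hostname in url-redirect -> node that actually answers
    clients: dict = field(default_factory=dict)
    counter: int = 0

    def connect(self, mac: str) -> dict:
        """Association + first MAB (stage 1)."""
        self.counter += 1
        sid = f"{self.nas_ip_hex}{self.counter:08X}00000000"   # NAS IP | counter | timestamp
        self.clients[mac] = {"session_id": sid, "authz": self.auth_psn.mab(mac, sid)}
        return self.clients[mac]["authz"]

    def open_portal(self, mac: str, username: str, vlan: str) -> str:
        """Client follows the redirect; the host named in the URL handles the login."""
        authz = self.clients[mac]["authz"]
        url = next(a for a in authz["cisco-av-pair"] if a.startswith("url-redirect="))
        host = url.split("https://")[1].split(":")[0]
        sid = url.split("sessionId=")[1]
        reply = self.portal_hosts[host].portal_login(sid, username, vlan)
        if reply.startswith("CoA-Request"):
            # CoA reauth: the WLC re-sends MAB for the *same* session id (stage 2)
            self.clients[mac]["authz"] = self.auth_psn.mab(mac, sid)
        return reply


def run_flow(auth_psn: Psn, portal_hosts: dict) -> tuple:
    """Return (stage-1 authz, portal reply, final authz) for one client."""
    wlc = Wlc("0A030A0A", auth_psn, portal_hosts)   # 0A030A0A = 10.3.10.10, as in the thread's session id
    first = wlc.connect(MAC)
    reply = wlc.open_portal(MAC, "guest1", "99")
    return first, reply, wlc.clients[MAC]["authz"]


if __name__ == "__main__":
    psn1 = Psn("psn1")
    print(run_flow(psn1, {"psn1": psn1}))        # healthy: VLAN 99 after the CoA reauth
    psn1, psn2 = Psn("psn1"), Psn("psn2")
    print(run_flow(psn1, {"psn1": psn2}))        # split: session not found, client still redirected
```

The healthy run ends with the second MAB returning the user VLAN and no redirect; the split run returns the portal error and leaves the client under the redirect ACL, which is what a "Radius session not found" on first connect looks like from the WLC side.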

vaniat (Level 1)
Client State Servers: None
Client ACLs: None
Client Entry Create Time: 222 seconds
Policy Type: WPA2
Encryption Cipher: CCMP (AES)
Authentication Key Management: FT-PSK
EAP Type: Not Applicable
Session Timeout: 86400
Authen Status: Success

Session Manager
Point of Attachment: capwap_9000038c
IIF ID: 0x9000038C
Authorized: TRUE
Common Session ID: 0A030A0A000095E65F0C5FE2
Acct Session ID: 0x000063bf
Auth Method Status List
  Method: MAB
  SM State: TERMINATE

Local Policies
Service Template: wlan_svc_ALMIRQAB_local (priority 254)
VLAN: GUEST
Absolute Timer: 86400

Resultant Policies
Preauth URL Filter: URL_FILTER
Preauth URL Filter: GUEST_URL
URL Redirect ACL: REDIRECT
VLAN Name: GUEST
VLAN: 102
Absolute Timer: 86400
DNS Snooped IPv4 Addresses: None
DNS Snooped IPv6 Addresses: None

This is before the portal,

and it is totally correct for the redirect ACL and URL.

MHM

vaniat (Level 1)

and this is after, when it works correctly:

Client State Servers: None
Client ACLs: None
Client Entry Create Time: 402 seconds
Policy Type: WPA2
Encryption Cipher: CCMP (AES)
Authentication Key Management: FT-PSK
EAP Type: Not Applicable
Session Timeout: 5714853
Authen Status: Success

Session Manager
Point of Attachment: capwap_9000038c
IIF ID: 0x9000038C
Authorized: TRUE
Common Session ID: 0A030A0A000095E65F0C5FE2
Acct Session ID: 0x000063bf
Auth Method Status List
  Method: MAB
  SM State: TERMINATE

Local Policies
Service Template: wlan_svc_ALMIRQAB_local (priority 254)

Server Policies
Absolute Timer: 5714853
VLAN: 99

Resultant Policies
VLAN Name: CONTROL
VLAN: 99
Absolute Timer: 5714853
DNS Snooped IPv4 Addresses: None
DNS Snooped IPv6 Addresses: None

This is wrong: the user is authorized using PSK, not MAB, even if it passes portal auth.

And VLAN 102 and then 99!!!!

It is not the same WLAN, I think.

Can I see the L2 and L3 security for this WLAN again?

Thanks 

MHM

vaniat (Level 1)

Indeed, after log in, the client gets to its specific VLAN. 102 is the portal VLAN and 99 is the designated VLAN for that specific user (see below).
What do you mean by "user authz using PSK not MAB"?

Result

User-Name: fdoyle1
Class: CACS:0A030A0A000095E65F0C5FE2:my681-ise001/495381330/456274
Session-Timeout: 5714853 seconds
Termination-Action: Default
Tunnel-Type: (tag=1) VLAN
Tunnel-Medium-Type: (tag=1) 802
Tunnel-Private-Group-ID: (tag=1) 99
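A way to compare the "before" and "after" client-detail dumps and cross-check the Class attribute above against the WLC's Common Session ID, as an added example that is not part of the thread. It assumes the dump layout as pasted (field name on one line, its value on the next, section headers in between) and the Class layout visible above, CACS:<audit-session-id>:<psn>/...; the sample inputs are constructed, abbreviated copies of the two dumps and of the Class value, and the NAS-IP decoding relies on the first four bytes of a Cisco audit-session-id being the NAS IPv4 address.

```python
"""Parse two 9800 client-detail dumps, diff them and cross-check ISE's Class attribute.

Added example, not from the thread. Input is the Monitoring > Wireless > Clients
detail as pasted above (field name on one line, value on the next, section headers
in between); the samples are constructed, abbreviated copies of the thread's dumps.
"""
import re

SECTION_HEADERS = {"Session Manager", "Auth Method Status List", "Local Policies",
                   "Server Policies", "Resultant Policies"}
CLASS_RE = re.compile(r"^CACS:([0-9A-Fa-f]{24}):([^/]+)/(.*)$")
CLASS_ATTR = "CACS:0A030A0A000095E65F0C5FE2:my681-ise001/495381330/456274"  # from the thread

BEFORE = (                                   # constructed, trimmed copy of the first dump
    "Session Timeout\n86400\n"
    "Session Manager\n"
    "Common Session ID\n0A030A0A000095E65F0C5FE2\n"
    "Auth Method Status List\n"
    "Method\nMAB\nSM State\nTERMINATE\n"
    "Local Policies\n"
    "VLAN\nGUEST\n"
    "Resultant Policies\n"
    "Preauth URL Filter\nURL_FILTER\nPreauth URL Filter\nGUEST_URL\n"
    "URL Redirect ACL\nREDIRECT\nVLAN Name\nGUEST\nVLAN\n102\n"
)
AFTER = (                                    # constructed, trimmed copy of the second dump
    "Session Timeout\n5714853\n"
    "Session Manager\n"
    "Common Session ID\n0A030A0A000095E65F0C5FE2\n"
    "Auth Method Status List\n"
    "Method\nMAB\nSM State\nTERMINATE\n"
    "Server Policies\n"
    "VLAN\n99\n"
    "Resultant Policies\n"
    "VLAN Name\nCONTROL\nVLAN\n99\n"
)


def parse_client_detail(text: str) -> dict:
    """Fold name/value line pairs into {"Section/Name": value}; repeated names become lists."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields, section, i = {}, "", 0
    while i < len(lines):
        if lines[i] in SECTION_HEADERS:
            section, i = lines[i], i + 1
            continue
        key = f"{section}/{lines[i]}" if section else lines[i]
        value = lines[i + 1] if i + 1 < len(lines) else ""
        if key in fields:                      # e.g. the two 'Preauth URL Filter' lines
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
        i += 2
    return fields


def diff_client_detail(before: dict, after: dict) -> dict:
    """{field: (before, after)} for every field that changed, appeared or vanished."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}


def parse_class(value: str) -> dict:
    """Split ISE's Class AVP: CACS:<audit-session-id>:<psn hostname>/<counters>."""
    m = CLASS_RE.match(value)
    if not m:
        raise ValueError(f"unexpected Class format: {value!r}")
    return {"session_id": m.group(1).upper(), "psn": m.group(2), "tail": m.group(3)}


def session_id_nas_ip(session_id: str) -> str:
    """The first 4 bytes of a Cisco audit-session-id are the NAS IPv4 address."""
    return ".".join(str(int(session_id[i:i + 2], 16)) for i in range(0, 8, 2))


def check_session_binding(detail: dict, class_attr: str) -> list:
    """Consistency checks between ISE's Class AVP and the WLC's view; empty = consistent."""
    findings = []
    cls = parse_class(class_attr)
    wlc_sid = detail.get("Session Manager/Common Session ID", "").upper()
    if cls["session_id"] != wlc_sid:
        findings.append(f"Class session {cls['session_id']} != WLC Common Session ID {wlc_sid}")
    if "Resultant Policies/URL Redirect ACL" in detail:
        findings.append("client is still under the redirect ACL after the authorization")
    return findings


if __name__ == "__main__":
    before, after = parse_client_detail(BEFORE), parse_client_detail(AFTER)
    for k, (b, a) in diff_client_detail(before, after).items():
        print(f"{k}: {b!r} -> {a!r}")
    print("NAS IP:", session_id_nas_ip(parse_class(CLASS_ATTR)["session_id"]))
    print("findings:", check_session_binding(after, CLASS_ATTR))
```

The diff shows exactly what the CoA changed (redirect ACL and URL filters gone, VLAN 102 to 99, Session-Timeout from the ISE accept), and the binding check confirms that the session ID ISE put in Class is the one the WLC holds, with the PSN hostname telling you which node owns that session.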

We need to focus on the issue and solve it one by one.

Guests must not use PSK (they are guests; how would they have the key?), so it uses L2 security none with mac filtering selected. So can you confirm whether you use this L2 security or not?

MHM

vaniat (Level 1)

The client requested an extra security layer (PSK) so not everyone can try to connect to that SSID. Next to that, the client gets an account and is redirected to the portal. And this works fine, just not the first time.

[Attachment: Screenshot 2024-01-31 at 12.04.45.png]

Wireshark capture. Calling station is a2-35-82-d1-87-be. It can be found with the IP address 10.10.102.161.

I will check whether Guest WPA + portal in CWA is supported or not.
MHM

Please. It kind of works (only the second time) and I was told of deployments that work fine and use PSK. Also, in my understanding, PSK is more on the authentication/encryption side while MAB is on the authorisation side, hence PSK is the starting point, but once you get to the portal you already have IP-level communication in place (please correct me if I am wrong).