
Radius session not found ISE and Guest Portal / Sponsored Portal

vaniat
Level 1

When a client joins the network for the first time, we get "Radius session not found. Please contact helpdesk for assistance". After turning the WiFi of the device off and back on, everything works fine. We are running 17.11.1 on WLC9800 and 3.2 patch 4 on ISE.


thomas
Cisco Employee

You clearly have a lot more going on here than you initially described and did not provide enough troubleshooting details. Please see How to Ask The Community for Help and call TAC so they may take the time to understand all components involved and where it might be wrong.

Just for my understanding, which exact troubleshooting details did I not provide? 

For anyone who might get this issue, the solution was to change "port-bounce" to "re-auth" in Administration >> System >> Settings >> Profiling.

How many ISE PSNs do you have?

Only one PSN. I have seen the issue with F5, but that does not apply to our case, I guess.

Screenshot 2024-01-31 at 12.27.14.png

As you can see, the 3rd entry is the failed one:

Result

Calling-Station-ID: a235.82d1.87be
Error-Cause: 200
cisco-command-code: 2

Also, the first time, the Authorization Result is empty:

Overview

Event: 5231 Guest Authentication Passed
Username: fdoyle1
Endpoint Id: A2:35:82:D1:87:BE
Endpoint Profile:
Authorization Result:

Compared to the second attempt:

Overview

Event: 5236 Authorize-Only succeeded
Username: fdoyle1
Endpoint Id: A2:35:82:D1:87:BE
Endpoint Profile: Apple-iPhone
Authentication Policy: Default
Authorization Policy: Default >> Wi-Fi_Guest_Access_AV_Control
Authorization Result: PermitAccess,my681-AV-Control

Can you make L2 security none, select MAC filtering, and check?

I think using PSK plus portal is the issue here.

MHM

It is a bit of a problem as the site is in production, but I will give it a try. Can you please explain to me why you think that PSK is a problem?

No need to adjust the WLAN; add a new test WLAN and test the config.

For PSK + CWA, I already checked, and you can run both in the same WLAN.

But I found a bug, so let's wait for your results to see if the issue is from ISE, not from the WLC.

Until you try it, I will also analyze the Wireshark capture you shared to see if there is another problem.

Thanks 

MHM

OK. Got it. I will create a test WLAN and test with open, no PSK, and we will see.

vaniat
Level 1

I have tested with an Open SSID and it does seem to be working. However, I do see the same issue in the ISE Live logs as what is seen when PSK is enabled.

Result

Calling-Station-ID: 524e.476d.3e5b
Error-Cause: 200
cisco-command-code: 2

Also, what is different is that the username is empty in this request when compared with the one with PSK:

Overview

Event: 5205 Dynamic Authorization succeeded
Username:
Endpoint Id: 52:4E:47:6D:3E:5B
Endpoint Profile:
Authorization Result:

However, not using PSK is not an acceptable solution for us, but it might be a good lead to troubleshoot further.

So I did some further troubleshooting: on this newly created TEST SSID, I added PSK and it worked again. Then I added WPA with AES (which I need in order to support some very old devices) and Fast Transition, and then it stopped working. Removing those again still did not solve the issue. I had to set the SSID back to Open and then again to WPA2, and now it seems to be working fine again. So it is still inconclusive whether the issue is related to WPA and Fast Transition, or whether it is just random that it does not work.

FT, and the client that failed to auth is Mac/iOS?

MHM

It is iOS, Apple iPhone 11.