
Radius session not found ISE and Guest Portal / Sponsored Portal

vaniat
Level 1

When a client joins the network for the first time, we get "Radius session not found. Please contact helpdesk for assistance". After turning the device's WiFi off and back on, everything works fine. We are running 17.11.1 on WLC9800 and 3.2 patch 4 on ISE.

2 Accepted Solutions


thomas
Cisco Employee

You clearly have a lot more going on here than you initially described and did not provide enough troubleshooting details. Please see How to Ask The Community for Help and call TAC so they may take the time to understand all components involved and where it might be wrong.


For anyone that might get an issue, the solution was to change "port-bounce" to "re-auth" in Administration >> System >> Settings >> Profiling.


47 Replies

Sounds like CoA is not properly configured on ISE and/or the controller.  

Also why 17.11.1?  Why not 17.12.X?

At the times when I tried 17.12.x, all WAPs were constantly disconnecting and were causing issues on the network. However, I can give it another go indeed.
As for the CoA, I am not sure what is there to be misconfigured? Some stations do work from the first attempt, but some do not. It used to be all the time that the first attempt ended in the error, but then we realised that the RADIUS server in the WLC was not configured in the correct RADIUS group, and after that the situation improved a lot; however, it still happens with every new client. When testing, I remove the MAC address from the WLC and ISE to reproduce, but that does not always produce the error.

debug packet logging acl ip 1 permit <ISE IP>

Can you share the debug between WLC and ISE?

MHM

Don't have that option...

MY681-WLC001#debug packet ?
  <cr>  <cr>

Debug not in enable mode, in user mode

MHM

vaniat
Level 1
MY681-WLC001>debug ?
% Unrecognized command

We need to make sure whether the issue is from the WLC or ISE.

Can you check the IP of the client and the excluded list in the WLC? It can add the client to the exclude list. When turned down and up, the client gets a new IP and hence can auth via ISE.

MHM

Clients do not end up in the Excluded list at all (unless they made a mistake in the PSK). They get an address in the same IP range both times, first when it fails and second when it works. And they can reach the ISE web portal both times; however, the authentication part is not working (always) the first time. I am still struggling to reproduce the issue, but it happens mostly on newly added devices.

Not sure, but the issue could be caused by having the RADIUS session split across multiple PSNs. If you have multiple PSNs, did you configure one authorization rule for each one to redirect guest traffic?

vaniat
Level 1

There is only one PSN configured. I have seen the post with F5 load balancing, but that does not solve my issue, I am afraid. We run everything on a single VM.

Single standalone VM?  I would highly suggest adding an additional 1-2 VMs.  Note that a single VM is only supported for evaluation use-cases: https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

vaniat
Level 1

It is a small environment and the VM is running on a VMware cluster (redundant servers). What would be the benefits of multiple VMs? Offloading?

High Availability