Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1642
Views
0
Helpful
2
Replies

Self register guest access (MAB) configuration troubles

Go to solution
Axel Boersma
Level 1
Level 1

‎02-05-2018 06:55 AM

Hello,

Been trying to get a test Guest SSID (Portal) up and running, but it isn't going as expected. I already have a few SSID's running with dot1x for employees, but for guest we wanted to migrate from Packet Fence to Cisco ISE.

Used the following to create the setup: (Tweaked for ISE 2.3 Patch 2)

Central Web Authentication on the WLC and ISE Configuration Example - Cisco

But I'm unable to connect to the WiFi the errors I get in ISE are as follow's.

Event     5434 Endpoint conducted several failed authentications of the same scenario

Failure Reason     22040 Wrong password or invalid shared secret

11001     Received RADIUS Access-Request

11017     RADIUS created a new session

11027     Detected Host Lookup UseCase (Service-Type = Call Check (10))

15049     Evaluating Policy Group

15008     Evaluating Service Selection Policy

15048     Queried PIP

11034     Process Host Lookup is disabled. (Service-Type = Call Check (10) cannot be applied)

15041     Evaluating Identity Policy

15048     Queried PIP

15013     Selected Identity Source - Internal Endpoints

24209     Looking up Endpoint in Internal Endpoints IDStore - 80:58:F8:XX:XX:XX

24211     Found Endpoint in Internal Endpoints IDStore

22040     Wrong password or invalid shared secret

22057     The advanced option that is configured for a failed authentication request is used

22061     The 'Reject' advanced option is configured in case of a failed authentication request

11003     Returned RADIUS Access-Reject

5434     Endpoint conducted several failed authentications of the same scenario

I can't find any reference to an solution. I have found people that fixed this problem but they never told what they did to solve it. I have profiling enabled, but can't figure out why I get the 22040 error. For normal WiFi SSID's RADIUS has no problems, so the radius secret shouldn't be the problem.

But why do I get this error and how to fix....

With kind regards,

Axel Boersma

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Oliver Laue
Level 4
Level 4

‎02-05-2018 09:45 AM

Hi Axel,

looks like multiple problems.

First check your Allowed Authentication Protocols for your Authentication Policy Process Host Lookup should be enabled.

The definition can be found in Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols which is mapped to the MAB Rule in your Auth Policy.

After this check your Auth Policy to match to the Article you linked. The Option "If User not found Continue" must be enabled to allow CWA Redirection.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Oliver Laue
Level 4
Level 4

‎02-05-2018 09:45 AM

Hi Axel,

looks like multiple problems.

First check your Allowed Authentication Protocols for your Authentication Policy Process Host Lookup should be enabled.

The definition can be found in Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols which is mapped to the MAB Rule in your Auth Policy.

After this check your Auth Policy to match to the Article you linked. The Option "If User not found Continue" must be enabled to allow CWA Redirection.

0 Helpful

Go to solution
Axel Boersma
Level 1
Level 1
In response to Oliver Laue

‎02-06-2018 02:51 AM

Thank you so much, the one thing I didn't look at "Allowed Protocols" Been staring at it so long that I missed that.

Hopefully others can find the answer now if they have the same issue.

With kind regards,

Axel Boersma.

0 Helpful
Customers Also Viewed These Support Documents