cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3065
Views
1
Helpful
13
Replies

Self Registration of Guest User Portal is not coming while connecting

King_1988
Level 1
Level 1

Hi Good People,

We have deployed WLC-9800 and ISE in our network. We have created a Guest SSID and made it open means no security key. Also set ISE as RADIUS server in WLC. 

 

In ISE, we have created necessary Authentication and Authorization policy (MAB) in order to have Self-Registration portal for guest while login. But client can connect SSID and browse internet but no Login page is generated from ISE. What could be the issue? 

13 Replies 13

ammahend
VIP
VIP

make sure your Guest ACL and redirect ACL are as per this documentation

During authorization along with redirect url you ideally also want to force a guest dacl which allows access to ISE, DNS only, so the only thing user can do is go to ISE and resolve FQDN. Once the user has gone through self registration then your Internet only or Guest ACL comes into play.

-hope this helps-

Colby LeMaire
VIP Alumni
VIP Alumni

There could be a number of issues.  The first step is to check ISE Live Logs to see if the MAB authentication hit the correct policy and correct authorization rule.  If so, then on the 9800 GUI, go to Monitoring->Wireless->Clients and filter for the MAC address of the device you are testing with.  If the state is "RUN", then it is not going to redirect anywhere and will just allow the device to communicate on the network.  If the state is "Web Auth Pending", then click on the MAC address and check under General->Security.  I may have the names of the tabs off a little.  But you should be able to scroll down and see what the redirect ACL name is and also the URL that the client would be redirected to.  If those items are there and correct, then check the redirect ACL itself.  Remember that the 9800 is essentially an IOS-XE switch and not AireOS so the redirect ACL should have "deny" statements for the traffic that you DO NOT want to redirect.  This is typically DNS and the traffic to the ISE PSNs.  Then you have a "permit tcp any any eq 80" and a "permit ip any any" at the end.  I prefer to be specific with HTTP before a blanket permit ip any any.  Habit from issues in the past.

If all those things are good, try to manually open a browser and navigate to http://1.2.3.4 .  If you see the redirect attempting, then the problem may be that DNS is not working for the client.  Maybe the DHCP scope doesn't have DNS defined or the IP's are wrong.  When a network connection happens, Apple devices will attempt to connect to http://captive.apple.com and Windows devices try to connect to http://msftconnecttest.com.  If DNS is not working, then the HTTP request will never hit the AP/WLC and redirection could never work.  Manually trying to navigate to any IP address over HTTP would take DNS out of the picture.  If DNS is not working, the guest portal will not load but you should at least see the attempt to redirect.

HTH,

Colby

Hi Colby/Ammahend,

We have already configured Authentication and Authorization in policy sets of ISE as per documentation. But found hits are coming for default instead of newly created one.

 

In your authentication policy, your MAB rule condition is wireless mab AND wired mab.  That logic doesn't work so it will never match that rule.

So what we can do? Actually we have followed the documentation only for the self-registration of guest wifi using ISE: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html

 

 

Hi Colby,

What we can do to make it work, i mean self registration for guest?

You need to make two changes and try:

If you’re dealing with wireless client only,  then you can just remove the wired mab in authentication policy, if you’re dealing with wired and wireless guest both, then just change it from AND to OR. 

If user not found should be “continue”

-hope this helps-

Ok, we will do and let you know. Another thing mac filtering need to be enable or not from WLC L2 security?

Hi,

Got some improvement, but the issue is not fully solved. Now we are getting successful logs (Attached) in ISE but client can't connect Guest  SSID. But when we are disabling MAC filtering from WLC then client gets connected with the SSID but no redirection page is coming for self portal registration, that means is Authenticated, and Authorized from WLC. What can be the issue?

 

Hi,

Now we are getting below logs from ISE for the Guest user. From log it is showing Authentication passed but Client is not getting SSID connected also not getting any Registration portal for Self-sign.

 

King_1988_0-1697368728090.png

 

Arne Bier
VIP
VIP

If this is 9800, then also check that you have the IOS-XE command configured

ip http server

This is required to enable the http interception on the 9800 to make redirection work.

King_1988
Level 1
Level 1

Hi,

HTTP is already enabled.

Arne Bier
VIP
VIP

Ok. Have you tried debugging with a Windows/MAC once you have associated to the Wi-Fi, to see if

- DNS resolution of the ISE Portal URL(s) are resolving in the expected IP address of the PSN(s) ?

- telnet to port 8443 on each IP address to see if the connection is "Open" (TCP SYN/ACK test)

- is the behaviour any different for Windows/MAC than for iOS or Android? (recall iOS Captive Networking Assistant - the WLC should not interfere with that if you want to the portal to auto pop-up - that's a setting to check on the WLC)