Sponsor Approved Guest Access

Steven Williams
Level 4

I have been at this all day and am struggling a bit. Does anyone have a very detailed doc on setting up sponsor approved Guest access with ISE 2.x and WLC code version 8.2.110.0.

I have gone through the process of setting up the portals to best of my ability. I have my users authenticating with ISE with PEAP for corp wireless so I know that works.

How do I tell WLC/ISE which SSID I am using for guest access? Also, should my client get an IP address and then be redirected?

I am getting this error on the WLC:

*apfReceiveTask: Jun 13 20:37:31.136: %APF-3-CLIENT_NO_ACCESS: apf_80211.c:4285 Authentication failed for client: c0:cc:f8:17:de:25. ACL override mismatch from AAA server.

And in splunk I am seeing this:

Jun 13 15:50:28 10.20.0.60 Jun 13 15:50:28 ise01 CISE_Passed_Authentications 0000157854 4 0 2016-06-13 15:50:28.428 -05:00 0006695154 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=90, Device IP Address=10.20.63.14, DestinationIPAddress=10.20.0.60, DestinationPort=1812, UserName=C0-CC-F8-17-DE-25, Protocol=Radius, RequestLatency=12, NetworkDeviceName=BNA-WLC2500-01, User-Name=c0ccf817de25, NAS-IP-Address=10.20.63.14, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, Calling-Station-ID=c0-cc-f8-17-de-25, NAS-Identifier=_GUEST, Acct-Session-Id=575f1c94/c0:cc:f8:17:de:25/23, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 142, cisco-av-pair=audit-session-id=0a143f0e0000000f575f1c94, Airespace-Wlan-Id=3, OriginalUserName=c0ccf817de25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false,

I cannot join the SSID from my iPhone... but it looks like it's trying. I assume an ACL is wrong or a policy is wrong. I think I'm struggling with the VLANs that are pushed to the clients.

Any help would be great thanks..

Accepted Solution

Could you send a screenshot of the configuration of radius server in the WLC (the detail page please).

Did you take a look on the wlc/monitor clients if the ACL was pushed to authenticated clients ? What's the result?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question



Francesco Molino
VIP Alumni

Hi

First of all, if you want to have some documentation from Cisco:

- http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_01110.pdf

- http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_011011.html

If you want to see some videos how to configure it, you can take a look on Labminutes:

- http://www.labminutes.com/sec0197_ise_13_guest_access_sponsored_guest_1

The way you do it on ISE 2.0 or ISE 1.3 is quite the same.

For the ACL, you'll need to authorize DHCP, DNS and ISE. All the rest should be denied. If you send a quick drawing with all this information and your WLC, I can tell you if the ACL is correct or not.

For CoA (authorization acl profile), you need to create ACLs on WLC and just type the EXACT name on your ISE authorization profile.

The other thing that can block your Apple iDevices from accessing the web portal (while standard PCs can access it) is the certificate. Do you have a valid certificate signed by a certificate authority, or is it self-signed?

On ISE, to do rules per SSID, I'm using the policy set feature and create a condition based on WLAN_ID (you can find this information in your WLC's WLAN list, close to the SSID name itself).

I've attached to this post some quick screenshots I made 2 years ago for a colleague to show him how to configure the Guest portal. Maybe it could help. Again, the way the Guest portal works is a little bit different between versions (more features), but the idea is quite the same.

I'm sorry, but I don't have an ISE lab right now to take some screenshots.

Let me know if you need more help.

Thanks
Francesco
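An added example (not from the thread) that applies Francesco's points above to the kind of ISE Passed-Authentication record Steven pasted from Splunk: parse the comma-separated attribute list, pull out the WLAN ID (for a policy-set condition), the SSID and the overridden VLAN, and check every ACL name ISE sends to the WLC against the ACL names defined on the WLC with an exact comparison. The record and the WLC ACL list are constructed; the url-redirect-acl value and portal URL are invented, and treating WLC ACL names as case-sensitive is an assumption of the check.

```python
"""Parse an ISE Passed-Authentication syslog record and check the authorization
result it carries against the WLC: SSID, WLAN ID, VLAN, and whether every ACL
name ISE references exists on the WLC under exactly that name."""

# Constructed sample record. It is modelled on the attribute list the original
# poster pasted (same VLAN, WLAN ID and device IPs), with an invented portal URL
# and an invented url-redirect-acl value added so the ACL-name check has input.
SAMPLE_LOG = (
    "Passed-Authentication: Authentication succeeded, ConfigVersionId=90, "
    "Device IP Address=10.20.63.14, UserName=C0-CC-F8-17-DE-25, Protocol=Radius, "
    "NetworkDeviceName=BNA-WLC2500-01, Service-Type=Call Check, "
    "Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, "
    "Calling-Station-ID=c0-cc-f8-17-de-25, NAS-Port-Type=Wireless - IEEE 802.11, "
    "Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, "
    "Tunnel-Private-Group-ID=(tag=0) 142, "
    "cisco-av-pair=audit-session-id=0a143f0e0000000f575f1c94, "
    "cisco-av-pair=url-redirect-acl=Guest_Redirect, "
    "cisco-av-pair=url-redirect=https://ise01.example.com:8443/portal/gateway"
    "?sessionId=0a143f0e0000000f575f1c94&action=cwa, "
    "Airespace-Wlan-Id=3, NetworkDeviceProfileName=Cisco"
)

# Constructed: ACL names as defined on the WLC (Security > Access Control Lists).
# Note the letter case differs from the name ISE sends in the record above.
WLC_ACLS = {"GUEST_REDIRECT", "BLOCKALL"}


def parse_attributes(record):
    """Split the key=value list that follows the result text.

    Only the first '=' separates key from value, so an av-pair such as
    'cisco-av-pair=url-redirect=https://...' keeps its inner '='. The
    cisco-av-pair key repeats, so its values are collected in a list.
    """
    _, _, body = record.partition("Authentication succeeded, ")
    attrs = {"cisco-av-pair": []}
    for field in body.split(", "):
        key, sep, value = field.partition("=")
        if not sep:
            continue
        if key == "cisco-av-pair":
            attrs["cisco-av-pair"].append(value)
        else:
            attrs[key] = value
    return attrs


def av_pair(attrs, name):
    """Values of the named Cisco AV pair, e.g. 'url-redirect-acl'."""
    values = []
    for avp in attrs["cisco-av-pair"]:
        key, _, value = avp.partition("=")
        if key == name:
            values.append(value)
    return values


def referenced_acl_names(attrs):
    """ACL names the authorization result tells the WLC to apply: the CWA
    redirect ACL (url-redirect-acl) and, if present, Airespace-ACL-Name."""
    names = av_pair(attrs, "url-redirect-acl")
    if "Airespace-ACL-Name" in attrs:
        names.append(attrs["Airespace-ACL-Name"])
    return names


def check_acl_names(attrs, wlc_acls):
    """Per referenced ACL: 'ok' (exact match on the WLC), 'case mismatch'
    (same letters, different case; assumed here to be a different name to the
    WLC) or 'missing on WLC'."""
    by_lower = {acl.lower(): acl for acl in wlc_acls}
    verdicts = {}
    for name in referenced_acl_names(attrs):
        if name in wlc_acls:
            verdicts[name] = "ok"
        elif name.lower() in by_lower:
            verdicts[name] = "case mismatch (WLC has %r)" % by_lower[name.lower()]
        else:
            verdicts[name] = "missing on WLC"
    return verdicts


def summarize(attrs):
    """What the WLC was told about this session: SSID (from Called-Station-ID),
    WLAN ID (the value to match in an ISE policy set) and the overridden VLAN."""
    ssid = attrs.get("Called-Station-ID", "").partition(":")[2]
    vlan_raw = attrs.get("Tunnel-Private-Group-ID", "")   # e.g. "(tag=0) 142"
    vlan = vlan_raw.split()[-1] if vlan_raw else ""
    return {"ssid": ssid, "wlan_id": attrs.get("Airespace-Wlan-Id", ""), "vlan": vlan}


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_LOG)
    print(summarize(parsed))
    for acl, verdict in check_acl_names(parsed, WLC_ACLS).items():
        print(acl + ": " + verdict)
```

Run against your own exported records and the ACL list from the WLC; any verdict other than "ok" is the name mismatch Francesco describes, and the wlan_id value is what a per-SSID policy-set condition has to match.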

Now on my Apple device I am getting a login window with nothing on it; it errors and says "Hotspot login cannot open the page because the server cannot be found".

Ok. Is the certificate for the guest portal a valid certificate signed by a real authority?

But with Windows and/or Android devices, guest is working fine, isn't it?

Thanks
Francesco

I am getting closer and closer here. The issue for the guest login page not coming up was DNS. Is there a way to change the URL for the guest portal?

So now I am on a laptop, I get the guest portal, I say I don't have an account. I register as a user, get my request in the sponsor portal, approve it, log in, and it seems to be successful.

I get to AUP page and click accept. Then the client is redirected to the guest portal again for re-auth. Here is the log event:

Event 5417 Dynamic Authorization failed 

Failure Reason 11213 No response received from Network Access Device after sending a Dynamic Authorization request 

Resolution

Check the connectivity between ISE and Network Access Device. Ensure that ISE is defined as Dynamic Authorization Client on Network Access Device and that CoA is supported on device.
Root cause No response received from Network Access Device after sending a Dynamic Authorization request

Steps
11204 Received reauthenticate request
11220 Prepared the reauthenticate request
11100 RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA )
11104 RADIUS-Client request timeout expired ( [step latency=10016 ms] Step latency=10016 ms)
11213 No response received from Network Access Device after sending a Dynamic Authorization request

The URL is based on what is set on the interface with the DNS suffix. You can, on your authorization profile, set the IP address instead of taking the DNS name dynamically. It's just for test purposes; I don't recommend going with a fixed IP for guest redirection.

You are talking about laptop only. Put the IP and test it again with mobile.

The error you're getting is related to CoA and seems to be an issue between your NAD and ISE:

- your WLC is normally ok as you're running a recent AireOS version

- How did you configure your SSID?

- could you give the output of radius configuration from your WLC?

If you can't give any screenshots, could you ensure that your SSID configuration looks like this step by step documentation: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

Thanks
Francesco

It was a deny from my ISE server to the WLC for port 1700. Not sure what that's for.

Now I am having an issue with my Windows PC that is like caching the username and session.

I have removed the registered user from the sponsor portal and removed the client session from the WLC. It still connects to the SSID and is able to access the internet and doesn't require a username and password. It was working fine a while ago.

Now this:

Event 5417 Dynamic Authorization failed
Failure Reason 11103 RADIUS-Client encountered error during processing flow
Resolution Do the following: 1) Verify shared secret matches on the ISE Server and corresponding AAA Client, External AAA Server or External RADIUS Token Server. 2) Check the AAA Client or External Server for hardware problems. 3) Check the network devices that connect the AAA peer to ISE for hardware problems. 4) Check whether the network device or AAA Client has any known RADIUS compatibility issues.
Root cause RADIUS-Client encountered an error during processing flow

Port 1700 is a UDP port used for CoA.

Do you have a firewall between ISE and the WLC where this port was blocked?

The error message is due to CoA failure.

- How did you configure WLC for radius?

- What's SSID configuration ?

- If there is a firewall, are there still blocked ports?


Thanks
Francesco
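The CoA failure in this exchange is a direction problem: RADIUS authentication and accounting are initiated by the WLC towards ISE (UDP 1812/1813 here), but CoA is initiated by ISE towards the WLC (UDP 1700, as the ISE step "RADIUS-Client about to send request - ( port = 1700 , type = Cisco CoA )" shows), so a firewall rule written only for RADIUS misses it. The added example below is not from the thread; it evaluates a constructed firewall rule set first-match with an implicit deny, using the ISE and WLC addresses from the poster's log, and reports which of the three required flows are not permitted. The rule sets and the Rule representation are constructed for illustration.

```python
"""Check a firewall rule set for the flows a WLC and ISE need for central web
auth with CoA. Rules are evaluated first-match with an implicit deny, as on
most firewalls."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport_lo: int = 0      # destination port range, inclusive
    dport_hi: int = 65535

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (
            self.proto in ("any", proto)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and self.dport_lo <= dport <= self.dport_hi
        )


def first_match(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """Action of the first rule matching the flow; implicit deny if none does."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


# Addresses taken from the poster's log: ISE at 10.20.0.60, WLC at 10.20.63.14.
ISE = "10.20.0.60"
WLC = "10.20.63.14"

# Required flows, initiator first. RADIUS runs WLC -> ISE on the ports the poster
# configured (1812/1813); CoA runs the other way, ISE -> WLC on UDP 1700, which
# is the flow a "RADIUS only" rule does not cover.
REQUIRED_FLOWS = [
    ("RADIUS authentication", "udp", WLC, ISE, 1812),
    ("RADIUS accounting", "udp", WLC, ISE, 1813),
    ("RADIUS CoA", "udp", ISE, WLC, 1700),
]


def missing_flows(rules: List[Rule]) -> List[str]:
    """Names of required flows the rule set does not permit."""
    return [
        name
        for name, proto, src, dst, port in REQUIRED_FLOWS
        if first_match(rules, proto, src, dst, port) != "permit"
    ]


# Constructed rule sets. BEFORE permits RADIUS from the WLC subnet to ISE but has
# no rule for the return-direction CoA traffic; AFTER adds that rule.
BEFORE = [Rule("permit", "udp", "10.20.63.0/24", "10.20.0.60/32", 1812, 1813)]
AFTER = BEFORE + [Rule("permit", "udp", "10.20.0.60/32", "10.20.63.0/24", 1700, 1700)]

if __name__ == "__main__":
    print("before:", missing_flows(BEFORE))   # ['RADIUS CoA']
    print("after: ", missing_flows(AFTER))    # []
```

The same check extends naturally to the client side of CWA (client to ISE on the portal port) once the client subnets are known; the ports document Francesco links above lists the full set.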

Yes there was a firewall and I opened that port and see allows now in splunk. 

What specifics are you looking for about the configuration of the WLC and SSID?

Splunk doesn't show any denies at this point between ISE and the WLC, or between ISE and the client.

There are some ports to open on your firewall in order to make a full working ISE solution:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-1-1/installation_guide/ise_install_guide/ise_app_e-ports.html

I would like to have advanced tab configuration of your SSID and Security tab/Authentication and Authorization screenshots.

Thanks
Francesco

The screens on these tabs scroll, so they are difficult to screenshot. But the things that I changed were "Allow AAA Override" and "ISE NAC" for NAC state on the Advanced tab.

Security > AAA Servers is what I assume you mean; that is just the ISE server in the drop-down on ports 1812 and 1813. Nothing else was touched.

It connects to the SSID, I get an IP, and the sponsor portion works great. But after logging into the portal it looks like it's going to redirect, but then just brings up the guest portal again, and even if I open another browser or tab it goes to the same page, so it's almost like it's not authenticating me.

Ok. Did you try to force ISE to use the IP address? You can change it on the CWA authorization profile. When selecting CWA, you have a field named IP address.


Thanks
Francesco

DNS is working now. There wasn't an entry in DNS for the ISE server, so that's working. This really has me stumped, and Splunk isn't telling me anything is being blocked.

Ok, I think I have an idea of what's going on here, but not how to fix it. When I look at the RADIUS logs on ISE I see the success on the authorization profile called GUEST_REDIRECT... then the next log comes in (the one that has the error) and it's also using GUEST_REDIRECT... so that might explain why the web page keeps going back to the guest portal.
