
Sponsor Approved Guest Access

Steven Williams
Level 4

I have been at this all day and am struggling a bit. Does anyone have a very detailed doc on setting up sponsor-approved guest access with ISE 2.x and WLC code version 8.2.110.0?

I have gone through the process of setting up the portals to the best of my ability. I have my users authenticating with ISE with PEAP for corp wireless, so I know that works.

How do I tell WLC/ISE which SSID I am using for guest access? Also, should my client get an IP address and then be redirected?

I am getting this error on the WLC:

*apfReceiveTask: Jun 13 20:37:31.136: %APF-3-CLIENT_NO_ACCESS: apf_80211.c:4285 Authentication failed for client: c0:cc:f8:17:de:25. ACL override mismatch from AAA server.

And in splunk I am seeing this:

Jun 13 15:50:28 10.20.0.60 Jun 13 15:50:28 ise01 CISE_Passed_Authentications 0000157854 4 0 2016-06-13 15:50:28.428 -05:00 0006695154 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=90, Device IP Address=10.20.63.14, DestinationIPAddress=10.20.0.60, DestinationPort=1812, UserName=C0-CC-F8-17-DE-25, Protocol=Radius, RequestLatency=12, NetworkDeviceName=BNA-WLC2500-01, User-Name=c0ccf817de25, NAS-IP-Address=10.20.63.14, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, Calling-Station-ID=c0-cc-f8-17-de-25, NAS-Identifier=_GUEST, Acct-Session-Id=575f1c94/c0:cc:f8:17:de:25/23, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 142, cisco-av-pair=audit-session-id=0a143f0e0000000f575f1c94, Airespace-Wlan-Id=3, OriginalUserName=c0ccf817de25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false,

I cannot join the SSID from my iPhone... but it looks like it's trying. I assume an ACL is wrong or a policy is wrong. I think I'm struggling with the VLANs that are pushed to the clients.

Any help would be great, thanks.
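As an added example that is not part of the thread, the script below correlates the two log lines quoted above: it normalises the three MAC spellings the logs use (colon, dash and bare hex), parses the key=value attributes of the ISE CISE_Passed_Authentications event, and ties the WLC "ACL override mismatch" error back to the SSID, VLAN and WLAN id that ISE processed for that client, which points the operator at the authorization profile to check. The embedded ISE line is shortened to the attributes the script uses; the field names and values are those from the post.

```python
import re
from collections import defaultdict

# Log lines quoted in the post: a WLC APF error and the matching ISE event
# (the ISE line is shortened to the attributes used below).
WLC_LOG = ("*apfReceiveTask: Jun 13 20:37:31.136: %APF-3-CLIENT_NO_ACCESS: "
           "apf_80211.c:4285 Authentication failed for client: c0:cc:f8:17:de:25. "
           "ACL override mismatch from AAA server.")
ISE_LOG = ("Jun 13 15:50:28 10.20.0.60 Jun 13 15:50:28 ise01 CISE_Passed_Authentications "
           "0000157854 4 0 2016-06-13 15:50:28.428 -05:00 0006695154 5200 NOTICE "
           "Passed-Authentication: Authentication succeeded, ConfigVersionId=90, "
           "Device IP Address=10.20.63.14, UserName=C0-CC-F8-17-DE-25, Protocol=Radius, "
           "NetworkDeviceName=BNA-WLC2500-01, Service-Type=Call Check, "
           "Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, Calling-Station-ID=c0-cc-f8-17-de-25, "
           "Tunnel-Private-Group-ID=(tag=0) 142, Airespace-Wlan-Id=3, IsThirdPartyDeviceFlow=false,")

# Client MAC and the reason text that follows it in the WLC error.
WLC_RE = re.compile(r"%APF-3-CLIENT_NO_ACCESS: .*?client: ([0-9a-fA-F:]{17})\. (.*)$")

def norm_mac(raw):
    """Reduce c0:cc:f8:17:de:25 / C0-CC-F8-17-DE-25 / c0ccf817de25 to c0ccf817de25."""
    return re.sub(r"[^0-9a-f]", "", raw.lower())

def parse_ise_attrs(line):
    """Split the comma-separated key=value tail of an ISE syslog event into a dict."""
    attrs = {}
    for field in line.split(", "):
        if "=" in field:
            key, _, value = field.partition("=")
            attrs[key.strip()] = value.strip()
    return attrs

def correlate(wlc_lines, ise_lines):
    """Return one finding per WLC no-access error, enriched with the ISE events for that MAC."""
    by_mac = defaultdict(list)
    for line in ise_lines:
        if "CISE_Passed_Authentications" not in line:
            continue
        attrs = parse_ise_attrs(line)
        mac = norm_mac(attrs.get("Calling-Station-ID", ""))
        _, _, ssid = attrs.get("Called-Station-ID", "").partition(":")  # "<AP MAC>:<SSID>"
        vlan = re.search(r"(\d+)\s*$", attrs.get("Tunnel-Private-Group-ID", ""))  # "(tag=0) 142"
        by_mac[mac].append({"ssid": ssid, "vlan": vlan.group(1) if vlan else None,
                            "wlan_id": attrs.get("Airespace-Wlan-Id"),
                            "nad": attrs.get("NetworkDeviceName")})
    findings = []
    for line in wlc_lines:
        m = WLC_RE.search(line)
        if m:
            mac = norm_mac(m.group(1))
            for auth in by_mac.get(mac, [{}]):  # one finding even with no ISE match
                findings.append({"mac": mac, "reason": m.group(2), **auth})
    return findings

if __name__ == "__main__":
    for finding in correlate([WLC_LOG], [ISE_LOG]):
        print(finding)
```

A WLC error that pairs with an ISE Passed-Authentication for the same MAC, SSID and VLAN narrows the fault to the authorization result for that WLAN rather than to the authentication itself.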

37 Replies

Yes, this is the right rule; however, it needs to be moved before rule 4, which denies the whole 10.0.0.0/8 network.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

No change. It looks like the CoA is the issue, and I guess without that working I won't get any further. Support for CoA in the RADIUS server settings is enabled. I see the default port 1700 on the network device in ISE. I see port 1700 being accepted at the firewall... So this should work!

Could you send a screenshot of the RADIUS server configuration in the WLC (the detail page, please)?

Did you take a look on the WLC (Monitor > Clients) to see whether the ACL was pushed to authenticated clients? What's the result?

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

OK, good call!! The client wasn't getting the "INTERNET_ONLY" ACL. It was because the Airespace box in the authorization profile was not set up! WOW. Thanks for all your help!

You're very welcome


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Is it normal for the endpoint profile to be unknown?

Yes, it's based on probes.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I will just redo the guest rules in order to be more precise, but yours look good enough to make the distinction between an activated guest and someone who is looking to get redirected.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question