06-13-2016 01:52 PM - edited 03-10-2019 11:51 PM
I have been at this all day and am struggling a bit. Does anyone have a very detailed doc on setting up sponsor-approved Guest access with ISE 2.x and WLC code version 8.2.110.0?
I have gone through the process of setting up the portals to the best of my ability. I have my users authenticating with ISE with PEAP for corp wireless, so I know that works.
How do I tell WLC/ISE which SSID I am using for guest access? Also, should my client get an IP address and then be redirected?
I am getting this error on the WLC:
*apfReceiveTask: Jun 13 20:37:31.136: %APF-3-CLIENT_NO_ACCESS: apf_80211.c:4285 Authentication failed for client: c0:cc:f8:17:de:25. ACL override mismatch from AAA server.
And in splunk I am seeing this:
Jun 13 15:50:28 10.20.0.60 Jun 13 15:50:28 ise01 CISE_Passed_Authentications 0000157854 4 0 2016-06-13 15:50:28.428 -05:00 0006695154 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=90, Device IP Address=10.20.63.14, DestinationIPAddress=10.20.0.60, DestinationPort=1812, UserName=C0-CC-F8-17-DE-25, Protocol=Radius, RequestLatency=12, NetworkDeviceName=BNA-WLC2500-01, User-Name=c0ccf817de25, NAS-IP-Address=10.20.63.14, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, Calling-Station-ID=c0-cc-f8-17-de-25, NAS-Identifier=_GUEST, Acct-Session-Id=575f1c94/c0:cc:f8:17:de:25/23, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 142, cisco-av-pair=audit-session-id=0a143f0e0000000f575f1c94, Airespace-Wlan-Id=3, OriginalUserName=c0ccf817de25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false,
I cannot join the SSID from my iPhone... but it looks like it's trying. I assume an ACL is wrong or a policy is wrong. I think I am struggling with the VLANs that are pushed to the clients.
Any help would be great, thanks.
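A small check for the situation in this thread, added here as an example and not code from the post: it parses the key=value attribute list of an ISE CISE_Passed_Authentications line like the one above and reports whether any WLC ACL name (Airespace-ACL-Name, or url-redirect-acl inside a cisco-av-pair) came back for the guest SSID. The sample lines and the Response={...} block in them are constructed assumptions, since the line in the post is cut off before that point.

```python
from collections import defaultdict

# Constructed sample input: a shortened copy of the CISE_Passed_Authentications
# line from the post, plus an assumed Response={...} block (the post's line is
# truncated before that point) that carries no ACL attribute at all.
SAMPLE_NO_ACL = (
    "Jun 13 15:50:28 ise01 CISE_Passed_Authentications 0000157854 4 0 "
    "2016-06-13 15:50:28.428 -05:00 0006695154 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, ConfigVersionId=90, Device IP Address=10.20.63.14, "
    "UserName=C0-CC-F8-17-DE-25, Protocol=Radius, Service-Type=Call Check, "
    "Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, Calling-Station-ID=c0-cc-f8-17-de-25, "
    "NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Private-Group-ID=(tag=0) 142, "
    "cisco-av-pair=audit-session-id=0a143f0e0000000f575f1c94, Airespace-Wlan-Id=3, "
    "Response={Class=CACS:0a143f0e0000000f575f1c94:ise01/000000000/1; }"
)
# Same session, but with the Airespace ACL name filled in on the authorization profile.
SAMPLE_WITH_ACL = SAMPLE_NO_ACL.replace(
    "Response={", "Response={Airespace-ACL-Name=INTERNET_ONLY; "
)

def parse_ise_attributes(line):
    """Return {attribute: [values]} from the key=value list after the message text.
    Keys can repeat (cisco-av-pair) and a value can itself contain '='
    (cisco-av-pair=audit-session-id=...), so each item is split on its first '='.
    An assumed Response={a=b; c=d; } block is flattened into the same dict."""
    _, sep, body = line.partition("Authentication succeeded, ")
    attrs = defaultdict(list)
    for item in (body if sep else line).split(", "):
        key, eq, value = item.strip().partition("=")
        if not eq:
            continue
        if key == "Response" and value.startswith("{"):
            for inner in value.strip("{} ").split(";"):
                k, e, v = inner.strip().partition("=")
                if e:
                    attrs[k].append(v)
        else:
            attrs[key].append(value.rstrip(","))
    return dict(attrs)

def wlc_acl_names(attrs):
    """ACL names ISE handed to the WLC: Airespace-ACL-Name (the Airespace ACL box of
    the authorization profile) plus any url-redirect-acl carried in a cisco-av-pair."""
    names = list(attrs.get("Airespace-ACL-Name", []))
    for av in attrs.get("cisco-av-pair", []):
        k, _, v = av.partition("=")
        if k == "url-redirect-acl":
            names.append(v)
    return names

def audit_guest_session(line, guest_ssid="TEST_GUEST"):
    """Flag a guest-SSID authentication that succeeded in ISE but returned no ACL
    name: the client then never receives INTERNET_ONLY, as happened in the post."""
    attrs = parse_ise_attributes(line)
    ssid = attrs.get("Called-Station-ID", [""])[0].partition(":")[2]  # AP MAC ":" SSID
    mac = attrs.get("Calling-Station-ID", ["?"])[0]
    acls = wlc_acl_names(attrs)
    return {"mac": mac, "ssid": ssid, "acls": acls, "ok": ssid != guest_ssid or bool(acls)}
```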
06-17-2016 07:57 AM
Yes, this is the right rule; however, it needs to be moved before rule 4, which denies the whole 10.0.0.0/8 network.
06-17-2016 08:15 AM
No change. It looks like the CoA is the issue. And I guess without that working I won't get any further. Support for CoA in the RADIUS server settings is enabled. I see the default port 1700 on the network device in ISE. I see port 1700 being accepted at the firewall... So this should work!
06-17-2016 08:24 AM
Could you send a screenshot of the configuration of the RADIUS server in the WLC (the detail page, please)?
Did you take a look at the WLC monitor clients page to see if the ACL was pushed to authenticated clients? What's the result?
Thanks
06-17-2016 08:36 AM
OK, good call!! The client wasn't getting the "INTERNET_ONLY" ACL. It was because the Airespace box in the authorization profile was not set up! WOW. Thanks for all your help!
06-17-2016 08:45 AM
You're very welcome
06-17-2016 08:46 AM
Is it normal for the endpoint profile to be unknown?
06-17-2016 09:51 AM
Yes it's based on probes
06-16-2016 08:39 AM
I will just redo the guest rules in order to be more precise, but yours are looking good enough to make the distinction between an activated guest and someone who is looking to get redirected.