06-13-2016 01:52 PM - edited 03-10-2019 11:51 PM
I have been at this all day and am struggling a bit. Does anyone have a very detailed doc on setting up sponsor-approved Guest access with ISE 2.x and WLC code version 8.2.110.0?
I have gone through the process of setting up the portals to the best of my ability. I have my users authenticating with ISE with PEAP for corp wireless, so I know that works.
How do I tell WLC/ISE which SSID I am using for guest access? Also, should my client get an IP address and then be redirected?
I am getting this error on the WLC:
*apfReceiveTask: Jun 13 20:37:31.136: %APF-3-CLIENT_NO_ACCESS: apf_80211.c:4285 Authentication failed for client: c0:cc:f8:17:de:25. ACL override mismatch from AAA server.
And in splunk I am seeing this:
Jun 13 15:50:28 10.20.0.60 Jun 13 15:50:28 ise01 CISE_Passed_Authentications 0000157854 4 0 2016-06-13 15:50:28.428 -05:00 0006695154 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=90, Device IP Address=10.20.63.14, DestinationIPAddress=10.20.0.60, DestinationPort=1812, UserName=C0-CC-F8-17-DE-25, Protocol=Radius, RequestLatency=12, NetworkDeviceName=BNA-WLC2500-01, User-Name=c0ccf817de25, NAS-IP-Address=10.20.63.14, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, Calling-Station-ID=c0-cc-f8-17-de-25, NAS-Identifier=_GUEST, Acct-Session-Id=575f1c94/c0:cc:f8:17:de:25/23, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 142, cisco-av-pair=audit-session-id=0a143f0e0000000f575f1c94, Airespace-Wlan-Id=3, OriginalUserName=c0ccf817de25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false,
I cannot join the SSID from my iPhone... but it looks like it's trying. I assume an ACL is wrong or a policy is wrong. I think I'm struggling with the VLANs that are pushed to the clients.
Any help would be great, thanks.
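As an added example (not part of this thread), a small parser for the ISE Passed_Authentications record quoted above: it pulls out the SSID the WLC reported in Called-Station-ID, the WLAN id, the VLAN pushed back in Tunnel-Private-Group-ID, and whether the record is the initial MAB request or the post-portal re-authorization. The function names and the trimmed sample record are constructed for this example.

```python
import re

# Constructed sample: the attributes of the ISE Passed_Authentications record
# quoted in the post, trimmed to the fields this example inspects.
MAB_RECORD = (
    "Passed-Authentication: Authentication succeeded, ConfigVersionId=90, "
    "UserName=C0-CC-F8-17-DE-25, Protocol=Radius, Service-Type=Call Check, "
    "Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, Calling-Station-ID=c0-cc-f8-17-de-25, "
    "NAS-Identifier=_GUEST, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, "
    "Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 142, Airespace-Wlan-Id=3,"
)

def parse_ise_attributes(record):
    """Split an ISE syslog body into key=value attributes. Fields are separated
    by ', ', values may contain spaces and even '=' ('(tag=0) VLAN'), so only
    the first '=' of a field separates key from value."""
    attrs = {}
    for field in record.split(", "):
        field = field.strip().rstrip(",")
        if "=" in field:
            key, value = field.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs

def guest_flow_summary(record):
    """Pull out what the WLC told ISE about the session: which SSID/WLAN it came
    from, what VLAN ISE pushed back, and which stage of the CWA flow this is."""
    a = parse_ise_attributes(record)
    called = a.get("Called-Station-ID", "")
    # The WLC appends the SSID to Called-Station-ID after the radio MAC, so a
    # policy condition on 'Called-Station-ID ENDS_WITH :<ssid>' (or on
    # Airespace-Wlan-Id) is how ISE tells the guest SSID apart from corp.
    ssid = called.split(":", 1)[1] if ":" in called else None
    vlan = re.search(r"(\d+)\s*$", a.get("Tunnel-Private-Group-ID", ""))
    service = a.get("Service-Type", "")
    # 'Call Check' is the MAB request from the initial association (a redirect
    # is expected here); 'Authorize Only' is the CoA re-authorization after the
    # guest has logged in to the portal.
    stage = {"Call Check": "mab", "Authorize Only": "post-portal-reauth"}.get(service, "other")
    return {
        "client_mac": a.get("Calling-Station-ID"),
        "ssid": ssid,
        "wlan_id": int(a["Airespace-Wlan-Id"]) if "Airespace-Wlan-Id" in a else None,
        "vlan": int(vlan.group(1)) if vlan else None,
        "stage": stage,
        "user": a.get("UserName"),
    }
```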
06-16-2016 06:19 AM
Maybe a misconfiguration in the authorization rules. If you can send a screenshot, I can help tell you if this is correct.
06-16-2016 06:27 AM
This is what splunk is telling me:
Jun 16 08:20:50 10.20.0.60 Jun 16 08:20:50 bnapinfise01 CISE_Passed_Authentications 0000240113 4 0 2016-06-16 08:20:50.919 -05:00 0010003406 5236 NOTICE Passed-Authentication: Authorize-Only succeeded, ConfigVersionId=94, Device IP Address=10.20.63.14, DestinationIPAddress=10.20.0.60, DestinationPort=1812, UserName=swilliams, Protocol=Radius, RequestLatency=16, NetworkDeviceName=BNA-WLC2500-01, User-Name=c0ccf817de25, NAS-IP-Address=10.20.63.14, NAS-Port=1, Service-Type=Authorize Only, Framed-MTU=1300, Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, Calling-Station-ID=c0-cc-f8-17-de-25, NAS-Identifier=_GUEST, Acct-Session-Id=5762a6f1/c0:cc:f8:17:de:25/60, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 142, cisco-av-pair=audit-session-id=0a143f0e000000305762a6f1, Airespace-Wlan-Id=3, OriginalUserName=c0ccf817de25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false,
06-16-2016 08:11 AM
I can't say a lot because I don't see exactly the conditions they are referring to.
However, the rule with guest_access must come before the rule giving the redirect, because you want authenticated users to get access instead of getting a redirect again.
06-16-2016 08:26 AM
06-16-2016 08:32 AM
Now it looks correct. Does it work?
06-16-2016 08:58 AM
No, it still doesn't work. But something did change. After the login is successful, the client doesn't redirect to the guest portal again; it just fails and the internet doesn't work. Then if I open a browser again, the guest page comes up again. So it looks like the redirect loop is solved.
06-16-2016 09:00 AM
Jun 16 10:15:51 10.51.100.42 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.60/8443 to 10.20.42.51/49875 flags SYN ACK on interface YELLOW_PROD
Jun 16 10:15:44 10.51.100.42 %ASA-6-302014: Teardown TCP connection 850199114 for GREEN_PROD:10.20.42.51/49875 to YELLOW_PROD:10.20.0.60/8443 duration 0:00:30 bytes 0 SYN Timeout
Jun 16 10:15:28 10.51.100.42 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.60/8443 to 10.20.42.51/49874 flags SYN ACK on interface YELLOW_PROD
Jun 16 10:15:21 10.51.100.42 %ASA-6-302014: Teardown TCP connection 850196026 for GREEN_PROD:10.20.42.51/49874 to YELLOW_PROD:10.20.0.60/8443 duration 0:00:30 bytes 0 SYN Timeout
Jun 16 10:15:14 10.51.100.42 %ASA-6-302013: Built inbound TCP connection 850199114 for GREEN_PROD:10.20.42.51/49875 (10.20.42.51/49875) to YELLOW_PROD:10.20.0.60/8443 (10.20.0.60/8443)
Jun 16 10:15:05 10.51.100.42 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.60/8443 to 10.20.42.51/49873 flags SYN ACK on interface YELLOW_PROD
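As an added example (not part of this thread), detection logic run over the ASA lines above: it correlates the 302013 build, the 302014 teardown and the 106015 deny messages per client socket and reports handshakes to the portal port that never completed, i.e. the SYN built a connection that was torn down as a SYN Timeout with 0 bytes, and the server's SYN ACK later arrived with no matching connection state. The function name and the trimmed sample list are constructed for this example.

```python
import re

# Constructed sample: four of the ASA syslog lines quoted in the post above.
ASA_LINES = [
    "Jun 16 10:15:05 10.51.100.42 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.60/8443 to 10.20.42.51/49873 flags SYN ACK on interface YELLOW_PROD",
    "Jun 16 10:15:14 10.51.100.42 %ASA-6-302013: Built inbound TCP connection 850199114 for GREEN_PROD:10.20.42.51/49875 (10.20.42.51/49875) to YELLOW_PROD:10.20.0.60/8443 (10.20.0.60/8443)",
    "Jun 16 10:15:44 10.51.100.42 %ASA-6-302014: Teardown TCP connection 850199114 for GREEN_PROD:10.20.42.51/49875 to YELLOW_PROD:10.20.0.60/8443 duration 0:00:30 bytes 0 SYN Timeout",
    "Jun 16 10:15:51 10.51.100.42 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.60/8443 to 10.20.42.51/49875 flags SYN ACK on interface YELLOW_PROD",
]

# ASA message ids: 302013 = connection built, 302014 = teardown, 106015 = deny (no connection).
BUILT = re.compile(r"%ASA-6-302013: Built inbound TCP connection \d+ for \w+:([\d.]+)/(\d+) \S+ to \w+:([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection \d+ for \w+:([\d.]+)/(\d+) to \w+:([\d.]+)/(\d+) .*bytes (\d+) (.*)$")
DENY_SYNACK = re.compile(r"%ASA-6-106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) flags SYN ACK")

def find_failed_handshakes(lines, server_port="8443"):
    """Group the three message types by (client ip, client port, server ip) and
    return which handshakes to server_port timed out, which SYN ACKs arrived
    with no connection state, and the sockets that show both symptoms."""
    built, timed_out, stray = set(), set(), set()
    for line in lines:
        m = BUILT.search(line)
        if m:
            c, cp, s, sp = m.groups()
            if sp == server_port:
                built.add((c, cp, s))
            continue
        m = TEARDOWN.search(line)
        if m:
            c, cp, s, sp, nbytes, reason = m.groups()
            # 0 bytes plus SYN Timeout: the SYN left, nothing ever came back in time.
            if sp == server_port and nbytes == "0" and reason.strip() == "SYN Timeout":
                timed_out.add((c, cp, s))
            continue
        m = DENY_SYNACK.search(line)
        if m:
            # In the deny message the portal is the source; flip it to the client-keyed tuple.
            s, sp, c, cp = m.groups()
            if sp == server_port:
                stray.add((c, cp, s))
    return {
        "built": sorted(built),
        "syn_timeout": sorted(timed_out),
        "late_synack_no_state": sorted(stray),
        "confirmed_both": sorted(timed_out & stray),
    }
```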
06-16-2016 09:02 AM
The client and ISE are trying to communicate over port 8443? Why is the client trying to reach into ISE for this? I can't create a rule in the firewall that states allow ISE on 8443 to any destination....
06-16-2016 10:34 AM
Hi,
I'm in meetings all day and I'll have a look this evening.
However, to answer your question about port 8443: this is the standard ISE port for the Guest, Sponsor and device portals.
06-16-2016 01:44 PM
Ok, I read your last posts. We are moving to the next step.
When the user is authenticated, do you see on ISE that it's pushing the right authorization profile?
On the WLC, do you see the right ACL placed for this particular guest?
Could you drop a screenshot of your ACL internet-only?
06-16-2016 02:02 PM
06-16-2016 02:55 PM
06-17-2016 06:05 AM
Fixed that; it was because when you create the rule it's automatically set to deny, so I always forget that. Everything else seems to be ok though, no?
06-17-2016 06:31 AM
I don't know your exact design. However, I would add a permit for the next hop (gateway IP of the guest VLAN) as inbound.
06-17-2016 07:37 AM
The guest VLAN is 142 (10.20.42.0), so wouldn't the last rule accomplish this?
Also, from the client I can ping the controller IP but not the SVI.