Sponsor Approved Guest Access

Steven Williams
Level 4

I have been at this all day and am struggling a bit. Does anyone have a very detailed doc on setting up sponsor-approved Guest access with ISE 2.x and WLC code version 8.2.110.0?

I have gone through the process of setting up the portals to best of my ability. I have my users authenticating with ISE with PEAP for corp wireless so I know that works.

How do I tell WLC/ISE which SSID I am using for guest access? Also, should my client get an IP address and then be redirected?

I am getting this error on the WLC:

*apfReceiveTask: Jun 13 20:37:31.136: %APF-3-CLIENT_NO_ACCESS: apf_80211.c:4285 Authentication failed for client: c0:cc:f8:17:de:25. ACL override mismatch from AAA server.

And in splunk I am seeing this:

Jun 13 15:50:28 10.20.0.60 Jun 13 15:50:28 ise01 CISE_Passed_Authentications 0000157854 4 0 2016-06-13 15:50:28.428 -05:00 0006695154 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=90, Device IP Address=10.20.63.14, DestinationIPAddress=10.20.0.60, DestinationPort=1812, UserName=C0-CC-F8-17-DE-25, Protocol=Radius, RequestLatency=12, NetworkDeviceName=BNA-WLC2500-01, User-Name=c0ccf817de25, NAS-IP-Address=10.20.63.14, NAS-Port=1, Service-Type=Call Check, Framed-MTU=1300, Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, Calling-Station-ID=c0-cc-f8-17-de-25, NAS-Identifier=_GUEST, Acct-Session-Id=575f1c94/c0:cc:f8:17:de:25/23, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 142, cisco-av-pair=audit-session-id=0a143f0e0000000f575f1c94, Airespace-Wlan-Id=3, OriginalUserName=c0ccf817de25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false,

I cannot join the SSID from my iPhone... but it looks like it's trying. I assume an ACL is wrong or a policy is wrong. I think I'm struggling with the VLANs that are pushed to the clients.

Any help would be great, thanks.
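On the SSID question: the WLC tells ISE which WLAN a client is on through the RADIUS Called-Station-ID (radio MAC followed by the SSID, `...:TEST_GUEST` in the log above) and Airespace-Wlan-Id, which is what an ISE policy condition on the guest WLAN keys on. As an added example (not from this thread or from Cisco), this Python parser pulls those fields and the pushed VLAN out of a constructed excerpt of the Splunk line above and flags a session whose SSID or VLAN is not the expected guest one:

```python
import re

# Constructed excerpt modelled on the CISE_Passed_Authentications line quoted above
SAMPLE = (
    "Jun 13 15:50:28 ise01 CISE_Passed_Authentications 0000157854 4 0 2016-06-13 "
    "15:50:28.428 -05:00 0006695154 5200 NOTICE Passed-Authentication: Authentication "
    "succeeded, UserName=C0-CC-F8-17-DE-25, Protocol=Radius, Service-Type=Call Check, "
    "Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, Calling-Station-ID=c0-cc-f8-17-de-25, "
    "NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, "
    "Tunnel-Private-Group-ID=(tag=0) 142, cisco-av-pair=audit-session-id=0a143f0e0000000f575f1c94, "
    "Airespace-Wlan-Id=3,"
)

def parse_ise_event(line):
    """Return the RADIUS attributes of a CISE_* syslog line as a dict (plus 'Message')."""
    _, sep, body = line.partition("NOTICE ")
    if not sep:
        raise ValueError("not an ISE NOTICE line")
    attrs = {}
    for item in filter(None, (p.strip() for p in body.partition(": ")[2].split(","))):
        key, eq, val = item.partition("=")  # only the first '=' separates key and value
        if eq:
            attrs[key] = val
        else:
            attrs.setdefault("Message", item)  # e.g. 'Authentication succeeded'
    return attrs

def radius_value(val):
    """Drop the '(tag=N) ' prefix ISE prints on tagged tunnel attributes."""
    return re.sub(r"^\(tag=\d+\)\s*", "", val)

def guest_session_summary(line):
    a = parse_ise_event(line)
    csid = a.get("Called-Station-ID", "")
    return {
        "client_mac": a.get("Calling-Station-ID"),
        "ssid": csid.rpartition(":")[2] if ":" in csid else None,  # WLC appends SSID to radio MAC
        "wlan_id": a.get("Airespace-Wlan-Id"),
        "vlan": radius_value(a.get("Tunnel-Private-Group-ID", "")) or None,
        "mab": a.get("Service-Type") == "Call Check",  # MAB phase of CWA, before portal login
    }

def check_guest_session(summary, expected_ssid, expected_vlan):
    """List what a defender would want flagged about a guest session."""
    findings = []
    if summary["ssid"] != expected_ssid:
        findings.append(f"SSID {summary['ssid']!r} is not the guest SSID {expected_ssid!r}")
    if summary["vlan"] != expected_vlan:
        findings.append(f"VLAN {summary['vlan']!r} is not the expected guest VLAN {expected_vlan!r}")
    return findings
```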

37 Replies

Maybe a misconfiguration on the authorization rules. If you can send a screenshot I can help tell you if this is correct.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

This is what splunk is telling me:

Jun 16 08:20:50 10.20.0.60 Jun 16 08:20:50 bnapinfise01 CISE_Passed_Authentications 0000240113 4 0 2016-06-16 08:20:50.919 -05:00 0010003406 5236 NOTICE Passed-Authentication: Authorize-Only succeeded, ConfigVersionId=94, Device IP Address=10.20.63.14, DestinationIPAddress=10.20.0.60, DestinationPort=1812, UserName=swilliams, Protocol=Radius, RequestLatency=16, NetworkDeviceName=BNA-WLC2500-01, User-Name=c0ccf817de25, NAS-IP-Address=10.20.63.14, NAS-Port=1, Service-Type=Authorize Only, Framed-MTU=1300, Called-Station-ID=d8-b1-90-08-87-b0:TEST_GUEST, Calling-Station-ID=c0-cc-f8-17-de-25, NAS-Identifier=_GUEST, Acct-Session-Id=5762a6f1/c0:cc:f8:17:de:25/60, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 142, cisco-av-pair=audit-session-id=0a143f0e000000305762a6f1, Airespace-Wlan-Id=3, OriginalUserName=c0ccf817de25, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=8ade1f15-aef1-4a9a-8158-d02e835179db, IsThirdPartyDeviceFlow=false,

I can't say a lot because I don't see exactly the conditions they are referring to.

However, the rule with guest_access must come before the rule giving the redirect, because you want authenticated users to get access instead of getting a redirect again.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Correct, and I just fixed that. Also, I have two ACLs on the controller now: one for internet only and one for ISE communication.

Here is what I have gathered.

Now it looks correct. Does it work?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

No, it still doesn't work. But something did change. After the login is successful, the client doesn't get redirected to the guest portal again; it just fails and the internet doesn't work. Then if I open a browser again the guest page comes up again, so it looks like the redirect loop is solved.

Jun 16 10:15:51 10.51.100.42 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.60/8443 to 10.20.42.51/49875 flags SYN ACK on interface YELLOW_PROD
Jun 16 10:15:44 10.51.100.42 %ASA-6-302014: Teardown TCP connection 850199114 for GREEN_PROD:10.20.42.51/49875 to YELLOW_PROD:10.20.0.60/8443 duration 0:00:30 bytes 0 SYN Timeout
Jun 16 10:15:28 10.51.100.42 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.60/8443 to 10.20.42.51/49874 flags SYN ACK on interface YELLOW_PROD
Jun 16 10:15:21 10.51.100.42 %ASA-6-302014: Teardown TCP connection 850196026 for GREEN_PROD:10.20.42.51/49874 to YELLOW_PROD:10.20.0.60/8443 duration 0:00:30 bytes 0 SYN Timeout
Jun 16 10:15:14 10.51.100.42 %ASA-6-302013: Built inbound TCP connection 850199114 for GREEN_PROD:10.20.42.51/49875 (10.20.42.51/49875) to YELLOW_PROD:10.20.0.60/8443 (10.20.0.60/8443)
Jun 16 10:15:05 10.51.100.42 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.60/8443 to 10.20.42.51/49873 flags SYN ACK on interface YELLOW_PROD

The client and ISE are trying to communicate over port 8443? Why is the client trying to reach into ISE for this? I can't create a rule in the firewall that states allow ISE on 8443 to any destination....
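Read per flow, those ASA events show the pattern a firewall admin would want flagged for the portal port: a 302013 Built for the client's SYN, a 302014 Teardown after the 30-second SYN Timeout with zero bytes, and then a 106015 Deny because the SYN/ACK from 10.20.0.60/8443 only arrives after the connection state is gone. As an added example (not from the thread or from Cisco), this Python script groups the lines posted above by flow and reports every 8443 flow that shows that sequence:

```python
import re
from collections import defaultdict

# Constructed from the ASA syslog lines posted above (same IPs, ports and timestamps)
ASA_LOG = """\
Jun 16 10:15:05 10.51.100.42 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.60/8443 to 10.20.42.51/49873 flags SYN ACK on interface YELLOW_PROD
Jun 16 10:15:14 10.51.100.42 %ASA-6-302013: Built inbound TCP connection 850199114 for GREEN_PROD:10.20.42.51/49875 (10.20.42.51/49875) to YELLOW_PROD:10.20.0.60/8443 (10.20.0.60/8443)
Jun 16 10:15:21 10.51.100.42 %ASA-6-302014: Teardown TCP connection 850196026 for GREEN_PROD:10.20.42.51/49874 to YELLOW_PROD:10.20.0.60/8443 duration 0:00:30 bytes 0 SYN Timeout
Jun 16 10:15:28 10.51.100.42 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.60/8443 to 10.20.42.51/49874 flags SYN ACK on interface YELLOW_PROD
Jun 16 10:15:44 10.51.100.42 %ASA-6-302014: Teardown TCP connection 850199114 for GREEN_PROD:10.20.42.51/49875 to YELLOW_PROD:10.20.0.60/8443 duration 0:00:30 bytes 0 SYN Timeout
Jun 16 10:15:51 10.51.100.42 %ASA-6-106015: Deny TCP (no connection) from 10.20.0.60/8443 to 10.20.42.51/49875 flags SYN ACK on interface YELLOW_PROD
"""

BUILT = re.compile(r"%ASA-6-302013: Built \w+ TCP connection \d+ for \w+:([\d.]+)/(\d+) \(\S+\) to \w+:([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection \d+ for \w+:([\d.]+)/(\d+) to \w+:([\d.]+)/(\d+) duration \S+ bytes \d+ (.*)$")
DENY = re.compile(r"%ASA-6-106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) flags (.+?) on interface")

def flow_events(log_text):
    """Group ASA events by (client_ip, client_port, server_ip, server_port) in log order."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        ts = line[:15]  # 'Jun 16 10:15:05'
        if m := BUILT.search(line):
            flows[(m[1], m[2], m[3], m[4])].append((ts, "built"))
        elif m := TEARDOWN.search(line):
            flows[(m[1], m[2], m[3], m[4])].append((ts, "teardown:" + m[5]))
        elif m := DENY.search(line):
            # a Deny names the sender first, so here the server is m[1]/m[2]
            flows[(m[3], m[4], m[1], m[2])].append((ts, "deny:" + m[5]))
    return flows

def portal_handshake_failures(log_text, portal_port=8443):
    """Flag portal flows whose SYN timed out and whose SYN/ACK then hit a stateless Deny."""
    findings = []
    for (client, cport, server, sport), events in flow_events(log_text).items():
        timed_out = [t for t, k in events if k == "teardown:SYN Timeout"]
        denied = [t for t, k in events if k.startswith("deny:SYN ACK")]
        if int(sport) == portal_port and timed_out and denied:
            findings.append(f"{client}:{cport} -> {server}:{sport}: SYN timed out at "
                            f"{timed_out[0]}, SYN/ACK denied at {denied[-1]}")
    return findings
```

A flow that only shows the Deny (port 49873 here) is not reported, because the Built and Teardown for it fall outside the excerpt.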

Hi,

I'm in meetings all day and I'll have a look this evening.

However, to answer your question about port 8443: this is the standard ISE port for the Guest, Sponsor and device portals.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

OK, I read your last posts. We are moving to the next step.

When the user is authenticated, do you see on ISE that it's pushing the right authorization profile?

On the WLC, do you see the right ACL placed for this particular guest?

Could you drop a screenshot of your internet-only ACL?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Here is the internet-only ACL

Why are you denying DNS and DHCP?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Fixed that; it was because when you create the rule it's automatically set to deny, so I always forget that. Everything else seems to be OK though, no?

I don't know your exact design. However, I would add a permit for the next hop (gateway IP of the guest VLAN) as inbound.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The guest VLAN is 142 (10.20.42.0), so wouldn't the last rule accomplish this?

Also, from the client I can ping the controller IP but not the SVI.