Trying to help a customer who has a legacy Extreme wireless controller.
The MAB / Webauth setup doesn't work as expected with ISE.
ISE delivers guest credentials then authenticates correctly the guest user on the guest portal, but the end user's MAC isn't stored as expected into the device identity group.
Does the registration of the MAC dependent on the wireless controller ability to manage an audit-session-id or to support CoA ?
Any paper explaining the way ISE works with a third party switch / wireless controller for webauth ?
Lots of questions here
You’re trying to do this with LWA or CWA?
If you’re receiving the MAC address via MAB I would expect it to work. You see the MAC address on ISE?
RADIUS accounting packets are being sent to ISE?
Do you have the credentialed portal guest device registration setup to automatically register?
If doing CWA you will need COA to change state from webauth to permit access. Have you considered that there would be no support of that without COA? Perhaps it supports SNMP COA but not RADIUS?
If you’re trying CWA have you considered LWA (even though we won’t register the device)
What version of ISE? Perhaps with 2.1 there might be better integration for this scenario?
The problem lies in the fact the device MAC isn't stored in the End Point identity Registered device group, and the next MAB authentication request from the Extreme controller fails, so the user is redirected to the portal registration page again.
The TAC (#681330077) is a little bit lost and suggests it may be linked to the CoA missing capability.
However, I do not see any CoA issue there ; do you know if CoA success is mandatory to get the MAC stored in the Registered device group ?
I got word back from engineering that the registration doesn't depend on a successful CoA. I have asked for more info but it would be good to pursue through the TAC for further debug at this point. I will update if I have any more info
Is same setup working fine with a Cisco WLC?
Another comment from a team member