01-10-2022 10:37 AM
I have successfully configured wired MAB with redirect to an ISE Self-Registered Guest Portal. Along with the redirect ACL, I also send a 15 second reauthentication timeout. This way the user transitions to full network access quickly after registering a device.
However, I question whether such a low timeout value will be problematic with potentially hundreds of devices at a time that get stuck in the redirect state. Is there a best practice for reauthenticating MAB clients quickly while minimizing re-auth traffic?
Solved!
01-10-2022 12:01 PM
@neteng1 if you are doing wired guest, the user will stay in the redirection state until they've registered/authenticated to the guest portal. No need for a 15 sec reauthentication timer: once the user has successfully registered/authenticated in the guest portal, a Change of Authorisation (CoA) would be initiated and the user would be re-authorised again, this time against a different authorisation rule.
01-10-2022 11:21 AM
I question if such a low timeout value will be problematic with potentially hundreds of devices at a time that get stuck in redirect state.
This is where we design the system based on the device, so ISE can handle all this stuff. Ignoring best practice and security practice may have different side effects from a security and access point of view - this is my personal suggestion.
There is a best practice posted by Cisco:
There is a good presentation to help you:
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC-3416.pdf
01-10-2022 12:11 PM
Thank you. I think I have a problem with my CoA. I see the following error in the live logs. I'll have to troubleshoot.
Event 5417 Dynamic Authorization failed
Failure Reason 11213 No response received from Network Access Device after sending a Dynamic Authorization request
01-10-2022 12:16 PM
@neteng1 check your switch config and ensure the following is configured:
aaa server radius dynamic-author
 client <ise psn 1> server-key <shared secret>
 client <ise psn 2> server-key <shared secret>
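As an added illustration of the check in the reply above (this script is not from the thread, ISE, or Cisco), the following Python audits an IOS running-config for the `aaa server radius dynamic-author` block and confirms that every ISE PSN expected to send CoA is listed as a client with a server-key. The config text, hostnames and IP addresses are constructed placeholders; the expected PSN list is an assumption supplied by the caller. It also honours a block-level `server-key` as the fallback for clients that have none, which IOS supports.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config fragment (not taken from the thread).
# 10.0.0.11 / 10.0.0.12 stand in for the two ISE PSNs; 10.0.0.13 is a stale
# entry left behind on purpose so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname access-sw-01
!
aaa new-model
!
aaa server radius dynamic-author
 client 10.0.0.11 server-key 7 0822455D0A16
 client 10.0.0.12
 client 10.0.0.13 server-key 7 0822455D0A16
!
radius server ISE-PSN-1
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key 7 0822455D0A16
!
"""

# "client <ip> [server-key [0|6|7] <key>]" as seen under the dynamic-author block
CLIENT_RE = re.compile(r"^client\s+(\S+)(?:\s+server-key\s+(?:[067]\s+)?(\S+))?")
BLOCK_KEY_RE = re.compile(r"^server-key\s+(?:[067]\s+)?(\S+)")


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level IOS config line to its indented child lines."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' terminates the current section
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit_dynamic_author(config: str, expected_psns: List[str]) -> Dict[str, List[str]]:
    """Report PSNs missing from the CoA client list, clients with no usable key,
    and client entries that are not one of the expected PSNs."""
    report: Dict[str, List[str]] = {
        "missing_block": [],
        "missing_clients": [],
        "clients_without_key": [],
        "unexpected_clients": [],
    }
    children = parse_blocks(config).get("aaa server radius dynamic-author")
    if children is None:
        # No block at all: the NAD will silently drop every CoA it receives.
        report["missing_block"].append("aaa server radius dynamic-author")
        report["missing_clients"].extend(expected_psns)
        return report

    block_key = next((m.group(1) for line in children
                      if (m := BLOCK_KEY_RE.match(line))), None)
    seen: Dict[str, Optional[str]] = {}
    for line in children:
        m = CLIENT_RE.match(line)
        if m:
            seen[m.group(1)] = m.group(2) or block_key

    for psn in expected_psns:
        if psn not in seen:
            report["missing_clients"].append(psn)
        elif seen[psn] is None:
            report["clients_without_key"].append(psn)
    report["unexpected_clients"].extend(ip for ip in seen if ip not in expected_psns)
    return report


if __name__ == "__main__":
    # Assumed PSN list; 10.0.0.14 is deliberately absent from the sample config.
    for finding, items in audit_dynamic_author(
            SAMPLE_CONFIG, ["10.0.0.11", "10.0.0.12", "10.0.0.14"]).items():
        print(f"{finding}: {items}")
```

Run it against `show running-config | section dynamic-author` output from the switch; an entry in `missing_clients` or `clients_without_key` for a PSN is a direct cause of ISE failure reason 11213, since the switch will not answer a CoA from a source it does not recognise or cannot authenticate. CoA arriving from a different source address than the one listed (for example a load balancer in the path) produces the same symptom, which this static check cannot see.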
01-10-2022 01:20 PM
I did have that config entered. I found out my problem was an F5 rule, working as expected now. Thanks for your help.