Wireless LWA and ISE - unable to get past AUP

Brian Schultz
Level 4

I have a very strange issue with wireless WebAuth where the users get redirected successfully to the WebAuth page and can enter their credentials, but once they accept the AUP they get redirected right back to the login page.  ISE 1.1 and WLC 7.0.235.0. 

On my WLAN, I have L3 web policy Authentication enabled, an ACL-WEBAUTH-REDIRECT preauth ACL, AAA override and external URL redirect to my local policy service node with the following syntax - https://<server FQDN>:8443/guestportal/Login.action

On ISE, my default authorization policy is WebAuth and I have another policy above that to identify my Guest identity group to be given InternetOnly permissions. 

The same results occur for internal guest user identities and sponsor-created guest identities.  From Operations > Authentications, I see the successful authentication of the guest account, but it is not applying the authorization profile.  When I view the client in the WLC, I see the state is WEBAUTH_REQD.  It appears the redirect is maybe not attaching a session ID to the end users.  I tried from several different devices and got the same results.  I also tried to build a wired CWA and am having the same results there.  The user always gets redirected to the WebAuth page and can log in, but acceptance of the AUP just brings the user back to the login page in an endless loop.

I feel like I am missing something simple here.  Anyone have any ideas?

Thanks,

Brian

3 Replies

edondurguti
Level 4

Are you using a proxy for users?

Try excluding the ISE server from the proxy on the machine.

I.e., in Internet Explorer, where you configure the proxy, just exclude the ISE server from being proxied.

Hope to help.

jwmolenaar
Level 1

Hi Brian,

I have a TAC case open for almost the same issue. The current (temporary) solution is to add an authorization rule with the condition "Network Access:UseCase EQUALS Guest Flow". Any user authenticated by the ISE guest portal should hit this condition.

Hope that helps.

I have found that specifying the AAA server under the WLAN appears to fix the issue, although this configuration is not listed as a requirement in the TrustSec DIG 2.0.  The WLC had other AAA servers configured globally, and the session was likely defaulting the authentication request to one of those servers.  By statically defining the AAA server under the WLAN, we can ensure the authentication goes to the proper server.
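The WLAN configuration the thread converges on, written out as an added example rather than taken from the original post or from Cisco documentation: the ISE policy service node is defined as a RADIUS authentication server, bound explicitly to the guest WLAN so the WebAuth request cannot fall through to another globally configured AAA server, and the L3 web policy, pre-auth ACL, AAA override and external redirect URL from the original post are set on the same WLAN. WLC 7.x CLI syntax is assumed here; the WLAN ID 5, RADIUS server index 1, server IP 10.10.10.20, shared secret and FQDN ise-psn.example.com are placeholders, and the pre-auth ACL ACL-WEBAUTH-REDIRECT is assumed to exist already, as it does on the poster's controller.

```text
! --- Added example, not the original poster's configuration; values are placeholders ---
! 1. Define the ISE PSN as a RADIUS authentication server (index 1 assumed free).
config radius auth add 1 10.10.10.20 1812 ascii <shared-secret>
config radius auth enable 1

! 2. Take the guest WLAN (ID 5 assumed) down while changing its security settings.
config wlan disable 5

! 3. Bind the ISE server to the WLAN. This is the step the thread identifies as the fix:
!    without it the controller may send the WebAuth request to any global RADIUS server,
!    and the accept never carries the authorization profile for this session.
config wlan radius_server auth add 5 1

! 4. Apply the attributes ISE returns (VLAN, ACL) to the client session.
config wlan aaa-override enable 5

! 5. Layer 3 web policy with the pre-auth ACL that permits DNS and traffic to the PSN
!    before authentication (ACL-WEBAUTH-REDIRECT assumed to exist already).
config wlan security web-auth enable 5
config wlan security web-auth acl 5 ACL-WEBAUTH-REDIRECT

! 6. External WebAuth: redirect to the ISE guest portal on the PSN, same URL form as the post.
config wlan custom-web webauth-type external 5
config wlan custom-web ext-webauth-url https://ise-psn.example.com:8443/guestportal/Login.action 5

config wlan enable 5
save config

! --- Checks ---
! Confirm the WLAN lists server index 1 under "Radius Servers / Authentication".
show wlan 5
! A client stuck in the loop shows "Policy Manager State ... WEBAUTH_REQD";
! after the fix it should move to RUN once the AUP is accepted.
show client detail <client-mac>
```

The checks are the ones the thread itself uses: the WLAN's RADIUS server list must name the ISE node (rather than "global" only), and the client's Policy Manager State in `show client detail` is what distinguishes a session that never received its authorization result (WEBAUTH_REQD, the looping symptom) from a session that did (RUN).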