05-24-2012 10:00 AM - edited 03-10-2019 07:07 PM
I have a very strange issue with wireless WebAuth where the users get redirected successfully to the WebAuth page and can enter their credentials, but once they accept the AUP they get redirected right back to the login page. ISE 1.1 and WLC 7.0.235.0.
On my WLAN, I have L3 web policy Authentication enabled, an ACL-WEBAUTH-REDIRECT preauth ACL, AAA override and external URL redirect to my local policy service node with the following syntax - https://<server FQDN>:8443/guestportal/Login.action
On ISE, my default authorization policy is WebAuth and I have another policy above that to identify my Guest identity group to be given InternetOnly permissions.
Same results occur for internal guest user identity and sponsor guest identities. From Operations>Authentications, I see the successful authentication of the guest account, but it is not applying the authorization profile. When I view the client in the WLC, I see the state is WEBAUTH_REQD. It appears the redirect is maybe not attaching a session ID to the end users. Tried from several different devices and getting the same results. Also tried to build a wired CWA and am also having the same results. User always gets redirected to the webauth page and can log in, but acceptance of the AUP just brings the user back to the login page in an endless loop.
I feel like I am missing something simple here. Anyone have any ideas?
Thanks,
Brian
06-14-2012 08:25 AM
Are you using a proxy for users?
Try excluding the ISE server from the proxy on the machine,
i.e. in Internet Explorer, where you configure the proxy, just exclude the ISE server from being proxied.
Hope to help.
06-16-2012 12:42 PM
Hi Brian,
I have a TAC case opened for almost the same issue. The current (temp) solution is to add an authorization rule with condition "Network Access:UseCase EQUALS Guest Flow". Any user authenticated by the ISE guestportal should hit this condition.
Hope that helps.
06-19-2012 10:50 AM
I have found that specifying the AAA server under the WLAN appears to fix the issue, although this configuration is not listed as a requirement in the TrustSec DIG 2.0. The WLC had other AAA servers configured globally and the session was likely defaulting the authentication request to one of those servers. By statically defining the AAA server under the WLAN, we can ensure the authentication goes to the proper server.