cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1562
Views
0
Helpful
5
Replies

Cisco ISE CWA issue

Ali Bahnam
Level 1
Level 1

Good Day,

I have Cisco ISE 1.2 with Cisco 2960 NAD.

I configured the authorization for the employee successfully, but my issue is with the guest users the link is not redirected.

Please advise what I have put in the authentication policy default rule?? deny access ?

And on the switch I should put the guest connect to a specific ports or I have to configure specific VLAN in the authorization profile?

 

Appreciate your support,

1 Accepted Solution

Accepted Solutions

In your authorization policy you are giving your Wired-Guest the same result as Wired-Webauth.

First time through you don't know he's a guest so he hits Wired-Webauth and gets redirected. Second time through, you have him in guest flow, so you know he's an authenticated guest, he hits Wired-Guest, but you send him the same permissions "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed for instance.

View solution in original post

5 Replies 5

KiloBravo
Level 1
Level 1

it may be best if you give  an idea of the configuration you have on the NAD and the what your relevant authentication/authorization policies and profiles look like. Would be easier to see what the problem is. 

Hi,

Kindly find the attached Authentication and authorization details.

Regards,

Dear,

The problem that I'm facing is when the user without dot1x (Guest) connect to the switch the redirect link appear and I can do the self registration and when put the username and PW the ISE accept then but after it the ISE redirect me again to the client registration (I can't browse).

 

Your help is highly appreciated,

 

In your authorization policy you are giving your Wired-Guest the same result as Wired-Webauth.

First time through you don't know he's a guest so he hits Wired-Webauth and gets redirected. Second time through, you have him in guest flow, so you know he's an authenticated guest, he hits Wired-Guest, but you send him the same permissions "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed for instance.

Hi, 

We are also issue with CWA 

ISE ver- 1.4

Machine – windows 10

Phone – Avaya Phone

We are checking for machine auth then user auth 

Below the configuration 

switchport access vlan XX
switchport mode access
switchport voice vlan XX
ip access-group ISE-ALL in
authentication event fail action next-method
authentication event server dead action authorize vlan XX
authentication event server dead action authorize voic XX
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x mac-auth-bypass
dot1x timeout tx-period 2                                                                                                       dot1x max-reauth-req 1

I observed when we shut no shut the port. First user hits to CWA and then after phone authenticate and we do log-off login it goes as expected behavior ( First machine auth then user auth) 

Thanks in advnace

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: