Cisco ISE CWA issue

Good Day,

I have Cisco ISE 1.2 with Cisco 2960 NAD.

I configured the authorization for the employee successfully, but my issue is with the guest users: the link is not redirected.

Please advise: what do I have to put in the authentication policy default rule? Deny access?

And on the switch, should I connect the guests to specific ports, or do I have to configure a specific VLAN in the authorization profile?

Appreciate your support,

1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

In your authorization policy you are giving your Wired-Guest the same result as Wired-Webauth.

First time through you don't know he's a guest so he hits Wired-Webauth and gets redirected. Second time through, you have him in guest flow, so you know he's an authenticated guest, he hits Wired-Guest, but you send him the same permissions "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed for instance.

View solution in original post
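
The redirect loop described in the accepted solution, modelled as a first-match policy evaluation. This is an added example, not part of the original thread and not ISE code; the rule and profile names are the ones quoted in the post, while the rule conditions and the `guest_flow` session flag are simplifying assumptions.

```python
# Added illustration: simplified first-match authorization for wired CWA.
# Names (Wired-Guest, Wired-Webauth, Web_Auth, Guest_Allowed) are from the thread;
# the conditions and the guest_flow flag are assumptions made for this model.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Profile:
    name: str
    redirects: bool  # True if the profile sends the client to the guest portal

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[dict], bool]
    result: Profile

WEB_AUTH = Profile("Web_Auth", redirects=True)
GUEST_ALLOWED = Profile("Guest_Allowed", redirects=False)

def build_policy(guest_result: Profile) -> list:
    # Rules are evaluated top-down; the first matching rule wins.
    return [
        Rule("Wired-Guest", lambda s: s["guest_flow"], guest_result),
        Rule("Wired-Webauth", lambda s: True, WEB_AUTH),
    ]

def authorize(policy, session) -> Rule:
    for rule in policy:
        if rule.matches(session):
            return rule
    raise LookupError("no authorization rule matched")

def simulate_guest(policy, max_passes=4):
    session = {"guest_flow": False}  # first pass: not yet known to be a guest
    trace = []
    for _ in range(max_passes):
        rule = authorize(policy, session)
        trace.append((rule.name, rule.result.name))
        if not rule.result.redirects:
            return trace, "access granted"
        session["guest_flow"] = True  # portal login succeeded, session is re-evaluated
    return trace, "redirect loop"

if __name__ == "__main__":
    for label, result in (("as posted", WEB_AUTH), ("corrected", GUEST_ALLOWED)):
        print(label, simulate_guest(build_policy(result)))
```
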

5 REPLIES 5
Beginner

It may be best if you give an idea of the configuration you have on the NAD and what your relevant authentication/authorization policies and profiles look like. It would be easier to see what the problem is.

Beginner

Hi,

Kindly find the attached Authentication and authorization details.

Regards,

Beginner

Dear,

The problem that I'm facing is that when a user without dot1x (Guest) connects to the switch, the redirect link appears and I can do the self-registration, and when I put in the username and password the ISE accepts them, but after that the ISE redirects me again to the client registration (I can't browse).

Your help is highly appreciated,

Beginner

Hi,

We are also having an issue with CWA.

ISE ver- 1.4

Machine – windows 10

Phone – Avaya Phone

We are checking for machine auth then user auth 

Below is the configuration:

switchport access vlan XX
switchport mode access
switchport voice vlan XX
ip access-group ISE-ALL in
authentication event fail action next-method
authentication event server dead action authorize vlan XX
authentication event server dead action authorize voic XX
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x mac-auth-bypass
dot1x timeout tx-period 2
dot1x max-reauth-req 1

I observed that when we shut/no shut the port, the user first hits CWA, and then after the phone authenticates and we log off and log in, it goes to the expected behavior (first machine auth, then user auth).

Thanks in advance