Enthusiast

Cisco ISE Guest Authentication failed - No relevant Information

My set up is foreign-anchor with ISE PSN for Guest in the DMZ. Replication/Sync is ok between the Admin node and Policy node in the DMZ. ISE version is 2.4

 

I am able to self-register and the Sponsor approves. The Guest then gets an email, but is unable to log in, as the message says Authentication Failed. The problem is that not enough information is given as to what Identity Store ISE is checking.

I have pored through tons of captures and logs, yet found nothing. The only relevant information I got from a capture was a CoA-ACK from the Foreign WLC to the PSN, after the Dynamic Authorization from ISE, with Error 101 - Unknown(200).

 

I can see from the CWA that the right Guest Portal was presented during Self-registration and the portal has Guest_Portal_Sequence, which only contains Guest Users, Internal Endpoint and Internal users.

 

This is really baffling, as I have deployed Foreign-Anchor setup before in different organizations and never faced such issue.
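
The capture detail in the post above (a CoA response from the WLC carrying Error-Cause attribute 101 with value 200) is the sort of thing that has to be decoded by hand when the live log only says "Dynamic Authorization Succeeded". The following is an added example, not code from the original post or from Cisco: it parses a RADIUS dynamic-authorization packet, validates the length fields so a truncated capture is reported rather than misread, and maps the Error-Cause value to its RFC 5176 name. Value 200 sits in the 200-299 "successful completion" range, where only 201 and 202 are assigned, which is why a decoder labels it Unknown(200). The packets below are constructed sample data with a zeroed authenticator, not frames from the poster's capture.

```python
import struct

# RADIUS packet codes for accounting (RFC 2866) and dynamic authorization (RFC 5176)
CODES = {
    4: "Accounting-Request", 5: "Accounting-Response",
    40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
    43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK",
}

# Error-Cause attribute (type 101) values assigned by RFC 5176 section 3.5.
# 200-299 is the "successful completion" range; only 201 and 202 are assigned,
# so a value of 200 has no name and is reported as Unknown(200).
ERROR_CAUSE = 101
ERROR_CAUSE_NAMES = {
    201: "Residual Session Context Removed",
    202: "Invalid EAP Packet (Ignored)",
    401: "Unsupported Attribute",
    402: "Missing Attribute",
    403: "NAS Identification Mismatch",
    404: "Invalid Request",
    405: "Unsupported Service",
    406: "Unsupported Extension",
    407: "Invalid Attribute Value",
    501: "Administratively Prohibited",
    502: "Request Not Routable (Proxy)",
    503: "Session Context Not Found",
    504: "Session Context Not Removable",
    505: "Other Proxy Processing Error",
    506: "Resources Unavailable",
    507: "Request Initiated",
    508: "Multiple Session Selection Unsupported",
}


def parse_radius(pkt: bytes):
    """Split a RADIUS packet into (code name, identifier, [(attr type, value bytes), ...]).

    The packet Length field and every attribute length are checked so a truncated
    or padded capture raises ValueError instead of being silently misread.
    """
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError(f"Length field {length} inconsistent with {len(pkt)} bytes on the wire")
    attrs = []
    pos = 20  # attributes start after code, identifier, length and 16-byte authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has bad length {alen}")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return CODES.get(code, f"Unknown-Code({code})"), ident, attrs


def error_causes(pkt: bytes):
    """Return (code name, [(error-cause number, name), ...]) for each Error-Cause attribute present."""
    code, _ident, attrs = parse_radius(pkt)
    causes = []
    for atype, value in attrs:
        if atype == ERROR_CAUSE and len(value) == 4:
            number = struct.unpack("!I", value)[0]
            causes.append((number, ERROR_CAUSE_NAMES.get(number, f"Unknown({number})")))
    return code, causes


def is_well_formed(pkt: bytes) -> bool:
    """True when the packet parses without a length inconsistency."""
    try:
        parse_radius(pkt)
        return True
    except ValueError:
        return False


def build_packet(code: int, ident: int, attrs) -> bytes:
    """Assemble a RADIUS packet with a zeroed authenticator (constructed test data, not a real NAS response)."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body


# Constructed samples: a CoA-ACK carrying Error-Cause 200, as in the thread's capture,
# and a CoA-NAK carrying 503, which a NAS sends when it cannot find the session.
SAMPLE_COA_ACK = build_packet(44, 7, [(ERROR_CAUSE, struct.pack("!I", 200))])
SAMPLE_COA_NAK = build_packet(45, 8, [(ERROR_CAUSE, struct.pack("!I", 503))])
# The same CoA-ACK with its last byte cut off, as a truncated capture would be.
SAMPLE_TRUNCATED = SAMPLE_COA_ACK[:-1]

if __name__ == "__main__":
    for label, pkt in (("CoA-ACK", SAMPLE_COA_ACK), ("CoA-NAK", SAMPLE_COA_NAK)):
        print(label, error_causes(pkt))
    print("truncated sample parses:", is_well_formed(SAMPLE_TRUNCATED))
```

To use it on a real capture, export the UDP payload of the CoA-ACK (UDP port 3799 by default) from the sniffer and pass the bytes to `error_causes`. A CoA-ACK with Error-Cause 200 tells you the WLC accepted the reauthorization, so the failure described in the thread is not a NAS rejection; a CoA-NAK with 503 would mean the WLC no longer holds the session and is the case worth checking first in foreign-anchor setups.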

6 REPLIES
VIP Advisor

Re: Cisco ISE Guest Authentication failed - No relevant Information

Hi
Is this a new deployment? Did it work before?
Can you share the whole authentication log detail, please?
Have you checked that it's not a timezone issue? Check that the user is enabled under Manage Accounts and that your guest profile has the correct timezone.

If you want the logs to disclose the name of the user instead of showing INVALID:
go to Administration/Settings/Protocols/RADIUS and check the box "Disclose invalid username".

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Enthusiast

Re: Cisco ISE Guest Authentication failed - No relevant Information

Hi Francesco,

Thanks for the response. Most definitely, the timezone is not the problem, as the failure reason related to the timezone would be "Account not Active". This is a new deployment, and the Sponsor approves without issue, and the exact Sponsor portal is selected in the Guest Portal settings.

 

Which Authentication log do you want? The redirect (CWA) or the Dynamic Authorization?

 

The authentication log for the redirect doesn't show any error. The error occurs when the CoA from ISE is issued after the login attempt, even though the result summary shows that Dynamic Authorization Succeeded.

Enthusiast

Re: Cisco ISE Guest Authentication failed - No relevant Information

Hi Francesco,

 

I have enabled "Disclose invalid username", and yet the log still shows INVALID and Guest Type NON_GUEST. Attached are the redirect authentication steps and the guest login failure.

I have checked the firewall, and there's no dropped traffic either between the Foreign WLC and the PSN (hosting only the Guest Portal) or between the Admin Node and the PSN. I thought maybe it was something to do with replication, but the deployment list shows all nodes as green. The internal PSN that hosts the Sponsor portal shows the account that was approved.

If only the ISE logs were more robust, so as to point to which ID store is being checked or what INVALID username it sees, I'm sure I would be able to diagnose and fix this. As I mentioned earlier, the only anomaly I see in the packet capture between the Foreign WLC and the DMZ PSN is the Accounting Response from the Foreign WLC with Error-Cause: Unknown(200).

Also, the client MAC address doesn't show up in the Context Visibility list, but it does in the RADIUS Live Logs.

Cisco Employee

Re: Cisco ISE Guest Authentication failed - No relevant Information

Please also check the ISE prescriptive guide; if all else fails, work through TAC.

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475
Enthusiast

Re: Cisco ISE Guest Authentication failed - No relevant Information

Thanks Jason,

I've seen the guide before, and it's a wonderful piece. I have opened a case with TAC, and they have yet to figure out what the problem is; it has baffled them also. They've gone through the config of all devices, ISE and WLC, and confirmed that all looks good.

I have done CWA with ISE in many deployments in the past and never had a single issue, though this is the first where I have a PSN in the DMZ. I typically deploy a standalone node in the DMZ, but the firewall team in this case don't want it, as they wouldn't allow the Sponsor Portal in the DMZ, which would mean access to internal AD.

All the relevant ports between the PSN in the DMZ and the internal network devices (WLC and ISE) are allowed, and there isn't a single dropped packet in the firewall log.

Cisco Employee

Re: Cisco ISE Guest Authentication failed - No relevant Information

Thank you, then. Sorry, I wish I could help more; TAC is the route.