cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4109
Views
10
Helpful
9
Replies

Cisco ISE Guest Authentication failed - No relevant Information

grabonlee
Level 4
Level 4

My set up is foreign-anchor with ISE PSN for Guest in the DMZ. Replication/Sync is ok between the Admin node and Policy node in the DMZ. ISE version is 2.4

 

I am able to self-register and Sponsor approves. Guest then gets an Email, but is unable to login,as message says Authentication Failed. Problem is that not enough information is given as to what Identity Store ISE is checking. 

I have poured through tons of capture and logs, yet nothing to find. The only relevant information I got from a capture was a COAck from the Foreign WLC to PSN, after the Dynamic Authorization from ISE, with Error 101 - Unknown(200).

 

I can see from the CWA that the right Guest Portal was presented during Self-registration and the portal has Guest_Portal_Sequence, which only contains Guest Users, Internal Endpoint and Internal users.

 

This is really baffling, as I have deployed Foreign-Anchor setup before in different organizations and never faced such issue.

 

 

 

 

1 Accepted Solution

Accepted Solutions

CSCvr08083 is an enhancement request as ISE Guest services are not disclosing the username based on the configuration.

As Jason already said, this really needs TAC and, if needed, escalate to ISE ESC team.

Perhaps you took the wrong capture but the Redirect_Auth_Steps.JPG was on the MAC address and it returned Access-Accept. Also, you should be able to verify whether the guest user able to login at the test portal URL.

View solution in original post

9 Replies 9

Francesco Molino
VIP Alumni
VIP Alumni
Hi
Is this a new deployment? Did it worked before?
Can you share the whole authentication log detail please?
Have you checked it's not an issue related to timezone issue, check if the user is enabled within manage accounts and that your guest profile has the correct timezone.

If you want to disclose the name of the user instead of getting invalid:
Administration/Settings/Protocols/RADIUS and check the box Disclose invalid username

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thanks for the response. Most definitely, timezone is not the problem, as the failure reason related to Timezone would be "Account not Active". This is a new deployment and the Sponsor approves without issue, and the exact Sponsor portal is checked in the Guest Portal settings.

 

Which Authentication log do you want? The redirect (CWA) or the Dynamic Authorization?

 

The authentication log for the Redirect doesn't show any error. The error is when COA from ISE is issued after the login attempt, even though the result summary shows that Dynamic Authorization Succeeded.

Hi Francesco,

 

I have enabled "Disclose invalid username", and yet the log still shows INVALID and Guest Type NON_GUEST. Attached are the Redirect Authentication steps and the Guest Login failure. 

I have checked the firewall and there's no drop traffic either between the Foreign WLC and the PSN (hosting only the Guest Portal) or the Admin Node and the PSN. I thought maybe it's something to do with Replication, but the deployment list shows all nodes are Green. The Internal PSN that hosts the Sponsor portal shows the account that was approved.

 

If only the ISE logs were more robust as to point to what ID store is being checked or what INVALID username it sees, I'm sure I would be able to diagnose and fix. As I mentioned earlier, the only anomaly I see from the packet capture between the Foreign WLC and the DMZ PSN is the Accounting Response from the Foreign WLC with Error-Cause:Unknown(200)

Also, the client MAC_Address doesn't show up in the Context Visibility list, but in the Radius Live logs.

Jason Kunst
Cisco Employee
Cisco Employee
Please also check ISE prescriptive guide, if all else fails work through TAC

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

Thanks Jason,

I've seen the guide before and it's a wonderful piece. I have opened a case with TAC and they're yet to figure out what the problem is and it's baffled them also. They've gone through the config of all devices, ISE and WLC, and confirmed that all looks good. 

I have done CWA with ISE in many deployments in the past and never had a single issue, though this the first I would have a PSN in the DMZ. I typically deploy a standalone node in the DMZ, but the firewall team in this case don't want it, as they wouldn't allow the Sponsor Portal in the DMZ, which would mean access to Internal AD.

 

All the relevant ports between the PSN in the DMZ and the Internal Network Devices(WLC and ISE) are allowed and there isn't a single drop packet in the Firewall log

thank you then sorry wish i could help more, tac is the route

CSCvr08083 is an enhancement request as ISE Guest services are not disclosing the username based on the configuration.

As Jason already said, this really needs TAC and, if needed, escalate to ISE ESC team.

Perhaps you took the wrong capture but the Redirect_Auth_Steps.JPG was on the MAC address and it returned Access-Accept. Also, you should be able to verify whether the guest user able to login at the test portal URL.

Thanks Hslai,

I have already opened a TAC case and no resolution yet. I'll ask TAC to escalate to the ISE ESC team, as you suggested. Meanwhile, the Redirect_Auth_Steps.JPG capture is the CWA step and not the CoA, which failed.

 

Did you get fix from TAC? what was the issue? How did TAC fixed it? I am seeing same issue in ISE 3.0 Patch 4.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: