My setup is foreign-anchor with an ISE PSN for Guest in the DMZ. Replication/sync is OK between the Admin node and the Policy node in the DMZ. ISE version is 2.4.
I am able to self-register and the Sponsor approves. The Guest then gets an email, but is unable to log in, as the message says Authentication Failed. The problem is that not enough information is given as to what Identity Store ISE is checking.
I have pored through tons of captures and logs, yet found nothing. The only relevant information I got from a capture was a CoA-ACK from the Foreign WLC to the PSN, after the Dynamic Authorization from ISE, with Error 101 - Unknown(200).
I can see from the CWA that the right Guest Portal was presented during self-registration, and the portal has Guest_Portal_Sequence, which only contains Guest Users, Internal Endpoints and Internal Users.
This is really baffling, as I have deployed the Foreign-Anchor setup before in different organizations and never faced such an issue.
Thanks for the response. Most definitely, the timezone is not the problem, as the failure reason related to the timezone would be "Account not Active". This is a new deployment and the Sponsor approves without issue, and the exact Sponsor portal is checked in the Guest Portal settings.
Which Authentication log do you want? The redirect (CWA) or the Dynamic Authorization?
The authentication log for the Redirect doesn't show any error. The error is when the CoA from ISE is issued after the login attempt, even though the result summary shows that Dynamic Authorization Succeeded.
I have enabled "Disclose invalid username", and yet the log still shows INVALID and Guest Type NON_GUEST. Attached are the Redirect Authentication steps and the Guest Login failure.
I have checked the firewall and there's no dropped traffic either between the Foreign WLC and the PSN (hosting only the Guest Portal) or between the Admin Node and the PSN. I thought maybe it was something to do with replication, but the deployment list shows all nodes as Green. The internal PSN that hosts the Sponsor portal shows the account that was approved.
If only the ISE logs were more robust so as to point to what ID store is being checked or what INVALID username it sees, I'm sure I would be able to diagnose and fix it. As I mentioned earlier, the only anomaly I see in the packet capture between the Foreign WLC and the DMZ PSN is the Accounting Response from the Foreign WLC with Error-Cause: Unknown(200).
Also, the client MAC address doesn't show up in the Context Visibility list, but it does show in the RADIUS Live Logs.
I've seen the guide before and it's a wonderful piece. I have opened a case with TAC and they have yet to figure out what the problem is; it has baffled them also. They've gone through the config of all devices, ISE and WLC, and confirmed that all looks good.
I have done CWA with ISE in many deployments in the past and never had a single issue, though this is the first time I would have a PSN in the DMZ. I typically deploy a standalone node in the DMZ, but the firewall team in this case doesn't want it, as they wouldn't allow the Sponsor Portal in the DMZ, which would mean access to the internal AD.
All the relevant ports between the PSN in the DMZ and the internal network devices (WLC and ISE) are allowed, and there isn't a single dropped packet in the firewall log.