Beginner

ISE 1.4 Identity not seen but MAB passes

Hi Guys,


I've just built up an ISE v1.4 server and have successfully configured it to work with a WLC to provide both 802.1x auth for an internal WLAN and Central Web Auth for the Guest WLAN

The issue I have is that one of my test devices passes authentication as shown by the log, but never shows up in the internal endpoints identity store. Other devices authenticate and show up in the identity store, where I can delete them which forces the web auth process to run again. I just have the one device which seems to be in the identity store, but can't be seen and can't be deleted, which means that the device always passes wireless MAB and gets network access.

ISE is version 1.4 with the latest patch applied, WLCs are an 8510 Foreign controller and 5508 guest anchor, both running 8.0.120

Does anyone have any ideas? I assume the MAC address is in a database somewhere which needs to be cleaned up somehow, but I can't find any documentation on how to do this. ISE has been rebooted, but no change.

Thanks

James

Accepted Solutions
Rising star

Odd, it looks like ISE is finding the MAC in the endpoint store, which is where it should be; there are no other places where that MAC address should be found. You say that it's not in there, but is that client getting redirected to the guest login page? If so, can you log in with a guest account?

If it's not in there, you should be able to manually create it; if it's actually in there you should get some error message. Could you try that?

4 REPLIES
Rising star

Can you show us the authentication event in ISE that you believe is giving it access? Is the device that is causing the problem doing guest with CWA login, or PEAP/EAP-TLS?

Beginner

Here's the authentication steps from the ISE:

1001  Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15004 Matched rule - Wireless-WebAuth
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - 00:23:14:D0:46:98
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
15036 Evaluating Authorization Policy
15048 Queried PIP - EndPoints.LogicalProfile
15048 Queried PIP - Radius.Service-Type
15048 Queried PIP - Radius.NAS-Port-Type
15004 Matched rule - Guest Permit
15016 Selected Authorization Profile - Guest-CWA-Accept
11002 Returned RADIUS Access-Accept


The MAC address is correct, but when I go to Administration > Identities > Endpoints on the ISE I don't see the MAC address listed. I do see the MAC addresses for other devices, just not this one.
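
The step trace above can be checked mechanically for the symptom James describes: a MAB (host lookup) authentication that passes against Internal Endpoints for a MAC address the Endpoints page does not list. The Python below is an added example, not code from this thread or from Cisco ISE; the trace it parses is the one quoted above (step code fused to message text, as the detailed report renders it), and the list of "visible" endpoints is constructed for illustration.

```python
import re

# Constructed sample: the ISE 1.4 step trace quoted in this thread, step code fused to text.
SAMPLE_STEPS = """\
1001Received RADIUS Access-Request
11027Detected Host Lookup UseCase (Service-Type = Call Check (10))
15013Selected Identity Source - Internal Endpoints
24209Looking up Endpoint in Internal Endpoints IDStore - 00:23:14:D0:46:98
24211Found Endpoint in Internal Endpoints IDStore
22037Authentication Passed
15016Selected Authorization Profile - Guest-CWA-Accept
11002Returned RADIUS Access-Accept
"""
# Constructed: MACs an admin sees under Administration > Identities > Endpoints.
VISIBLE_ENDPOINTS = {"00:23:14:D0:46:99", "AA:BB:CC:00:11:22"}
STEP_RE = re.compile(r"^\s*(\d{4,5})\s*(.*?)\s*$")
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")

def parse_steps(text):
    """Split each trace line into (code, message); lines without a step code are skipped."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), m.group(2)))
    return steps

def summarize_mab(steps):
    """Pull the facts that matter for a MAB decision out of one trace."""
    msgs = dict(steps)  # last message per step code; repeated 15048 lines do not matter here
    mac = MAC_RE.search(msgs.get(24209, ""))
    return {
        "mab": 11027 in msgs,                       # host lookup use case detected
        "mac": mac.group(0).upper() if mac else None,
        "endpoint_found": 24211 in msgs,            # MAC found in Internal Endpoints
        "passed": 22037 in msgs and 11002 in msgs,  # auth passed and Access-Accept returned
        "authz_profile": msgs[15016].split(" - ", 1)[-1] if 15016 in msgs else None,
    }

def find_hidden_endpoints(traces, visible):
    """MACs that passed MAB out of Internal Endpoints yet are absent from the
    endpoint list the GUI shows: the mismatch described in this thread."""
    seen = {v.upper() for v in visible}
    hidden = []
    for trace in traces:
        s = summarize_mab(parse_steps(trace))
        if s["mab"] and s["endpoint_found"] and s["passed"] and s["mac"] and s["mac"] not in seen:
            hidden.append(s["mac"])
    return hidden
```

Feeding it several traces exported from Operations > Authentications gives a list of MACs to look for by hand (or to create manually, as the accepted answer suggests, to confirm whether the store already holds them).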


Beginner

Thanks for that.

I added the MAC address in manually. When I then looked in the identity store, it had populated the endpoint profile and IP address fields, which seems to indicate that it had retrieved some details from the identity store. I then deleted the identity, and now the client is being redirected to the web auth portal as it should.

Looks like it was a bit of a glitch somewhere in the endpoint database.