
ISE Guest CWA with Smart Phones

r.mohannad
Level 1

I've configured the Guest Web Authentication in the ISE and I've tested it, and everything is working fine. I got the redirect URL, I could authenticate, and then I got access. However, if I get the redirect URL and then disconnect from the guest SSID, connect to another SSID on the same WLC (not associated with the ISE), and then connect back to the guest SSID, I'm not getting the redirect URL.

I've checked the ISE and I noticed that the RADIUS session is not terminated if I disconnect from the SSID. I tried to add an attribute in the authorization profile to have a RADIUS idle timeout. It did work and the ISE initiates a new session ID, but the smartphone is not getting the URL.

Anyone have/had this issue?

10 Replies

Marcin Latosiewicz
Cisco Employee

For sake of clarity:

- You do not see the redirect URL sent when you do "show client det " on the WLC either?

- Do you have accounting on the WLC configured pointing to ISE for corresponding SSID?

- I assume you're running something fairly recent on ISE 1.1.x ?

Thanks Marcin for your reply.

I have ISE 1.1.3 with WLC 7.2. The accounting on the WLC is configured. I need to check the "show client det " command.

But I can see it in the GUI of WLC after I associate with guest SSID but without the redirect URL working. I guess the issue is that the RADIUS session is not terminated when I disconnect from the SSID


r.mohannad wrote:

I guess the issue is that the RADIUS session is not terminated when I disconnect from the SSID


Hence my question whether RADIUS accounting was configured (to ISE). :-)

There's really no reason to keep the RADIUS session up, it's just a short exchange. I guess you mean the authentication session?

I can try a similar session in the lab, but can't promise I will be able to do it in the next few days (with the holidays and whatnot).

M.

I can terminate the session manually by going to:

Operations > Reports > Catalog > Session Directory > RADIUS_Active_Sessions

When I did that, the smartphone is disconnected from the SSID, and then I connect it again and I get the redirect URL with no issue.

If you wanna try it in the lab, make sure you disconnect the guest SSID and connect to another SSID not associated to the ISE.

Thanks

OK that should not be needed. But do you or don't you have accounting configured on WLC?

M.

Yes it is configured in the WLC and pointed to the ISE.

I've done a test with CWA + open SSID and I don't see the problem. (iPod, latest SW update, pretty old HW)

My steps:

1) connected to CWA SSID and it asked me to register, provided my username and password to see if they are correct

2) disconnected (connected to openSSID) without registering.

3) Checked reachability over openSSID

4) reconnected to the CWA one.

5) Got redirected automatically.

Did I miss anything? Any more steps you've done?

M.

Thanks Marcin.

Actually we have an issue in step 5 where I could not be redirected. When you disconnected from CWA, was the RADIUS session in the ISE removed?

It is removed. I exported its details to CSV, can you do the same for the session that is "stuck"?

Naveen Kumar
Level 4

Please check the guide of Setting Up Cisco ISE in a Distributed Environment:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html