Hello,
i've configured ISE and WLC to use guestportal with CWA but there is a problem with CoA -- it doesn't want to apply airespace alc after auth at guestportal.
1. At authC page i've configured a wireless MAB to continue if user not found and to use a Internal users as a identity store.
2. At authZ page i've configured a WEBAUTH as a default rule with the following:
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
3. I've also configured this ACL at WLC to permit
permit dns and icmp any-any
permit any-to-ise-8443
permit ise-to-any
This part works fine because i able to redirect to guestportal and use my guest login&pw to authorize myself. The guest account was previously generated through sponsor portal and it's working too.
4. At authC page i've use a wireless dot1x to use Internal users
5. At authZ page i've use a "if internal users:Guest then GUEST permission" rule
6. GUEST rule looks like the following:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = GUEST_INTERNET_ONLY
7. This ACL is configured on the WLC permitting any except private networks (ISE is also permitted)
After guest portal auth i see a success message and i able to ping internet but i have no web access to it. It looks like CoA and Airespace acl are don't working and i keep using my ACL-WEBAUTH-REDIRECT access-list and i see a strange error messages in the WLC logs:
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".
I swear my ACL name spelling is correct and both ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC with their counters growing!
I don't have a point what issue it could be...
Any ideas?
P.S. see attach for Live authentication log
