Recently I decided to use ISE for my guest access instead of using the wireless controller feature, setting up a guest username and password to be distributed to our guest. I looked online for processes and procedures and found many how-tos on how to set up ISE for guest access. Many were with the wizard and very few manually. I went the manual way because the wizard was not available for me at the time, until I had upgraded to ISE 2.2 and then 2.3. I was able to set up a new guest SSID, configure the policy in ISE and test the portal. However, I am having difficulty with the ISE 2.3 Portal Guest Self Reg page not being displayed after being redirected. When I use a Windows endpoint or my iPad as a test, it starts out looking great and I will see the login screen for username and password, and then it fails. This is happening during the redirect from the user device. I am able to view the page from the test link in ISE: https://ip:8443/portal/PortalSetup.action?portal=450f3ad0-1caf-11e7-974e-64122537131e .
Any suggestions as to the possible cause?
Really appreciate any suggestion!
I would recommend checking two locations to start.
1- In ISE authentications, do you see the endpoint passing authentication and being delivered the next correct authorization profile? Always double-check the profile order, as the guest flow would hit the bottom auth-z policy, place the user in the correct endpoint identity group, deliver the profile, then move forward. See attached flow diagram for visual representation.
2- Check your WLC and the access list configuration to make sure they are correct. I would be more than happy to look via Webex or assist if you would like to PM me.
If I read your comments correctly, you are seeing the Portal page on the client. Is the portal rendered completely, and what exactly "fails" after that? Unable to login?
If the Portal doesn't appear, then it could be a multitude of things:
- DNS resolution of the client - is client able to resolve the FQDN in the redirect URL?
- Proxy configuration on client - if there is one, then it can get in the way of displaying the portal
- Load balancers - if the load balancer config is wrong, then you will go nowhere - you need to ensure session persistence to the SAME PSN that you sent the initial MAB auth to.
If the Portal is fine, but the logins are failing, then that's a whole other issue:
- Account created in the wrong time zone? Perhaps the account is not active yet.
- If the account is active but still failing, then check the Live Logs for clues - perhaps you are failing to send the CoA to the WLC.
Let us know how you get on :)
When I select the guest SSID, I am redirected to the self-registration page. I am getting page cannot be displayed; however, if I am connected via LAN and then select the SSID for the guest network, it will display the portal page. Do you have any idea what I could be doing wrong? I am working with Cisco TAC too.
Do you have a Pre-Auth ACL allowing DNS, DHCP and access to ISE?
If the client does not have an IP and is not able to resolve the ISE page and access it, it will not display.
Are you doing Central Web Auth or passthrough?
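The client-side checks raised in this thread (can the client resolve the FQDN in the redirect URL, and can it reach ISE on the portal port while still in the pre-auth state) can be run in order from a guest-SSID client. The following is an added example, not code from any poster or from Cisco; the function name `check_redirect` and its stage labels are hypothetical, and the `resolve`/`connect` parameters exist only so the logic can be exercised without a network.

```python
import socket
import sys
from urllib.parse import urlsplit


def check_redirect(url, resolve=socket.getaddrinfo,
                   connect=socket.create_connection, timeout=3.0):
    """Return (stage, detail): the first stage that fails, or ("ok", "ip:port")."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError as exc:  # e.g. a non-numeric port in the URL
        return ("bad_url", str(exc))
    if not host:
        return ("bad_url", "no host in redirect URL")
    if port is None:
        port = 443 if parts.scheme == "https" else 80

    # Stage 1: name resolution. A failure here points at DNS not being
    # permitted before authentication, or at a name the guest DNS cannot resolve.
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns_failed", f"{host}: {exc}")
    addrs = sorted({info[4][0] for info in infos})

    # Stage 2: TCP reachability of the portal port on each resolved address.
    # A timeout or refusal here points at the pre-auth ACL, a client proxy,
    # or routing between the guest network and ISE.
    errors = []
    for ip in addrs:
        try:
            connect((ip, port), timeout=timeout).close()
            return ("ok", f"{ip}:{port}")
        except OSError as exc:
            errors.append(f"{ip}:{port} {exc}")
    return ("tcp_failed", "; ".join(errors))


if __name__ == "__main__":
    # Usage: python check_redirect.py '<redirect URL copied from the client browser>'
    print(check_redirect(sys.argv[1]))
```

Running it once on the guest SSID and once from the LAN, with the same URL, shows which stage differs between the working and failing paths.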