We are at the initial phase of deploying ISE 1.2 in our environment for wireless guest users.
I have configured ISE and the WLC to talk to each other, which is working fine. An SSID with MAC filtering is also configured on the WLC, with an ACL only allowing ISE and DNS traffic.
I have configured the proper authentication and authorization policies on ISE. Now, when I try to connect my devices (a laptop and an Android mobile), I see the device get associated with the SSID (Demo) and get the right IP address from DHCP and the right VLAN from the WLC. The log process on ISE is as follows.
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
11027  Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049  Evaluating Policy Group
15008  Evaluating Service Selection Policy
15041  Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Source - Internal Endpoints
24210  Looking up User in Internal Users IDStore - B8:B4:2E:A6:7D:75
24216  The user is not found in the internal users identity store
24209  Looking up Endpoint in Internal Endpoints IDStore - B8:B4:2E:A6:7D:75
24211  Found Endpoint in Internal Endpoints IDStore
15036  Evaluating Authorization Policy
15004  Matched rule - Guest Redirection
15016  Selected Authorization Profile - Test_Profile
11002  Returned RADIUS Access-Accept
I also see a redirect URL in the detailed authentication logs. But the problem is that when I open the browser on my device, it doesn't get redirected to the guest portal URL. Since I can't get there, I can't continue with the rest of the process: authentication, CoA and the final ACL for internet access.
Can someone please either guide me on the correct steps I need to follow if I have misconfigured something, or advise if this is a bug.
Thanks in advance.
v7.5 has been deferred. You should test in v220.127.116.11 MR2 or, if you really need the features, v7.6. v7.6 has some issues and you would need to open a TAC case to get an engineering release. Start out with a stable WLC code first; I would use v18.104.22.168.
Sent from Cisco Technical Support iPhone App
I have a virtual WLC with 7.6.110 and ISE 1.2 for an onboarding BYOD deployment, with the same symptom.
The authorization policy is matched and ISE sends the RADIUS attributes to the WLC; in the WLC log I can see that the client is in "SUPPLICANT_PROVISIONING", and the redirection URL and ACL are OK, but then it does NOT work! The client continues to have access. This is a bug for sure, but I cannot tell which one.
Can you post screenshot from:
1. Your ACL configuration on the WLC
2. The authorization result in ISE
3. Authentication/Authorization policy in ISE
A couple of things:
1. Is this for a FlexConnect deployment or standard?
2. Your first ACL is incorrect. There needs to be a "deny any" rule at the end.
The virtual WLC supports only AP deployment in FlexConnect mode; I confirm a FlexConnect deployment.
The entry "permit any any" in ACL-REDIRECT is deployed because I don't want to cause disruption. I will remove the entry "permit any any" only after I am sure of the correct redirection to the supplicant portal. The portal redirection should not depend on the ACL; the ACL should only block traffic into the internal network. Correct? Can you confirm?
The ACL is definitely used to define what traffic is redirected to ISE and what traffic is not redirected. Having the permit-all statement at the end will break redirection. If you are using FlexConnect then you will need to use FlexConnect ACLs and apply those to the FlexConnect APs. The links below should give you an idea of what needs to be done:
Thank you for rating helpful posts!
The problem was DNS. The WLC tries to access the IP address of the web page before it redirects. However, I thought it would just redirect once it received any request. We are using this on the internal network with no access to the internet, and when users try to enter Cisco.com to get to the web authentication page, the WLC couldn't find the IP address of Cisco.com because it asks the local DNS and the request would eventually fail.
If we type any IP address directly in the browser, then the redirection works fine.
Thanks for the help.
Part of the WLC process when using WebAuth is to hijack the home page or the URL the user is trying to access and determine if DNS can be resolved. If this succeeds, then the WLC will proceed.
Again... since you're in early testing, you should move away from v7.5.
Sent from Cisco Technical Support iPhone App
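The two failure modes discussed in this thread (a trailing "permit any any" in the redirect ACL, and a hostname the client cannot resolve before the redirect ever happens) can be seen together in a small simulation. The following is an added example, not code from the original posts or from Cisco; it is a simplified model of the redirect decision, and the addresses, hostnames, ACL entries and the stub resolver are all constructed for illustration. Its assumptions follow the thread: the client must resolve the Host name first (the pre-auth ACL only lets DNS and ISE through), the resulting TCP flow is evaluated against the redirect ACL first-match with an implicit deny at the end, a "permit" entry means the flow passes through untouched, and a "deny" entry means the HTTP request is intercepted and redirected to the ISE portal.

```python
"""Simplified model of a WLC central web-auth redirect decision.

Constructed illustration, not Cisco code. Assumed semantics (as described in
the thread): 'permit' in the redirect ACL = pass through without redirection,
'deny' = intercept and redirect to the ISE portal, first match wins, implicit
deny at the end. Before any of that, the browser has to resolve the Host name;
if the resolver the client can reach does not know it, no request is sent.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" (no redirect) or "deny" (redirect)
    dst: str                    # destination prefix in CIDR form, or "any"
    port: Optional[int] = None  # destination port, None = any port


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int


def entry_matches(entry: AclEntry, flow: Flow) -> bool:
    if entry.port is not None and entry.port != flow.dst_port:
        return False
    return entry.dst == "any" or ip_address(flow.dst_ip) in ip_network(entry.dst)


def acl_action(acl: List[AclEntry], flow: Flow) -> str:
    """First-match evaluation with the implicit deny at the end of the ACL."""
    for entry in acl:
        if entry_matches(entry, flow):
            return entry.action
    return "deny"


def client_resolve(host: str, resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """IP literals need no lookup; names go to the resolver the client can reach."""
    try:
        return str(ip_address(host))
    except ValueError:
        return resolve(host)


def simulate(acl: List[AclEntry], url: str,
             resolve: Callable[[str], Optional[str]]) -> str:
    """Return 'dns-failure', 'pass-through' or 'redirect' for one browser request."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    dst_ip = client_resolve(host, resolve)
    if dst_ip is None:
        return "dns-failure"       # the browser never sends a request to intercept
    if acl_action(acl, Flow(dst_ip, port)) == "permit":
        return "pass-through"
    return "redirect"


# Constructed sample environment (hypothetical addresses and names).
ISE_PSN = "10.0.0.10/32"
DNS_SERVER = "10.0.0.53/32"
INTERNAL_ZONE: Dict[str, str] = {
    "ise.example.local": "10.0.0.10",
    "intranet.example.local": "10.1.1.20",
}


def internal_dns(name: str) -> Optional[str]:
    """Internal resolver with no Internet forwarding: public names do not resolve."""
    return INTERNAL_ZONE.get(name.lower())


# ACL in the shape posted in the thread: the trailing permit-all swallows every flow.
ACL_BROKEN = [
    AclEntry("permit", DNS_SERVER, 53),
    AclEntry("permit", ISE_PSN),
    AclEntry("permit", "any"),
]

# Corrected: only DNS and ISE bypass redirection, everything else is redirected.
ACL_FIXED = [
    AclEntry("permit", DNS_SERVER, 53),
    AclEntry("permit", ISE_PSN),
    AclEntry("deny", "any"),
]


if __name__ == "__main__":
    for url in ("http://www.cisco.com/", "http://10.1.1.20/",
                "http://intranet.example.local/",
                "https://ise.example.local:8443/portal/"):
        print(f"{url:42} broken={simulate(ACL_BROKEN, url, internal_dns):12} "
              f"fixed={simulate(ACL_FIXED, url, internal_dns)}")
```

Running it shows the two symptoms side by side: with the broken ACL every web flow is "pass-through" (the client keeps its access and never sees the portal), while with the corrected ACL a bare IP address or an internally resolvable name is redirected but a public name such as www.cisco.com still ends in "dns-failure", because the internal resolver has no answer for it and the browser never sends the request that the WLC would intercept. Traffic to the ISE PSN itself is passed through in both cases, which is what keeps the portal reachable once redirection works.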