Re: browser won't pop up during cisco guest portal

seanxiao · ‎03-23-2025

GREETINGS all,

We suddenly have an issue that guest user cannot complete the guest portal authentication because the browser cannot pop up.

From the ISE live log:

device authentication successful;
device get the configured IP address (a guest VLAN);
device can communicate with the guest DNS server with the assigned guest IP
device hit the desired authentication policy and authorization policy

but the device cannot access guest portal even we manually input the URL , neither can the device access Internet. Please see the log as below:

Result

User-Name	10-A5-1D-09-30-2B
Class	CACS:0af0c5080006598267e0c924:ZJK-SVAP-PSN01/524332189/308487
cisco-av-pair	url-redirect-acl=ACL_WEBAUTH_REDIRECT
cisco-av-pair	url-redirect=https://guestportal3.int.my-domain.com:8450/portal/gateway?sessionId=0af0c5080006598267e0c924&portal=021ff832-a158-4e12-be34-edf81c2d8efe&action=cwa&token=b9593114317c8774158992fe0c5c9796
cisco-av-pair	profile-name=Intel-Device
LicenseTypes	Essential license consumed.

Session Events

2025-03-24 02:53:30.028	RADIUS Accounting start request
2025-03-24 02:53:24.858	Authentication succeeded

Event	5200 Authentication succeeded
Username	Device-mac-address
Endpoint Id	Device-mac-address
Calling Station Id	Device-mac-address
Endpoint Profile	Intel-Device
Identity Group	Profiled
Audit Session Id	0af0c5080006598267e0c924
Authentication Method	mab
Authentication Protocol	Lookup
Service Type	Call Check
Network Device	wlc-name
Device Type	All Device Types#WLC
Location	All Locations#my-location
NAS IPv4 Address	My-WLC-IP-address
NAS Port Type	Wireless - IEEE 802.11
Authorization Profile	Cisco_WebAuth_ZJK
Response Time	58 milliseconds

Other Attributes

ConfigVersionId	141
DestinationPort	1812
Protocol	Radius
NAS-Port	13
Framed-MTU	1300
Acct-Session-Id	67e0c924/10:a5:1d:09:30:2b/485408
Tunnel-Type	(tag=0) VLAN
Tunnel-Medium-Type	(tag=0) 802
OriginalUserName	10a51d09302b
NetworkDeviceProfileId	b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow	false
AcsSessionID	ZJK-SVAP-PSN01/524332189/308487
SelectedAuthenticationIdentityStores	Internal Users
AuthenticationStatus	UnknownUser
IdentityPolicyMatchedRule	MAB
AuthorizationPolicyMatchedRule	Aurobay-Guest Redirect
EndPointMACAddress	device-mac-address
ISEPolicySetName	policy-set-name
IdentitySelectionMatchedRule	MAB
TotalAuthenLatency	58
ClientLatency	0
DTLSSupport	Unknown
HostIdentityGroup	Endpoint Identity Groups:Profiled
Network Device Profile	Cisco
Location	Location#All Locations#my-location
Device Type	Device Type#All Device Types#WLC
IPSEC	IPSEC#Is IPSEC Device#No
RADIUS Username	Device-mac-address
NAS-Identifier	WLC-Name
Device IP Address	WLC-IP
CPMSessionID	0af0c5080006598267e0c924
Called-Station-ID	2c-33-11-ba-78-00:SSID-NAME
CiscoAVPair	audit-session-id=0af0c5080006598267e0c924
UseCase	Host Lookup

Rich R · ‎03-24-2025

> the device cannot access guest portal even we manually input the URL
What exactly happens? Do you get an error message? Does it timeout?
Did you enable browser network trace to see what that shows?
Did you do a packet capture to see what that shows?
Are you using a valid public certificate for guestportal3.int.my-domain.com which is trusted by the client OS and browser?
Are you sure the certificate has not expired?

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

seanxiao · ‎03-24-2025

thanks for your reply

now the browser pops up, and the DNS works when we do nslookup www.google.com [DNS_For_Guest]

now the issue is that the end device can get IP from the guest VLAN, but cannot access any network resource, even cannot ping its guest VLAN gateway. When I do ping gateway from the device, all is time out. If I ping from where the gateway is residing (fortigate), it just showing icmp echo request, but never got a reply.

Scott Fella · ‎03-24-2025

Just to confirm, This exact configuration was working previously and now "SUDDENLY ALL" guest devices are no longer working? So no matter if its an iPhone, Android, Windows or Mac, you are seeing the same issue? If this is the case, I would think something has changed that broke this.

-Scott
*** Please rate helpful posts ***

seanxiao · ‎03-24-2025

thanks for your reply

now the browser pops up, and the DNS works when we do nslookup www.google.com [DNS_For_Guest]

now the issue is that the end device can get IP from the guest VLAN, but cannot access any network resource, even cannot ping its guest VLAN gateway. When I do ping gateway from the device, all is time out. If I ping from where the gateway is residing (fortigate), it just showing icmp echo request, but never got a reply.

srimal99 · ‎03-25-2025

have you check correct ip given from the dhcp pool and ise authz rules set up correctly ( Any override Vlans configured ) . Check the log on the ise and switch port. If you accessing via Guest SSID why do you need access to network devices ? is you ssid set up for DMZ zone ?Check the Guess portal access-list if you have block icmp .