
Cisco ISE Guest Portal Redirect

troy.hart
Level 1

Hello Team,

 

Recently I decided to use ISE for my guest access instead of using the wireless controller feature, setting up a guest username and password to be distributed to our guests. I looked online for processes and procedures and found many how-tos on how to set up ISE for guest access. Many were with the wizard and very few manual. I went the manual way because the wizard was not available to me at the time, until I had upgraded to ISE 2.2 and then 2.3. I was able to set up a new guest SSID, configure the policy in ISE and test the portal. However, I am having difficulty with the ISE 2.3 Portal Guest Self Reg page not being displayed after being redirected. When I use a Windows endpoint or my iPad as a test, it starts out looking great and I will see the login screen for username and password, and then it fails. This is happening during the redirect from the user device. I am able to view the page from the test link in ISE: https://ip:8443/portal/PortalSetup.action?portal=450f3ad0-1caf-11e7-974e-64122537131e .

Any suggestions as to the possible cause?

Really appreciate any suggestion!

 

Thanks,

 

Troy Hart

 

 

8 Replies

I would recommend checking two locations to start.

1- In ISE authentications, do you see the endpoint passing authentication and being delivered the next correct authorization profile? Always double-check the profile order, as the guest flow would hit the bottom auth-z policy, place the user in the correct endpoint identity group, deliver the profile, then move forward. See the attached flow diagram for a visual representation.

 

2- Check your WLC and the access list configuration to make sure they are correct.  I would be more than happy to look via webex or assist if you would like to PM me.

 

 

Hi Michael,
I do not see the attached flow diagram you are referring to.

Thanks,

Sorry, please see the attached diagram.

Hi, 

 

I am looking for a solution to redirect wired guest access to an external captive portal (not the ISE captive portal). Does anyone know if it is supported and could provide some reference about it?

 

Kind Regards

 

Juan

Arne Bier
VIP

If I read your comments correctly, you are seeing the Portal page on the client.  Is the portal rendered completely, and what exactly "fails" after that?  Unable to login?

If the Portal doesn't appear, then it could be a multitude of things:

- DNS resolution of the client - is client able to resolve the FQDN in the redirect URL?

- Proxy configuration on client - if there is one, then it can get in the way of displaying the portal

- Load balancers - if the load balancer config is wrong, then you will go nowhere - you need to ensure session persistence to the SAME PSN that you sent the initial MAB auth to.

 

If the Portal is fine, but the logins are failing, then that's a whole other issue

- account created in the wrong time zone?  Perhaps account not active yet

- if the account is active but still failing, then check the Live Logs for clues - perhaps you are failing to send the CoA to the WLC.

 

Let us know how you get on :)

Hi Arne,

 

When I select the guest SSID, I am redirected to the self-registration page. I am getting "page cannot be displayed"; however, if I am connected via LAN and then select the SSID for the guest network, it will display the portal page. Do you have any idea what I could be doing wrong? I am working with Cisco TAC too.

 

 

Thanks, 

 

Troy 

Do you have a Pre-Auth ACL allowing DNS, DHCP and access to ISE?

If the client does not have an IP and is not able to resolve the ISE page and access it, it will not display.

 

Are you doing Central Web Auth or passthrough? 


Hi Haydn,

Yes, and I am using Central Web Auth.


Thanks,