09-25-2014 08:22 PM - edited 07-05-2021 01:35 AM
Hi
I have a problem relating to the authentication and authorization of wireless users (WPA Personal + Web Authentication) using a captive portal. The problem arises because users belong to more than one group in Active Directory, which is the repository for the authorization policy settings. A user gets the password (WPA) for an unauthorized SSID and authenticates to the portal with their valid credentials, which correspond to another profile, and takes on another level of access because ISE detects them as a valid user. Can someone give a suggestion on how to solve this problem?
Thank you
09-25-2014 10:31 PM
Cisco ISE Node Not Authenticating with Active Directory
Symptoms or Issue
The administrator receives "authentication failure" messages in the Authentication Failure Report on the Administration ISE node.
Conditions
This issue applies to Cisco ISE policy enforcement nodes added to an existing AD domain.
Possible Causes
• The administrator may not have changed the AD password after joining the Cisco ISE node to the AD domain.
• The account used to join Cisco ISE to the Active Directory domain may have an expired password.
Resolution
Change the account password that was used to join the AD domain after adding Cisco ISE to Active Directory.
09-25-2014 10:36 PM
Hi
Thanks for your response,
but the problem is not a password change.
I'm going to tell you in detail our problem.
We are using web authentication with the ISE 1.2 default guest portal and Active Directory users.
We have 5 SSIDs and 5 Active Directory groups. We want to associate each SSID with one Active Directory group, so we have created one authorization rule for each SSID, using the attribute "external group" to define the user's Active Directory membership and the attribute "airspace-wlan-id" to define the SSID.
The problem is: sometimes it works and sometimes it does not.
We have reviewed the logs and have seen that the user is successfully authenticated by the web authentication portal but does not match any authorization rule, so we think ISE is not reading the "external group" attribute.
In addition, we have to say that users could be members of more than one group within these 5 groups that we are using.
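The rule design described in this thread, as an added example that is not part of any post and is not Cisco ISE code: a simplified first-match model comparing rules that check only the AD group with rules that also check the WLAN ID, ending in a default deny. The group names, WLAN IDs, profile names and sessions are constructed, and the any-of match on a multi-valued group attribute is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed mapping: WLAN ID of each SSID -> the one AD group allowed on it.
SSID_GROUP = {1: "Staff", 2: "Students", 3: "Contractors", 4: "Guests", 5: "Lab"}

@dataclass(frozen=True)
class Rule:
    group: str               # AD group the rule requires
    wlan_id: Optional[int]   # None = the rule never looks at the SSID
    profile: str             # authorization profile returned on match

def authorize(rules, wlan_id, user_groups, default="DenyAccess"):
    """First matching rule wins; no match falls through to the default."""
    for rule in rules:
        ssid_ok = rule.wlan_id is None or rule.wlan_id == wlan_id
        if ssid_ok and rule.group in user_groups:  # any-of on multi-valued groups
            return rule.profile
    return default

# Weak form: group-only rules, so rule order decides for multi-group users.
GROUP_ONLY = [Rule(g, None, g + "-Access") for g in SSID_GROUP.values()]
# Intended form: each rule requires the WLAN ID AND the matching group.
SSID_AND_GROUP = [Rule(g, w, g + "-Access") for w, g in SSID_GROUP.items()]

def audit(rules, sessions):
    """Return sessions that received a profile belonging to a different SSID."""
    findings = []
    for user, wlan_id, groups in sessions:
        granted = authorize(rules, wlan_id, groups)
        expected = SSID_GROUP[wlan_id] + "-Access"
        if granted not in (expected, "DenyAccess"):
            findings.append((user, wlan_id, granted))
    return findings

# Constructed sessions: (user, WLAN ID joined, AD groups of the portal login).
SESSIONS = [
    ("alice", 1, ["Staff"]),                 # right SSID, right group
    ("bob",   1, ["Students"]),              # has the PSK of an SSID not meant for him
    ("carol", 2, ["Staff", "Students"]),     # multi-group user on the Students SSID
    ("dave",  3, ["Staff", "Contractors"]),  # multi-group user on the Contractors SSID
]

if __name__ == "__main__":
    for label, rules in (("group only", GROUP_ONLY), ("ssid + group", SSID_AND_GROUP)):
        print(label, "->", audit(rules, SESSIONS))
```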
09-29-2014 11:54 AM
Please provide the authorization rule which you have defined on ISE.