10-24-2016 02:44 AM - edited 07-05-2021 06:01 AM
I have configured Cisco ISE 2.1 with WLC 8.2. When I logged in the first time with any self-registration account, it logged in successfully via web authentication, but on the next login it didn't redirect to web authentication; it logged in directly.
I want it to redirect to web authentication on every login. Please guide me, as I am new to Cisco Identity Services Engine.
11-01-2016 02:10 AM
Please help me sort this out.
11-01-2016 04:40 AM
In your authorization rules, are you validating user identity groups along with endpoint identity groups and letting users register their device? Automatic registration is on by default in a self-registration portal, at least in ISE 2.0.
Because if you allow users to register their device and you validate both user groups along with endpoint groups, you would end up with: a user creates their account and logs in for the first time, the device gets registered to an endpoint group, and afterwards it gets validated through the endpoint group instead, which would mean it doesn't get redirected to the web portal.
Either that or the session on the WLC hasn't timed out yet.
11-01-2016 11:02 PM
Lars, thanks for your reply.
Actually, I have followed the attached document for configuration. You said that Cisco ISE 2.1 by default saves automatically registered device information in endpoint groups. If I want to change this setting, what should I do?
One more thing: I was trying to do it myself after R&D, so I disturbed some settings in the authorization profiles and authentication policies. Then I tried to connect via web redirection; it connected, but the internet did not work. So I tried again and again but failed. Finally I reconfigured it via CiscoISE2.0WirelessGuestSetupWizard_1.0.1W. It is not working any more. It does not redirect to the web page either. The configuration is the same as in the attached document.
Environment = Cisco WLC 8.2
ISE-2.1.0.474-mini
Cisco AP3502I - C - K9
Would you please help me sort this out?
11-02-2016 02:51 AM
The endpoint registration settings are portal specific and can be changed under "Guest Device Registration Settings" for a specific portal via Guest Access -> Guest Portals -> name of your portal.
I have no experience with the Cisco ISE 2.0 Wireless Guest Setup Wizard. But if the redirection, or anything else in ISE for that matter, isn't working any more, the first thing I would do would be to go to the RADIUS Livelog. The livelog can tell you precisely which authentication and authorization policies your client hits. If it isn't hit by the policy you expect it to, your redirection policy for instance, then there must be something wrong with the conditions of that policy, or a policy higher up if it never reaches the expected policy. If it hits the correct authorization policy, it must be the permissions policy in that rule which is the problem, since the permission policy contains the RADIUS reply the WLC gets from ISE, the redirect URL to the web portal and ACL being the most important in this case.
But if it hits the correct authorization policy and the WLC gets the correct RADIUS reply with all the correct settings, then the issue must be on the WLC. Best bet here would be the ACL; I ran into this with our guest portal since I had forgotten to permit access in the ACL to the ISE servers through the port the portal uses; default is port 8443. Either that or the NAC setting under Advanced in the WLAN profile; it should be set to ISE NAC.
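The checks described in the reply above, written out as an added example (not part of the original thread and not Cisco tooling). It assumes the redirect URL and ACL arrive as `url-redirect` and `url-redirect-acl` AV pairs; the sample reply, host names and the simplified ACL model are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample: AV pairs copied by hand from a RADIUS reply (placeholder values).
SAMPLE_REPLY = [
    "url-redirect-acl=ACL_WEBAUTH_REDIRECT",
    "url-redirect=https://ise.example.test:8443/portal/gateway?sessionId=abc123&action=cwa",
]

# Hypothetical, simplified model of the WLC ACLs: name -> permitted (host, port) pairs.
SAMPLE_ACLS = {"ACL_WEBAUTH_REDIRECT": [("dns.example.test", 53)]}


def check_redirect(av_pairs, acls):
    """Return a list of findings; an empty list means the redirect looks complete."""
    attrs = dict(p.split("=", 1) for p in av_pairs if "=" in p)
    url = attrs.get("url-redirect")
    acl_name = attrs.get("url-redirect-acl")
    findings = []

    # Missing attributes point at the permissions in the authorization rule on ISE.
    if not url:
        findings.append("no url-redirect in reply: check the authorization profile")
    if not acl_name:
        findings.append("no url-redirect-acl in reply: check the authorization profile")
    if not (url and acl_name):
        return findings

    # A complete reply moves the search to the WLC: the named ACL must exist
    # and must permit the portal host on the portal port.
    if acl_name not in acls:
        findings.append(f"ACL {acl_name} is not defined on the WLC")
        return findings
    parsed = urlparse(url)
    target = (parsed.hostname, parsed.port or 443)
    if target not in acls[acl_name]:
        findings.append(f"ACL {acl_name} does not permit {target[0]}:{target[1]}")
    return findings


if __name__ == "__main__":
    for finding in check_redirect(SAMPLE_REPLY, SAMPLE_ACLS) or ["redirect looks complete"]:
        print(finding)
```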