10-26-2023 05:52 AM
Hi,
Recently we came across a weird issue where a Guest user, after successful authentication, gets kicked off the internet, is prompted with the login page and asked to re-login. It happens repeatedly after re-login.
We have Cisco WLC 5520 Foreign-Anchor setup and all APs are on flex-connect mode. ISE 2.7 patch 9 for authentication.
After initial investigation we observed that this issue happens only with the Guest Type 'Contractor'. The 'Sponsor portal' gives 3 options to create a guest account:
Guest type 1 - Contractor
Guest type 2 - Daily
Guest type 3 - Weekly
During testing,
1. Guest account created with Guest Type - Daily and it worked fine. Maximum days allowed (expiry) for such account is 1 day.
2. Guest account created with Guest Type - Weekly and it worked fine. Maximum days allowed (expiry) for such account is 5 days.
3. Guest account created with Guest Type - Contractor and it worked fine. Maximum days allowed (expiry) for such account is 5 days.
4. Guest account created with Guest Type - Contractor and it DID NOT work. Maximum days allowed (expiry) for such account is 90 days.
5. Guest account created with Guest Type - Contractor and it DID NOT work. Maximum days allowed (expiry) for such account is 103 days.
To conclude, guest accounts created with guest type 'Contractor', and that too with more than 90 days, are affected.
Did anyone have such an issue and a possible solution or workaround? Or can you guide me on where exactly the problem is? We did not find anything abnormal in client debugs on the WLC or in the ISE logs.
Note: This was a working setup and no change has been done recently on WLCs or on ISE.
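The test matrix above isolates one profile (Contractor, validity above 90 days) by hand. As an added example that is not from this thread or from Cisco, here is a small Python check that does the same correlation over an exported event list: it flags any MAC that is sent back to the portal more than a threshold number of times inside a time window, then groups the flagged MACs by (guest type, validity days) so the odd profile stands out. The event field names (`ts`, `mac`, `guest_type`, `validity_days`, `event`) and the event values are my own assumed schema, not an ISE report format, and the MACs and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def _ev(ts, mac, gtype, days, event):
    # Hypothetical event record; field names are assumed, not an ISE schema.
    return {"ts": ts, "mac": mac, "guest_type": gtype,
            "validity_days": days, "event": event}


# Constructed sample data modelled on the thread's test matrix: the Daily,
# Weekly and 5-day Contractor accounts log in once; the 90-day and 103-day
# Contractor accounts keep returning to the portal.
SAMPLE_EVENTS = [
    _ev("2023-10-26T08:00:00", "AA:BB:CC:00:00:01", "Daily", 1, "PORTAL_LOGIN"),
    _ev("2023-10-26T08:00:04", "AA:BB:CC:00:00:01", "Daily", 1, "ACCT_START"),
    _ev("2023-10-26T08:05:00", "AA:BB:CC:00:00:02", "Weekly", 5, "PORTAL_LOGIN"),
    _ev("2023-10-26T08:10:00", "AA:BB:CC:00:00:03", "Contractor", 5, "PORTAL_LOGIN"),
    # 90-day Contractor: back at the portal roughly every 20 minutes
    _ev("2023-10-26T08:00:00", "AA:BB:CC:00:00:04", "Contractor", 90, "PORTAL_LOGIN"),
    _ev("2023-10-26T08:19:30", "AA:BB:CC:00:00:04", "Contractor", 90, "ACCT_STOP"),
    _ev("2023-10-26T08:20:00", "AA:BB:CC:00:00:04", "Contractor", 90, "PORTAL_LOGIN"),
    _ev("2023-10-26T08:40:00", "AA:BB:CC:00:00:04", "Contractor", 90, "PORTAL_LOGIN"),
    _ev("2023-10-26T09:00:00", "AA:BB:CC:00:00:04", "Contractor", 90, "PORTAL_LOGIN"),
    # 103-day Contractor: three portal logins inside one hour
    _ev("2023-10-26T10:00:00", "AA:BB:CC:00:00:05", "Contractor", 103, "PORTAL_LOGIN"),
    _ev("2023-10-26T10:25:00", "AA:BB:CC:00:00:05", "Contractor", 103, "PORTAL_LOGIN"),
    _ev("2023-10-26T10:50:00", "AA:BB:CC:00:00:05", "Contractor", 103, "PORTAL_LOGIN"),
]


def find_relogin_loops(events, window_minutes=60, threshold=3):
    """Return {mac: max portal logins inside any window} for MACs at or over threshold.

    Only PORTAL_LOGIN events count; accounting events are ignored. A sliding
    window over the sorted login times gives the densest burst per MAC.
    """
    logins = defaultdict(list)
    for ev in events:
        if ev["event"] == "PORTAL_LOGIN":
            logins[ev["mac"]].append(_parse(ev["ts"]))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for mac, times in logins.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            # j only moves forward: the window start (i) never moves back.
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[mac] = best
    return flagged


def loops_by_profile(events, window_minutes=60, threshold=3):
    """Group looping MACs by (guest_type, validity_days) to expose the common factor."""
    flagged = find_relogin_loops(events, window_minutes, threshold)
    profile = {}
    for ev in events:
        profile.setdefault(ev["mac"], (ev["guest_type"], ev["validity_days"]))
    grouped = defaultdict(set)
    for mac in flagged:
        grouped[profile[mac]].add(mac)
    return {key: sorted(macs) for key, macs in grouped.items()}


if __name__ == "__main__":
    for mac, count in find_relogin_loops(SAMPLE_EVENTS).items():
        print(f"{mac}: {count} portal logins within 60 min")
    for (gtype, days), macs in sorted(loops_by_profile(SAMPLE_EVENTS).items()):
        print(f"{gtype} / {days} days: {macs}")
```

On the sample data only the two Contractor accounts with validity of 90 days or more are flagged, which is the pattern the thread describes. The threshold and window are tunable; a single portal login per session is normal, so anything that crosses the threshold is worth a client debug and an ISE live-log look at which authorization policy the MAC is hitting after CoA.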
10-26-2023 06:02 AM - edited 10-26-2023 06:03 AM
This can potentially happen after CoA if the guest is again hitting the redirect policy and skipping the endpoint identity lookup that allows guest access, for some reason. To start with, can you share your ISE Guest policy, and also confirm that the guest MAC is populated in the guest endpoint identity store after the guest went through the guest login process?
10-26-2023 06:33 AM
Hi Ammahend,
Yes. The Guest MAC gets populated in the guest endpoint identity store. We think it has nothing to do with the guest policy, as it is the same for all regions. This issue happened last year and we got TAC on a call. Even after multiple packet captures at each level nothing was found. Eventually the issue got resolved automatically!! Now here it is popping up again.
How come it only affects one site and the users at the rest of the sites are doing fine? I mean, the policy is global. And how come we doubt the WLC, as IP assignment and web redirection are happening?
Do you think it can be related to any bug behavior ?
10-26-2023 07:44 AM
> ...Do you think it can be related to any bug behavior?
Consider using the latest advisory: https://software.cisco.com/download/home/286284738/type/280926587/release/8.10.190.0 , if not yet done; for the AireOS platforms it becomes more recommended (use the latest and/or last supported version) as they are gradually phasing out, with TAC support diminishing too. This also brings into the picture your EOL ISE version, although probably not currently a direct cause of the original problem.
M.
10-26-2023 08:07 AM - edited 10-26-2023 08:09 AM
Are you able to replicate the issue? For instance, take a guest device whose MAC address is in the guest endpoint database, and when you connect this device, what policy is it hitting in the ISE logs?
I know you have taken debugs before, but take another client debug and a tcpdump from ISE when replicating the issue and share them. It works in a standard way; maybe we can see some deviation from expected behavior in the logs.
It certainly helps to be on recommended code.
10-09-2024 02:43 AM
Hi,
I've the same problem; do you think the issue can be on the WLC side?
Even in my case the other guest types are working correctly.
10-09-2024 03:27 AM - edited 10-09-2024 03:27 AM
hi,
After multiple calls, the Cisco TAC engineers were not able to find the exact problem from the PCAPs and debugs. However, we replaced the Foreign WLC from model 5520 (AireOS) to a C9800 and the issue got resolved. We are still using the model 5520 (AireOS) as the Anchor WLC.
There is a strong suspicion of the Foreign WLC, AireOS model 5520 with version 8.10.190.0, because that's the only thing we changed.
10-09-2024 03:32 AM
You can also try creating guest accounts with 121 days validity/expiry. That was the temporary workaround from TAC.
No disconnections were observed when we set the account validity to something other than the default 90 days. I would suggest trying it once.
10-09-2024 05:17 AM
hi,
The guest account type on which I'm having the issue has 999 days of validity...