Guest clients getting disconnected after successful login

Nieo
Level 1

Hi,

Recently we came across a weird issue where a Guest user, after successful authentication, gets kicked off the internet, is shown the login page and is asked to re-login. It happens repeatedly after re-login.

We have Cisco WLC 5520 Foreign-Anchor setup and all APs are on flex-connect mode. ISE 2.7 patch 9 for authentication.

After initial investigation we observed that this issue happens only with the Guest Type 'Contractor'. The 'Sponsor portal' gives 3 options to create 'a guest account' -

Guest type 1 - Contractor

Guest type 2 - Daily

Guest type 3 - Weekly

 

During testing,

1. Guest account created with Guest Type - Daily and it worked fine. Maximum days allowed (expiry)  for such account is 1 day.

2. Guest account created with Guest Type - Weekly and it worked fine. Maximum days allowed (expiry)  for such account is 5 days. 

3. Guest account created with Guest Type - Contractor and it worked fine. Maximum days allowed (expiry)  for such account is 5 days.

4. Guest account created with Guest Type - Contractor and it DID NOT work. Maximum days allowed (expiry) for such account is 90 days.

5. Guest account created with Guest Type - Contractor and it DID NOT work. Maximum days allowed (expiry) for such account is 103 days.

 

To conclude, guest accounts created with guest type 'Contractor', and that too with more than 90 days, are affected.

Has anyone had such an issue and a possible solution or workaround? Or can you guide me to where exactly the problem is? We did not find anything abnormal in client debugs on the WLC or in the ISE logs.

Note: This was a working setup and no change has been made recently on the WLCs or on ISE.

 

 

8 Replies

ammahend
VIP

This can potentially happen after CoA if the guest is again hitting the redirect policy and skipping the endpoint identity lookup to allow guest access for some reason. To start with, can you share your ISE Guest policy and also confirm the guest MAC is populated in the guest endpoint identity store after the guest went through the guest login process?

-hope this helps-

Hi Ammahend,

Yes. The Guest MAC gets populated in the guest endpoint identity store. We think it has nothing to do with the guest policy as it is the same for all regions. This issue happened last year and we got TAC on a call. Even after multiple packet captures at each level nothing was found. Eventually the issue got resolved automatically!! Now here it is popping up again.

How come it only affects one site and the users at the rest of the sites are doing fine? I mean, the policy is global. And how can we doubt the WLC when IP assignment and web redirection are happening?

Do you think it can be related to any bug behavior?

 

> ...Do you think it can be related to any bug behavior?

Consider using the latest advisory: https://software.cisco.com/download/home/286284738/type/280926587/release/8.10.190.0, if not yet done; for the AireOS platforms it becomes more recommended (use the latest and/or last supporting version) as they are gradually being phased out, with TAC support diminishing too. This also brings into the picture your EOL ISE version, although it is probably not currently a direct cause of the original problem.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Are you able to replicate the issue? For instance, take a guest device with its MAC address in the guest endpoint database, and when you connect this device, what policy is it hitting in the ISE logs?

I know you have taken debugs before, but take another client debug and tcpdump from ISE when replicating the issue and share them. It works in a standard way; maybe we can see some deviation from expected behavior in the logs.

It certainly helps to be on recommended code.

-hope this helps-

Hi,

 

I have the same problem. Do you think the issue can be on the WLC side?

Even in my case the other guest types are working correctly.

Nieo
Level 1

Hi,

After multiple calls with Cisco TAC, engineers were not able to find the exact problem from the PCAPs and debugs. However, we replaced the Foreign WLC from model 5520 (AireOS) with a C9800 and the issue got resolved. We are still using the model 5520 (AireOS) as an Anchor WLC.

There is a strong suspicion about the Foreign WLC, the AireOS model 5520 with version 8.10.190.0, because that's the only thing we changed.

 

Nieo
Level 1

You can also try creating guest accounts with 121 days validity/expiry. That was the temporary workaround from TAC.

No disconnections were observed when we set the account validity to something other than the default 90 days. I would suggest trying it once.

Hi,

The guest account type on which I'm having the issue has 999 days of validity...
