ISE 2.4 and 9800 WLC: Wireless guest issue

ittechk4u1
Level 1

Hello Experts,

 

I am facing an issue with guest access authentication. The old AireOS WLCs are working, but now I have installed a new 9800 WLC and it is creating an issue.

 

Requesting help to troubleshoot the authentication failure error messages below, seen for wireless guest users.

 

Event: 5400 Authentication failed
Failure Reason: 15039 Rejected per authorization profile
Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute
Username: USERNAME

 

It's not hitting the right authentication policy.

 

Auth policies:

 

AuthZ.png

 

authentication.png

 

1.png

 

Steps

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15041 Evaluating Identity Policy
15013 Selected Identity Source -
22043 Current Identity Store does not support the authentication method; Skipping it
22064 Authentication method is not supported by any applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22060 The 'Continue' advanced option is configured in case of a failed authentication request
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario

 

 

Thanks in advance

Best Regards
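The step list in the post already contains the two answers (no identity store could handle the method, so the request fell through to the default DenyAccess authorization rule). The script below is an added example, not from the thread or from Cisco: it parses an ISE Live Log step list in the format shown above (including the fused "15016Selected..." form that copy-paste produces) and summarises where the session was rejected. The sample text is the post's own step list, embedded as a constant; the finding heuristics are this example's own.

```python
import re

# Constructed sample: the step list from the original post, as copied from the ISE Live Log detail.
SAMPLE_STEPS = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15041 Evaluating Identity Policy
15013 Selected Identity Source -
22043 Current Identity Store does not support the authentication method; Skipping it
22064 Authentication method is not supported by any applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22060 The 'Continue' advanced option is configured in case of a failed authentication request
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
"""

# A step is a 4-5 digit code followed by its message; the space between them is optional
# because copy-pasting the Live Log often fuses them ("11001Received ...").
STEP_RE = re.compile(r"^\s*(\d{4,5})\s*(.*)$")


def parse_steps(text):
    """Return a list of (code, message) tuples, one per recognised step line."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), m.group(2).strip()))
    return steps


def _after_dash(msg):
    # "Selected Identity Source - NAME": an empty NAME means nothing was selected.
    return msg.split("-", 1)[1].strip() if "-" in msg else ""


def diagnose(steps):
    """Summarise the outcome and the reasons visible in the step codes."""
    codes = {code for code, _ in steps}
    report = {"result": None, "identity_source": None, "authz_profile": None, "findings": []}
    for code, msg in steps:
        if msg.startswith("Returned RADIUS"):
            report["result"] = msg[len("Returned RADIUS"):].strip()   # Access-Reject / Access-Accept
        elif code == 15013:
            report["identity_source"] = _after_dash(msg)
        elif code == 15016:
            report["authz_profile"] = _after_dash(msg)
    if 22043 in codes or 22064 in codes:
        report["findings"].append(
            "authentication: no identity store in the rule's identity source supports this "
            "authentication method (22043/22064); review the authentication rule's identity source")
    if 22058 in codes and 22060 in codes:
        report["findings"].append(
            "authentication: the 'Continue' option on failure carried the request into "
            "authorization as an unknown user (22058/22060)")
    if report["authz_profile"] == "DenyAccess":
        report["findings"].append(
            "authorization: no authorization rule matched, so the default rule returned DenyAccess "
            "(15016/15039); compare the request's RADIUS attributes with each rule's conditions")
    return report


if __name__ == "__main__":
    rep = diagnose(parse_steps(SAMPLE_STEPS))
    print(f"result={rep['result']} identity_source={rep['identity_source']!r} "
          f"authz_profile={rep['authz_profile']}")
    for finding in rep["findings"]:
        print(" -", finding)
```

Run it as-is to see the three findings for the post's log, or replace SAMPLE_STEPS with a step list pasted from another failed session.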

 


18 Replies

craig.beck
Level 1

15039 Rejected per authorization profile

 

Can you show the full failure log, please?

Which logs do you want me to paste?

 

From the ISE side, or a debug from the WLC?

Grendizer
Cisco Employee

You need to change (redirect portal ipv4 192.0.2.1) to the ISE IP address instead.

Check this line (redirect for-login guest.corp.com): which ISE portal will reply to the requests?

You're using Guest Users (meaning the users are configured in ISE).

Not sure about this condition: WLC_Web_Authentication (it needs to check the ISE Guest Users group, as you specified in the AuthC rule).

Moreover, the ISE portal uses TCP port 8443 by default, and with that you will need to create a Pre-Auth ACL that will be applied on the WLAN > Security > Layer3 > Preauthentication ACL > IPv4; example ACL below:

permit tcp any host ISE_IP_ADDRESS eq 8443
permit tcp host ISE_IP_ADDRESS eq 8443 any
permit tcp any any eq domain
permit udp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
deny ip any any

Hi,

 

Thanks for your input, but I am using the customized portal on the WLC itself.

The portal is on the WLC.

Guest users are in the ISE sponsor portal.

 

Best Regards

OK, then you need to make these changes:
Changes on 9800:
Add the below command:
aaa authentication webauth default local group ISE
to check the WLC local users first and then ISE. If you need to check the 9800 local users/guest accounts, then you have to add this line too (aaa authorization network default local)
OR
aaa authentication webauth default group ISE
to check the users from ISE only.
Note: "Named Method lists not supported for webauth", so in your case we can't use the method list ISE; instead we have to use default, as in the above CLI.
Also, you shouldn't use the below lines under the global parameter map (by the way, you can use a different "new" parameter map and it will work too, meaning it doesn't have to be the global parameter map, but that works as well):
redirect for-login guest.corp.com
redirect portal ipv4 192.0.2.1
Because if you want to use guest.corp.com as the DNS name for the IPv4 virtual IP address, then you need to put that in the (Virtual IPv4 Hostname) section. You also need a DNS record to point the guests to the 9800 virtual IP address, meaning a DNS record for guest.corp.com=192.0.2.1, and of course you need a certificate signed by a public CA (with SAN) so guests will not see a certificate error; info is here https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html
Side note: I didn't see ISE1 configured as a RADIUS server, but it is used under group ISE, so either configure that or remove it from that group.
For more info, check this doc: Custom Web Authentication on Catalyst 9800 Wireless Controllers Configuration Example
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216121-custom-web-authentication-on-catalyst-98.html

Changes on ISE:
You're using (WLC_Web_Authentication) as a condition; the rules for this condition are:
Radius:NAS-Port-Type = Wireless - IEEE 802.11
Radius:Service-Type = Login
while in this case the Service Type is "Outbound", so it will not match your rule. You need to remove that condition or create a new one with Radius:Service-Type = Outbound.
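The condition mismatch described in this reply is easy to reproduce with a small first-match rule evaluator. The code below is an added example, not ISE code and not from the thread: it models the two attribute sets a 9800 sends (Service-Type = Login when a redirect portal is configured, Service-Type = Outbound for the controller's own portal), evaluates the built-in WLC_Web_Authentication condition against each, and reports which attribute made the rule skip so the request fell to the DenyAccess default. The rule name "Guest_WebAuth", the condition name WLC_WEB_AUTHENTICATION_OUTBOUND and the user name are assumptions; PermitAccess is the ISE built-in permit profile.

```python
# Constructed RADIUS attribute sets. Attribute values follow the reply; the user name is made up.
LWA_REQUEST = {
    "Radius:NAS-Port-Type": "Wireless - IEEE 802.11",
    "Radius:Service-Type": "Outbound",   # 9800 local web auth, no redirect portal configured
    "Radius:User-Name": "guest01",       # constructed
}
EXTERNAL_PORTAL_REQUEST = {
    **LWA_REQUEST,
    "Radius:Service-Type": "Login",      # sent when the 9800 redirects to an external/ISE portal
}

# A condition maps attribute -> required value; every entry must match (AND).
WLC_WEB_AUTHENTICATION = {            # the built-in condition quoted in the reply
    "Radius:NAS-Port-Type": "Wireless - IEEE 802.11",
    "Radius:Service-Type": "Login",
}
WLC_WEB_AUTHENTICATION_OUTBOUND = {   # assumed name for the replacement the reply suggests
    "Radius:NAS-Port-Type": "Wireless - IEEE 802.11",
    "Radius:Service-Type": "Outbound",
}


def mismatches(condition, request):
    """Return [(attribute, expected, actual)] for each condition attribute the request fails."""
    return [(attr, want, request.get(attr))
            for attr, want in condition.items() if request.get(attr) != want]


def evaluate(rules, request, default_profile="DenyAccess"):
    """First-match evaluation with a catch-all default, like an ISE authorization policy.

    rules: list of (rule_name, condition, profile).
    Returns (matched_rule_name, profile, [(skipped_rule_name, mismatches), ...]).
    """
    skipped = []
    for name, condition, profile in rules:
        missed = mismatches(condition, request)
        if not missed:
            return name, profile, skipped
        skipped.append((name, missed))
    return "Default", default_profile, skipped


# "Guest_WebAuth" is an assumed rule name; PermitAccess is the ISE built-in permit profile.
ORIGINAL_RULES = [("Guest_WebAuth", WLC_WEB_AUTHENTICATION, "PermitAccess")]
FIXED_RULES = [("Guest_WebAuth", WLC_WEB_AUTHENTICATION_OUTBOUND, "PermitAccess")]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        rule, profile, skipped = evaluate(rules, LWA_REQUEST)
        print(f"{label} policy, Outbound request: matched {rule} -> {profile}")
        for name, missed in skipped:
            for attr, want, got in missed:
                print(f"  {name} skipped: {attr} expected {want!r}, request carries {got!r}")
```

The skipped-rule detail is the part worth keeping when troubleshooting: ISE's own log only says which profile was selected, while listing the attribute that failed tells you which condition to change.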

Hi @Grendizer ,

 

Thanks for detailed explanation!

 

I did as you mentioned above, but it is still hitting the default policy with Deny Access:

1. Method list created with the name "default"

aaa authentication login default local group ISE
aaa authentication webauth default local group ISE

 

2. New Parameter MAP:

 

parameter-map type webauth LWA
type webauth
sleeping-client
redirect portal ipv4 192.0.2.1
logout-window-disabled
success-window-disable
cisco-logo-disable

 

3. Changes on ISE:

Authentication

9800_Web1.PNG

 

9800_Web.PNG

 

 

 

AuthZ

9800_Web_Authz.PNG

 

 

SSID Config:

 

wlan CorpGuest 1 CorpGuest
peer-blocking drop
no security wpa
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
security web-auth
security web-auth authentication-list default
security web-auth parameter-map LWA
no shutdown

 

 

Best Regards

 

Just remove the below lines, as I mentioned before:
redirect on-success  https://www.grammer.com/
redirect portal ipv4 192.0.2.1
With the above, this will be sent to ISE as Login, meaning that to match on ISE you need Radius:Service-Type = Login.
This is used if you have a web server that provides you a portal, or if you want to use one of the ISE portals, usually a copy of the sponsored Guest Portal. So in your case, because you want to use the 9800 customized portal, you have to leave those fields empty by removing the above CLI lines. That means when you check the username/password with ISE (using ISE locally defined users or Active Directory), the 9800 will send those as "Outbound", Radius:Service-Type = Outbound.
One more thing: in your ISE Policy Set, you're not telling ISE where to look to check the usernames/passwords that guests will be using, meaning if you need to check against an AD group then you specify that group, and if you need to check them against an ISE local group you need to specify that. In the screenshot below you can see that I'm using a simple policy set to check both AD and the internal ISE group without checking the service type, but you can definitely use that check too.
ISE Policy Set.jpg

Thanks, I will configure the policies as you mentioned, give it a try and let you know!

 

Best Regards

Thank you. It is working now.

 

Could you please also tell me how to install a wildcard certificate for the webauth certificate on the 9800 WLC?

 

Thanks in advance.

Check this link:

 

https://thewlan.com.au/2020/07/14/9800-local-webauth-certs/

 

Regards

Don't forget to rate helpful posts

I will try to install it and let you know.

 

Thanks

You can try this method as well. I tried it in my lab and it worked:

 

First you need to create a trustpoint on the WLC. The trustpoint contains the certificate authority that signed the certificate in use.

 

WLC1(config)#crypto pki trustpoint WILDCARD
WLC1(ca-trustpoint)#fqdn *.xyz.com
WLC1(ca-trustpoint)#subject-name cn=*.xyz.com
WLC1(ca-trustpoint)#revocation-check crl
WLC1(ca-trustpoint)#rsakeypair WILDCARD

 

Next, you should import the certificate. There are multiple ways of importing the certificate, but you can use FTP/TFTP to transfer the certificate from your laptop to the WLC.

Info: the certificate must be in PKCS12 (.pfx) form.

 

WLC1(config)#crypto pki import WILDCARD pkcs12 ftp: password xyz12345
% Importing pkcs12...
Address or name of remote host []? 192.168.21.25
Source filename [WILDCARD]? WildcardCert.pfx
Reading file from ftp://192.168.21.25/WildcardCert.pfx!
[OK - 6048/4096 bytes]
% The CA cert is not self-signed.
% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]:yes
*Sep 16 10:38:02 UTC: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named WILDCARD has been generated or imported by pki-pkcs12
CRYPTO_PKI: Imported PKCS12 file successfully.
WLC1(config)#exit
WLC1(config)#wr

*Sep 16 10:38:06 UTC: %PKI-6-TRUSTPOINT_CREATE: Trustpoint: WILDCARD-rrr1 created succesfully
*Sep 16 10:38:06 UTC: %PKI-6-PKCS12_IMPORT_SUCCESS: PKCS #12 import in to trustpoint WILDCARD successfully imported.

 

The certificate is now successfully imported into the WLC and can be associated with the webauth WLAN.

Then you can assign the wildcard certificate to the webauth parameter map.

 

Regards

Don't forget to rate helpful posts

Thank you I will try it!

 

Could @Grendizer @Sandeep Choudhary please help me with this issue? Here is the post about my Mobility Express issue:

https://community.cisco.com/t5/wireless/mobility-express-issue-with-ise-amp-cloud-radius-server/m-p/4466968#M233371

 

Thanks again
