3839 Views | 25 Helpful | 18 Replies

ISE 2.4 and 9800 WLC: Wireless guest issue

ittechk4u1 (Level 1)

Hello Experts,

 

I am facing an issue with guest access authentication. The old AireOS WLCs are working, but now I have installed a new 9800 WLC and it's creating an issue.

 

Requesting help to troubleshoot the authentication failure error messages below, seen for wireless guest users.

 

Event: 5400 Authentication failed
Failure Reason: 15039 Rejected per authorization profile
Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute
Username: USERNAME

 

It's not hitting the right Authentication policy.

 

Auth policies:

[Attachment: AuthZ.png]

[Attachment: authentication.png]

[Attachment: 1.png]

 

Steps

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15041 Evaluating Identity Policy
15013 Selected Identity Source -
22043 Current Identity Store does not support the authentication method; Skipping it
22064 Authentication method is not supported by any applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22060 The 'Continue' advanced option is configured in case of a failed authentication request
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario

 

 

Thanks in advance

Best Regards

 

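The step list pasted in the post already contains the answer to "which policy did it hit": the identity store skipped the authentication method (22043/22064), the 'Continue' option pushed the request on to authorization (22060), and the matching authorization rule picked DenyAccess (15016/15039). The following is an added example, not code from the thread or from Cisco, that parses a pasted ISE step list (codes fused to messages, as the forum rendered them) and prints that chain in order. The step codes and messages are the ones quoted above; the sample input is a constructed copy of that list, and the function names are this example's own.

```python
import re

# Constructed sample input: the ISE "Steps" list as pasted in the post above,
# with the step code fused to its message exactly as the forum rendered it.
SAMPLE_STEPS = """\
11001Received RADIUS Access-Request
11017RADIUS created a new session
15049Evaluating Policy Group
15008Evaluating Service Selection Policy
15048Queried PIP
15041Evaluating Identity Policy
15013Selected Identity Source -
22043Current Identity Store does not support the authentication method; Skipping it
22064Authentication method is not supported by any applicable identity store(s)
22058The advanced option that is configured for an unknown user is used
22060The 'Continue' advanced option is configured in case of a failed authentication request
24715ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036Evaluating Authorization Policy
15048Queried PIP
15048Queried PIP
15048Queried PIP
15016Selected Authorization Profile - DenyAccess
15039Rejected per authorization profile
11003Returned RADIUS Access-Reject
5434Endpoint conducted several failed authentications of the same scenario
"""

# ISE step codes are 4 or 5 digits and sit directly in front of the message.
STEP_RE = re.compile(r"^\s*(\d{4,5})\s*(.*?)\s*$")


def parse_steps(text):
    """Turn a pasted step list into an ordered list of (code, message) tuples."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), m.group(2)))
    return steps


def value_after_dash(steps, code):
    """Text after ' - ' in the first step with `code`: '' if the step carries
    no value (as 15013 does in the post), None if the step is absent."""
    for c, msg in steps:
        if c == code:
            return msg.split(" - ", 1)[1].strip() if " - " in msg else ""
    return None


def diagnose(steps):
    """Explain the reject from the step sequence. Findings come back in the
    order the flow produced them, so the first one is the place to look."""
    codes = {c for c, _ in steps}
    findings = []
    if value_after_dash(steps, 15013) == "":
        findings.append("15013: the Identity Policy selected an identity source with no "
                        "name; check which identity source the matching rule uses")
    if 22043 in codes or 22064 in codes:
        findings.append("22043/22064: the selected identity store cannot process this "
                        "authentication method, so authentication never succeeded")
    if 22060 in codes:
        findings.append("22060: the 'Continue' option on authentication failure sent the "
                        "request on to the Authorization Policy as an unauthenticated user")
    profile = value_after_dash(steps, 15016)
    if profile == "DenyAccess" or 15039 in codes:
        findings.append(f"15016/15039: the matching authorization rule selected the "
                        f"{profile or 'reject'} profile, which carries ACCESS_REJECT")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_steps(SAMPLE_STEPS)):
        print("-", finding)
```

Paste any other failed-authentication step list from the ISE Live Log detail into `SAMPLE_STEPS` (or read it from a file) and the same parser applies; the finding for 15013 is the one that points at the Authentication policy the poster suspects, since it shows that the rule that matched did not select a usable identity source for this guest flow.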
18 Replies

Hi Grendizer,

I have a third-party certificate installed, but when I put the guest.corp.com name for the certificate, the guests get a "This site can't be reached" when it redirects to the name I put in. I believe this is because I need to enter a DNS record for guest.corp.com to 192.0.2.1, as you mentioned. How do I go about doing that? Is it through Administration > DNS and then add DNS Server, or is there a different page to add that DNS record? Thanks for the help.

Configuration > Security > Web Auth > global > General >
Virtual IPv4 Address: 192.0.2.1
Virtual IPv4 Hostname: guest.corp.com
and select the "Trustpoint" that contains your third-party cert.
Next, on the DNS server, you need to add a DNS record to point the guests to the 9800 virtual IP address.

Hello,

It's that last part that I am confused about: what DNS server? We are using our ISP's DNS servers for the guest wireless, so will I have to change that to use our local DNS then? If we use our local DNS, is there a way for us to access the controller securely on the management IP vs guests accessing the virtual IP/DNS name when they sign in?

I am looking through the DHCP options; is it possible to add the IP and hostname there so we can keep the external DNS?

The DNS query will be sent from the guests to the DNS server to resolve guest.corp.com to 192.0.2.1, so there is no involvement from the WLC.
You can keep the external DNS for the guests, but you can advertise the 192.0.2.1 IP address to the public DNS as a "forward only" DNS A record. In this case, from anywhere, a DNS lookup of guest.corp.com will get the 192.0.2.1 IP address. This will work fine for the guests inside your network and they will get the portal with no issues; anyone from the internet will not get any response.
And obviously the second option is to use your local DNS server for the guests.
There is no DHCP option to solve the above.
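As an added example that is not part of the thread or of Cisco's documentation: a small pre-flight check that ties together the three pieces the replies above describe for web authentication on the 9800 (the virtual IP, the virtual hostname that must match a name in the trustpoint certificate, and the DNS A record the guests must be able to resolve). The virtual IP 192.0.2.1, the hostname guest.corp.com and the menu path are the ones quoted in the replies; the resolver table and the certificate names are constructed, and `hostname_matches`, `check_webauth` and the other function names are this example's own.

```python
import ipaddress
import re
import socket

# Values quoted in the replies above; they correspond to the settings under
# Configuration > Security > Web Auth > global > General on the 9800.
VIRTUAL_IP = "192.0.2.1"
VIRTUAL_HOSTNAME = "guest.corp.com"

# Constructed stand-in for the DNS server the guests use: one A record for the
# virtual hostname. Swap in system_resolve to query the real resolver.
GUEST_DNS = {"guest.corp.com": ["192.0.2.1"]}


def fake_resolve(name):
    """Offline resolver: list of A records, [] when the name does not exist."""
    return GUEST_DNS.get(name.lower().rstrip("."), [])


def system_resolve(name):
    """Live resolver using the host's configured DNS (not used by the test)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def hostname_matches(cert_name, hostname):
    """Exact match, or a single left-most wildcard label: *.corp.com covers
    guest.corp.com but not a.b.corp.com and not corp.com itself."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name == hostname:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # ".corp.com"
        prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return False


def check_webauth(vip, hostname, cert_names, resolve=fake_resolve):
    """Return a list of problems; an empty list means the virtual IP, the
    hostname, the DNS answer and the certificate names all agree."""
    problems = []
    try:
        ip = str(ipaddress.IPv4Address(vip))
    except ipaddress.AddressValueError:
        problems.append(f"virtual IP {vip!r} is not a valid IPv4 address")
        ip = None
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", hostname):
        problems.append(f"virtual hostname {hostname!r} is not a fully qualified name")
    answers = resolve(hostname)
    if not answers:
        problems.append(f"{hostname} does not resolve for guests; the redirect ends in "
                        f"'This site can't be reached'")
    elif ip is not None and ip not in answers:
        problems.append(f"{hostname} resolves to {answers}, not the virtual IP {ip}")
    if not any(hostname_matches(n, hostname) for n in cert_names):
        problems.append(f"no name in the trustpoint certificate {cert_names} matches "
                        f"{hostname}; guests would see a certificate warning")
    return problems


if __name__ == "__main__":
    # Constructed certificate names standing in for the third-party cert's SAN list.
    for problem in check_webauth(VIRTUAL_IP, VIRTUAL_HOSTNAME, ["guest.corp.com"]):
        print("-", problem)
```

Run it with `resolve=system_resolve` from a client on the guest VLAN, so the lookup goes through the same DNS servers the guests use (the ISP's, in the poster's case); the empty-answer branch is exactly the "This site can't be reached" symptom from the earlier reply, and the certificate branch catches a hostname that was entered on the controller but never added to the certificate's subject names.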