04-07-2015 04:33 AM - edited 07-05-2021 02:51 AM
Hi,
I have configured the ISE as per the link below:
https://supportforums.cisco.com/document/110031/central-web-authentication-cwa-guests-ise
but my authorization policy is not working: when a user gets connected to the guest WLAN it gets authenticated, but when it looks for authorization
it goes to the default policy. It should hit the policy created above; screenshot as below.
04-07-2015 03:20 PM
Arnol,
Your AUTHZ configuration is wrong based on the steps you followed from the link. You should not combine Wireless MAB + Authentication Status equal to UNKNOWN User in the same rule.
If you check the link, the Wireless MAB applies only to the AUTHENTICATION Policy part of the ISE Configuration which is combined with the IF USER NOT FOUND = Continue.
The AUTHZ policy part ONLY requires 2 policies to be configured for CWA to work:
1.-Network Access equals to GUEST FLOW (This policy avoids a loop that is caused after going through the initial authentication process once you are redirected)
2.-Network Access Authentication EQUALS Unknown User THEN CWA (this is the initial redirect and authentication)
3.-Disable temporarily the NEW_PC_USER AUTHZ policy you created and test again CWA only.
04-08-2015 01:03 AM
But when I apply the 2.-Network Access Authentication EQUALS Unknown User THEN CWA
policy it will not work and it is matching the last default policy.
04-08-2015 08:28 AM
What version of ISE + patch are you running? Could you please send a screenshot of the AUTH policies including the default --- > USE part? Are you using a customized portal for the first authentication process?
CWA is pretty straightforward. The only issue I faced was that multiple VMs (ISE Personas) running on one single server were not replicating the AUTHZ policies properly, so I added the PSN persona into the PAN Node and everything worked fine immediately. In addition to that, I realized that I needed at least ONE ENTRY in the ISE PAN Internal Endpoints DB so I could hit the AUTH Policy for the MAB & user not found condition, which sent me to the AUTHZ = User Unknown + Redirect. Once I authenticated the user using the Default Portal, that meant I hit the GUEST FLOW policy. If you are using customized portals for the first authentication process, check: web portal mgmt. --- > Guest --- > MultiPortal Configurations --- > Customized Portal -- > Authentication part.