Accepted Solutions
OK, two things need to be checked:
After the client accept the AUP page/portal, ISE is sending back to the WLC two things to apply them to the client session (yes, you will see successful log from ISE and the WLC moved the client to run state with below):
1. ACL: DENY_GUEST_INTERNAL
2. security-group-tag=0006
ISE shouldn't send group tag in this case
For the ACL, best practice is to not use ACL to control guest traffic, instead use Anchor deployment in the DMZ or VRFs design so you can isolate the guest traffic from corp traffic. In this case it might causing the problem somehow, you can start removing the security tag first from ISE config then if that doesn't fix the problem then try to remove the ACL too from ISE reply and make it simple "Permit Access" as in below screenshot.
I'm positive one of the above is causing the issue you have.
[cid:image001.jpg@01D78B1D.3D3E8960]
From the RA trace:
2021/08/06 15:23:46.036756 {wncd_x_R0-0}{1}: [radius] [24995]: (info): RADIUS: Cisco AVpair [1] 32 "cts:security-group-tag=0006-00"
.
.
2021/08/06 15:23:46.036773 {wncd_x_R0-0}{1}: [radius] [24995]: (info): RADIUS: Airespace-ACL-Name [6] 21 "DENY_GUEST_INTERNAL"
.
.
2021/08/06 15:23:46.040199 {wncd_x_R0-0}{1}: [aaa-attr-inf] [24995]: (info): [ Applied attribute : security-group-tag 0 "0006-00" ]
.
.
2021/08/06 15:23:46.040201 {wncd_x_R0-0}{1}: [aaa-attr-inf] [24995]: (info): [ Applied attribute : bsn-acl-name 0 "DENY_GUEST_INTERNAL" ]
Hi Arshadsaf,
Here is what my policy tag looks like, all of those options are enabled
Additionally, we've checked our testing PA Firewall and can see that port 1700 is not being blocked. We see ISE successfully communicating over UDP port 1700. ISE also appears to be acknowledging that the WLC has replied.
Below is our generalized punt ACL for web auth redirection. We've tinkered with this a lot and admit that it's certainly very generalized and just enough to get the client to hit get the Hotspot Guest Portal (IP has been blurred.)
This ACL seems to "work" and users do get to the Hotspot Guest portal on all of the devices we've tested. They scroll down, press "accept" and get a confirmation screen that says, "You've connected to the network".
During this, I see the client move to the "RUN" state on the WLC and a successful authentication log is produced on ISE.
However, still, the client does not see that it has an internet connection. We do have a deny ACL that is on that policy tag to block internal applications from being accessed by the guest user, but even taking that ACL out of play, the client still doesn't see it as having internet until you manually disconnect from the SSID and rejoin.
Hi Grendizer,
I had ran into this previously, but had already made these changes as well. The captive portal is working as expected. My failure occurs here:
While the page shows "Connection Successful" users have to hit "Cancel" and then "Use without internet".
Immediately upon doing this, the client recognizes that it does have wireless connectivity and they can browse the internet as expected. This holds true for my Macbook as well as my android devices. Users never see that "done" button appear as we would expect. If they don't hit cancel, but toggle their wifi off and then on, the connection works as expected.
We're utilizing one VLAN for our guest network and not attempting to apply a new VLAN after authentication. As far as I am aware, this shouldn't be causing any issues with authentication and the client recognizing it has network.
Before the user hits "cancel" and "Use without internet" the WLC shows them in the "RUN" state and our ISE installation generates a successful Live Log.
Additionally, I've ran my configuration through the Wireless Config Analyzer Express (to see if there was anything obviously wrong) and got no results from that.
Any thoughts or guidance is greatly appreciated.
