WLAN Guest - ISE sending CoA to foreign disassociates (some) clients
We have a funny behavior on one customer's guest access.
The solution uses web authentication (L3); the login page is stored locally on the anchor controllers (Local Web Authentication), and Cisco ISE v184.108.40.2069, patch 6, hosts the sponsor portal and authenticates clients via CHAP/RADIUS.
Recently we implemented a foreign + anchors architecture and upgraded to 7.6.130 (from 7.3).
As stated in Cisco's Enterprise Mobility 7.3 Design Guide, the WLAN's security parameters are configured exactly the same on both the foreign and the anchors, including the authentication and accounting servers (acct+auth are active on both foreign and anchors, with the same RADIUS servers - the ISE PSNs).
This generates double accounting: the foreign sends an acct start with username = MAC as soon as the client associates, and the anchor sends an acct start with username = username after the user authenticates. The "live sessions" on ISE indicate the foreign IP as the NAS associated with these guest users.
On certain clients (I haven't caught the trigger yet) ISE sends a CoA Admin Reset to the foreign after the user is successfully authenticated by the anchor, and the user is disassociated. The workaround is to disable RFC3576 (CoA feature) in the RADIUS server configuration of the foreign – ISE sends the CoA but the WLC rejects it and everybody is happy (apart from a "dynamic authorization failed" alarm on ISE).
When I disable the "Allow only one guest sessions per user" option on ISE, this behavior stops, which seems to indicate that ISE is somehow counting sessions twice. My theory at this point is that ISE understands that the accounting from the foreign (with the device MAC) is actually from the same user as the one on the anchor and disconnects the older session (as expected), that being the one on the foreign because it is created as soon as the client associates.
One solution is, of course, to disable accounting (and maybe even authentication) on the foreign, but: first, I don't know if this will break the anchoring at some point; second, I don't want to diverge from the design guides in a production environment.
Is anyone seeing the same behavior? What is your opinion on this?
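As an added illustration (not code from the original post, Cisco or ISE), here is a small Python model of the theory above: the foreign sends Acct-Start with User-Name = MAC at association, the anchor sends Acct-Start with the real username after web auth, and a "one session per user" rule that correlates the two by Calling-Station-Id disconnects the older (foreign) session. The NAS addresses, MAC, username and the correlation rule itself are constructed assumptions, not ISE's actual algorithm.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of the double-accounting scenario. The correlation rule
# (same Calling-Station-Id => same guest, disconnect the oldest session) is an
# assumption modelling the poster's theory, not ISE's real implementation.
FOREIGN_NAS = "192.0.2.10"        # constructed foreign controller address
ANCHOR_NAS = "192.0.2.20"         # constructed anchor controller address
CLIENT_MAC = "00-11-22-33-44-55"  # constructed client MAC

@dataclass
class AcctStart:
    nas_ip: str                # NAS-IP-Address
    user_name: str             # User-Name (MAC on the foreign, username on the anchor)
    calling_station_id: str    # Calling-Station-Id (client MAC on both)
    acct_session_id: str       # Acct-Session-Id

@dataclass
class SessionTracker:
    one_session_per_user: bool = True
    sessions: List[AcctStart] = field(default_factory=list)  # kept in arrival order
    coa_sent: List[Tuple[str, str]] = field(default_factory=list)

    def accounting_start(self, msg: AcctStart) -> Optional[Tuple[str, str]]:
        """Register a session; return (NAS-IP, Acct-Session-Id) of the session
        that would receive a CoA Disconnect, or None if nothing is disconnected."""
        victim = None
        if self.one_session_per_user:
            same_client = [s for s in self.sessions
                           if s.calling_station_id == msg.calling_station_id]
            if same_client:
                oldest = same_client[0]   # foreign session, created at association
                self.sessions.remove(oldest)
                victim = (oldest.nas_ip, oldest.acct_session_id)
                self.coa_sent.append(victim)
        self.sessions.append(msg)
        return victim

def simulate(foreign_accounting: bool, one_session_per_user: bool) -> Optional[Tuple[str, str]]:
    """Replay association on the foreign, then successful LWA on the anchor."""
    ise = SessionTracker(one_session_per_user=one_session_per_user)
    if foreign_accounting:
        ise.accounting_start(AcctStart(FOREIGN_NAS, CLIENT_MAC, CLIENT_MAC, "foreign-0001"))
    # anchor Acct-Start carries the real guest username once web auth succeeds
    return ise.accounting_start(AcctStart(ANCHOR_NAS, "guest01", CLIENT_MAC, "anchor-0001"))

if __name__ == "__main__":
    print(simulate(True, True), simulate(True, False), simulate(False, True))
```

The three calls reproduce the post's observations: CoA aimed at the foreign with both options on, no CoA when "one session per user" is off, and no CoA when the foreign sends no accounting.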