03-08-2024 05:09 AM
Hi team!
We have been struggling with an issue after migrating our ISE deployment from 2.6 to 3.1 last year.
We found out that accounts used for the Wi-Fi guest solution stop working properly 21 days after being created using the Sponsor portal. The behaviour is that the user cannot navigate anymore, and this is how it looks from the Guest Accounting reports page:
From a policy perspective, the attempt seems to get stuck at the CWA redirection and we couldn't find anything relevant in the Live Logs, except that, compared to a working device, Step 15048 doesn't appear for a non-working device.
This happens to any kind of device, and once the account stops working, it doesn't work anymore until we create it again. On the Sponsor portal, the accounts are not locked or expired.
We use AD for authentication, and another strange behaviour is that some accounts are not able to create guest accounts which work, even if they are in the same AD group.
Any help or suggestion will be much appreciated. I could provide more details but didn't want to make it very extensive.
Thanks.
03-11-2024 05:19 AM
https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356
Endpoint purge rules? Are you using Guest Flow in the policy?
03-12-2024 12:05 PM
Thanks for taking the time to answer. The purge rules we have are the following, where the first two are not actually in use because those Identity Groups are not referenced anywhere. The third one is related; however, the days don't match. We could try to disable it, though.
The other purge policy is the following, although we are able to see how a non-working account is neither expired nor purged by this policy.
Regarding the Guest Flow, yes, we use it, and the weird thing is that it's the same configuration as it was on the previous deployment, version 2.6. Now we have version 3.1, patch 7.
The CWA redirection policy result is the following:
One more thing we realized is that when an account stops working, it's like it gets stuck on the CWA redirection policy according to the Live Logs.
03-12-2024 07:32 AM
So, 2 things I can think of that we saw on ours.
1) You may have your portal creating a 21 day account if that is all they are getting, check the portal settings.
There is also a second place to check and that is under guest type.
The last thing we ran into is the endpoint purge. This was deleting registered guest endpoints. By default it is 30 days from registration, I had to change ours to 30 days inactive. You can find this under Administration>>Identity Management>>Settings and will see endpoint purge on the left.
03-12-2024 01:05 PM
Thanks Dustin for your reply.
For point 1, the solution we have implemented is a Sponsored Guest Portal, not the Self-Registered one, so there is no option to specify the valid days for an account.
For the second place, we have it just like your screenshot.
In regard to the last thing you mentioned, we already have it like that.
03-12-2024 01:58 PM
Yeah, that is odd that you have it set at 90 days but getting removed. Have you verified a new register shows the expiration date is in 90 days? This would rule out anything with the portal and point to something with purging rules.
03-13-2024 06:13 AM - edited 03-13-2024 06:31 AM
Yes, we have verified that the expiration configured is the one being shown. But I don't think it is related to purging rules, because when an account is not working anymore, it can still be present in the Identity group; however, we have disabled the purging for the related Identity group, for testing.
Another behaviour we found is that some users belonging to the AD group that is authorized to create Sponsored accounts are not able to create a working Sponsored account. I mean, the accounts just created by these users never work.
03-13-2024 07:07 AM
This just happened, so I'm adding some screenshots in order to give you more details.
An account created two months ago, that is still active and whose MAC is present in the Guest Identity group, is not working at the moment. In the Live Logs we can see how it is redirected to the proper auth policy and is shown as connected for a couple of minutes, until the connection drops. In the Live Logs, it shows that it goes back to the redirection policy and stays there.
Account details:
03-13-2024 01:15 PM
So, the only thing I see that is odd is that when it works it's getting the guest username in the identity, but when it's not working it's presenting the MAC of the phone. Does the system register the device at all as a guest endpoint? If so, I wonder if you add to your OR statement in the rule.
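The observable described in this thread (a working session carries the guest username as its identity, while a stuck one keeps landing on the CWA redirect rule with the endpoint MAC as identity) can be turned into a small triage check over exported log records. The script below is an added example, not code from the thread or from Cisco ISE; the whitespace-separated record layout, the rule name `Guest_CWA_Redirect`, and the sample records and account table are all constructed assumptions, so the parser would need adjusting to whatever export format is actually used.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records modelled on the thread's description of the Live Logs.
# Field layout (timestamp, identity, endpoint MAC, authorization rule) is an assumption
# for this example and is not the real ISE Live Log export format.
SAMPLE_LIVE_LOG = """\
2024-03-13T06:40:12 guest-alice 00:11:22:33:44:55 Guest_CWA_Redirect
2024-03-13T06:40:31 guest-alice 00:11:22:33:44:55 Guest_Permit_Access
2024-03-13T06:45:02 00:11:22:33:44:55 00:11:22:33:44:55 Guest_CWA_Redirect
2024-03-13T06:46:10 00:11:22:33:44:55 00:11:22:33:44:55 Guest_CWA_Redirect
2024-03-13T06:50:00 guest-bob aa:bb:cc:dd:ee:01 Guest_CWA_Redirect
2024-03-13T06:50:20 guest-bob aa:bb:cc:dd:ee:01 Guest_Permit_Access
"""

# Constructed sponsor-account table: endpoint MAC -> account creation date (assumption).
SAMPLE_ACCOUNTS = {
    "00:11:22:33:44:55": datetime(2024, 1, 13),   # roughly two months old, as in the thread
    "aa:bb:cc:dd:ee:01": datetime(2024, 3, 10),   # created a few days ago
}

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.IGNORECASE)
REDIRECT_RULE = "Guest_CWA_Redirect"  # assumed name of the CWA redirect authorization rule


def parse_live_log(text):
    """Parse the constructed records into dicts with a parsed timestamp and lowercase MAC."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, mac, rule = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "identity": identity,
            "mac": mac.lower(),
            "rule": rule,
        })
    return records


def stuck_endpoints(records, min_redirect_hits=2):
    """Return MACs whose newest records show the symptom from the thread: identity equals
    the MAC (no guest username) and the session keeps hitting the CWA redirect rule
    without a later permit. A single redirect hit is normal (first contact), so a
    minimum run length is required before flagging."""
    by_mac = {}
    for r in records:
        by_mac.setdefault(r["mac"], []).append(r)
    stuck = []
    for mac, recs in by_mac.items():
        recs.sort(key=lambda r: r["time"])
        trailing = 0  # consecutive MAC-identity redirect hits at the end of the history
        for r in reversed(recs):
            if r["rule"] == REDIRECT_RULE and MAC_RE.match(r["identity"]) and r["identity"].lower() == mac:
                trailing += 1
            else:
                break
        if trailing >= min_redirect_hits:
            stuck.append(mac)
    return sorted(stuck)


def triage(records, accounts, now, threshold_days=21):
    """Correlate stuck endpoints with sponsor-account age against the 21-day mark the
    thread reports, so the two observations can be checked side by side."""
    stuck = set(stuck_endpoints(records))
    report = {}
    for mac, created in accounts.items():
        age = now - created
        report[mac] = {
            "age_days": age.days,
            "stuck": mac in stuck,
            "past_threshold": age >= timedelta(days=threshold_days),
        }
    return report


if __name__ == "__main__":
    now = datetime(2024, 3, 13, 7, 0)
    for mac, info in triage(parse_live_log(SAMPLE_LIVE_LOG), SAMPLE_ACCOUNTS, now).items():
        print(mac, info)
```

Run against a real export, the interesting rows are those where `stuck` and `past_threshold` disagree: a stuck endpoint whose account is under 21 days old points away from the account-age theory, while stuck endpoints that are all past the threshold support it.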
03-27-2024 11:43 AM
Yes, the system registers the device as a guest endpoint, or whatever Identity group you define in the Guest types. The statement is added on the rule; we even tried without the Guest flow and the symptoms are the same.
03-27-2024 12:48 PM
With it not passing a user, you may not be hitting the guest type. You may want to try with the SSID contains Guest and the GuestEndpoints group.
04-05-2024 12:01 PM
Hi Dustin,
When we tried removing the guest type from the auth policy, that didn't work either for new connections. The attempts got stuck in the CWA redirection auth policy with the MAC as the username, as if the web redirection wasn't working. And the sponsor portal doesn't appear on the device in order to authenticate.
For a working account, this solution is still working, with the CWA redirection (until the three weeks pass).
04-08-2024 06:16 AM
Not sure why your redirect isn't working. Here is what we use for guest without issue. When they are on the redirect, if they put in an IP address, do they redirect? Something not on your network.
04-26-2024 06:00 AM
After some weeks of troubleshooting, apparently we finally found the issue. We disabled the "Enable Session Timeout" on the WLC for this guest SSID and the non-working accounts are starting to work again. Also new accounts after the 21 days.
I don't understand the reason. Meanwhile, we are monitoring whether everything is working as expected. Thanks for your support.
08-27-2024 08:39 AM
I am also having the same issue. Has your fix of disabling the "Enable Session Timeout" caused any issues, or is everything working as expected?