Cisco ISE CWA issue
Good Day,
I have Cisco ISE 1.2 with Cisco 2960 NAD.
I configured the authorization for the employee successfully, but my issue is with the guest users the link is not redirected.
Please advise what I have put in the authentication policy default rule?? deny access ?
And on the switch I should put the guest connect to a specific ports or I have to configure specific VLAN in the authorization profile?
Appreciate your support,
In your authorization policy you are giving your Wired-Guest the same result as Wired-Webauth.
First time through you don't know he's a guest so he hits Wired-Webauth and gets redirected. Second time through, you have him in guest flow, so you know he's an authenticated guest, he hits Wired-Guest, but you send him the same permissions "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed for instance.
Similar Messages
-
Cisco ISE - CWA AD Authentication
Hello,
I'm using a Cisco ISE on 1.3 and have a CWA portal setup for AD Auth. When a user connects to a particular SSID (from a WLC) that is setup for mac filtering, it redirects to a CWA via the Auth Policy. the CWA is disabled, they login, the device registers, etc.. and all is well. The next policy checks to see if the device is registered, and if so, bypasses the Auth. Which also works. However, any AD account can authenticate against the CWA, not the particular AD account I want. I don't know where to put the Auth Policy or what it looks like. Any help would be appreciated. I've tried a few combinations to no avail.
Below are my current Auth Policies, as I mention above. They work, but the CWA validates any AD credential, not the group I want. Should a NetworkAccess:UseCase=GuestFlow go between the 2 policies perhaps?Hi Marc, what I meant by "desired_permissions" is what your environment/situation calls for. With that being said, returning back only "access_accept" with your "authorization profile" would work but at the same time it will give the authorized users/devices full access. So unless you have an ACL to Firewall off the guest users, you would need to return some additional attributes when trying to restrict/limit guest users/devices.
For instance, I like to use Policy Sets and dedicate a policy set per SSID and then either a general Policy Set for Wired or one Policy Set for Corporate Wired and one for Guest Wired. If you don't use policy sets, then you should create one "authorization rule for Guest_Wired and one for Guest_Wireless.
For the Guest_Wired, you will need to return "access_accept" and then a "DACL Name" that you can create locally in ISE.
For the Guest_Wireless, you will need to return "access_accept" and then a "Airspace ACL Name" That ACL is not a DACL (WLCs do not support DACLs). Instead, that is an ACL that you configure locally on the WLC, thus, the name must match on both ends and it is case sensitive!
Both the DACL and the "Airspace ACL" would contain rules that fit your environment/security requirements. Typically though you would have:
1. Permit DNS- Needed for DNS resolution
2. Permit access to ISE - Needed for the guest pages to properly load)
3. Deny any private/RFC 1918 addresses - Blocks guests from accessing internal hosts
4. Permit everything else - Needed for general internet browsing
I hope this helps!
Thank you for rating helpful posts! -
Cisco ISE - CWA redirect in another way than cisco-av-pair?
Hello.
I'm trying to set up ISE as a CWA.
I have made all the rules in both Authenticatin and Authorization, and I also see the clients hitting the right rules. The Authorizaton rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
But here is the problem: We use Aerohive as Accesspoints. And Aerohive does not support cisco-av-pair attributtes, since it's Cisco proprietary.
Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.
So the big question: Is there way to make the same redirect using standard radius attributes?
Thank you.Unfortunately there isn't. I have done a project with ISE and Aerohive before and outside of basic 802.1x authentications, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE but just a compatibility one:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
If could be wrong here so if someone else has done this before pls chime in.
Thank you for rating helpful posts! -
Hi dears,
I deployed the ISE primary and secondary mode. Then I did deregister the secondary ISE at Primary ISE. Now i want to register the same second ISE as secondary mode on Primary ISE. but this error occur:
Unable to register SecondaryISE. Node is not a Standalone node.
I connect the secondary ISE and see deployement personas
Administration: Secondary
Monitoring: Secondary
Then I did promote to primary command after that ISE is log out but the problem is not solve.
version 1.20.8xx of both ISE's
How i solve this issue?
Thankstry by promoting the secondary ISE which you have de-registered to standlone and try registering it on primary now
-
Why are the ISE nodes needed to be defined in the web authentication redirect acl that is configured locally on the switch?
All the documentation that I've found states this. I've setup my 2yr old ISE environment this way and was advised in the beginning to do so. But after thinking the whole authentication process through and then testing out my theories I don't understand why the ISE nodes need to be defined in the switch redirect acl. I am now testing with a simple "redirect www & 443" acl and it is working as expected.
The client connects to the network and, for our environment, is requested to do dot1x until that times out and then it shifts to mab. At which point, I do not have an authz rule defined for my test machine and therefore matches my catch-all authz rule of CWA which sends a CWA DACL. The switch lays the acls on the interface in this order: 1. Redirect 2. DACL 3. PACL. In my DACL I have access to the ISE nodes allowed (just to be safe) and the redirection still works because my test machine is not sending any www/443 traffic to the ISE nodes that I'm aware of (CWA is 8443).
Can someone explain (in detail) why a client machine would send www/443 traffic to the ISE nodes and therefore need to be defined in the CWA redirect acl local to the switch.Poonam,
I appreciate the response. I understand the process and flow of CWA but I still don't see why the ISE nodes need to be defined (as deny statements or at all) in the redirect acl that is locally configured on the switch. Let me try to explain it better (sorry for the novel):
1. a default PACL is statically applied to an unused interface. For my environment our PACL is a simple "permit ip any any" which allows an open fallback in case communication to ISE fails.
2. A client plugs in and the switch begins talking dot1x to the client. During this time the PACL is the ONLY acl that is applied to the interface/client.
3. The client does not run dot1x and therefore the switch eventually fails over to mab. At this time, the CWA authz rule comes into effect and ISE sends the DACL to the switch via radius and also references which RACL (redirect acl) to use.
4. Not many people seem to understand this part....The switch then rebuilds the ACL that is applied to the interface/user. The switch creates an ACL that consists of ALL THREE ACLs. The first portion of this ACL is the RACL with permit statements (which are the deny RACL statements configured on the switch) and then redirect statements (which are the permit RACL statements configured on the switch) and then the DACL from ISE is the next portion of this new ACL and then the very last portion is the original static PACL that is configured on the port.
Again, I've tested this out over and over again on several different platforms (6500, 3700, 3800) and because, during the stage where the interface is in CWA state, the ACL that is applied to the interface is ALL THREE ACLs in the order of RACL>DACL>PACL....it doesn't seem to make sense that you need to define the ISE nodes in the RACL because all you need to define is what traffic you want to redirect. You define what traffic you want allowed in the DACL which is where you state access to the ISE nodes (either complete access or only 8443 access).
Let me give you this example. Say I have the following confgured:
CONFIGURED SWITCH INTERFACE ACL (PACL)
ip access-list standard ACL-ALLOW
permit ip any any
CONFIGURED SWITCH REDIRECT ACL (RACL)
ip access-list extended ACL-WEBAUTH-REDIRECT
permit tcp any any eq www 443
CONFIGURED ISE DOWNLOADABLE ACL (DACL)
permit tcp any host <psn01> eq 8443
permit udp any host <dns01> eq 53
deny ip any any
Then the process would look like this:
1. During dot1x negotiation the acl that is used is this:
permit ip any any <<<<<PACL
2. Once CWA is in effect then the acl looks like this:
redirect tcp host <host ip> any eq www 443 <<<<<<RACL
permit tcp host <host ip> host <psn01 ip> eq 8443 <<<<<<DACL
permit udp host <host ip> host <dns01 ip> eq 53 <<<<<<DACL
deny ip any any <<<<<<DACL
permit ip any any <<<<<<PACL -
Good morning everyone,
I have some trouble to use my Cisco ISE to do Central Web Authentication. I followed this following configuration example : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
But for the moment, clients can't seee the web portal. My WLC and my Cisco ISE are well configured as presented in the document, when clients connect to the AP, they are listed into the Cisco ISE with the good authorization profile but, the URL redirection doesn't work as well as I want, clients have to enter manually the IP address in the web browser to log-in trough the Cisco ISE.
If anyone already had this problem, maybe could tell me more about that.
Thanks in advance!Good news!
I have resolved my problem 15 minutes ago. For people who have the same problem, I have just changed my static route in my WLC. The issue was that I broadcast the same VLAN used for the management interface and in adding the network allowing admin to reach service-port, all traffic of my broadcasted VLAN was sent to the service-port. A simple netmask modification resolved the problem.
I have still a problem with CoA which doesn't work properly and I have to disconnect/reconnect to the SSID to have a complete access but I'm going to continue my research for that.
Thanks all for your help !!!! -
Cisco ISE Guest Portal - DNS Issue - External Zone
Hello,
I have a customer that has the following sceanrio :
In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect URL from ISE (URL to access the ISE Guest Portal), this URL is based on the ISE DNS name, not on its IP address; so, the PC can't resolve this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided by the DHCP server, and, so, it can't access the Guest Portal at all ;
I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
Thank-you in advance for your replies.
Robert C.Robert,
Manual assignment has been made available in ISE 1.2 release.
M. -
Cisco ISE 1.2.1 deplyomet issue with Anyconnect and Profiling
Hi All,
We are running cisco ise box in 1.2.1 version wherein I am facing below issue while deployment. We are having two ISE boxes where One box act as Primary Admin,Secondary MNT and Policy Service and Second Box act as Secondary Admin,Primary MNT and Policy Service
1) Profiling of Endpoints - HP Laster jet printer 55XX series and scanner profiling are not happing in Cisco ISE 1.2.1 wherein I have enabled below probes in ISE for profiling
RADIUS Probe
SNMP Probe SNMP Trap HTTP Prob and DNS
2) Any-connect issue - We are using any-connect supplicant 3.0.11042 for wired and wireless user profile in windows 7 enterprises 32 bit machine
- Yellow mark issue - Once authentication , posturing completed we are getting yellow mark on network drive but still we are able to connect to network
- Network Map Drive issue - Once authentication , posturing completed we are getting red cross mark on Network map drive and if we double click on that drive then its get accessible and red mark turns in to green.
For that we have already allowed Ip level access to all domain in before logon dacl ( Machine authentication )
That would be really great if any one can help me on the same.
Thanks & Regards
PranavHi Pablo ,
Please find below solutions
Yellow mark issue - - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This Service is by default disabled on Windows XP and Widows 8.X operating system. This is only enabled by default on Windows 7 and Windows Vista operating system.
Network Map Drive issue - Create logon script and deploy it using group policy. Script will check full network connectivity and then map network drives
Regards
Pranav -
Coa issue with Cisco ISE 1.2
Hi, i am currently implementing webauth with Cisco ISE for self register, but i am having issue coa. I was able to get non-windows machine to work but with windows i can't push out the url redirection through coa. I have enabled debug and i can see ISE trying to push out the url redirection to the port, however the url was not show when i issue a show authentication session interface gi 1/0/x command. The only issue i can see from the debugging is that the interface failed authorization first then a success authorization right after. Again, the url redirection work on non-windows machine, i have even go as far as disable dot1x supplicant on windows and it still didnt fix the issue.
please see attachment for the debugging i had mention above. If anyone know or had this issue before please let me know how i can resolve this.finally figured it out. redirection acl was mess up.
-
Cisco ISE 1.3 Active Directory issue
Hi Folks
I am having an issue with our Cisco ISE and would love some feedback or a solution. I have to ISE configured to use our Active Directory setup and so far it appears to be functional. I could connect to AD retrieve groups and use AD for authentication. The issue I am experiencing is that when I try to go to the 'Administration > Identity Management > External Sources page and select our AD instance from the left hand side window the screen locks up and refuses to load. Any advice?hi
i also had this issue (and one of my collegue also) when using Firefox (version 34 and 35)
i managed to create the AD server using IE 10 for example, and after it appears correctly with Firefox
it was before ise1.3patch 1, but i have seen no corrected issue in patch1 release note for this problem
guillaume -
CISCO ISE ISSUE 24206 User disabled
Hi there,
We have here an issue with Cisco ISE. When I create a guest account with the sponsor portal We can´t access the Wlan. On tne Cisco ISE Operations \ Authentications returns the error message Event "Authentication" Faulure Reason "24206 User Disabled" Auth Method "PAP_ASCII" Authentication Protocol "PAP_ASCII"
In order to fix this issue, what can I do? I don´t understand why because I can create the user withou error message.
At the sponsor portal the user that I have created doens´t show at the list...
Any help??
Regards
AdrianoSelect the affected account and click Reinstate.
It is possible, that your sponsor account does not have the permission to Reinstate/Suspend accounts. Check/change this in your ISE admin page:
- Go to Administration > Guest Management > Sponsor Groups.
- Click the Sponsor Group your sponsor account is a member of to edit.
- Select tab Authorization Levels: view/modify the permission listed for the option Suspend/reinstate Accounts.
ref: https://supportforums.cisco.com/discussion/11431386/ise-guest-user-problem -
Facing issue in integrating with Cisco ISE
We are trying to integrate our product(Cisco Prime Infrastructure) with Cisco ISE for Authentication and Authorizations. We already support PAP/CHAP, and not trying to add support for EAP-TLS.
Currently during our integration, facing TLS payload errors. We are using jradius library for talk to Cisco ISE for authentication and facing the below TLS error in ISE logs. Tried with Cisco ISE 1.2 and 1.3 versions.
Event 5400 Authentication failed
Failure Reason 11500 Invalid or unexpected EAP payload received
DetailedInfo TLS packet parsing failed: total accumulated size plus this last fragment size is greater than expected total TLS message size
Any pointers to resolve this problem or any other free java based client library instead of jradius which is tried out successfully with Cisco ISE would also be great.
Regards
ChandrakumarDECLARE
CURSOR s_cur
IS
SELECT eno FROM emp;
TYPE fetch_array IS TABLE OF s_cur%ROWTYPE;
s_array fetch_array;
BEGIN
OPEN s_cur;
FETCH s_cur
BULK COLLECT INTO s_array;
CLOSE s_cur;
FORALL i IN 1 .. s_array.COUNT
INSERT INTO (select eno from emp_temp)
VALUES s_array (i);
END;
Its working, but not understood the concept.
INSERT INTO (select eno from emp_temp)
VALUES s_array (i);
How it works? -
Dear guys,
I deployed Cisco ISE for Network Access Control. My topology as described as attached image. I configured Cisco ISE as Radius Server for Client Access Control. But, I got some problems such as:
No Accounting Start. (I have configured accouting on Switch 2960).
Radius Request Dropped (attached image). These NAS IP Address are Servers on same subnet with Cisco ISE.
I would greatly appreciate any help you can give me in working this problem.
Have a nice day,
Thanks and Regrads,Sorry for late reply.
Here is my switch config.
Current configuration : 8630 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
boot-start-marker
boot-end-marker
no logging console
enable password ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa server radius dynamic-author
client A.B.C.D server-key keystrings
aaa session-id common
system mtu routing 1500
vtp mode transparent
ip dhcp snooping
ip device tracking
crypto pki trustpoint TP-self-signed-447922560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-447922560
revocation-check none
rsakeypair TP-self-signed-447922560
crypto pki certificate chain TP-self-signed-447922560
certificate self-signed 01
xxxxx
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 139,153,401-402,999,1501-1502
interface FastEthernet0/11
switchport access vlan 139
switchport mode access
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication periodic
authentication timer inactivity 180
authentication violation restrict
mab
interface FastEthernet0/12
switchport access vlan 139
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 139
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
interface GigabitEthernet0/1
switchport mode trunk
interface GigabitEthernet0/2
interface Vlan1
no ip address
interface Vlan139
ip address E.F.G.H 255.255.255.0
ip default-gateway I.J.K.L
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit icmp any any
permit tcp any host A.B.C.D eq 8443
permit tcp any host A.B.C.D eq 443
permit tcp any host A.B.C.D eq www
permit tcp any host A.B.C.D eq 8905
permit tcp any host A.B.C.D eq 8909
permit udp any host A.B.C.D eq 8905
permit udp any host A.B.C.D eq 8909
deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
ip radius source-interface Vlan139
snmp-server community keystrings RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host A.B.C.D version 2c keystrings mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
line vty 5 15
end
My switch version is
WS-2960 12.2(55)SE5 C2960-LANBASEK9-M
I would greatly appreciate any help you can give me in working this problem. -
HI
i am trying to implement guest portal and i have configure the ISE and switch to redirect guests and i see the whole process goes will when i issue
show authentication session interface GigabitEthernet1/0/11
Interface: GigabitEthernet1/0/11
MAC Address: 1078.d2fc.698c
IP Address: 192.168.0.59
User-Name: 10-78-D2-FC-69-8C
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 81
ACS ACL: xACSACLx-IP-TEST-WEBAUTH-DACL-519b76ec
URL Redirect ACL: ACL-WEBAUTH-REDIRECT
URL Redirect: https://HDOFFISEP01.mycompany.com:8443/guestportal/gateway?sessionId=0A0A6518000000010006F2B5&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A6518000000010006F2B5
Acct Session ID: 0x00000003
Handle: 0x0D000001
Runnable methods list:
Method State
mab Authc Success
dot1x Not run
my problem that the web browser does NOT direct automtically to the portal but it does manually when i copy the URL from the switch, any idea ?
switch configuration
boot-start-marker
boot-end-marker
logging monitor informational
enable secret 5 $1$PO2h$G1BUFwkbkA8ywc89FhBso/
username cisco privilege 15 password 0 cisco
username ise-rad-alive password 0 CICSOISEalive123
aaa new-model
aaa authentication login local local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 10.10.20.13 server-key myshared
client 10.10.20.14 server-key myshared
aaa session-id common
switch 1 provision ws-c2960s-24ps-l
ip dhcp snooping vlan 1-2000
no ip dhcp snooping information option
ip dhcp snooping
ip domain-name mycompany.com
ip name-server 192.168.10.40
ip device tracking probe use-svi
ip device tracking
ip admission name Webauth proxy http inactivity-time 60
vtp mode transparent
epm logging
dot1x system-auth-control
fallback profile Webauth
ip access-group ACL-WEBAUTH-REDIRECT in
ip admission Webauth
spanning-tree mode pvst
spanning-tree extend system-id
interface GigabitEthernet1/0/11
switchport mode access
switchport voice vlan 93
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 777
authentication event server dead action authorize voice
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
interface Vlan1
no ip address
shutdown
interface Vlan80
ip address 10.10.101.24 255.255.255.0
ip default-gateway 10.10.101.1
ip http server
ip http secure-server
ip access-list extended ACL-AGENT-REDIRECT
remark explicitly prevent DNS from being redirected to address a bug
deny udp any any eq domain
remark redirect HTTP traffic only
permit tcp any any eq www
remark all other traffic will be implicitly denied from the redirection
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host 10.10.20.13
deny ip any host 10.10.20.14
deny ip any host 192.168.10.43
deny ip any host 192.168.10.40
deny ip any host 192.168.10.41
deny ip any host 192.168.10.42
remark explicitly prevent DNS from being redirected to accommodate certain switches
deny udp any any eq domain
remark redirect all applicable traffic to the ISE Server
permit tcp any any eq www
permit tcp any any eq 443
ip radius source-interface Vlan80
logging origin-id ip
logging source-interface Vlan80
logging host 10.10.20.11 transport udp port 20514
logging host 10.10.20.12 transport udp port 20514
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.10.20.13 auth-port 1812 acct-port 1813 key myshared
radius-server host 10.10.20.14 auth-port 1812 acct-port 1813 key myshared
radius-server vsa send accounting
radius-server vsa send authenticationVerify that the redirection URL specified in Cisco ISE via Cisco-av pair "URL Redirect" is correct
CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp -
Cisco ISE Guest Sponsor Portal Isssue
Dear all ,
We have insatalled 5 ise 3315 boxes IOS 1.0.4 in our network where in two of them are admin node , two of policy services and one is mnt node. We are using guest sponsor portal for wirless guest user where in we have integrated WLC 5508 with ise and using weblogin for guest users.
We have created open ssid in wlc and using external redirected url of ise for guest login page.
But when we create any guest user in sponsor login for guest user we faced following issue
1) When guest user gets conected to wirless and login in to guest portal with credential after putting credential then its again redirect to same login page
wihout successful login prompt.
Can we pompt successful login after guest login to guest portal or redirect to any other link like google.com so guest user will gets to know he is able to access internet now
2) We have creted time profile 8hours first login for guest user. When guest user gets connected while putting credential in to guest portal.
But we face issue after approximately every 20 mins guest gets disconnected from internet and guest again gets login page of guest portal and if we put same credential then its working but after approx 20 min interval user get disconnected from internet.
Can anyone help me to resolved above issue regading cisco ise guest sponsor portal
Thanks & Regards
Pranav GadePranav your answers are inline,
1) When guest user gets conected to wirless and login in to guest portal with credential after putting credential then its again redirect to same login page
wihout successful login prompt. When you are using CWA (central web authentication) there is no way we can redirect users using the redirect-url because this will always redirect users for every time they initiate a web request. There is no other coa feature that will remove this condition since they have already been authenticated. Here is a guide that explains the user experience when using central web auth -
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_guest_pol.html#wp1296954
Can we pompt successful login after guest login to guest portal or redirect to any other link like google.com so guest user will gets to know he is able to access internet now No this is not possible, you can change the verbage and force the AUP to be displayed informing users that they can retry their web request after hitting the accept button.
Here is the documented experience once users go through the guest process -
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
2) We have creted time profile 8hours first login for guest user. When guest user gets connected while putting credential in to guest portal.
But we face issue after approximately every 20 mins guest gets disconnected from internet and guest again gets login page of guest portal and if we put same credential then its working but after approx 20 min interval user get disconnected from internet. Check the advanced timer on your SSID as you may be hitting the session timeout on the WLC. Please disable this option and let the COA feature in ISE expire user sessions on the controller.
Thanks,
Tarik Admani
*Please rate helpful posts*
Maybe you are looking for
-
Old Computer whent bad how do I deauthorize it?
All right I live in more than one place to start off with so I have 2 computer two start with that I authorize to play and down load music + a laptop. Well I had a hard drive go bad on one computer and then my Step father decied to reload the pc that
-
CS4 closes after about 5 minutes
When I run CS4, after about 5 minutes ( of non-use), it closes automatically. It was working fine until last night. Any suggestions as to what is causing this? I have Windows XP Home Edition.
-
I have a laptop running Windows 7 and the latest iCloud Panel installed. This laptop does not keep iCloud enabled after it has been turned off. Other computers/laptops on same network are working correctly. Looking for an answer and or soultion.
-
Hi there.. We are presently working on 4.6c & upgrading to MySAP . We have installed IDES ECC5 System (SAP ERP Central Component 5.0) in our organization. As we have never used BI or any of it's features, how do we start using the BW IDES & learning
-
Hi I am using BW 3.5 and R/3 4.6 and i am installing Business Content cubes for Project System. When i am loading data into cube 0PS_C04, i am unable to find the data for OPROJ,WBS... I heard that this infocube which consist of GUID will not support