ISE 1.2 CWA with Multiple PSNs - SessionID Replication / Session Expired

Hi all.
I have a (2) Policy Services Nodes (PSNs) in an ISE 1.2 deployment running patch 1. We are using Wireless MAB and CWA on 5760 Wireless LAN Controllers running v3.3.3.
We are hitting an issue wherein a client first passes MAB and then gets redirected to a CWA custom portal. The client then receives a Session Expired message. This seems to be related to the fact that CWA is technically a 2-stage authentication (MAB by the WLC and then CWA by the client). Specifically, it seems to happen when the WLC makes its MAB RADIUS access-request to PSN-1 and then the client comes in to PSN-2 to complete the CWA. This issue does not happen when only one PSN is in use and all authentication traffic (both MAB RADIUS and CWA) is directed at a single PSN.
Clients resolve the FQDN in the redirect URL using public DNS and a public DNS zone file (call it cwa-portal.example.com). cwa-portal.example.com has two A records for the two PSN nodes. DNS is responding to queries using DNS round-robin.
I have the PSNs configured in a Node Group for session information replication between PSNs, but this doesn't seem to make a difference in behavior.
So I ask:
What is the recommended architecture for CWA when using more than one PSN? It seems that you would need to keep the two authentication flows pinned together so that they both hit the same PSN when using more than one PSN in a deployment. A load balancer balancing on the SessionID string comes to mind (both the RADIUS MAB request and the CWA URL contain this unique per-client SessionID), but that seems terribly overbuilt for a seemingly simple problem. On the other hand, it also seems like using a Node Group setup should easily be able to replicate client SessionIDs to all nodes in the deployment so that this isn't an issue. I.e., if the WLC authenticates MAB on PSN-1, then PSN-1 should tell the Node Group about it such that when the client CWA's on PSN-2, PSN-2 doesn't respond with a Session Expired message.
Is there any Cisco documentation that talks about this?
Possibly related:
https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired
Justin

Tim,
Thanks for your reply and confirming my suspicion. Hopefully a future version of ISE will provide automated SessionID synchronization among PSNs so that front-end finagling in a multi-PSN environment won't be necessary.
For anyone else with this issue who for whatever reason can't implement a load balancer(s), I built an automated EEM applet running on a "watchdog" switch (3750 running 12.2(55)SEE9) using IPSLA tracking that senses when PSN1 is down and then
modifies an ASA to change its client-facing NAT statement for PSN1 to PSN2
modifies the primary and HA wireless LAN controllers to change its MAB RADIUS aaa server group to use PSN2
reverts the ASA and WLCs to using PSN1 when PSN1 is detected up and running again
The applet ensures the SessionID authentications stay "glued" together so that both WLCs and the client hit the same PSN for both stages of authentication. It's failover only, not a load balancing solution, but it meets our current project's need for an automated HA environment.
PM me if you want the code. I'm have a little too much going on ATM to sanitize and post it. :)
Justin

Similar Messages

Dealing with multiples windows within a session (servlets & JSPs)

Hi,
How can I show multiple windows during a session and avoid terminating the current session when one of those windows is closed?
I have a main window through which the client navigates from page to page using servlets and JSPs. But if he opens the help window (via a <a href ... target="_blank"> and then closes the help window, the session is lost and the server doesn't recognizes the client anymore and creates a new session.
Can someone help?
Jean Vaillancourt, Montrial

Hallo,
how long is session-timeout and what do u do in your application ??
Sanjay

When closing 2 windows(with multiple tabs each), system restore does not properly restore the second window's tabs. Is this a bug in the new update/any ideas to fix?

I regularly use 2 windows with multiple tabs each and session restore would work to get them all back, but after this latest update the second window does not restore properly, with the first tab not visible on top(only in drop down menu) and the add a tab button now on the left(instead of right). The add a tab button is not really concerning other than it indicates other problems with the tabs on tab of the 2nd window. Not having the 1st tab visible is frustrating, because I can not move it or as easily navigate. Also, the tabs on top of the 2nd window that are visible no longer have the "x" to close visible unless that tab is selected. I'm assuming this is a problem with the new release/update, since this is the first time I've ever encountered the problem, and I've shut down and restored Firefox a few times to make sure this was a recurring problem and not a one-time deal. Any ideas on how to fix would be welcome(other than perhaps cramming my tabs onto one window or sucking it up XD).

Hi,
You can try to '''Reset toolbars and controls:''' and '''Make Changes and Restart''' in the [https://support.mozilla.org/en-US/kb/Safe%20Mode Safe Mode] start screen.
If the problem persists, please try a [https://support.mozilla.org/en-US/kb/Managing-profiles?s=profile&r=0&e=sph&as=s new profile]. You can later copy [https://support.mozilla.org/en-US/kb/Backing%20up%20your%20information?s=backup&r=1&e=sph&as=s needed data] from the old profile to this.
[http://kb.mozillazine.org/Profile_folder_-_Firefox Firefox Profile Folder & Files]

ISE 1.2 issue with CWA (Error : Your session has expired)

Hii
we have ISE deployment with two administration nodes and two service policy nodes running 1.2.1.198 , with CWA for wireless guest users (Cisco WLC) . Suddenly , many guest users faced an issue where login page is redirected but after inserting user/password it gave ""Your session has expired. Sign on again""
authentication logs on ISE shows:
Event 5418 Guest Authentication Failed
Failure Reason 86017 Session Missing
Resolution Please contact your Administrator
Root cause SessionID is missing. Please contact your System Administrator
we suspected the bug CSCul10677 , but it is fixed in 1.2.1.198 . We reloaded the two service policy nodes and that resolved the issue temporarily , but it showed back after couple of hours . The issue appeared with some users not all , and with no specific devies or operating systems.
Any idea ?
Regards,
Mohammad

Please refer the link : https://supportforums.cisco.com/discussion/12131531/ise-12-guest-access-session-expired
Workaround:
Terminate session from admin UI and type in the original URL to redirect to guest portal with a new session-id.
Disconnect SSID, wait for a few minutes, reconnect and enter the original URL to redirect to guest portal with the new session-id.

ISE 1.3 Multiple PSN's and Guest Credential Propagation

Hi There, I am struggling to find any information about Guest Credential Propagation in 1.3
I have 1 x Admin 1 x Backup admin Node 3 x PSN's
In 1.2 Each PSN hosted a guest portal/guest admin portal. As far as I can see that's now changed with 1.3 with 1 URL pointing to one PSN. We have multiple PSN's in different geographical zones to keep the authentication latency down but I am not sure how long it takes for the PSN where the single URL points to update all the PSN's in the deployment.
Does any one have any insight/ done this?

Hi Jan, its more the sponsor portal that is the issue as there is only one URL into that portal. So that portal is on just one PSN/url as far as I am aware. Happy to be told otherwise!

CWA with ISE and 5760

Hi,
we have an ISE 1.2 (Patch 5), two 5760 Controllers (3.3), one acting as Primary Controller (named WC7) for the APs and the other as Guest Anchor (named WC5).
I have trouble with the CWA. The Guest is redirected and enters the correct credentials. After that, the CoA fails with error-cause(272) 4 Session Context Not Found. I have no idea why....
aaa authentication login Webauth_ISE group ISE
aaa authorization network cwa_macfilter group ISE
aaa authorization network Webauth_ISE group ISE
aaa accounting network ISE start-stop group ISE
aaa server radius dynamic-author
client 10.232.127.13 server-key 0 blabla
auth-type any
radius-server attribute 6 on-for-login-auth
radius-server attribute 31 send nas-port-detail mac-only
wlan test4guests 18 test4guests
aaa-override
accounting-list ISE
client vlan 1605
no exclusionlist
mac-filtering cwa_macfilter
mobility anchor
nac
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list Webauth_ISE
no shutdown
wc5# debug aaa coa
Feb 27 12:19:08.444: COA: 10.232.127.13 request queued
Feb 27 12:19:08.444: RADIUS: authenticator CC 33 26 77 56 96 30 58 - BC 99 F3 1A 3C 61 DC F4
Feb 27 12:19:08.444: RADIUS: NAS-IP-Address      [4]   6   10.232.127.11
Feb 27 12:19:08.444: RADIUS: Calling-Station-Id [31] 14 "40f308c3c53d"
Feb 27 12:19:08.444: RADIUS: Event-Timestamp     [55] 6   1393503547
Feb 27 12:19:08.444: RADIUS: Message-Authenticato[80] 18
Feb 27 12:19:08.444: RADIUS:   22 F8 CF 1C 61 F3 F9 42 01 E4 36 77 9C 9B CC 56            [ "aB6wV]
Feb 27 12:19:08.444: RADIUS: Vendor, Cisco       [26] 41
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   35 "subscriber:command=reauthenticate"
Feb 27 12:19:08.444: RADIUS: Vendor, Cisco       [26] 43
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   37 "subscriber:reauthenticate-type=last"
Feb 27 12:19:08.444: RADIUS: Vendor, Cisco       [26] 49
Feb 27 12:19:08.444: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0aea2001530f2e1e000003c6"
Feb 27 12:19:08.444: COA: Message Authenticator decode passed
Feb 27 12:19:08.444: ++++++ CoA Attribute List ++++++
Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
Feb 27 12:19:08.444:
Feb 27 12:19:08.444: ++++++ Received CoA response Attribute List ++++++
Feb 27 12:19:08.444: 92FB84A0 0 00000001 nas-ip-address(600) 4 10.232.127.11
Feb 27 12:19:08.444: 92FB87EC 0 00000081 formatted-clid(37) 12 40f308c3c53d
Feb 27 12:19:08.444: 92FB8820 0 00000001 Event-Timestamp(445) 4 1393503547(530F2D3B)
Feb 27 12:19:08.444: 92FB8854 0 00000001 reauthenticate-type(756) 4 last
Feb 27 12:19:08.444: 92FB8888 0 00000081 audit-session-id(819) 24 0aea2001530f2e1e000003c6
Feb 27 12:19:08.444: 92FB88BC 0 00000081 ssg-command-code(490) 1 32
Feb 27 12:19:08.444: 92FB88F0 0 00000002 error-cause(272) 4 Session Context Not Found
Feb 27 12:19:08.444:
wc5#

Reason for this are two bugs which prevent this from working:
https://tools.cisco.com/bugsearch/bug/CSCul83594
https://tools.cisco.com/bugsearch/bug/CSCun38344
This is embarrassing because this is a really common scenario. QA anyone?
So, with ISE and 5760 CWA is not working at this time.

Cannot Open the URL of CWA with ISE

Hi Folks,
I have a problem when doing the CWA with ISE so that I can Provide the access of the network for the guests.
Everything goes fine except the URL of the CWA: When the guests open the explorer and enter a domain after connecting the SSID, they will be redirected to the URL like "https://hostname.demo.com:8443/guestportal/..................." which starts with the hostname of the ISE and the domain-name of the ISE, but for us, we don't have any AD and LAN DNS for our network so that we cannot translate the hostname.demo.com into the IP of the ISE, so can I just change the URL into IP type like "https://10.10.10.70:8443/guestportal"?

Screenshot of a screenshot (sorry) attached.
Basically it's in authorization policy, allows you to use a static DNS or IP address

CWA with WLC Firmware 7.0.228 and ISE 1.1.1

Hi,
Does Cisco ISE central web authentication supports on WLC version 7.0.228 ?
My customer has many access points which are support only for firmware code 7.0.228.
Cisco ISE version 1.1.1
WLC 5500 Series but the existing access point is cannot support to 7.3
Thanks,
Pongsatorn Maneesud

Tarik is correct, you need 7.2.x and later to use CWA with ISE. Here is a general summary of features supported on ISE on 7.0 and 7.2 versions of code:
Scenarios                                                          WLC 7.0                                             7.2
802.1X Auth                                                     Yes                                                      Yes
802.1X + Posture                                            Yes                                                      Yes
802.1X + Profiling                                           Yes                                                      Yes
Web Auth + Posture                                       No *                                                   Yes
Web Auth + Profiling                                      Inventory only *                         Yes
Central Web Auth(CWA)                               No *                                                   Yes
Local Web Auth(LWA)                                   Yes                                                      Yes

Problems with Authorization Policy, the USER has expired and the ISE is allowing access.

Hi,
My end customer reported an issue with ISE 1.1.4-218.
The GUEST user is expired but still can authenticate in the WLAN.
That's an known issue/bug?
Thanks!
Regards,
Rafael Eloi

Check if the option in the configuration part of the Authentication process = CONTINUE.
For example, when you use CWA, the IF AUTHENTICATION FAILED Option = CONTINUE so the MAB Auth always fails but based on that Option your connection continues so you are actually redirected using the AUTHORIZATION Policy.

How can a family with multiple existing accounts use Home Sharing?

I'd like to use the new Home Sharing feature, but it appears to be restricted to families in which all of the family members share a single user account.
We already have separate accounts for each family member. Is there some way for us to use Home Sharing without abandoning most of our existing accounts, along with all of the purchases made by those accounts? I don't think anyone in this situation would be willing to do that.

Eh. I am not too sure since I have not messed with it much but I do have a great deal of experience with multiple accounts. Each computer can be authorized for multiple accounts. As can iPods. iPods can sync songs/videos/apps from multiple accounts as long as the computer is authorized with them. What I have set up here, is I buy my stuff I want, my parents buy what they want and so do my brothers. When my bro gets something I want I just move it to my computer. That way all our accounts are separate, but if there is something I want I can get it. Also, since the music no longer has DRM, it won't matter. It will play on any computer. What you should see is if you can just do the shared library with multiple accounts. Then if you don't have videos or such, you can get apps or music. Hope this helps!

How do I use your iPhone with multiple iTunes libraries

Hi, I have my music spread out between 3 seperate Itunes libraries on 3 different profiles on my computer. I have the newest generation Ipod Nano, Ipod Shuffle, and Iphone 4s. My Ipod's are both full, so I've decided to start putting music onto my phone. With my Ipod's, I can plug them into one profile on the computer, download the music on the Itunes library that exists on that profile, then do the same with the other profiles with no issue. However when I try to do this with my phone, It asks me to erase the music I have gotten from one Itunes library and sync with the current library, as soon as I plug it in to a different Itunes on one of the other profiles. I have my Iphone configured with the Manually manage music option, and I still haven't found a way to use my Iphone with multiple music libraries. PLEASE HELP

http://support.apple.com/kb/PH12113 - If you use manual syncing, you can sync items from more than one iTunes library to your iPod. (You can sync iPod touch, iPhone, and iPad with only one iTunes library.)
http://support.apple.com/kb/HT1202 - When manually managing content, you can add content from multiple libraries to your iPod or iPad. Even when manually managing music, some content may be available from only one library at time. This includes all content on iPhone and video content on iPod and iPad.
They seem inconsistent as far as the iPad is concerned but in both articles the iPhone appears to only be able to sync to one library at a time.
Troubleshooting Home Sharing - http://support.apple.com/kb/TS2972

How to share account with multiple devices?

3 kids with 3 devices - an iPod Touch and two iPads Mini - family shares one account with Apple/iTunes and one library on our family PC. They use FACETIME and MESSAGES with their friends, and they all see each others messages and conversations. How do I fix this? Is there a setting or a way to create sub-accounts off the family account so they can still share the main library for music and video OR do I have to create separate Apple/iTunes accounts for each kid? Is there a setting on their devices that can help? Any help is greatly appreciated. I'm not even sure the right question to ask...

How to use multiple iPods, iPads, or iPhones with one computer
http://support.apple.com/kb/HT1495
How to Share a Family iPad
http://www.macworld.com/article/1163347/how_to_share_a_family_ipad.html
Using iPhone, iPad, or iPod with multiple computers
http://support.apple.com/kb/ht1202
iOS & iCloud Tips: Sharing an Apple ID With Your Family
http://www.macstories.net/stories/ios-5-icloud-tips-sharing-an-apple-id-with-you r-family/
How To Best Use and Share Apple IDs across iPhones, iPads and iPods
http://www.nerdsonsite.com/blog/2012/06/07/help-im-appleid-confused/
 Cheers, Tom

How can I merge all of the new FF windows that are open into one window with multiple tabs? Safari has a merge windows feature that I like. This is really nice when conducting reasearch on multiple sites at the same time.

When I clik on weblinks they all open into new windows making it somewhat painful to clik on window in the menu bar to go to each new page. I would rather have a feature that would allow me to merge all of those individual windows into tabs within one page.
== This happened ==
Every time Firefox opened

Thank you. That worked. I was able to open 1 window with multiple tabs. Thanks cor-el!

How can I share only the same music with multiple iTunes accounts

Hello
I hope someone can help. [I am using Windows Vista (Unfortunately J) and iTunes 10]
I am trying to share the same music library with multiple iTunes accounts. Basically, I want to know if there is a way to automatically upload to other libraries when importing new music into my library, vice versa. [Better information below]
Me, my sister and my dad all use iTunes (on different iTunes accounts), and before now we used to have are own music on our own windows user. Due to many duplicates and a loss of hard drive space I have brought an external hard drive and organised all the music.
It was all going well - I first populated all the music onto my iTunes, exported the library, and then imported it on both the other users. However! Because this is only a copy of the library, when I try to import a new CD, it will not show up on there’s until I “Add File to Library”! Originally I thought about using the same library however we each have are own apps etc, that we don’t want to share.
If you need anymore information please ask!
Matt

Hello roaminggnome
Unfortunately the support is down at the moment, I will have a better look later. I did go though the Apple support previously, however I found nothing that worked.
The first thread I came across was “Home Sharing” however no mater what I did, it did not appear in the iTunes sharing list (I did go though the “Show Sharing Networks” support as well)
Secondly, I saw “Using A Single Library With Multiple Accounts On The Same PC” (Something like that) but all this did was let us share the same music location, if I was to rip extra music, it will not show in there library
Matt

How to configure one TREX host with multiple index servers ?

Hi All,
Does anyone know how to configure TREX on the one host,
with multiple index servers ?
Reason for this is to make better use of resources available on the host server(4 Gig, 4 Processor, Windows2003), to improve the search performance of
our KM content for portal users.
I am using TREX 7 and have not been able to do this,
despite reading the Single and Distributed install
documentation.
Any help would be appreciated.
Regards,
Andres

Hi Andres,
To make use of the RAM a Server provides you have to run two indexserver processes (each can then consume 2 GB);
Proceed like this:
1. Go to TREXdeamon.ini; check if section [indexserver2] is there (it is already provided, but not active in standard installation)
2. In TREXdeamon.ini go to
[daemon]
references sections below
programs=nameserver,preprocessor1,indexserver1,queueserver,alertserver
and add indexserver2 here. Restart TREX; second porcess is then started; can be checked in TREX monitor in Portal as well
3. To distribute existing indexes to the new process, start TREXadmintool and go to Index: Landscape
Go to the last two columns and move the indexes (move master here/secondary mouse click)
If you don't distribute the indexes the new index server process will be regarded when an new index is created.
Hope this helps!
cheers
Bettina

ISE 1.2 CWA with Multiple PSNs - SessionID Replication / Session Expired

Similar Messages

Maybe you are looking for