ISE 1.2 Patch 7 possible guest CWA bug

Just upgraded an ISE implementation to patch 7 and discovered that the patch broke the CWA guest portal on wireless. I haven't tested wired CWA but wireless is busted.
In summary the redirection works fine but when you enter valid guest credentials nothing happens including no logs on ISE. If you enter credentials that don't exist in the guest group you get a failed authentication and the corresponding log. As soon as I rolled back to patch 6 everything worked again.
If any TAC engineers see this feel free to pursue it - I would log a case but the kit is NFR and I can't be bothered going through the process of logging a job on NFR kit.

Hi,
I'm experiencing similar issues with patch 7. I am actually using a custom portal, which was working fine in patch 4 - after upgrading to patch 7 to fix a Web Posture bug, the portal would randomly push out pages from the Default Portal (I.E. Device Registration when I had no self provisioning flow enabled). Now, I am getting the error in the attachment after the user accepts the AUP.
The standard portal is working fine, except for a bug with the "Require Users to change password at login" option. When users try to change their password at first login, the portal errors out and I get an error in the Authentication Logs. However, the password is changed successfully. This issue is apparent since installing patch 7.

Similar Messages

  • Https redirection issue for Wireless Guest CWA - ISE 1.3

    Our Setup is
    ISE 1.3 (Patch level 2) running on ACS 1121
    2 nodes clustered with Admin, monitoring, policy service enabled ( Primary and Secondary ).
    Configured SSID Guest for Centralized web authentication with ISE.
    We have issues in web redirection with Chrome. It is not redirecting to the ISE page but rather showing "Page cannot be displayed".
    By default Chrome is pointing to https. For example if we type https://google.com it is not redirecting to the ISE page. But when I specify the same as http://google.com it works.
    There is no issue with IE or Firefox, as they redirect to the ISE page with default https and I can see it is hitting our rule.
    Please advise.

    Hi Neno
    They are using a third party certificate (digi cert) for client auth. They have confirmed even if they use a self-signed-cert the result is same.
    So basically none of the https pages are loading. If we manually browse to an https site from Firefox or IE, the result is the same, showing "Page cannot be displayed".
    Redirection to https is the problem, which I have never faced with my other customer. This is the upgraded version of ISE from 1.2 to 1.3.

  • ISE 1.2 Patch 12

    Hi all,
    I upgraded from ISE 1.2 patch 6 to 1.2 patch 12 to fix an ISE portal bug over the weekend.
    None of my Guest Wireless users are complaining, authentication is working fine. But the below error is appearing for every Guest user session under ISE/Operations/Live Authentications.
    "5441 Endpoint started new session while the packet of previous session is being processed. Dropping new session"
    Is anyone aware of a bug possibly and I guess you need to upgrade to 1.3.x
    I would've thought Cisco would bring out a fix for this in 1.2.x....maybe patch 13 (new bug?)
    Any info out there about 5441 before I log a TAC?????
    Thanks.

    Any updates? I am not so sure it is cosmetic. I have clients failing to make it through the flow. I am seeing the following on these clients requests:
    It would appear that because the accounting data doesn't get back it, there is confusion that the session doesn't exist and the auth fails.
    Event
    5400 Authentication failed
    Failure Reason
    12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist
    Resolution
    Verify known NAD issues and published bugs. Verify NAD configuration. Turn debug log on DEBUG level to troubleshoot the problem.
    Root cause
    Session was not found on this PSN. Possible unexpected NAD behavior. Session belongs to this PSN according to hostname but may has already been reaped by timeout. This packet arrived too late.

  • ISE 1.2 patch 4 not retrieving groups

    Since the update to ISE 1.2 patch 4 it isn't possible anymore to retrieve groups or attributes from the active directory. It keeps loading.
    Anyone else experiencing this issue?           
    Regards,
    Mathieu

    The issue you are referring to is documented in the following CDETS:
    CSCul84544: Retrieval of AD groups or attributes is failing
    This is not yet resolved. May be resolved in a future patch
    The workaround given in the CDETS is
    Fix the DNS server so that the reverse DNS lookup matches
    I believe there are other steps that can be taken to mitigate this but would need intervention from TAC

  • ISE 1.2 Patch 8

    Our ISE Deployment for wireless only is operating on 1.2.0.899 Patch 3. We are looking to upgrade to Patch 8. We plan on testing in a Dev environment first, but I was curious what others' experience had been with stability in Patch 8?

    So far I have not had serious issues with patch 8 versus previous patches which caused me bother in certain areas. I think with all ISE patches you need to read the release notes and read the caveats to see what issues may or may not affect you. If you are on a production system I would also make sure you have your rollback option in place as well. For what it is worth I am always keen to stay on the most recent patch of ISE due to patches generally fixing more than they break. Just make sure you run through your original system test plans and user test plans and all should be well.

  • Possible Family Sharing Bug

    I saw a possible Family Sharing bug in action today that I'd like to share. My neighbor experienced this problem today and it has us scratching our collective heads.
    My neighbor is the “organizer" of a three-member family group under iCloud Family Sharing. The mother has two daughters, A (21 years old) and B (16 years old). Daughter B has her iTunes Store (etc.) purchases restricted and must have them electronically approved by her mom before the purchase will complete/download will begin (called the Ask To Buy feature). Daughter A is not restricted in any way.
    Shortly after setting up Family Sharing for their family, the mother tells me that she keeps getting messages from iCloud (on her phone and Mac) saying Daughter A is wanting to purchase something from the iTunes Store.
    So, I double-checked the mother's iCloud settings (on her iPhone and Mac) to successfully confirm that Daughter A is still not restricted and Daughter B is restricted. I also confirm with Daughter A (away at college) that she did try and make any such purchase.
    When I asked Daughter B, she said she had tried to make a purchase from her iPhone (that was the same title the mom received a request for). When I checked Daughter B's iPhone, I found that Daughter B is logged into iCloud as herself using her own Apple ID. However, at the same time, she was logged into the iTunes and App Stores on her iPhone as using her older sister's (Daughter B) Apple ID.
    To the best of my ability, I think I have spotted a logic problem with Family Sharing’s purchase restriction system. Since Family Sharing appears to be a part of iCloud and not iTunes Store specific, here is what I think is going on:
    Daughter B is trying to make a purchase and the system is restricting her as designed. However, because she is using her sister’s Apple ID at the iTunes Store, the purchase request is being sent to the mother but with the wrong daughter’s name on the request.
    [Note: Every Macintosh computer and iPhone in this scenario is running the latest versions of iOS 8 and OS X 10.10 on their devices. I personally upgraded each device.]
    Does anyone agree or disagree with my suspicions?
    When Daughter B logged out of iTunes Store on her iPhone and logged back into the Store with her own Apple ID, the problem went away. The purchase request was forwarded to her mother with the correct Daughter’s name attached.

    ApplePate,
    Not all content can be downloaded via Family Sharing. The information outlined below details how to go about determining if content can be shared via Family Sharing.
    Make sure that an app is shareable
    To see if you can share an app, go to its product page in the App Store and scroll down to Information. Then see if it says Yes or No in the Family Sharing section.
    Some apps may not be enabled for Family Sharing. If you’ve acquired one of these apps, you will be able to see it in your purchase history, but your family members won't be able to see or redownload it.
    If you don't see your family's shared content
    https://support.apple.com/en-us/HT201454
    Regards,
    Allen

  • Is there a patch out for the bash bug (CVE 2014-6271)?

    Is there a patch out for the bash bug (CVE 2014-6271)? I saw one for Oracle Linux, so I hope there's one for Solaris as well.

    Hi,
    another approach could be to just build a custom bash package yourself using
    the available changes published here:
    https://java.net/projects/solaris-userland/sources/gate/show/components/bash
    That's the build infrastructure and source we use to build the official Solaris 11
    IPS packages.
    Regards,
    Ronald

  • ISE 1.1.1 Iphones Guest CWA connection dropouts

    Hi all
    I have deployed wireless guest access utilising CWA. I have no posture or client provisioning enabled on the deployment therefore it is a straightforward configuration. In short my issue pertains directly to Iphones (I haven't tested with other mobile devices yet). Basically a laptop connects, gets redirected, authenticates successfully and ultimately can browse the internet and network resources.
    With an iPhone I connect, get redirected, authenticate successfully, accept the AUP and finally get a page that says I am connected and should reenter my original URL. At this point I try to open Safari by going to the main iPhone GUI, the wireless connection drops and Safari falls back to 3G connectivity. I then go back to the wireless connections and click on the SSID which immediately reconnects and allows access based off the original connection.
    Has anyone experienced this issue and if so what is it related to? Is there a setting or command I am missing on the system or is this yet another case of BYOD devices being a pain in the backside with ISE?

    Did you test this on iOS6? It has a feature that will drop wireless and go to 3G if you are unable to reach www.apple.com/library/test/success.html, I believe it's called auto-join or something? Also recently this page was down at Apple, and caused quite a bit of problems for iPhone/iPad users, maybe that's what you were seeing.

  • ISE Guest CWA with Smart Phones

    I've configured the Guest Web Authentication in the ISE and I've tested and everything is working fine. I got the redirect url, I could authenticate and then got access. However, if I got the redirect url and then disconnect from the guest SSID and connect to another SSID on the same WLC (not associated to the ISE) and then connect back to the guest SSID, I'm not getting the redirect url.
    I've checked the ISE and I noticed that the radius session is not terminated if I disconnected from the SSID. I tried to add an attribute in the authorization profile to have radius idle timeout, it did work and the ISE initiated a new session ID, but the smartphone is not getting the url.
    Anyone have/had this issue?

    I've done a test with CWA + open SSID and I don't see the problem. (iPod, latest SW update, pretty old HW)
    My steps:
    1) connected to CWA SSID and it asked me to register, provided my username and password to see if they are correct
    2) disconnected (connected to openSSID) without registering.
    3) Checked reachability over openSSID
    4) reconnected to the CWA one.
    5) Got redirected automatically.
    Did I miss anything? Any more steps you've done?
    M.

  • Wired Guest CWA with ISE

    Having a heck of a time getting this to work.
    First option is for the device to try and authenticate using Dot1X/EAP-TLS - for domain-connected devices only.
    If that fails, they want the option to pop a CWA portal where they can enter either AD creds, or internal Guest user creds.
    My challenge is the Policies and where to insert.
    I'm using Policy Sets in ISE 1.2
    Currently, I have these statements in the Default Policy Set:
    Rule Name | Conditions | Permissions
    Wired Guest Portal Auth | if Net Access:UseCase EQUALS Guest Flow | Permit Access
    Wired Guest Redirect | if Wired_MAB | Wired CWA
    What I figured is if they fail the .1X, they'll drop down here to Wired MAB, and that will initiate a redirect and Guest Flow.
    Couple problems:
    First, it does seem to try; a show auth sess shows the proper redirect URL getting sent to the switchport.
    Unfortunately, my browser pop gives me a certificate not recognized error, and if I try to continue anyways, it doesn't do anything. Wireless Guest, which I copied, works fine.
    Second challenge is that it forces the redirect whether I have the switch (NAD) in Monitor Mode or Low Impact Mode. This is a problem because there are multiple sites, and we're cutting each over to Low Impact progressively.
    Does anyone have any insight, or a document laying out in step by step terms implementing this?
    thanks in advance.

    Hi Andrew! Yes, good job on fixing the portal issue!
    And yes, the authorization rules are considered even in an open mode! And you are also correct that you will need to create different rules to account for NADs that are in production and for NADs that are in monitor mode. I have always liked using a separate Policy Set for Monitor Mode and a separate Policy Set for Production Mode. Then I used device location to match against these conditions. For each location I have two sub-groups: One for Monitor and one for Production. That way I can move a NAD from monitor mode to full production by simply changing its group.
    Lastly, yes, your CWA rules should be at the bottom of your production authorization rules. 
    Thank you for rating helpful posts!

  • How to Prohibit Domain Computer in WLAN Guest - CWA

    Hello,
    I created an Open SSID in the WLC named Visitante and configured ISE to do CWA.
    Rule is:
    AuthZ_CWA =  If Device:Wireless Lan Controller Equal WLC then WLC_CWA
    I create a guest account in Sponsor Portal and above rule in ISE is:
    AuthZ_Guest = If Guest and AD:ExternalGroups NOT EQUAL mydomain/users/Domain Computers then INTERNET-ACCESS
    When I connect with a Domain Computer, this Computer gets Internet Access doing Match in AuthZ_Guest rule.
    Is what I'm doing correct? Should it work? Or is there another way to do this control?
    I would appreciate some help in this case
    Best Regards,
    Daniel Stefani

    This is a valid option.
    But I was thinking of doing this through the ISE. Do you know if this is possible?
    Apparently the ISE cannot read the AD attribute ExternalGroups when in CWA.
    One doubt here: is it the ISE that can't read these attributes, or the Domain Computer that doesn't send these attributes to the ISE?
    Best Regards,
    Daniel Stefani

  • ISE 1.2, Patch 7: "NAK requesting to use PEAP instead"

    We're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the Windows supplicant to use EAP only?
    For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
    Personas: Administration
    Role: PRIMARY(A)
    System Time: Apr 24 2014 08:26:58 AM America/New_York
    FIPS Mode: Disabled
    Version: 1.2.0.899
    Patch Information: 7,1,3

    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    15049 Evaluating Policy Group
    15008 Evaluating Service Selection Policy
    15048 Queried PIP
    15048 Queried PIP
    15004 Matched rule
    11507 Extracted EAP-Response/Identity
    12500 Prepared EAP-Request proposing EAP-TLS with challenge
    12625 Valid EAP-Key-Name attribute received
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12301 Extracted EAP-Response/NAK requesting to use PEAP instead
    12300 Prepared EAP-Request proposing PEAP with challenge
    12625 Valid EAP-Key-Name attribute received
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318 Successfully negotiated PEAP version 0
    12800 Extracted first TLS record; TLS handshake started
    12805 Extracted TLS ClientHello message
    12806 Prepared TLS ServerHello message
    12807 Prepared TLS Certificate message
    12810 Prepared TLS ServerDone message
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12318 Successfully negotiated PEAP version 0
    12812 Extracted TLS ClientKeyExchange message
    12804 Extracted TLS Finished message
    12801 Prepared TLS ChangeCipherSpec message
    12802 Prepared TLS Finished message
    12816 TLS handshake succeeded
    12310 PEAP full handshake finished successfully
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12313 PEAP inner method started
    11521 Prepared EAP-Request/Identity for inner EAP method
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    11522 Extracted EAP-Response/Identity for inner EAP method
    11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    15041 Evaluating Identity Policy
    15006 Matched Default Rule
    15013 Selected Identity Source - *****
    24431 Authenticating machine against Active Directory
    24470 Machine authentication against Active Directory is successful
    22037 Authentication Passed
    11824 EAP-MSCHAP authentication attempt passed
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814 Inner EAP-MSCHAP authentication succeeded
    11519 Prepared EAP-Success for inner EAP method
    12314 PEAP inner method finished successfully
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    15036 Evaluating Authorization Policy
    24433 Looking up machine in Active Directory - host/*****
    24435 Machine Groups retrieval from Active Directory succeeded
    15048 Queried PIP
    15048 Queried PIP
    15048 Queried PIP
    15048 Queried PIP
    15048 Queried PIP
    15004 Matched rule - Default
    15016 Selected Authorization Profile - DenyAccess
    15039 Rejected per authorization profile
    12306 PEAP authentication succeeded
    11503 Prepared EAP-Success
    11003 Returned RADIUS Access-Reject

    salodh,
    Thank you for your response. Below is the authorization policy it should hit. The trouble is the workstation wants to use PEAP for some reason but we don't want PEAP because we're certificate-based. I understand what you're saying, and it's because I didn't word my question correctly. 
    12500 Prepared EAP-Request proposing EAP-TLS with challenge
    12625 Valid EAP-Key-Name attribute received
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12301 Extracted EAP-Response/NAK requesting to use PEAP instead
    If the NAK would not request PEAP, it would continue on to the following Authorization Policy (and succeed):
    Name: Wired-******-PC
    Conditions:
      Radius:Service-Type EQUALS Framed
      AND Radius:NAS-Port-Type EQUALS Ethernet
      AND *******:ExternalGroups EQUALS **********/Users/Domain Computers
      AND Network Access:EapAuthentication EQUALS EAP-TLS
    Again, this PEAP request only happens occasionally. This same workstation will work at other days/times. If I could figure out why some workstations randomly request PEAP (or find a way to force EAP only) I think that would take care of it.
    Thanks again, sir.
    Andrew
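For triage of the pattern discussed in this thread, the following is an added example (not code from either poster or from Cisco) that reads an exported ISE step list and flags sessions where the supplicant NAKed the proposed EAP method and the session then ended in an Access-Reject. The function names, the `required_method` parameter and the shortened sample are assumptions; the step texts are the ones quoted in the thread, and the Access-Accept wording in the result pattern is assumed by analogy with the Access-Reject line.

```python
import re

# Constructed sample: a shortened step list built from step texts quoted in
# the thread, in its "code, then description on the next line" layout.
SAMPLE_STEPS = """\
12500
Prepared EAP-Request proposing EAP-TLS with challenge
11006
Returned RADIUS Access-Challenge
12301
Extracted EAP-Response/NAK requesting to use PEAP instead
12300
Prepared EAP-Request proposing PEAP with challenge
11806
Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
15004
Matched rule - Default
15016
Selected Authorization Profile - DenyAccess
11003
Returned RADIUS Access-Reject
"""

CODE_ONLY = re.compile(r"^\d{5}$")
ONE_LINE = re.compile(r"^(\d{5})\s+(\S.*)$")
# Anchored so the inner-method proposal (EAP-MSCHAP) is not counted as outer.
PROPOSED = re.compile(r"^Prepared EAP-Request proposing (\S+) with challenge")
NAK = re.compile(r"EAP-Response/NAK requesting to use (\S+) instead")
PROFILE = re.compile(r"^Selected Authorization Profile - (\S+)")
RESULT = re.compile(r"^Returned RADIUS (Access-(?:Accept|Reject))$")


def parse_steps(text):
    """Return [(code, description)] from 'code description' lines or from
    alternating code / description lines."""
    steps, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if CODE_ONLY.match(line):
            if pending is not None:      # previous code had no description
                steps.append((pending, ""))
            pending = line
        elif pending is not None:
            steps.append((pending, line))
            pending = None
        else:
            one = ONE_LINE.match(line)
            if one:
                steps.append((one.group(1), one.group(2)))
    if pending is not None:
        steps.append((pending, ""))
    return steps


def analyze(steps, required_method="EAP-TLS"):
    """Summarise outer-method negotiation and the final RADIUS result."""
    report = {"proposed": [], "naks": [], "outer_method": None,
              "profile": None, "result": None, "findings": []}
    for _code, desc in steps:
        m = PROPOSED.search(desc)
        if m:
            report["proposed"].append(m.group(1))
            report["outer_method"] = m.group(1)   # last outer proposal wins
            continue
        m = NAK.search(desc)
        if m:
            rejected = report["proposed"][-1] if report["proposed"] else None
            report["naks"].append((rejected, m.group(1)))
            continue
        m = PROFILE.search(desc)
        if m:
            report["profile"] = m.group(1)
            continue
        m = RESULT.search(desc)
        if m:
            report["result"] = m.group(1)
    for rejected, wanted in report["naks"]:
        if rejected == required_method:
            report["findings"].append(
                f"supplicant NAKed {rejected} and asked for {wanted}")
    outer = report["outer_method"]
    if report["result"] == "Access-Reject" and outer not in (None, required_method):
        report["findings"].append(
            f"rejected after negotiating {outer} instead of {required_method}; "
            f"authorization profile {report['profile']}")
    return report


if __name__ == "__main__":
    for finding in analyze(parse_steps(SAMPLE_STEPS))["findings"]:
        print(finding)
```
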

  • ISE 1.2 Patch 8 - Wired CoA Bug

    Hi all,
    Just wondering if anyone else is having CoA issues using patch 8 on wired infrastructure? I was troubleshooting CoA this morning in a 5 node deployment (1 x Admin, 1 x Monitoring, 1 x secondary admin/monitoring and 2 x PSN) and found that CoA was not working. I did a debug aaa pod and it said that POD message was dropped due to an unconfigured client and listed off the IP address of the primary admin node that I had initiated the CoA from (in the gui).
    I thought this was strange in that I have always believed the CoA comes from the PSNs. I stopped the primary admin and did the same test using the secondary admin and the same error presented this time with the ip address of the secondary admin. I then proceeded to add the admin nodes as dynamic author clients and CoA started to work properly.
    So in summary I am wondering whether this is a bug, a misunderstanding on my part or a change to the way that ISE CoA now works?

    CoA Not Initiating on Client Machine
    Symptoms or Issue: Cisco ISE is not able to identify the specified Network Access Device (NAD).
    Conditions: Click the magnifying glass icon in Authentications to display the steps in the Authentication Report. The logs display the following error message:
    • 11007 Could not locate Network Device or AAA Client Resolution
    Possible Causes:
    • The administrator did not correctly configure the Network Access Device (NAD) type in Cisco ISE.
    • Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
    Resolution:
    • Add the NAD in Cisco ISE again, verifying the NAD type and settings.
    • Verify whether the Network Device or AAA client is correctly configured in Administration > Network Resources > Network Devices

    Symptoms or Issue: Users logging into the Cisco ISE network are not experiencing the required Change of Authorization (CoA).
    Conditions: Cisco ISE uses port 1700 by default for communicating RADIUS CoA requests from supported network devices.
    Possible Causes: Cisco ISE network enforcement points (switches) may be missing key configuration commands, may be assigning the wrong port (for example, a port other than 1700), or have an incorrect or incorrectly entered key.
    Resolution: Ensure the following commands are present in the switch configuration file (required on switch to activate CoA and configure the switch):
    aaa server radius dynamic-author
    client <Monitoring_node_IP_address> server-key <radius_key>
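The two points raised in this thread (a CoA/POD message dropped because the sending ISE node is not a configured client, and the port 1700 default) can be checked offline against a saved switch configuration. The following is an added example, not code from the posters or from Cisco: the node names, the documentation-range IP addresses, the sample configuration and the function names are all assumptions, and a switch with no `port` line is assumed to listen on the expected port.

```python
import ipaddress
import re

# Constructed sample configuration (addresses from the 192.0.2.0/24
# documentation range; the key is a placeholder, not a real secret).
SAMPLE_CONFIG = """\
aaa new-model
!
aaa server radius dynamic-author
 client 192.0.2.21 server-key EXAMPLE-KEY
 client 192.0.2.22 server-key EXAMPLE-KEY
 port 3799
!
radius-server vsa send authentication
"""

# Hypothetical deployment: every ISE node that may originate a CoA. The
# original poster found that the admin nodes had to be listed as well.
ISE_NODES = {
    "psn-1": "192.0.2.21",
    "psn-2": "192.0.2.22",
    "admin-primary": "192.0.2.11",
    "admin-secondary": "192.0.2.12",
}

HEADER = "aaa server radius dynamic-author"
CLIENT = re.compile(r"^client\s+(\S+)")
PORT = re.compile(r"^port\s+(\d+)$")


def dynamic_author_settings(config_text):
    """Return (sorted client IPs, configured port or None) from the
    dynamic-author stanza. Server keys are deliberately never captured."""
    clients, port, in_stanza = set(), None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == HEADER:
            in_stanza = True
            continue
        if not in_stanza:
            continue
        m = CLIENT.match(line)
        if m:
            try:
                clients.add(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                pass  # hostname or template placeholder, not an address
            continue
        p = PORT.match(line)
        if p:
            port = int(p.group(1))
            continue
        # "!" or any unindented line that is not a sub-command ends the stanza
        if line == "!" or not raw[:1].isspace():
            in_stanza = False
    return sorted(clients), port


def audit_coa_clients(config_text, ise_nodes, expected_port=1700):
    """Compare the switch's CoA clients and port with the ISE deployment."""
    clients, port = dynamic_author_settings(config_text)
    known = set(ise_nodes.values())
    return {
        "clients": clients,
        # ISE nodes whose CoA/POD packets the switch would drop
        "missing": {n: ip for n, ip in ise_nodes.items() if ip not in clients},
        # configured clients that are not ISE nodes in the inventory
        "unknown_clients": [ip for ip in clients if ip not in known],
        "port": port,
        "port_mismatch": port is not None and port != expected_port,
    }


if __name__ == "__main__":
    report = audit_coa_clients(SAMPLE_CONFIG, ISE_NODES)
    for name, ip in report["missing"].items():
        print(f"not a dynamic-author client: {name} ({ip})")
    if report["port_mismatch"]:
        print(f"switch listens on {report['port']}, ISE sends CoA to 1700")
```
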

  • ISE 1.2 patch 5 My devices portal not showing registered devices

    Hello Guys,
    I am running ISE 1.2 with all recent patches installed. I have a weird issue where AD users log in to the mydevices portal and are not able to view any of their registered devices, even though the devices were successfully registered and onboarded.

    Check your synchronization between your ISE nodes. I had a similar issue; that was because NTP had been down for a while, and then the nodes didn't sync the device registrations and guest users between the nodes.

  • ISE 1.04 and WLC 7.2 - CWA Config?

    Hello, I'm currently deploying a POC for Central WebAuthentication with the new 7.2 Wireless Lan Controller code.
    I'm aware of the differences between LWA and CWA in Catalyst Switches, but I'm having trouble grasping how to configure the CWA on the WLC for wireless guests with open web auth.
    For LWA I did get:
    1- User opens browser
    2- WLC redirects user to ISE Guest page
    3- ISE Guest page sends username/password to WLC,
    4- WLC does a RADIUS PAP request to ISE in order to authenticate user.
    5- ISE authenticates (or not) and send Access-Accept to WLC
    6- WLC lets user go through.
    For CWA the way I see it, it should be:
    1- User opens browser
    2- WLC redirects user to ISE Guest page
    3- ISE Guest page processes username/password internally
    4- ISE authenticates (or not) and sends Access-Accept to WLC
    5- WLC lets user go through.
    The way I see it, we should define  a WLAN's L3 security policy as webauth, with no L2 security, but the question is how to configure the controller so that the ISE doesn't just serve as an external web server and the WLC is not waiting for a username/password from this external webserver, as would LWA work, but instead just gets an Access-Accept from the ISE.
    For the moment LWA is more intuitive given the WLC philosophy of operation. I'm not really seeing how/where to configure 7.2 code to just expect an access-accept from ISE.
    Can anybody enlighten me on how this should be configured/work?
    Any insight is very much appreciated.
    Thanks
    Gustavo Novais

    Hi Brian,
    Complementing Nicolas Darchis's idea:
    On SSID Security settings, set Open Authentication and check the MAC Filtering box, do NOT check any type of L3 authentication.
    Then define your RADIUS/ISE servers (enable support for RFC 5734 when defining them) on the SSID, and on the advanced tab of the ssid, enable RADIUS NAC (and aaa override too).
    It is exactly the same thing as when you do RADIUS based mac authentication, except on this case, the RADIUS server will reply with an access-accept + a few attributes (namely airespace-acl/vlan/url-redirect).
    On the ISE, you'll need to match service type: call-check (MAB) RADIUS authentication in order to match requests coming from WLC CWA.
    Then the order will be the exact same as for a switch:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1112855
    I needed to put the redirect access-list referenced on ISE CWA, statically on the WLC as a pre-auth ACL (you'll need to define it statically on the WLC - security access-lists).
    Nicolas, I've seen the TrustSec design guide 2.0 but no CWA on wireless was included... do you have any idea if it will be in TrustSec 2.1?
    Thanks & Regards
    Gustavo
