01-15-2018 04:00 PM
Environment
ISE Version: 2.3.0.298
There are three ISE PSN nodes, IP addresses: 10.10.100.67/24, 10.200.100.67/24, 10.10.100.77/24
Foreign WLC, 5520, version: 8.3.111.0
Anchor WLC, 2500, version: 8.3.111.0
Endpoints: we used a Dell laptop with Windows 10 and an iPhone 7 with iOS 11
Related Configuration
ACLs for Web-Auth redirect and internet access are configured the same on both the Foreign and Anchor WLCs.
Verification
After Web-Auth succeeded, we observed “guest-acl” ACL applied.
Traffic hit related ACLs.
Symptom
After keying in the username and password, authentication succeeded.
But in the meantime, we could not open www.google.com immediately.
Analysis
It looks like somehow the “guest-acl” ACL did not apply immediately after Web-Auth succeeded; we needed to wait a few minutes before the endpoints could access the internet.
01-23-2018 09:49 AM
Since the access internet ACL already confirmed and applied on the WLC, it's best for you to troubleshoot it further by engaging Cisco wireless support teams.
01-15-2018 10:21 PM
On the Cisco WLC you can run a client debug that is quite useful:
debug client xx:yy:zz:00:11:22
debug aaa event enable
debug aaa packet enable
Have a look at the output and try to observe what's going on.
I am also using ISE 2.3.0.298 (patch 1) and Cisco WLC 8.5.105.0 and 8.2.151.0 - there was an issue with older 8.2.1xx release which broke the CoA process. Currently no issues with these WLC releases.
Do you have an ACL that is applied when the client first associates to the SSID and gets redirected to the ISE portal?
And then you should have a second ACL that is applied when a client successfully passes the MAB auth (MAC address found in Identity Group). This ACL should allow DHCP, DNS, PSNs, and internet access.
01-16-2018 02:56 PM
Thanks, Arne.
We did configure the redirect ACL and the access-internet ACL on both WLCs, and we also observed traffic hitting both ACLs. It can access the internet a few minutes later, which means the ACLs are configured properly.
One more thing we tested: while authenticated successfully, if I manually disconnect and reconnect the guest WLAN at the endpoint, then it can access the internet immediately, just as if the second ACL had been applied immediately.
01-16-2018 03:05 PM
There should be no reason to configure both an access ACL and a redirect ACL for the same session. The redirect ACL handles both. If having issues, I recommend removing the Airespace ACL. The access ACL is only needed post web auth. Also, I have found in past releases that for certain flows it helped to add access to the PSNs in the run ACL. This may no longer be the case, but it was sometimes possible to have a case where the user was authenticated but the client was trying to complete a web communication to the PSN at the close of the final connection message, and if the ACL was applied immediately, it stalled that connection. You should be able to see if the ACL is applied by monitoring the WLC session info for the client and determine if it is present when the user has blocked/delayed access.
01-16-2018 03:47 PM
From the WLC we can observe the access-internet ACL applied while the endpoint authenticated successfully.
01-16-2018 08:09 AM
CSCul83594 - You cannot enable RADIUS accounting on both WLCs; they will each send accounting start/stop with different session IDs, and ISE will get confused. Typically the end user sees an “error 500” web page when redirected to the ISE portal. This is on a per-WLAN basis. If you have other WLANs not using ISE then that setting may be different.
On another note, with the new “Simplified config Apply Cisco ISE Default Settings” on the WLC, if you check the ISE checkbox when creating an authentication server, an accounting server is automatically configured with the same IP and settings. And the same thing happens on the WLAN: the simplified config puts the ISE as both authentication and accounting server for that WLAN. And this will trigger the issue if you do this on both WLCs.
Please reach out to TAC if further assistance is needed.
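As an added example (not from this thread, Cisco, or ISE), a check for the condition described above: it walks RADIUS accounting records and flags any client MAC that has an open accounting session from more than one NAS (e.g. both the foreign and anchor WLC) with different Acct-Session-Ids. The record layout, MACs, NAS IPs and session ID strings are constructed for the example.

```python
"""Flag guest clients whose RADIUS accounting is open on more than one WLC."""
from collections import defaultdict

# Constructed sample accounting records (attribute names mirror the RADIUS
# attributes a WLC sends; values are made up for this example).
# The first MAC is accounted from two NAS IPs with different session IDs,
# which is the foreign+anchor double-accounting case; the second is healthy.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Calling-Station-Id": "AA:BB:CC:00:11:22",
     "NAS-IP-Address": "10.10.100.1", "Acct-Session-Id": "5a5d1f00/aa:bb:cc:00:11:22/1"},
    {"Acct-Status-Type": "Start", "Calling-Station-Id": "aa:bb:cc:00:11:22",
     "NAS-IP-Address": "10.10.100.2", "Acct-Session-Id": "5a5d1f07/aa:bb:cc:00:11:22/1"},
    {"Acct-Status-Type": "Start", "Calling-Station-Id": "aa:bb:cc:00:11:33",
     "NAS-IP-Address": "10.10.100.1", "Acct-Session-Id": "5a5d1f10/aa:bb:cc:00:11:33/1"},
    {"Acct-Status-Type": "Stop", "Calling-Station-Id": "aa:bb:cc:00:11:33",
     "NAS-IP-Address": "10.10.100.1", "Acct-Session-Id": "5a5d1f10/aa:bb:cc:00:11:33/1"},
]


def find_duplicate_accounting(records):
    """Return {mac: {nas_ip: session_id}} for MACs with open sessions on >1 NAS.

    Start and Interim-Update open (or refresh) a session per NAS; a Stop
    closes it only if its session ID matches the one we have open.
    """
    open_sessions = defaultdict(dict)  # mac -> {nas_ip: acct_session_id}
    for rec in records:
        mac = rec["Calling-Station-Id"].lower()  # normalise MAC case
        nas = rec["NAS-IP-Address"]
        sid = rec["Acct-Session-Id"]
        status = rec["Acct-Status-Type"]
        if status in ("Start", "Interim-Update"):
            open_sessions[mac][nas] = sid
        elif status == "Stop" and open_sessions[mac].get(nas) == sid:
            del open_sessions[mac][nas]
    return {mac: dict(s) for mac, s in open_sessions.items() if len(s) > 1}


if __name__ == "__main__":
    for mac, sessions in find_duplicate_accounting(SAMPLE_RECORDS).items():
        print(f"{mac}: accounting open on {len(sessions)} NAS devices -> {sessions}")
```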
01-16-2018 02:25 PM
Thanks, Jason.
We didn't enable Accounting at Anchor WLC for the guest WLAN.