Endpoints' internet access delayed a few minutes after Web-Auth succeeded with ISE and WLC

G2000
Level 1

Environment

ISE Version: 2.3.0.298

There are three ISE PSN nodes, with IP addresses 10.10.100.67/24, 10.200.100.67/24 and 10.10.100.77/24.

Foreign WLC, 5520, version: 8.3.111.0

Anchor WLC, 2500, version: 8.3.111.0

Endpoints: we used a Dell laptop with Windows 10 and an iPhone 7 with iOS 11.

Related Configuration

The ACLs for the Web-Auth redirect and for internet access are configured identically on both the Foreign and the Anchor WLC.

Verification

After Web-Auth succeeded, we observed the “guest-acl” ACL applied.

Traffic hit the related ACLs.

Symptom

After keying in the username and password at the prompt, authentication succeeded.

But in the meantime, we could not open www.google.com immediately.

Analysis

It looks like the “guest-acl” ACL somehow didn’t apply immediately after Web-Auth succeeded; we need to wait a few minutes, and then the endpoints can access the internet.

Accepted Solution

hslai
Cisco Employee

Since the access-internet ACL is already confirmed and applied on the WLC, it's best for you to troubleshoot it further by engaging the Cisco wireless support teams.

8 Replies

Arne Bier
VIP

On the Cisco WLC you can run a client debug that is quite useful:

debug client xx:yy:zz:00:11:22

debug aaa event enable

debug aaa packet enable

Have a look at the output and try to observe what's going on.

I am also using ISE 2.3.0.298 (patch 1) and Cisco WLC 8.5.105.0 and 8.2.151.0. There was an issue with the older 8.2.1xx release which broke the CoA process. Currently no issues with these WLC releases.

Do you have an ACL that is applied when the client first associates to the SSID and gets redirected to the ISE portal?

And then you should have a second ACL that is applied when a client successfully passes the MAB auth (MAC address found in the Identity Group). This ACL should allow DHCP, DNS, the PSNs, and internet access.

Thanks, Arne.

We did configure the redirect ACL and the access-internet ACL on both WLCs, and we also observed traffic hitting both ACLs. The endpoint can access the internet a few minutes later, which means the ACLs are configured properly.

One more thing we tested: once authenticated successfully, if I manually disconnect and reconnect the guest WLAN on the endpoint, then it can access the internet immediately, just as if the second ACL had been applied immediately.

There should be no reason to configure both an access ACL and a redirect ACL for the same session. The redirect ACL handles both. If you are having issues, I recommend removing the Airespace ACL. The access ACL is only needed post web auth. Also, I have found in past releases that for certain flows it helped to add access to the PSNs in the run ACL. This may no longer be the case, but it was sometimes possible to have a case where the user was authenticated but the client was still trying to complete a web communication to the PSN at the close of the final connection message, and if the ACL was applied immediately, it stalled that connection. You should be able to see whether the ACL is applied by monitoring the WLC session info for the client and determining whether it is present when the user's access is blocked or delayed.

From the WLC we can observe the access-internet ACL applied once the endpoint has authenticated successfully.


Jason Kunst
Cisco Employee

CSCul83594 - You cannot enable RADIUS accounting on both WLCs; they will each send accounting start/stop with different session IDs, and ISE will get confused. Typically the end user sees an “error 500” web page when redirected to the ISE portal. This is on a per-WLAN basis. If you have other WLANs not using ISE, then that setting may be different.

On another note, with the new “Simplified config: Apply Cisco ISE Default Settings” on the WLC, if you check the ISE checkbox when creating an authentication server, an accounting server is automatically configured with the same IP and settings. The same applies to the WLAN: the simplified config sets ISE as both the authentication and the accounting server for that WLAN. This will trigger the issue if you do it on both WLCs.

Please reach out to TAC if further assistance is needed.
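As an added illustration of the CSCul83594 condition Jason describes (not code from the thread or from Cisco), the following script walks a set of RADIUS accounting records and flags any client that received Accounting-Start from more than one NAS (Foreign and Anchor WLC) with differing Acct-Session-Id values. The record text form, the NAS addresses and the session IDs are all constructed for the example; a real deployment would feed it from the ISE or RADIUS server's accounting log instead.

```python
# Added example (not from the thread): spot the CSCul83594 symptom, where both the
# Foreign and the Anchor WLC send RADIUS accounting for the same guest client with
# different Acct-Session-Id values. The input is a constructed, simplified
# "Attr=Value Attr=Value" text form of accounting records, not a real log format.
from collections import defaultdict

# Constructed sample: client 00-11-22-33-44-55 gets Accounting-Start from two NAS
# addresses (assumed Foreign and Anchor WLC IPs) with different session IDs;
# client aa-bb-cc-dd-ee-ff is handled by a single WLC and is fine.
SAMPLE_RECORDS = """\
Acct-Status-Type=Start Calling-Station-Id=00-11-22-33-44-55 NAS-IP-Address=10.10.100.5 Acct-Session-Id=5a1b2c3d/00:11:22:33:44:55/1
Acct-Status-Type=Start Calling-Station-Id=00-11-22-33-44-55 NAS-IP-Address=10.200.100.5 Acct-Session-Id=5a1b2c99/00:11:22:33:44:55/7
Acct-Status-Type=Start Calling-Station-Id=aa-bb-cc-dd-ee-ff NAS-IP-Address=10.10.100.5 Acct-Session-Id=5a1b2c3d/aa:bb:cc:dd:ee:ff/2
Acct-Status-Type=Stop Calling-Station-Id=aa-bb-cc-dd-ee-ff NAS-IP-Address=10.10.100.5 Acct-Session-Id=5a1b2c3d/aa:bb:cc:dd:ee:ff/2
"""


def parse_record(line):
    """Turn one 'Attr=Value Attr=Value' line into a dict of attributes."""
    return dict(field.split("=", 1) for field in line.split())


def find_dual_accounting(text):
    """Return {client_mac: {nas_ip: [session_ids]}} for every client that received
    Accounting-Start from more than one NAS with more than one distinct session ID."""
    sessions = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("Acct-Status-Type") != "Start":
            continue  # only Start records open a session on ISE
        mac = rec["Calling-Station-Id"].lower()
        sessions[mac][rec["NAS-IP-Address"]].add(rec["Acct-Session-Id"])
    offenders = {}
    for mac, by_nas in sessions.items():
        if len(by_nas) > 1:
            all_ids = set().union(*by_nas.values())
            if len(all_ids) > 1:  # same client, different session ID per WLC
                offenders[mac] = {nas: sorted(ids) for nas, ids in by_nas.items()}
    return offenders


if __name__ == "__main__":
    for mac, by_nas in find_dual_accounting(SAMPLE_RECORDS).items():
        print(f"{mac}: Accounting-Start from {len(by_nas)} WLCs with different session IDs")
        for nas, ids in by_nas.items():
            print(f"  {nas}: {', '.join(ids)}")
```

A client that shows up here is the one whose session ISE will see twice, which is the setup that Jason's reply says leads to the portal error; the fix is to leave accounting disabled on one of the two WLCs for that WLAN.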

G2000
Level 1

Thanks, Jason.

We didn't enable accounting on the Anchor WLC for the guest WLAN.

Akiva
Level 1

Did you get a solution to this eventually? I have got the same problem.