Wandering down a rabbit hole here, anyone else see something like this?
I just upgraded to ISE 2.3 from 2.0, imported all the rulesets, setup lic, etc. I noticed however when Guest devices self-register via the CWA redirect, they get stuck in the portal and can never actually gain access to the www. I can see in the browser that it does get redirected to the url I configured, let's say google.com, but then redirected right back into the self-registration page as if the device never registered or went through the Guest Flow at all. The accounts get created, but the devices never get auto placed into the 'GuestEndpoints' identity group like it should, without manually disconnecting the device and reconnecting it. Now, if they put in their username and password they received from the self-registration portal, everything works well. Unfortunately, this is too complicated for the user base, but that's neither here nor there.
Now if I disconnect the device after going through the self-registration portal successfully, and leave it sit for about 5 minutes, the device works as intended and matches policy set rule 1 (seen below). It's almost as if the device doesn't get matched to rule 2 and instead gets stuck in rule 3 until manually disconnecting it. Once manually disconnecting the device and reconnecting it, it matches with rule 1. These are the exact same rules as on ISE 2.0 and the self-registration portal and redirect works fine. Thank you in advance for your input.
Here's what I have:
ISE Policy Sets:
- -Identity Group: GuestEndpoints, Match Airespace-Wlan-Id, Not domain Machine ----- result Guest-Internet
- -Wireless MAB, Match Airespace-Wlan-Id, Network Access UseCase EQUALS Guest Flow, Not domain Machine --- result Guest-Internet
- -Wireless MAB, Match Airespace-Wln-Id, Not a domain machine ------- result CWA Redirect
Hardware:
-WLC 5508
-ISE 2.3 patch 2
Impact:
-All devices, all browsers
No comments:
Post a Comment