Monday 7 December 2020

Guest Flow

The guest flow overview is similar for wired and wireless setups. The flow diagram image can be used for reference throughout the document; it helps to visualize each troubleshooting step and the entity involved.



The flow can also be followed in the ISE live logs [Operations > RADIUS Live Logs] by filtering on the endpoint ID:

· MAB authentication successful: the username field contains the MAC address, the redirect URL is pushed to the NAD, and the user gets the portal

· Guest authentication successful: the username field contains the guest username, identified as GuestType_Daily (or the guest type configured for the guest user)

· CoA initiated: the username field is blank, and the detailed report shows Dynamic Authorization successful

· Guest access provided

The image shows the sequence of events (read from bottom to top).
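To make the live-log sequence above concrete, here is an added example (not from the original post) that walks the RADIUS live-log rows for one endpoint, oldest first, and reports the last stage of the guest flow that was reached; the row fields and sample rows are constructed and only mirror the columns the post mentions.

```python
import re
from typing import Dict, List

# Constructed sample rows for one endpoint, oldest first (the live-log page lists
# them newest on top, so read it bottom to top). Field names are assumptions.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"status": "pass", "username": "00:11:22:33:44:55", "identity_group": "",
     "details": "Authentication succeeded, redirect URL pushed to NAD"},
    {"status": "pass", "username": "jdoe@example.com", "identity_group": "GuestType_Daily",
     "details": "Guest authentication passed"},
    {"status": "pass", "username": "", "identity_group": "",
     "details": "Dynamic Authorization succeeded"},
    {"status": "pass", "username": "jdoe@example.com", "identity_group": "GuestType_Daily",
     "details": "Authorization profile: GuestAccess"},
]

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)

# Which section of the post to work through for each stopping point.
NEXT_CHECK = {
    "NONE": "No successful MAB entry: the endpoint never authenticated via MAB.",
    "MAB_OK": "Portal login never seen: see 'Redirection to the Guest Portal Does not Work'.",
    "GUEST_AUTH_OK": "No CoA entry after guest login: see 'Dynamic Authorization Fails'.",
    "COA_FAILED": "CoA rejected by the NAD: CoA config, UDP 1700 and WLC NAC state.",
    "COA_OK": "CoA accepted but no re-authorization seen for the endpoint.",
    "GUEST_ACCESS": "Flow complete: guest access provided.",
}


def guest_flow_progress(rows: List[Dict[str, str]]) -> str:
    """Walk the rows in time order and return the last guest-flow stage reached."""
    stage = "NONE"
    for r in rows:
        user, grp, det = r["username"].strip(), r["identity_group"], r["details"].lower()
        ok = r["status"] == "pass"
        if stage == "NONE" and ok and MAC_RE.match(user):
            stage = "MAB_OK"                 # username is the MAC: URL/ACL pushed to NAD
        elif stage == "MAB_OK" and ok and grp.startswith("GuestType_"):
            stage = "GUEST_AUTH_OK"          # username is the guest account: portal login worked
        elif stage == "GUEST_AUTH_OK" and user == "" and "dynamic authorization" in det:
            stage = "COA_OK" if "succe" in det else "COA_FAILED"   # blank username: CoA row
        elif stage == "COA_OK" and ok:
            stage = "GUEST_ACCESS"           # authorization after the CoA
    return stage


if __name__ == "__main__":
    s = guest_flow_progress(SAMPLE_ROWS)
    print(s, "-", NEXT_CHECK[s])
```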



Common Deployment Guides

Here are some links for configuration assistance. When troubleshooting any specific use case, it helps to know the ideal or expected configuration.

· Wired Guest Configuration

· Wireless Guest Configuration

· Wireless Guest CWA with FlexAuth APs

Redirection to the Guest Portal Does Not Work

Once the redirect URL and ACL have been pushed from ISE, check these:

1. Client status on the switch (for wired guest access), with the command show authentication session int <interface> details:




2. Client status on the Wireless LAN Controller (for wireless guest access): Monitor > Client > MAC address




3. Reachability from the endpoint to ISE on TCP port 8443, from the command prompt: C:\Users\sotumu>telnet <ISE-IP> 8443

4. If the portal redirect URL contains an FQDN, check that the client is able to resolve it from the command prompt: C:\Users\sotumu>nslookup guest.ise.com

5. In a FlexConnect setup, ensure the same ACL name is configured under both the ACLs and the FlexConnect ACLs. Also verify that the ACL is mapped to the APs. Refer to the config guide from the previous section, steps 7b and 7c, for more information.




6. Take a packet capture on the client and check for the redirection. The HTTP/1.1 302 Page Moved packet indicates that the WLC/switch redirected the accessed site (e.g. google.com) to the ISE guest portal (the redirect URL):





7. The HTTP(S) engine is enabled on the Network Access Devices:

On the switch:



On the WLC:



8. If the WLC is in a foreign-anchor setup, check these:

    Step 1. The client status must be the same on both WLCs.

    Step 2. The redirect URL should be seen on both WLCs.

    Step 3. RADIUS Accounting must be disabled on the anchor WLC.
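As an added example (not from the original post) covering steps 3, 4 and 6 above from the client side: it parses a captured HTTP response and confirms it is a 302 whose Location points at the ISE guest portal on TCP 8443, and it offers the equivalent of the nslookup and telnet checks. The portal FQDN guest.ise.com comes from the post; the captured 302 response, its session ID and portal ID are constructed.

```python
import socket
from urllib.parse import urlparse

PORTAL_FQDN = "guest.ise.com"   # FQDN used in the post's nslookup example
PORTAL_PORT = 8443

# Constructed sample of what the WLC/switch returns when the client opens http://google.com/
SAMPLE_302 = (
    "HTTP/1.1 302 Page Moved\r\n"
    "Location: https://guest.ise.com:8443/portal/gateway?sessionId=CONSTRUCTED-SESSION-ID"
    "&portal=CONSTRUCTED-PORTAL-ID&action=cwa&redirect=google.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_redirect(raw: str):
    """Return (status_code, location) from a raw HTTP response; location may be None."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def is_portal_redirect(raw: str, fqdn: str = PORTAL_FQDN, port: int = PORTAL_PORT) -> bool:
    """True if the response is a 302 to https://<fqdn>:<port>/..., i.e. the ISE portal."""
    status, location = parse_redirect(raw)
    if status != 302 or not location:
        return False
    u = urlparse(location)
    return u.scheme == "https" and u.hostname == fqdn.lower() and u.port == port


def portal_reachable(fqdn: str = PORTAL_FQDN, port: int = PORTAL_PORT, timeout: float = 3.0):
    """Steps 3 and 4 from the client: resolve the FQDN, then open TCP 8443. Needs network."""
    try:
        ip = socket.gethostbyname(fqdn)              # equivalent of nslookup guest.ise.com
    except socket.gaierror:
        return {"dns": False, "tcp": False}
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return {"dns": True, "tcp": True}        # equivalent of telnet <ISE-IP> 8443
    except OSError:
        return {"dns": True, "tcp": False}


if __name__ == "__main__":
    print("302 to ISE portal:", is_portal_redirect(SAMPLE_302))
```

If the 302 is missing or points elsewhere, the redirect was not applied on the NAD (steps 1, 2, 5, 7); if the 302 is correct but the page never loads, work through the DNS and TCP 8443 checks.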



Dynamic Authorization Fails

If the end user is able to access the guest portal and log in successfully, the next step is a change of authorization to give the user full guest access. If this does not work, a Dynamic Authorization failure is seen in the ISE RADIUS Live Logs. To remediate the issue, check these:



1. Change of Authorization (CoA) must be enabled/configured on the NAD:





2. UDP port 1700 must be allowed on the firewall.

3. The NAC state on the WLC is incorrect. Under Advanced settings in the WLC GUI > WLAN, change the NAC state to ISE NAC.




SMS/Email Notifications Are Not Sent

1. Check the SMTP configuration under Administration > System > Settings > SMTP.

2. Check the API for SMS/email gateways outside ISE:

Test the URL(s) provided by the vendor in an API client or a browser, replacing variables such as usernames, passwords and mobile number, and test the reachability. [Administration > System > Settings > SMS Gateways]



Alternatively, if you are testing from the ISE sponsor groups [Work Centers > Guest Access > Portals and Components > Guest Types], take a packet capture on ISE and on the SMS/SMTP gateway to check whether:

1. The request packet reaches the server untampered.

2. The ISE server has the vendor-recommended permissions/privileges for the gateway to process this request.



Manage Accounts Page Is Not Reachable

1. The Manage Accounts button under Work Centers > Guest Access redirects to the ISE FQDN on port 9002, so that the ISE admin can access the sponsor portal:



2. Check whether the FQDN is resolved by the workstation from which the Sponsor Portal is being accessed, with the command nslookup <FQDN of ISE PAN>.

3. Check whether ISE TCP port 9002 is open, from the ISE CLI, with the command show ports | include 9002.

Portal Certificate Best Practices

· For a seamless user experience, the certificate used for the portal and admin roles must be signed by a well-known public Certificate Authority (for example GoDaddy, DigiCert, VeriSign) that is commonly trusted by browsers (for example Google Chrome, Firefox).

· Using a static IP for guest redirection is not recommended, as it makes the private IP of ISE visible to all users. Most vendors do not issue third-party-signed certificates for private IPs.

· When you move from ISE 2.4 patch 6 to patch 8 or 9, there is a known bug, CSCvp75207, where the Trust for authentication within ISE and Trust for client authentication and Syslog boxes must be manually checked after the patch upgrade. This ensures that ISE sends out the full certificate chain in the TLS flow when the guest portal is accessed.

