CWA Redirect Problem

Mamba123
Getting noticed

CWA Redirect Problem

Hi Community,

 

Hello, we have a Problem with Meraki WLan and Guest Access with Cisco ISE.



Problem Description:

Client Access Guest WLAN and is authenticated on Cisco ISE Successfully. The Redirect Guest URL is send to Meraki MR.

Client open a Web page.

MR intercept DNS and respond with Guest URL.

ISE IP is configured in Wallet Garden and Client could open CWA.

Login could be entered and is successful. ISE show successful Authorization.



A sniff on MR show for Client WLAN Access a successful Radius communication:



MR -> ISE Access-Request

ISE -> MR Access-Accept





After successful CWA Authorization ISE send a CoA Request to MR.



Unfortunately the MR answer with CoA-NAK (Error 503 Session-Context-not-found)



CoA is enabled on Guest SSID.



As a result the MR intercept every DNS request when Webpage is opened and redirect to CWA

 

 

Best Regards

Max

2 Replies 2
DensyoV
Meraki Employee
Meraki Employee

Hi,

 

You probably need to check the attribute pairs that you are sending for the  CoA Request if it correct and supported by the MR.

Here's the link to Meraki KB for more info.

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIU...

 

Thanks,

Please hit kudos if you found this post helpful and/or click "accept as solution" if this solved your problem.
Mamba123
Getting noticed

Hi,

 

Thank you for your message. We have successfully implemented what is described there, but it still does not work.

I have now opened a TAC case. The recommendation from TAC was to restart MR and update to the 26.7 version. Neither has improved.

 

Max

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels