Meraki and ISE guest portal loop

ammahend
Building a reputation


Hi community,

I have a Meraki SSID deployed in bridge mode with MAB pointing to ISE for AAA.

On ISE I am using a guest portal with my Active Directory as the authentication source.

 

Everything is working: I get redirected to the ISE guest portal, log in with AD credentials, and get the right group policy assigned to the user by Meraki. However, if the user disconnects from wireless even for a second, they are redirected to the login portal again and have to go through the whole guest login flow again.

 

Is this expected behavior with Meraki? Is there anything I can do to avoid this, either on the Meraki side or the ISE side?

 

Additional Notes

=============

So far this issue occurs only with Meraki; with a Cisco controller it does not happen. Upon further analysis with a TCP dump capture from ISE, I found that when I turn off WiFi on the endpoint, Cisco does not disconnect the session immediately on the controller, and the session on ISE remains in the started state.

But with Meraki, as soon as the endpoint disconnects (even for 1 second), the session on ISE terminates immediately.

The TCP dump shows Meraki sending an immediate accounting request with Stop as soon as the user disconnects.

 

AVP: t=Acct-Status-Type(40) l=6 val=Stop(2)

 

 

Seshu
Meraki Employee

Hello @ammahend 

 

I have checked with our team, and the expected behavior for MAB is that the AP sends a RADIUS Access-Req for each association. So, when the client disassociates and associates back, it is treated as a new connection and a new Access-Req is sent to the RADIUS server.

 

This KB gives a detailed account of what the process is and how the ISE is recommended to be configured. Please confirm that the settings on the Server are as per recommendations just to rule out a config issue. If this continues to happen and you would like a change in behavior, I would recommend opening a support case so that we can give a more definitive answer based on the logs collected from your organization on the dashboard.

 

Let me know if you have any questions.

 

Regards,

Meraki Team
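
Editor's added example (not part of either post, and not Meraki or Cisco code): a Python sketch that parses RADIUS datagrams from a capture and flags the pattern described in this thread, an Accounting-Request with Acct-Status-Type Stop followed shortly by a fresh MAB Access-Request for the same Calling-Station-Id. The function names, the 5-second window and the sample MAC addresses are assumptions; the packet layout follows RFC 2865 and RFC 2866.

```python
import struct
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4       # RADIUS codes (RFC 2865 / RFC 2866)
CALLING_STATION_ID, ACCT_STATUS_TYPE = 31, 40   # attribute types
ACCT_STOP = struct.pack("!I", 2)                # 4-byte value, so the AVP has l=6

def parse_radius(data):
    """Return (code, {attr_type: value_bytes}) for one RADIUS datagram."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad or truncated attribute")
        a_type, a_len = data[pos], data[pos + 1]
        attrs[a_type] = data[pos + 2:pos + a_len]
        pos += a_len
    return code, attrs

def find_reauth_after_stop(packets, window=5.0):
    """Return [(mac, gap_seconds)] where a MAB Access-Request follows an
    Accounting Stop for the same Calling-Station-Id within `window` seconds."""
    last_stop, hits = {}, []
    for ts, raw in packets:
        code, attrs = parse_radius(raw)
        mac = attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace").upper()
        if mac and code == ACCOUNTING_REQUEST and attrs.get(ACCT_STATUS_TYPE) == ACCT_STOP:
            last_stop[mac] = ts
        elif mac and code == ACCESS_REQUEST and mac in last_stop:
            gap = ts - last_stop.pop(mac)
            if gap <= window:
                hits.append((mac, round(gap, 3)))
    return hits

def build(code, attrs):
    """Build a constructed sample datagram (authenticator zeroed, not valid)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample: (capture timestamp, datagram); the MACs are made up.
SAMPLE = [
    (100.0, build(4, [(31, b"aa-bb-cc-dd-ee-01"), (40, ACCT_STOP)])),
    (100.5, build(4, [(31, b"aa-bb-cc-dd-ee-02"), (40, ACCT_STOP)])),
    (101.2, build(1, [(31, b"aa-bb-cc-dd-ee-01")])),   # re-association 1.2 s later
    (400.0, build(1, [(31, b"aa-bb-cc-dd-ee-02")])),   # returns long after the Stop
]
print(find_reauth_after_stop(SAMPLE))
```

Each hit is an endpoint whose ISE session was closed by the Stop and that then started a new MAB authentication, which is the point where the guest portal redirect reappears.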

 

mirkomaffioli
Comes here often

Hi, same error here.

Did you find any help with the support?
