topic Using ISE guest store via RADIUS in Network Access Control

Using ISE guest store via RADIUS

ThoDoepke — Mon, 11 Mar 2019 02:09:46 GMT

I have a question concerning the guest store on the ISE.

I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
Has anyone already implemented a similar solution or any idea how to access the guest store?

Thanks

Thomas

Using ISE guest store via RADIUS

jrabinow — Mon, 04 Jun 2012 17:59:39 GMT

The internal user store does include the guest store. I suggest to look at live authentications and see if guest logins are in fact making it to the box and if so see the failure reason when the guest logs in

Using ISE guest store via RADIUS

Jim Thomas — Mon, 04 Jun 2012 19:09:58 GMT

The local identity store will not contain the guest users. Those are created within the sponsor portal (unless self registration). if you create a guest account in 1.1 (dont know if 1.0.4 vs 1.1 is different here) it will not appear under the local identity store.

Using ISE guest store via RADIUS

jrabinow — Mon, 04 Jun 2012 19:37:49 GMT

I agree that if you create a guest account you can not see it qhen looking at the list of users in the internal users store. However, if you want to authenticate a guest you need to select "Internal Users" as result in authenticaiton policy

I confirmed this as follows:

- create a guest user

- select "Internal Users" as result in authentication policy

>>>> authentication succeeds

- select different indentity store as result in authentication policy and authentication fails

Using ISE guest store via RADIUS

ThoDoepke — Tue, 05 Jun 2012 08:36:12 GMT

I just created a simple setup and tested the login.

It doesn't work with a user created as a guest account.

If I create the user in the normal internal identity store I works fine.

Might there be a difference between ISE Versions?

We are currently using Version 1.1.0.665 on a VM for testing purpose.

This is what the details show:

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

Evaluating Service Selection Policy

15048 Queried PIP

15004 Matched rule

Evaluating Identity Policy

15006 Matched Default Rule

15013 Selected Identity Store - Internal Users

24210 Looking up User in Internal Users IDStore - tuser001

24206 User disabled

22057 The advanced option that is configured for a failed authentication request is used

22061 The 'Reject' advanced option is configured in case of a failed authentication request

11003 Returned RADIUS Access-Reject

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

Evaluating Service Selection Policy

15048 Queried PIP

15004 Matched rule

Evaluating Identity Policy

15006 Matched Default Rule

15013 Selected Identity Store - Internal Users

24210 Looking up User in Internal Users IDStore - tuser001

24212 Found User in Internal Users IDStore

22037 Authentication Passed

Evaluating Authorization Policy

15004 Matched rule

15016 Selected Authorization Profile - Guest

11022 Added the dACL specified in the Authorization Profile

11002 Returned RADIUS Access-Accept

Using ISE guest store via RADIUS

jrabinow — Tue, 05 Jun 2012 14:28:26 GMT

I am looking at a 1.1 system and running same test. when create a guest have the option to select the Group Role. If select the option of "Guest" you will see the behavior above and guest will be initially disabled and require activation.

However, if slect "ActivatedGuest" then the guest will created in an enabled state and will be able to login with this guest user name

Using ISE guest store via RADIUS

ThoDoepke — Tue, 05 Jun 2012 15:00:08 GMT

The initial setup doesn't have a Group Role called "ActivatedGuest", there is only the "Guest" role.

I created another role but I can't see any difference between the two roles. They just match the guest user to a corresponding group in the internal identity store.

The created user is in state "Awaiting Initial Login". I can't find any hint for an enable or disable state or how to change this state in a different Group Role.

Using ISE guest store via RADIUS

jrabinow — Tue, 05 Jun 2012 15:22:30 GMT

When the user is in the "Awaiting Initial Login" state they must first login through the Guest portal and ack the Acceptable Use Policy (AUP) to make the guest active

I am in fact looking on a later version than 1.1 (sorry for that) and see options under "Multi-Portal Configurations" to define whether guest users need to agree to an acceptable use policy. Do not know whether same option exists on 1.1 and will see how to avoid this state in 1.1

Using ISE guest store via RADIUS

ThoDoepke — Tue, 05 Jun 2012 15:35:45 GMT

This option also exists in the version i'm using. I already set it to "Not Used" but the user stays in the

"Awaiting Initial Login" state.

Using ISE guest store via RADIUS

jrabinow — Tue, 05 Jun 2012 16:55:32 GMT

The ActivatedGuest capability is available in the next release of ISE: - 1.1 MnR that should be FCS in next month

In the meantime, what is required to activate a guest is for them to login to the guest portal. Once this login is performed then the guest is Activated for RADIUS access. The "Not Used" option is used to determine whether the guest needs to accept the Acceptable Use Policy on login to the guets portal,

I think the URL for the guest portal is https://ISE:8443/guestportal/portal.jsp

Using ISE guest store via RADIUS

ThoDoepke — Wed, 06 Jun 2012 09:33:59 GMT

Thanks a lot!

That should solve my problem.

Using ISE guest store via RADIUS

sin — Mon, 10 Dec 2012 09:20:01 GMT

This seems to be the same issue with ISE version 1.1.2.145

Any fix to this ?

Regards Rasmus

Using ISE guest store via RADIUS

ThoDoepke — Wed, 12 Dec 2012 15:51:47 GMT

I don't have any problems with this issue. The new group "ActivatedGuest" which was implemented with version 1.1.1 is still working with 1.1.2.145.