https://community.cisco.com/t5/network-access-control/guest-single-click-with-ldap/m-p/3878818#M472075 I reached out to engineering, did you get a tac case opened?<BR /> Mon, 24 Jun 2019 20:53:51 GMT Jason Kunst 2019-06-24T20:53:51Z https://community.cisco.com/t5/network-access-control/guest-single-click-with-ldap/m-p/3877460#M472073 <P>I am doing a guest install where the guest PSNs are not joined to AD and we are using LDAP.&nbsp; We have an group mapped into to the sponsor role and the users can log into the sponsor portal without an issue using their account name (JDoe4567 as an example).&nbsp;&nbsp; The user's email address is jdoe@customer.com.&nbsp; Because they are doing O365 they have changed all their UPNs to jdoe4567@customer.com.&nbsp; The only LDAP attribute that has the email address in it is the Mail attribute.</P> <P>&nbsp;</P> <P>When the guest enters jdoe@customer.com in as the person they are visiting the sponsor receives an email but has to sign into the portal which means the single click process didn't work.&nbsp; We set this up in a lab as well and changed the UPN to jdoe@customer.com and single clicked worked perfectly.&nbsp;</P> <P>&nbsp;</P> <P>Is ISE only looking up the UPN attribute when it does the single click look-up based on the email address?</P> Fri, 21 Jun 2019 15:01:58 GMT https://community.cisco.com/t5/network-access-control/guest-single-click-with-ldap/m-p/3877460#M472073 paul 2019-06-21T15:01:58Z https://community.cisco.com/t5/network-access-control/guest-single-click-with-ldap/m-p/3877489#M472074 <P>An update, we turned on some debugs and we can see in the guest.log that the email lookup is working against LDAP but it says no groups are received.&nbsp; The same account though works when we sign into the sponsor portal so LDAP groups are working there.&nbsp;</P> Fri, 21 Jun 2019 15:01:32 GMT https://community.cisco.com/t5/network-access-control/guest-single-click-with-ldap/m-p/3877489#M472074 paul 2019-06-21T15:01:32Z https://community.cisco.com/t5/network-access-control/guest-single-click-with-ldap/m-p/3878818#M472075 I reached out to engineering, did you get a tac case opened?<BR /> Mon, 24 Jun 2019 20:53:51 GMT https://community.cisco.com/t5/network-access-control/guest-single-click-with-ldap/m-p/3878818#M472075 Jason Kunst 2019-06-24T20:53:51Z https://community.cisco.com/t5/network-access-control/guest-single-click-with-ldap/m-p/3878820#M472077 Not yet. We did some more debugging on the issue and can't get consistent results. We tried both LDAP group membership and using LDAP attributes to assign sponsor roles.<BR /><BR /><BR /><BR />We will be opening a TAC case this week. The single click approval is a nice to have for the customer. We are working through other issues so we can start a pilot. We can do the pilot without single click working.<BR /><BR /><BR /> Mon, 24 Jun 2019 20:57:51 GMT https://community.cisco.com/t5/network-access-control/guest-single-click-with-ldap/m-p/3878820#M472077 paul 2019-06-24T20:57:51Z https://community.cisco.com/t5/network-access-control/guest-single-click-with-ldap/m-p/3881563#M472079 they said need logs go through tac please Fri, 28 Jun 2019 15:33:58 GMT https://community.cisco.com/t5/network-access-control/guest-single-click-with-ldap/m-p/3881563#M472079 Jason Kunst 2019-06-28T15:33:58Z