https://community.cisco.com/t5/network-access-control/guest-wi-fi-returning-users-and-session-identity-persistence/m-p/3578891#M528624 <HTML><HEAD></HEAD><BODY><P>Correct behavior</P><P></P><P>https://communities.cisco.com/message/256994?mobileredirect=true</P><P></P><P>Ise 2.3 will correct the live log issue but not the guest reporting issues</P></BODY></HTML> Mon, 10 Jul 2017 14:02:51 GMT Jason Kunst 2017-07-10T14:02:51Z https://community.cisco.com/t5/network-access-control/guest-wi-fi-returning-users-and-session-identity-persistence/m-p/3578890#M528623 <HTML><HEAD></HEAD><BODY><P>Hi ISE fans</P><P></P><P>I think I am missing some fundamental concepts to the workings of Guest web auth.</P><P></P><P>I authenticated a wifi guest user on the guest portal and in Live Logs I can see the Session Status is "Started"</P><P></P><P><IMG class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/109020_pastedImage_0.png" style="max-height: 900px; max-width: 1200px;" /></P><P></P><P><IMG class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/109019_pastedImage_0.png" style="max-height: 900px; max-width: 1200px;" /></P><P></P><P>The Username is mapped to <A href="mailto:jane@email.com">jane@email.com</A> because ISE was overwriting the MAC address during the portal authentication flow.</P><P>Next thing ...</P><P>If WLC session has timed out (e.g. after 8 hours), and the WLC sends Acct Stop to ISE, then ISE marks that Session as Terminated.</P><P></P><P><IMG class="jive-image image-3" src="https://community.cisco.com/legacyfs/online/fusion/109021_pastedImage_1.png" style="max-height: 900px; max-width: 1200px;" /></P><P></P><P>Not generally a problem, because the returning user will be automatically be authorised by my AuthZ policy since I look up the MAC address in the GuestEndpoints Identity Group. The Guest is working and happy again.&nbsp; And the problem is that ISE no longer has any clue who this user is, since GuestEndpoints only contains MAC addresses. And this time around the Access-Accept replies with the MAC address only, and not with the actual username. </P><P></P><P><IMG class="jive-image image-4" src="https://community.cisco.com/legacyfs/online/fusion/109022_pastedImage_2.png" style="max-height: 900px; max-width: 1200px;" /></P><P></P><P>This is a problem for me because I need to know the Identity (e.g. <A href="mailto:jane@email.com">jane@email.com</A>) without forcing them to authenticate on the portal again.&nbsp; In other words, I wanted ISE to cache the MAC&lt;-&gt;UserName for the entire duration of the validity of the guest account. Is this possible?&nbsp;&nbsp; I don't want to have a WLC session timeout of 30 days to force this behaviour. </P><P></P><P>I don't have Profiling licenses.</P><P></P><P>Please show me the error of my way ... <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P></BODY></HTML> Mon, 10 Jul 2017 05:54:40 GMT https://community.cisco.com/t5/network-access-control/guest-wi-fi-returning-users-and-session-identity-persistence/m-p/3578890#M528623 Arne Bier 2017-07-10T05:54:40Z https://community.cisco.com/t5/network-access-control/guest-wi-fi-returning-users-and-session-identity-persistence/m-p/3578891#M528624 <HTML><HEAD></HEAD><BODY><P>Correct behavior</P><P></P><P>https://communities.cisco.com/message/256994?mobileredirect=true</P><P></P><P>Ise 2.3 will correct the live log issue but not the guest reporting issues</P></BODY></HTML> Mon, 10 Jul 2017 14:02:51 GMT https://community.cisco.com/t5/network-access-control/guest-wi-fi-returning-users-and-session-identity-persistence/m-p/3578891#M528624 Jason Kunst 2017-07-10T14:02:51Z https://community.cisco.com/t5/network-access-control/guest-wi-fi-returning-users-and-session-identity-persistence/m-p/3578892#M528625 <HTML><HEAD></HEAD><BODY><P>Hi Jason</P><P></P><P>Thanks for confirming.&nbsp; As a Cisco Partner I have limited visibility into the bug ID's - does the fix in 2.3 release also ensure that the Accounting Requests contain the mapped User-Name instead of the MAC address?&nbsp; And if so, is that a patch/hotfix that I can apply to 2.2p1 ?&nbsp; Our solution is meant to go live in a month.</P><P>My customer's solution involves a transparent web proxy solution that seeks to apply proxying policies based on the Radius accounting requests.&nbsp; They look in the User-Name attribute and then perform an LDAP lookup etc.&nbsp; The User-Name has to contain a valid identity.</P><P></P><P>regards</P><P>Arne</P></BODY></HTML> Mon, 10 Jul 2017 22:34:47 GMT https://community.cisco.com/t5/network-access-control/guest-wi-fi-returning-users-and-session-identity-persistence/m-p/3578892#M528625 Arne Bier 2017-07-10T22:34:47Z https://community.cisco.com/t5/network-access-control/guest-wi-fi-returning-users-and-session-identity-persistence/m-p/3578893#M528626 <HTML><HEAD></HEAD><BODY><P>The fix is in ise 2.3 for live logs only and doesn't address your use case as it's treated as straight mab</P><P></P><P>Please reach out to the ise product management team through your sales channel to address your use case</P><P></P><P>Sent from my iPhone</P></BODY></HTML> Mon, 10 Jul 2017 23:31:40 GMT https://community.cisco.com/t5/network-access-control/guest-wi-fi-returning-users-and-session-identity-persistence/m-p/3578893#M528626 Jason Kunst 2017-07-10T23:31:40Z