topic ISE CWA in foreign / anchor WLC deployment - usernames missing in Network Access Control

ISE CWA in foreign / anchor WLC deployment - usernames missing

Johannes Luther — Mon, 11 Mar 2019 05:54:57 GMT

I'm not quite sure if this belongs to the mobility section or security - I'll just give it a try here.
I implemented wireless guest access with Cisco ISE 1.3 (patch 2) and a WLC foreign / anchor deployment (7.6.130.0).
So far nearly everything is working very good - but I have probably an issue with the Cisco ISE logging.

In the "Live Authentications" logging, I can see successful authentications, but in the column identity it just shows the MAC address of the endpoint.
If browsing to the endpoint identity store the guest endpoint is in the correct group (guestendpoints) and when looking at the endpoint details I can see the "portalusername" who created the user.

If I click on the active endpoints view (see attachment), I can see all active guests (Authz profil "PermitAccess"). I guess the username of the guest should be filled out there as well, right?

Anybody got an idea what the root cause for this is? Or is the normal behavior?

My Authentication rules are:
if "wireless_mab" and "Radius:Called-Station-ID ENDS WITH Guest-SSID" then use "internal endpoints" and continue if "user not found"

My Authorization rules are:
1.) if GuestEndpoints AND (Wireless_MAB AND Radius:Called-Station-ID ENDS_WITH Guest-SSID ) then PermitAccess
2.) if (Wireless_MAB AND Radius:Called-Station-ID ENDS_WITH Guest-SSID ) then GUEST_WEBAUTH
The Authz Profile GUEST_WEBAUTH defined the CWA and the preAuth ACL for the WLC

On the WLC I just configured the foreign WLC with the RADIUS Server (ISE) and enabled MAC Authentication in the SSID.
All the settings like aaa-override and RADIUS NAC are set. The RADIUS delimited is set to "colon" to comply with the ISE

From my experience, this is

Tim Steele — Sun, 23 Aug 2015 00:38:33 GMT

From my experience, this is expected behavior. The new flow for the guest use case starting in ISE 1.3 typically includes registering the endpoint, like it sounds you are doing. Your authz policy for post-portal authentication (following the CoA) requires the MAC address to be used as the identity for guest permissions, not the guest credential used at the portal.

That being said, I too would like to be able to see the Portal User username each time that a registered endpoint authenticates (until it is purged using the Endpoint Purge Policies of course).

Tim

You will only see the

Tarik Admani — Tue, 25 Aug 2015 04:07:58 GMT

You will only see the username on the initial CWA authentication, once the client disconnects and then mab hits the top rule you will not see the username again.

Also if you are trying to restrict the maximum number of devices a guest user can connect, this also breaks also since there is no username to keep track of active sessions against.

thanks,

Thank you guys for the

Johannes Luther — Fri, 04 Sep 2015 06:42:27 GMT

Thank you guys for the feedback. The answer is exactely what I'm experiencing (with ISE 1.4 as well). I just wanted to know If I do something wrong 🙂

Too sad, that the username is not displayed when the MAB rule is hit after the endpoint is registered. ISE knows the portal user name of the registered MAC address if you check in the "endpoint identities". If someone from Cisco sees this, please consider adding this information in the guest reports and the live authentication log.