Cisco ISE - Different Identity Group for self registered Guests

Marc Aemmer (Level 1)

Hi

I have a Guest Portal configured with Self Registration which assigns Devices to Guest Type "Visitors".

The Authorization Policy allows access when Guest_Flow and Identity Group = Visitors.

Now I recognized under Work Centers -> Guest Access -> Identities, that some endpoints have different Identity Groups than "Visitors". Some are assigned to "Profiled" and others to "Android" etc. Is this because of the profiler? Does this affect the Authorization Policy? Should this behaviour be turned off? If yes, where?

Thanks,

Marc




anthonylofreso (Level 4)

Probably should not be turned off, and in fact, I'm not even sure you can turn it off.

This will only affect your AuthZ policy if your policy is written as such. Meaning, is one of your policy's conditions 'Profiled' or 'Android'? If not, then it will not match.

Also, yes, this is happening because it's matching rules under: Work Centers > Profiler > Policy Elements > Profiler Conditions

Which match to: Work Centers > Profiler > Profiling Policies

I don't get that. I have created different AuthZ Policies with different AuthZ Profiles based on Endpoint Identity Groups.

So if the profiler is overwriting the Endpoint Identity Groups I configured in each Guest Type this all makes no sense.

If you're putting an endpoint in a specific identity group, the profiler policies will not overwrite that. Or at least, they shouldn't be...?

Exactly what I think too. But in my case, it's somehow assigning different identity groups than I configured in my guest types...

You should see the endpoints under the guest identity groups regardless

Credentialed guest portal will assign the guest endpoint to the endpoint group specified under the guest type.

Unfortunately we were not able to solve the problem yet. It looks like ISE is arbitrarily changing the identity groups of guest endpoints. This leads to a CoA and the user will not be able to connect anymore, because the AuthZ rules are based on endpoint groups.

Get it checked with TAC. Essentially, the guest endpoint group assignment after the guest authentication is a static assignment. There are a few known issues with static group assignment being lost depending on your version.
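The reply above says the guest endpoint group assignment is static and that it can be lost on some versions. One way to check for that drift before users start failing the AuthZ rule is to audit the endpoint records and flag guest-portal endpoints that are no longer statically in the expected group. The script below is an added example, not code from the thread or from Cisco; the field names (mac, groupId, staticGroupAssignment, portalUser) are assumed to follow the ISE ERS endpoint resource, the group ids are placeholders, and the records are constructed sample data rather than output from a real deployment.

```python
"""Audit ISE endpoint records for lost static guest-group assignment.

Field names follow the ISE ERS 'endpoint' resource (assumption). The records
below are constructed sample data; in practice you would fetch them with a
read-only ERS account and feed the parsed JSON list into audit_guest_endpoints().
"""
import json

# Constructed sample: roughly what a list of ERS endpoint objects looks like.
# Group ids are placeholders, not real ISE UUIDs.
SAMPLE_ENDPOINTS_JSON = """
[
  {"mac": "AA:BB:CC:00:00:01", "groupId": "grp-visitors", "staticGroupAssignment": true,  "portalUser": "guest01"},
  {"mac": "AA:BB:CC:00:00:02", "groupId": "grp-profiled", "staticGroupAssignment": false, "portalUser": "guest02"},
  {"mac": "AA:BB:CC:00:00:03", "groupId": "grp-android",  "staticGroupAssignment": false, "portalUser": "guest03"},
  {"mac": "AA:BB:CC:00:00:04", "groupId": "grp-visitors", "staticGroupAssignment": false, "portalUser": "guest04"},
  {"mac": "AA:BB:CC:00:00:05", "groupId": "grp-profiled", "staticGroupAssignment": false, "portalUser": ""}
]
"""

EXPECTED_GUEST_GROUP = "grp-visitors"  # placeholder for the "Visitors" group id


def audit_guest_endpoints(endpoints, expected_group):
    """Return findings for endpoints that registered through a guest portal
    (non-empty portalUser) but are not statically in the expected group.

    Endpoints without a portalUser are skipped: profiler-driven groups such
    as Profiled or Android are normal for non-guest devices.
    """
    findings = []
    for ep in endpoints:
        if not ep.get("portalUser"):
            continue
        problems = []
        if ep.get("groupId") != expected_group:
            problems.append(f"in group {ep.get('groupId')!r}, expected {expected_group!r}")
        if not ep.get("staticGroupAssignment", False):
            problems.append("static group assignment is not set")
        if problems:
            findings.append({"mac": ep["mac"], "portalUser": ep["portalUser"], "problems": problems})
    return findings


def summarize(findings):
    """Count findings by category; handy for trending after a change such as
    disabling a purge rule, to see whether the number of affected endpoints drops."""
    counts = {"wrong_group": 0, "lost_static": 0}
    for f in findings:
        for p in f["problems"]:
            if p.startswith("in group"):
                counts["wrong_group"] += 1
            else:
                counts["lost_static"] += 1
    return counts


if __name__ == "__main__":
    eps = json.loads(SAMPLE_ENDPOINTS_JSON)
    found = audit_guest_endpoints(eps, EXPECTED_GUEST_GROUP)
    for f in found:
        print(f"{f['mac']} ({f['portalUser']}): " + "; ".join(f["problems"]))
    print(summarize(found))
```

Running the audit on a schedule and alerting when the counts rise gives you a record to hand to TAC, and it catches the drift before the CoA kicks the guest off the network.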

Ciao,

do you have any information regarding bug ID or resolution?

Thanks

There is still no resolution. I have opened a TAC case months ago and we are still looking for the root cause.

There could be a chance that the purge rule for the affected identity group is causing the problem. With the purge rule deactivated, I have way fewer guest flow endpoints which are losing static group assignment.

You'll need to escalate to the duty manager and work through TAC. We don't do break/fix in the community.

rsoares01 (Level 1)

Hi, I am having exactly the same issue. How did you solve it?

I am having an issue with the "remember me" configuration because the identity group of the devices is tagged as Profiled instead of GuestEndpoint.
