3213 Views, 0 Helpful, 5 Replies

ISE 2.3 - Guest Portal not working with AD in portal sequence

jcatanzaro9
Level 1

Working on trying to use the guest portal to allow employees to authenticate with AD credentials for same level of access as sponsored guest users (internet only).  Guest portal configured to use sequence with Guest Users first, followed by CORP (AD).  Going off of this guide:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_Basic_Access_Use_Case.html


Section: Extending Web Auth to Use Microsoft AD when Authenticating Employees with Personal Devices


Seems to be everything is correct but the authentication fails when using my AD creds in the guest portal no matter which AD group I call out in the AuthZ rule. AuthC rule is using wireless MAB, AuthZ says if you come in through guest flow, called station 'Guest' and CORP:External Groups equals (desired AD group) then AuthZ profile with Access-Accept and InternetOnly Airespace ACL.


Every time I try it says authentication failed, but I can't seem to find any logging on the portal authentications to indicate why this is failing. Has anyone set this up this way and if so where am I going wrong?

1 Accepted Solution


@jcatanzaro9 wrote:
So the issue is when using AD creds I get authentication failed on the portal. Only problem is I don't see the failed authentications anywhere in the live log or reports to figure out *what* is failing.

JAK > I am not sure either because with my setup if I put in wrong username password for AD it will fail and show me that in Operations radius live logs

Version is 2.3 as the title states, not positive which patch right now. One AuthC policy if Wireless-MAB then Guest-Portal-Sequence for identity. AuthZ policies configured as outlined in that guide, the current working guest authZ profile is if MAB AND guest WLAN-ID then Portal Redirect, and then authZ for authenticated user is if use-case equal guest flow AND called station is Guest, AND identity group is guest-endpoints, then permit access.

JAK > can you fallback for an authc condition that allows all identity sources to check if that's the issue? Your authz looks correct from what you're sharing, a picture would be nice

One piece that I don't have turned on is "apply cisco ISE default settings" and the NAC state is None on that particular WLAN. Like I said that's working so I'm leery of making changes to it and would probably prefer to use a separate SSID for employee devices but redirect to the same portal.

JAK > wouldn't mess with that, if guest database works then you have validated the whole wireless flow.


Please reach out to TAC for further troubleshooting and assistance, not sure what's happening at this point. Perhaps your external identity source is not setup with the correct groups? Did you try the internal database to see if that works with internal account? Does AD work with wireless dot1x SSID?


5 Replies

Jason Kunst
Cisco Employee
I would recommend keeping it simple and starting with this guide - https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

Also under http://cs.co/ise-guest there are other examples talking about employee internet access.

All due respect, I've read through that guide half a dozen times or so and it is most definitely not a one-size-fits-all solution. I'm dealing with a long-deployed wireless environment and an ISE environment that's a few years old. I asked a very specific question (the third one thus far in this forum) and again have been met with this easily found PDF prescriptive deployment guide which would be awesome if I had nothing in place and was deploying for the first time. That's not the case.


"keeping it simple" with that guide would require essentially tearing out what we already have and redoing it.  The section from the guide I linked to in my original post indicates simply adding an identity source to the existing sequence should work for the situation I describe, but it's not working.

The simple examples there in the guide of the policies should be able to be tweaked with what you have going on.

The Default identity source sequence and guest portal works with AD authentication. Perhaps you start by not calling out the group? The following works with AD login with guest identity source sequence mapped to AD.

If guest flow then permit access
if MAB then redirect to portal

What release you're on, show pictures of your authentication and authorization policies. Any associated configurations related? Perhaps the AD groups you have called out under External Identities?
Under http://cs.co/ise-guest there are several employee mentions perhaps one fits your specifics or is close?
The guide on page 21 step 4 shows a sample authorization policy which works with GUEST and AD login.
If all else fails work with the TAC, information on how to get help in the community is at http://cs.co/ise-help. Trying to help, we need info like:
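The two policy shapes discussed in this thread, the group-scoped rule from the original post ("guest flow AND called station 'Guest' AND CORP external group equals X") and the simpler "if guest flow then permit access" from this reply, modelled as a small evaluator. This is an added, constructed example and not ISE's own code or API; the identity store contents, user names, group names, rule names, the session attributes and the simplification that a user not found in one store falls through to the next store in the sequence are all assumptions. It shows why an AD user who authenticates fine against the CORP store but is not a member of the named group ends at the default deny under the group-scoped rule, while the same login is permitted by the plain guest-flow rule, and it returns the matched rule so the failing step is visible the way a live-log row would show it.

```python
# Constructed model of an ISE-style identity source sequence followed by
# first-match authorization. Not ISE code; all data below is made up.
from dataclasses import dataclass, field
from typing import Callable

# Two identity stores, ordered as in the thread: "Guest Users" first, then
# "CORP" (AD). Passwords and group memberships are constructed.
GUEST_USERS = {
    "visitor1": {"password": "guest-pw", "groups": ["GuestType_Daily (default)"]},
}
CORP_AD = {
    "jdoe":   {"password": "corp-pw", "groups": ["Domain Users", "Wireless-Employees"]},
    "asmith": {"password": "corp-pw", "groups": ["Domain Users"]},
}
SEQUENCE = [("Guest Users", GUEST_USERS), ("CORP", CORP_AD)]


def authenticate(username, password, sequence=SEQUENCE):
    """Walk the identity source sequence in order.

    Assumed simplification: a user not found in a store falls through to the
    next store; a user found with a wrong password fails immediately.
    Returns (store_name, groups) on success or None on failure.
    """
    for store_name, store in sequence:
        entry = store.get(username)
        if entry is None:
            continue
        if entry["password"] == password:
            return store_name, list(entry["groups"])
        return None
    return None


@dataclass
class Session:
    """Attributes the authorization policy sees after a portal login."""
    use_case: str                 # "GuestFlow" once the user logged in via the portal
    called_station: str           # SSID taken from Called-Station-Id
    identity_store: str = ""      # store that authenticated the user
    groups: list = field(default_factory=list)


Rule = tuple[str, Callable[[Session], bool], str]  # (name, condition, authz profile)


def authorize(session, rules):
    """First-match evaluation; returns (rule_name, authz_profile)."""
    for name, condition, profile in rules:
        if condition(session):
            return name, profile
    return "Default", "DenyAccess"


def portal_login(username, password, ssid, rules, sequence=SEQUENCE):
    """End to end: authenticate through the sequence, then authorize.

    Returns a dict shaped like a live-log row so the failing step is visible.
    """
    auth = authenticate(username, password, sequence)
    if auth is None:
        return {"step": "authentication", "result": "failed", "rule": None, "store": None}
    store, groups = auth
    session = Session("GuestFlow", ssid, store, groups)
    rule, profile = authorize(session, rules)
    return {"step": "authorization", "result": profile, "rule": rule, "store": store}


# Rule set as described in the original post: AD users must be in a named group.
RULES_WITH_GROUP = [
    ("Employee-InternetOnly",
     lambda s: s.use_case == "GuestFlow" and s.called_station == "Guest"
     and s.identity_store == "CORP" and "Wireless-Employees" in s.groups,
     "InternetOnly-Airespace-ACL"),
    ("Guest-PermitAccess",
     lambda s: s.use_case == "GuestFlow" and s.called_station == "Guest"
     and s.identity_store == "Guest Users",
     "PermitAccess"),
]

# Simpler rule set from this reply: any guest-flow login is permitted.
RULES_GUEST_FLOW_ONLY = [
    ("Guest-Flow", lambda s: s.use_case == "GuestFlow", "PermitAccess"),
]

if __name__ == "__main__":
    for user, pw in [("visitor1", "guest-pw"), ("jdoe", "corp-pw"),
                     ("asmith", "corp-pw"), ("jdoe", "wrong-pw")]:
        print(user, "group-scoped :", portal_login(user, pw, "Guest", RULES_WITH_GROUP))
        print(user, "guest-flow   :", portal_login(user, pw, "Guest", RULES_GUEST_FLOW_ONLY))
```

The point of the model is the distinction between the two steps: `asmith` authenticates successfully against CORP (so the sequence and the AD join are fine) and is denied only at authorization, which is the case the reply's "start by not calling out the group" advice targets, whereas a wrong password never reaches authorization at all.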


So the issue is when using AD creds I get authentication failed on the portal. Only problem is I don't see the failed authentications anywhere in the live log or reports to figure out *what* is failing.

Version is 2.3 as the title states, not positive which patch right now. One AuthC policy if Wireless-MAB then Guest-Portal-Sequence for identity. AuthZ policies configured as outlined in that guide, the current working guest authZ profile is if MAB AND guest WLAN-ID then Portal Redirect, and then authZ for authenticated user is if use-case equal guest flow AND called station is Guest, AND identity group is guest-endpoints, then permit access.

One piece that I don't have turned on is "apply cisco ISE default settings" and the NAC state is None on that particular WLAN. Like I said that's working so I'm leery of making changes to it and would probably prefer to use a separate SSID for employee devices but redirect to the same portal.


