06-06-2019 01:52 PM
Working on trying to use the guest portal to allow employees to authenticate with AD credentials for the same level of access as sponsored guest users (internet only). Guest portal configured to use a sequence with Guest Users first, followed by CORP (AD). Going off of this guide:
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_Basic_Access_Use_Case.html
Section:
Everything seems to be correct, but the authentication fails when using my AD creds in the guest portal no matter which AD group I call out in the AuthZ rule. AuthC rule is using wireless MAB; AuthZ says if you come in through guest flow, called station 'Guest' and CORP:External Groups equals (desired AD group), then AuthZ profile with Access-Accept and InternetOnly Airespace ACL.
Every time I try it says authentication failed, but I can't seem to find any logging on the portal authentications to indicate why this is failing. Has anyone set this up this way, and if so where am I going wrong?
06-07-2019 10:11 AM
@jcatanzaro9 wrote:
So the issue is when using AD creds I get authentication failed on the portal. Only problem is I don't see the failed authentications anywhere in the live log or reports to figure out *what* is failing.
JAK > I am not sure either, because with my setup if I put in a wrong username/password for AD it will fail and show me that in Operations RADIUS live logs
Version is 2.3 as the title states, not positive which patch right now. One AuthC policy if Wireless-MAB then Guest-Portal-Sequence for identity. AuthZ policies configured as outlined in that guide, the current working guest authZ profile is if MAB AND guest WLAN-ID then Portal Redirect, and then authZ for authenticated user is if use-case equal guest flow AND called station is Guest, AND identity group is guest-endpoints, then permit access.
JAK > can you fallback for an authc condition that allows all identity sources to check if that's the issue? Your authz looks correct from what you're sharing, a picture would be nice
One piece that I don't have turned on is "apply cisco ISE default settings" and the NAC state is None on that particular WLAN. Like I said that's working, so I'm leery of making changes to it and would probably prefer to use a separate SSID for employee devices but redirect to the same portal.
JAK > wouldn't mess with that, if guest database works then you have validated the whole wireless flow.
Please reach out to TAC for further troubleshooting and assistance, not sure what's happening at this point. Perhaps your external identity source is not setup with the correct groups? Did you try the internal database to see if that works with internal account? Does AD work with wireless dot1x SSID?
06-06-2019 02:29 PM
06-07-2019 07:16 AM
All due respect, I've read through that guide half a dozen times or so and it is most definitely not a one-size-fits-all solution. I'm dealing with a long-deployed wireless environment and an ISE environment that's a few years old. I asked a very specific question (the third one thus far in this forum) and again have been met with this easily found PDF prescriptive deployment guide which would be awesome if I had nothing in place and was deploying for the first time. That's not the case.
"Keeping it simple" with that guide would require essentially tearing out what we already have and redoing it. The section from the guide I linked to in my original post indicates that simply adding an identity source to the existing sequence should work for the situation I describe, but it's not working.
06-07-2019 07:59 AM
06-07-2019 08:16 AM