Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1286
Views
0
Helpful
3
Replies

ISE Best Practices (Guest Username - Email address or first/last?)

Go to solution
mitchell helton
Level 1
Level 1

‎03-26-2019 11:18 AM - edited ‎03-26-2019 12:51 PM

Good afternoon, Gurus!

 

We are in the process of deploying BYOD/Guest access with ISE and I'm curious about something.

 

1) How does ISE differentiate between a guest that gets assigned the username (bsmith) and an AD user (bsmith) in regards to authentication?  It seems to be able to authenticate successfully, but I'm not quite sure how, because if it chooses the local identity store to do the guest lookup, and the AD password is entered, that should fail (and vice versa).  However, it does not.  I'm able to use either the guest password or the AD password for authentication, which brings me on to the real problem...

*EDIT* After further testing I do not think the AD account and guest account will work at the same time - perhaps I was dealing with a caching issue earlier.  After trying to authenticate with the AD account again, I was getting a bad password error (which would be expected since it is trying to authenticate as a guest).

 

2) I suspect this problem is easily solved by forcing email address usernames for guests, but is there a better or more preferred way?  Are my policies designed incorrectly?  They currently look like this:

 

Dual SSID approach (Guest SSID is open which employees use to onboard and also used for legitimate guests)

 

-Rule1 - (usecase = guestflow, AD group = employees) result = byod redirect

-Rule2 - (guest_flow, idgroup = guestendpoints) result = internet only

-Rule3 - (default/last rule) result = webauth redirect

 

If an employee connects to WiFi, they hit Rule 3 and are redirected to the webauth portal.  They sign in, choose BYOD, get provisioned (via Rule 1) and life is good.

 

If a guest connects to WiFi, they hit Rule 3 and are redirected to the webauth portal.  They sign in and get internet only access (via Rule 2).  Life is still good.

 

If a guest with the same username as an employee connects to WiFi, they hit Rule 3 and are redirected to the webauth portal.  They sign in and do NOT get internet access.  Instead, they get redirected to the employee BYOD portal and get onboarded as the employee.  The Authentication Details in Live Logs show the user type is guest user, the identity group is guesttype_daily - everything looks good from an authentication perspective.  Scrolling down to other attributes tells another story however.  It shows the employee UPN, OU, AD groups, etc.  I have not been able to successfully authenticate with EAP-TLS (that is what we are doing for BYOD) even though the certificate is being assigned to the guest user, so perhaps this isn't a security concern, but at the very least, a guest can't (as far as I can tell) connect to the network with how things are currently configured.

 

I hope this makes sense and I appreciate any advice.  Thank you!!

 

TL;DR - Is using the email address (for their username) of a guest user a best practice?

 

mitch

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎03-27-2019 07:28 AM

Lot to consume here.

Guest should not have same username as employee. To make it easier on guest why not make a shorter username?

AD auth can work fine on guest portal but when you mix with BYOD then you have other issues

I would try to separate your BYOD flow and redirections. Please see http://cs.co/ise-byod for BYOD guide and http://cs.co/ise-guest as well
Prescriptive guides listed under each page

If you still have questions please Direct Message me

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Arne Bier
VIP
VIP

‎03-26-2019 02:40 PM

Great questions.  Wouldn't it be nicer and cleaner if the ISE Guest Portal had a hierarchical structure that presented a home page with options: "Click here if you're an employee" - "Click Here if you're a Guest" etc.  And that then takes you to another page to do the relevant authentication.  The confusion we find ourselves in is because the initial page only allows username/password, and the logic behind the scenes makes assumptions about what should happen next.  It's overly complex and overloaded with assumptions.  

There are apparently ways to daisy chain portals off of each other, but it's not for the faint hearted.

 

The ambiguity could be resolved as you already suggested, by making guest usernames contain a domain component (aka a full email address).  But bear in mind that AD usernames can come in various formats too - e.g. biera, or CORP\biera, or biera@mycompany.com.au - the last of which looks like an email address.  I suppose you should not have employees using their work email address (if it happens to be the same as the UPN) to access guest.

 

I think the solution lies in having a cleaner interface to ISE that guides the user to the correct data entry dialogue.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎03-27-2019 07:28 AM

Lot to consume here.

Guest should not have same username as employee. To make it easier on guest why not make a shorter username?

AD auth can work fine on guest portal but when you mix with BYOD then you have other issues

I would try to separate your BYOD flow and redirections. Please see http://cs.co/ise-byod for BYOD guide and http://cs.co/ise-guest as well
Prescriptive guides listed under each page

If you still have questions please Direct Message me
0 Helpful

Go to solution
mitchell helton
Level 1
Level 1
In response to Jason Kunst

‎03-27-2019 07:42 AM

Thanks for the replies.  I will message you directly, Jason.

0 Helpful
Customers Also Viewed These Support Documents