cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
Register for the monthly ISE Webinars to learn about ISE configuration and deployment.
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

951
Views
3
Helpful
10
Replies
Cisco Employee

Missing NetworkAccess UseCase in ISE 2.3

Hi

I used to use "Network Access:UseCase EQUALS Guest Flow" as the selection criteria to choose Captive Portal authentication in the Policy section. With ISE 2.3 I see no UseCase option anymore...

Is this a expected behaviour? What is the best alternative?

Regards

Roman

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Advocate

Re: Missing NetworkAccess UseCase in ISE 2.3

Correct.  I did not catch earlier from mobile device that intent was to use this at Policy Set level.  USE_CASE GuestFlow is primarily to match authorization condition, i.e. there is a reauthorization situation where user has just completed successful web auth event.   It may have worked in prior model but that was not purpose and need to keep the policy set level for things that are accessible at a higher level in RADIUS conversation.

Craig

10 REPLIES 10
Highlighted
Advocate

Re: Missing NetworkAccess UseCase in ISE 2.3

Make sure you remove any dictionary filters (no icon selected in library) to display all attributes.  You can then enter keywords to find network access attributes.

Cisco Employee

Re: Missing NetworkAccess UseCase in ISE 2.3

is that post upgrade?

try to use the 'Editor'  to find the attribute.

Cisco Employee

Re: Missing NetworkAccess UseCase in ISE 2.3

Hi

It is a fresh install of the FCS code.

I see no UseCase option (with no filters). In fact the only options available are the ones bellow...

UseCase.PNG

Cisco Employee

Re: Missing NetworkAccess UseCase in ISE 2.3

Your screenshot looks like from the conditions studio for authentication policy rules. If that is the case, it's expected not having NA.UseCase, as such attribute will not work correctly during authentication evaluation.

Cisco Employee

Re: Missing NetworkAccess UseCase in ISE 2.3

In fact, my intention is to use "Network Access:UseCase EQUALS Guest Flow" as the selection criteria to choose Captive Portal authentication in the Policy section, as I have been doing from the first ISE version that supported Policy Sets many years ago...

ISE 2.3 (where I cannot use "Network Access:UseCase EQUALS Guest Flow"):

ISE23 PolicySet.PNG

ISE 2.2 (and previous) were I could use "Network Access:UseCase EQUALS Guest Flow"):

ISE22 PolicySet.PNG

Any other alternative?

Thanks

Cisco Employee

Re: Missing NetworkAccess UseCase in ISE 2.3

The attribute has been removed as a fix for CSCvc98033 and ISE 2.3 is the only shipping release with this fix.

It's not common to use such attributes for authentications as they would only work for re-auth of an existing session and their existence causes confusion to customers.

I do not see any workaround other than for you to re-design the policy sets and moving that inside of an policy set and under authorization.

Contributor

Re: Missing NetworkAccess UseCase in ISE 2.3

I agree with Hsing. The session is not considered a guest flow until after authentication. This means you would have the same session using two different policy sets. This document has a good description for how that use case is intended to be used: https://supportforums.cisco.com/document/110031/central-web-authentication-cwa-guests-ise This is another page with a similar description: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200273-Configure-ISE-Guest-Temporary-and-Perman.html

Advocate

Re: Missing NetworkAccess UseCase in ISE 2.3

Correct.  I did not catch earlier from mobile device that intent was to use this at Policy Set level.  USE_CASE GuestFlow is primarily to match authorization condition, i.e. there is a reauthorization situation where user has just completed successful web auth event.   It may have worked in prior model but that was not purpose and need to keep the policy set level for things that are accessible at a higher level in RADIUS conversation.

Craig

Hall of Fame Master

Re: Missing NetworkAccess UseCase in ISE 2.3

Along the topic of this thread, am I correct in understanding that "Guest Flow" attribute is set for the RADIUS session when ISE detects the endpoint (ie the user on the endpoint) has authenticated via the CWA portal?

So on first access, user is redirected. They authenticate and then the flag is set and a CoA issued for that session. Upon re-authorization the flag is detected and appropriate access is granted.

Advocate

Re: Missing NetworkAccess UseCase in ISE 2.3

Essentially that is correct.