cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1470
Views
2
Helpful
4
Replies

Using the guest CWA username as a radius attribute in authorization

jpujol
Cisco Employee
Cisco Employee

Hi team,

I got the request to return to the WLC the radius:username attribute in the authorization profile when doing CWA, because all subsequent connections currently end up with the MAC address instead of the guest username in the WLC session reports. MAC address formats aren't even compatible between WLC and ISE.

However, it's not possible to select this "radius:username" attribute.

Do you know any way to return it somehow ? any VendorSpecific attribute which may be usable with the WLCs ?

Thanks in advance,

jean-francois

Screen Shot 2017-02-07 at 20.57.24.png

Expected option :

Screen Shot 2017-02-07 at 21.03.02.png

1 Accepted Solution

Accepted Solutions

Hi Jean-Francois

In ISE 2.3 the situation has improved a little bit - but the bugs that Jason mentions are still outstanding (slated to be resolved in ISE 2.4).

In ISE 2.3 you can now see the username <-> MAC address correlation in the LiveLogs GUI.  That is the only improvement that has been made.  It does not address reporting or the radius return values (which is what you (and I, and possibly many others) are after).

I wrote a Document on this ISE 2.3 Remember Me guest using guest endpoint group logging display and Jason provided the bug ID's.  Jason has been raising the visibility on these bugs and it looks as if they will be resolved in v2.4 - it's one of the first things I will be testing when the code goes GA.

View solution in original post

4 Replies 4

Jason Kunst
Cisco Employee
Cisco Employee

I don't know about this but maybe someone else has some ideas but I am wondering if you have the CWA username on each device login? Are you authorization off endpoint group with the registered device  once the initial weblogin is done?

If so you will not have the CWA:Username any longer and may have to rely on the Portal User ID attached to the mac address which we don't correlate, see the following bugs.

CSCuh14138 - US12844reporting issue - Guest user Identity is getting updated with Mac addr. instead identity
CSCux55288- US12844reporting issue - Guest remember-me breaks ISE Guest Activity Logging

What version of ISE are you running?

Hi Jean-Francois

In ISE 2.3 the situation has improved a little bit - but the bugs that Jason mentions are still outstanding (slated to be resolved in ISE 2.4).

In ISE 2.3 you can now see the username <-> MAC address correlation in the LiveLogs GUI.  That is the only improvement that has been made.  It does not address reporting or the radius return values (which is what you (and I, and possibly many others) are after).

I wrote a Document on this ISE 2.3 Remember Me guest using guest endpoint group logging display and Jason provided the bug ID's.  Jason has been raising the visibility on these bugs and it looks as if they will be resolved in v2.4 - it's one of the first things I will be testing when the code goes GA.

Clarification, These haven’t been committed for 2.4 that I know of, I am asking development why they state 2.4 in some of them to make sure I understand what’s going on

Please if you have any customers being impacted please keep attaching to the defects

Please get business justification through sales team to our guest pm Ameet Kulkarni

Jason Kunst
Cisco Employee
Cisco Employee

Please see this link.

ISE 2.3 Remember Me guest using guest endpoint group logging display

I updated all associated defects, please have your customers and partners open cases and attach to all of these directly. 2.3 Patch 1 only fixes the issue with Radius live logs. It doesn't fix Radius account, guest reports or information sent to the WLC for its display of the guest users

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: