cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

539
Views
2
Helpful
4
Replies
Highlighted
Cisco Employee

Using the guest CWA username as a radius attribute in authorization

Hi team,

I got the request to return to the WLC the radius:username attribute in the authorization profile when doing CWA, because all subsequent connections currently end up with the MAC address instead of the guest username in the WLC session reports. MAC address formats aren't even compatible between WLC and ISE.

However, it's not possible to select this "radius:username" attribute.

Do you know any way to return it somehow ? any VendorSpecific attribute which may be usable with the WLCs ?

Thanks in advance,

jean-francois

Screen Shot 2017-02-07 at 20.57.24.png

Expected option :

Screen Shot 2017-02-07 at 21.03.02.png

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Engager

Re: Using the guest CWA username as a radius attribute in authorization

Hi Jean-Francois

In ISE 2.3 the situation has improved a little bit - but the bugs that Jason mentions are still outstanding (slated to be resolved in ISE 2.4).

In ISE 2.3 you can now see the username <-> MAC address correlation in the LiveLogs GUI.  That is the only improvement that has been made.  It does not address reporting or the radius return values (which is what you (and I, and possibly many others) are after).

I wrote a Document on this ISE 2.3 Remember Me guest using guest endpoint group logging display and Jason provided the bug ID's.  Jason has been raising the visibility on these bugs and it looks as if they will be resolved in v2.4 - it's one of the first things I will be testing when the code goes GA.

4 REPLIES 4
Cisco Employee

Re: Username radius attribute

I don't know about this but maybe someone else has some ideas but I am wondering if you have the CWA username on each device login? Are you authorization off endpoint group with the registered device  once the initial weblogin is done?

If so you will not have the CWA:Username any longer and may have to rely on the Portal User ID attached to the mac address which we don't correlate, see the following bugs.

CSCuh14138 - US12844reporting issue - Guest user Identity is getting updated with Mac addr. instead identity
CSCux55288- US12844reporting issue - Guest remember-me breaks ISE Guest Activity Logging

What version of ISE are you running?

VIP Engager

Re: Using the guest CWA username as a radius attribute in authorization

Hi Jean-Francois

In ISE 2.3 the situation has improved a little bit - but the bugs that Jason mentions are still outstanding (slated to be resolved in ISE 2.4).

In ISE 2.3 you can now see the username <-> MAC address correlation in the LiveLogs GUI.  That is the only improvement that has been made.  It does not address reporting or the radius return values (which is what you (and I, and possibly many others) are after).

I wrote a Document on this ISE 2.3 Remember Me guest using guest endpoint group logging display and Jason provided the bug ID's.  Jason has been raising the visibility on these bugs and it looks as if they will be resolved in v2.4 - it's one of the first things I will be testing when the code goes GA.

Cisco Employee

Re: Using the guest CWA username as a radius attribute in authorization

Clarification, These haven’t been committed for 2.4 that I know of, I am asking development why they state 2.4 in some of them to make sure I understand what’s going on

Please if you have any customers being impacted please keep attaching to the defects

Please get business justification through sales team to our guest pm Ameet Kulkarni

Cisco Employee

Re: Using the guest CWA username as a radius attribute in authorization

Please see this link.

ISE 2.3 Remember Me guest using guest endpoint group logging display

I updated all associated defects, please have your customers and partners open cases and attach to all of these directly. 2.3 Patch 1 only fixes the issue with Radius live logs. It doesn't fix Radius account, guest reports or information sent to the WLC for its display of the guest users