
GUEST ENDPOINT MAC ADDRESS IS NOT ADDING TO THE ENDPOINT GROUP

poornakumar
Level 1

We have configured a guest access policy as follows:

1. The first policy is a guest redirection policy. When a new user connects, they are redirected to a portal where they enter their username and password. During this process, their MAC address is supposed to be added automatically to the "GuestEndpoint" group.

2. After completing the portal authentication, the process moves to the second policy. This policy checks if the MAC address exists in the "GuestEndpoint" group. If it does, a CoA (Change of Authorization) is triggered, granting the user full access to the internet.

However, we are facing an issue where new users successfully authenticate through the portal, but their MAC addresses are not being added to the "GuestEndpoint" group. As a result, they fail to match the second policy, and the CoA is not triggered. This issue is affecting all new guest users. If we manually add their MAC addresses to the "GuestEndpoint" group, the process works as expected.

Has anyone encountered a similar issue? Could you provide guidance or suggestions to resolve this?

9 Replies

Can I see the policy set?

MHM

poornakumar_0-1732611358996.png

 

The first policy is only for redirection; for example, if he hits the first policy, portal redirection will happen. For the second policy, I have created an endpoint identity group as GuestEndpoints. That's it, a straightforward guest policy configuration.

I sent you a PM, check it.

Thanks

MHM

Are you showing us the Policy Sets main page, or are you showing us the Authorization Rules of one of the Policy Sets (e.g. Wired/Wireless MAB)? I would not have two separate Policy Sets - you should have one Policy Set, with MAB authentication (and, very important, if User Not Found, CONTINUE).

ArneBier_0-1732657920378.png

In the Authorization Policy, the First Rule should be the check in the Endpoint Identity Group, and then do what you need to do to authorize the user.

The next Authorization Rule should be one that redirects the endpoint, based on which ISE PSN is handling the MAB request (if you have two PSNs, then the redirection URLs will be different).

 

Yup, we are following the same setup.

@poornakumar is the group "GuestEndpoint" you are using in the AuthZ policy the same endpoint identity group as is configured under the guest portal?

RobIngram_0-1732611461478.png

What version of ISE are you using?

Yes, and also still now the policy is working without any issue. We are currently on v3.2 p6.

I am also facing the same issue. Is the issue resolved?

Hi Vishnu, 

Yes, we solved the problem with a context visibility reset in the CLI; follow both step 20 and 21. Also follow the right process for the context visibility reset on both the primary and secondary nodes.