cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
782
Views
3
Helpful
3
Replies

Guest Wi-Fi returning users and Session identity persistence

Arne Bier
VIP
VIP

Hi ISE fans

I think I am missing some fundamental concepts to the workings of Guest web auth.

I authenticated a wifi guest user on the guest portal and in Live Logs I can see the Session Status is "Started"

The Username is mapped to jane@email.com because ISE was overwriting the MAC address during the portal authentication flow.

Next thing ...

If WLC session has timed out (e.g. after 8 hours), and the WLC sends Acct Stop to ISE, then ISE marks that Session as Terminated.

Not generally a problem, because the returning user will be automatically be authorised by my AuthZ policy since I look up the MAC address in the GuestEndpoints Identity Group. The Guest is working and happy again.  And the problem is that ISE no longer has any clue who this user is, since GuestEndpoints only contains MAC addresses. And this time around the Access-Accept replies with the MAC address only, and not with the actual username.

This is a problem for me because I need to know the Identity (e.g. jane@email.com) without forcing them to authenticate on the portal again.  In other words, I wanted ISE to cache the MAC<->UserName for the entire duration of the validity of the guest account. Is this possible?   I don't want to have a WLC session timeout of 30 days to force this behaviour.

I don't have Profiling licenses.

Please show me the error of my way ... ;-)

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee

Correct behavior

https://communities.cisco.com/message/256994?mobileredirect=true

Ise 2.3 will correct the live log issue but not the guest reporting issues

View solution in original post

3 Replies 3

Jason Kunst
Cisco Employee
Cisco Employee

Correct behavior

https://communities.cisco.com/message/256994?mobileredirect=true

Ise 2.3 will correct the live log issue but not the guest reporting issues

Hi Jason

Thanks for confirming.  As a Cisco Partner I have limited visibility into the bug ID's - does the fix in 2.3 release also ensure that the Accounting Requests contain the mapped User-Name instead of the MAC address?  And if so, is that a patch/hotfix that I can apply to 2.2p1 ?  Our solution is meant to go live in a month.

My customer's solution involves a transparent web proxy solution that seeks to apply proxying policies based on the Radius accounting requests.  They look in the User-Name attribute and then perform an LDAP lookup etc.  The User-Name has to contain a valid identity.

regards

Arne

The fix is in ise 2.3 for live logs only and doesn't address your use case as it's treated as straight mab

Please reach out to the ise product management team through your sales channel to address your use case

Sent from my iPhone

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: