
Guest Wi-Fi returning users and Session identity persistence

Arne Bier
VIP

Hi ISE fans

I think I am missing some fundamental concepts to the workings of Guest web auth.

I authenticated a wifi guest user on the guest portal and in Live Logs I can see the Session Status is "Started"

The Username is mapped to jane@email.com because ISE was overwriting the MAC address during the portal authentication flow.

Next thing ...

If WLC session has timed out (e.g. after 8 hours), and the WLC sends Acct Stop to ISE, then ISE marks that Session as Terminated.

Not generally a problem, because the returning user will automatically be authorised by my AuthZ policy since I look up the MAC address in the GuestEndpoints Identity Group. The Guest is working and happy again. And the problem is that ISE no longer has any clue who this user is, since GuestEndpoints only contains MAC addresses. And this time around the Access-Accept replies with the MAC address only, and not with the actual username.

This is a problem for me because I need to know the Identity (e.g. jane@email.com) without forcing them to authenticate on the portal again.  In other words, I wanted ISE to cache the MAC<->UserName for the entire duration of the validity of the guest account. Is this possible?   I don't want to have a WLC session timeout of 30 days to force this behaviour.

I don't have Profiling licenses.

Please show me the error of my way ... ;-)

Accepted Solutions

Jason Kunst
Cisco Employee

Correct behavior

https://communities.cisco.com/message/256994?mobileredirect=true

ISE 2.3 will correct the live log issue but not the guest reporting issues.


3 Replies

Hi Jason

Thanks for confirming. As a Cisco Partner I have limited visibility into the bug IDs - does the fix in 2.3 release also ensure that the Accounting Requests contain the mapped User-Name instead of the MAC address? And if so, is that a patch/hotfix that I can apply to 2.2p1? Our solution is meant to go live in a month.

My customer's solution involves a transparent web proxy solution that seeks to apply proxying policies based on the RADIUS accounting requests. They look in the User-Name attribute and then perform an LDAP lookup etc. The User-Name has to contain a valid identity.

regards

Arne
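As an added illustration (not part of the original thread and not Cisco code), a consumer of RADIUS accounting such as the proxy described above could keep its own MAC-to-identity cache and fall back to it when a returning client's User-Name is only the MAC address. The dict record layout, the 30-day validity window and the sample records are assumptions constructed for this sketch; the attribute names are the standard RADIUS ones.

```python
import re

# Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and aabbccddeeff.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:.-]?){5}[0-9A-Fa-f]{2}$")

def norm_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if value is not a MAC."""
    if not value or not MAC_RE.match(value):
        return None
    return re.sub(r"[^0-9a-f]", "", value.lower())

class GuestIdentityCache:
    """Remembers which portal identity was last seen for each client MAC."""

    def __init__(self, validity_seconds):
        self.validity = validity_seconds   # assumed guest account lifetime
        self._by_mac = {}                  # mac -> (username, learned_at)

    def resolve(self, record, now):
        """Return (identity, source) for one accounting record (a dict)."""
        mac = norm_mac(record.get("Calling-Station-Id"))
        user = record.get("User-Name") or ""
        if mac is None:
            return (user or None), "no-mac"
        entry = self._by_mac.get(mac)
        if entry and now - entry[1] > self.validity:
            del self._by_mac[mac]          # mapping outlived the guest account
            entry = None
        if user and norm_mac(user) is None:
            # User-Name is a real identity (portal login): learn it once.
            if entry is None or entry[0] != user:
                self._by_mac[mac] = (user, now)
            return user, "portal"
        # User-Name is empty or just the MAC (returning client handled as MAB).
        return (entry[0], "cache") if entry else (None, "unknown")

# Constructed sample: (seconds since first login, accounting attributes).
SAMPLE = [
    (0, {"Acct-Status-Type": "Start", "User-Name": "jane@email.com",
         "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"}),
    (8 * 3600, {"Acct-Status-Type": "Stop", "User-Name": "jane@email.com",
                "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"}),
    (9 * 3600, {"Acct-Status-Type": "Start", "User-Name": "AA-BB-CC-DD-EE-FF",
                "Calling-Station-Id": "aa:bb:cc:dd:ee:ff"}),
    (31 * 86400, {"Acct-Status-Type": "Start", "User-Name": "AA-BB-CC-DD-EE-FF",
                  "Calling-Station-Id": "aa:bb:cc:dd:ee:ff"}),
]

def replay(records, validity_seconds=30 * 86400):
    cache = GuestIdentityCache(validity_seconds)
    return [cache.resolve(rec, now) for now, rec in records]
```

An identity returned with source `cache` is only as trustworthy as the MAC address, which a client can change, so policy that depends on it should treat it as weaker than a `portal` result.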

The fix is in ISE 2.3 for live logs only and doesn't address your use case, as it's treated as straight MAB.

Please reach out to the ISE product management team through your sales channel to address your use case.
