I have set up linked guest portals that work fine. Now we can authenticate hotspot guests as well as credentialed guest users.
However, I need to authorise guests depending on the guest type in order to give different rate limiting rules for each guest type.
I have followed "How-To_93_ISE_20_Wireless_Guest_Setup_Guide.pdf" but since it is based on ISE 2.0 I cannot recreate the same policy content.
ISE 2.4 has no endpoint rules that match the above rules. Instead I have used "IdentityGroup Name EQUALS UserIdentityGroup:GuestType_Contractor(default)/_Weekly/_Daily".
When this is enabled and applied, and the rule above it, "Guest Portal Auth", is disabled, already authenticated clients don't hit it.
I cannot find any condition that would really trigger on guest devices with GuestType = daily/weekly/contractor.
When the first rule is enabled I notice that the client has the following identity mapping:
If I examine User Identity Groups = GuestType_Contractor (default) I find no entries.
Maybe this is the reason why my authz rules don't hit?
Anyone who got this working in ISE 2.4?
No, but I will try it in my lab. Didn't occur to me I had the option.
How come the logic and dictionary seem all different, with lots of blanks, compared with previous versions?
When I check the dictionary elements, I find matching entries, but they are not found when making policy rules...
I will respond asap
I changed to "starts with" and also "contains", but I believe we are looking at the wrong attribute.
(User Identity Groups = GuestType_Contractor (default))
This is the reauthentication or the CoA of authenticated guest clients.
Looking into an authorised client (using Identity store Endpoint Identity Groups:GuestEndpoints) I find no such attribute when I open the Endpoint listing.
These are the attributes matching a client making the reconnect after already logging in to the web portal
(linked or daisy-chained portals (hotspot-->sponsored)).
The only attribute that matches is PortalUser.GuestType = Contractor (default).
Using User Identity Groups = GuestType_Contractor (default) doesn't seem to work.
| Attribute | Value |
|---|---|
| Device IP Address | 172.17.109.203 |
| Device Type | Device Type#All Device Types |
| IPSEC | IPSEC#Is IPSEC Device |
| LastAUPAccepted | 2018-Jun-06 21:08:25 CEST |
| NAS-Port-Type | Wireless - IEEE 802.11 |
| Name | Endpoint Identity Groups:GuestEndpoints |
| Network Device Profile | Cisco |
| NetworkDeviceGroups | Location#All Locations, Device Type#All Device Types, IPSEC#Is IPSEC Device |
| OUI | Sony Mobile Communications AB |
| RegistrationTimeStamp | 2018-Jun-06 21:08:25 CEST |
| SelectedAccessService | Default Network Access |
| StepData | 6=Internal Endpoints, 12= Radius.NAS-Port-Type, 13= Radius.Called-Station-ID |
| Total Certainty Factor | 100 |
| User-Agent | Dalvik/2.1.0 (Linux; U; Android 6.0.1; D5803 Build/23.5.A.1.291) |
Yes I believe you’re correct. UserIdentityGroup would be if you manually created an internal user on ISE and then added that user to the IdentityGroup.
Do you have a working screenshot?
I'm not sure what you mean by working screenshot.
Above are just the attributes from the active client summary you access from the home screen and the client detail.
I attach the authz policy from my lab:
Here's the RADIUS live session detail for the same client:
Still I can't figure out why there's no obvious way of invoking a ruleset that would match the client's correct state and GuestType. Is it the 2.4 version or have I missed something?
I verified on ISE 2.3 and ISE 2.4 and behavior is working as expected whereby the condition match is to the USER Identity Group which is mapped to the Guest Role Type. I could not decipher what was in later screenshot, but your first screenshot was not of a guest flow, but straight MAB. Under this scenario, only the endpoint identity is known and we currently do not expose the extended PortalUser attributes to perform a lookup based on MAB identity.
Here is working scenario for straight web auth and matching against the Guest-Contractor user identity group:
Note that although Guest Role is mapped to a User Identity Group, you will not see a list of Guest Users mapped to this group from the Identity Management page. You would need to view that from Sponsor Portal or Context Visibility.
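To make the accepted answer's point concrete, here is an added example (not from the thread and not Cisco ISE code): a small model of how an ordered authorization policy evaluates against a session's attribute set. The first session is the live-session dump posted in the thread (the MAB re-authentication of an already registered guest endpoint), parsed from its `|Name||Value|` form. The second is a constructed web-auth session showing the extra attributes a guest portal login exposes; the attribute names `PortalUser.GuestType` and `IdentityGroup.Name`, the rule names and the exact string values are assumptions made for this model, not an ISE export. It shows that a condition on the user identity group or the portal user's guest type can only match while those attributes are present, and that on the MAB re-auth only the endpoint identity group is available to match on.

```python
"""Model of ISE-style authorization rule evaluation (added example, not ISE code)."""
import re
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]

# Live-session attribute dump as posted in the thread (subset). This is the
# MAB re-authentication of a device already registered as a guest endpoint.
MAB_REAUTH_DUMP = """
|Device IP Address||172.17.109.203|
|NAS-Port-Type||Wireless - IEEE 802.11|
|Name||Endpoint Identity Groups:GuestEndpoints|
|SelectedAccessService||Default Network Access|
|Total Certainty Factor||100|
"""

# Constructed session: the same client right after logging in to the guest
# portal. The PortalUser.* and IdentityGroup.* names are assumed for the model.
WEBAUTH_DUMP = """
|Device IP Address||172.17.109.203|
|NAS-Port-Type||Wireless - IEEE 802.11|
|Name||Endpoint Identity Groups:GuestEndpoints|
|PortalUser.GuestType||Contractor (default)|
|IdentityGroup.Name||UserIdentityGroup:GuestType_Contractor (default)|
"""

# One `|Name||Value|` row of the live-session detail.
ROW_RE = re.compile(r"^\|(?P<key>[^|]+)\|\|(?P<value>.*)\|$")


def parse_dump(text: str) -> Session:
    """Parse the pipe-delimited attribute rows into a name -> value map."""
    attrs: Session = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            attrs[m.group("key").strip()] = m.group("value").strip()
    return attrs


Condition = Callable[[Session], bool]


def equals(attr: str, value: str) -> Condition:
    """`attr EQUALS value`; an attribute missing from the session never matches."""
    return lambda s: s.get(attr) == value


def starts_with(attr: str, prefix: str) -> Condition:
    """`attr STARTS_WITH prefix`; likewise, a missing attribute never matches."""
    return lambda s: s.get(attr, "").startswith(prefix) and attr in s


# Ordered authorization policy: first matching rule wins, default deny last.
RULES: List[Tuple[str, Condition]] = [
    ("Guest_Contractor_RateLimit",
     equals("IdentityGroup.Name", "UserIdentityGroup:GuestType_Contractor (default)")),
    ("Guest_Contractor_By_PortalUser",
     equals("PortalUser.GuestType", "Contractor (default)")),
    ("Guest_Endpoint_Registered",
     starts_with("Name", "Endpoint Identity Groups:GuestEndpoints")),
]


def first_match(session: Session, rules: List[Tuple[str, Condition]] = RULES) -> str:
    """Return the name of the first rule whose condition holds, else DenyAccess."""
    for name, cond in rules:
        if cond(session):
            return name
    return "DenyAccess"


def matching_rules(session: Session, rules: List[Tuple[str, Condition]] = RULES) -> List[str]:
    """Every rule that would match, useful when debugging why a rule is skipped."""
    return [name for name, cond in rules if cond(session)]


if __name__ == "__main__":
    for label, dump in (("MAB re-auth", MAB_REAUTH_DUMP), ("web-auth", WEBAUTH_DUMP)):
        s = parse_dump(dump)
        print(f"{label}: hit={first_match(s)} all={matching_rules(s)}")
```

The guest-type rules sit above the endpoint rule, as in the thread's policy, so on the web-auth session the contractor rate-limit rule is hit; on the MAB re-auth the session carries no user identity group or portal user attribute, so both guest-type rules are skipped and only the endpoint identity group rule can match.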