Solved: How can I authorize guest clients bandwidth restrictions based on guest type in ISE 2.4?

Mats Nilson · ‎06-04-2018

Hi guys.

I have set up linked guest portals that works fine. Now we can authenticate hotspot guest as well as credentialed guest users.

However, I need to authorise guest depending on the guest type in order to give different rate limiting rules for each guest type.

I have followed "How-To_93_ISE_20_Wireless_Guest_Setup_Guide.pdf" but since it is based on ISE2.0 I cannot recreate the same policy content.

ISE 2.4 has no endpoint rules that matches above rules. Instead I have used "IdentityGroup Name EQUALS UserIdentityGroup:GuestType_Contractor(default)/_Weekly/_Daily"

When enabled and applied and the rule above "Guest Portal Auth" is disabled already authenticated clients doesn't hit.

I cannot find any condition that would really trigger on guest devices with GuestType = daily/weekly/contractor.

When the first rule is enabled I notice that the client has the following identity mapping:

PortalUser.GuestStatus	Active
PortalUser.GuestType	Contractor (default)

If I examine User Identity Groups = GuestType_Contractor (default) I find no entries.

Maybe this is the reason why my authz rukes doesn't hit?

Anyone who got this working in ISE 2.4?

Regards/

M

Jason Kunst · ‎06-07-2018

i am still investigating for now recommend opening tac case and a defect as well. I will try to reproduce here

View solution in original post

Mats Nilson · ‎06-04-2018

No, but I will try it in my lab. Didn't occur to me I had the option.

How come the logics and dictionary seems all different with lots of blanks compared with previous versions?

When I check the dictionary elements, I find matching entries, but they are not found when making policy rules...

Thanks.

I will respond asap

/Mats

Mats Nilson · ‎06-06-2018

Hi Jason.

No luck.

I changed to "starts with" and also "contains" but I believe we are looking on the wrong attribute.

(User Identity Groups = GuestType_Contractor (default))

This is the reauthentication or the CoA of authenticated guest clients.

Looking into a an authorised client (using Identity store Endpoint Identity Groups:GuestEndpoints) I fing nosuch attibute when I open the Endpoint listing.

This is the attibutes matching a Client making the reconnect after already logging in to the web portal.

(linked or daisy chained portals (hotspot-->sponsored)

The only attibute that matches is PortalUser.GuestType = Contractor (default)

Using User Identity Groups = GuestType_Contractor (default) doesn't seem to work.

********************

Other Attributes

AAA-Server	ise-lab
AUPAccepted	true
Acct-Input-Gigawords	0
Acct-Output-Gigawords	0
Airespace-Wlan-Id	1
AuthenticationIdentityStore	Internal Endpoints
AuthenticationMethod	Lookup
AuthenticationStatus	AuthenticationPassed
AuthorizationPolicyMatchedRule	WS_R19-Guest_All-Types_GuestAccessPolicy
BYODRegistration	No
Called-Station-ID	f0-9e-63-0b-f7-00:R19-Guest
Calling-Station-ID	58-48-22-56-3b-92
DTLSSupport	Unknown
DestinationIPAddress	172.17.109.250
DestinationPort	1812
Device IP Address	172.17.109.203
Device Name	58:48:22:56:3B:92
Device Type	Device Type#All Device Types
DeviceRegistrationStatus	Pending
ElapsedDays	0
EndPointMACAddress	58-48-22-56-3B-92
EndPointPolicy	Android-Sony-Ericsson
EndPointProfilerServer	ise-lab.home.local
EndPointSource	RADIUS Probe
FailureReason	-
Framed-IP-Address	192.168.0.15
Framed-IPv6-Prefix	fe80::/64
IPSEC	IPSEC#Is IPSEC Device
IdentityGroup	GuestEndpoints
IdentityPolicyMatchedRule	MAB
Ignored-User-Agent	Facebook
InactiveDays	0
IsRegistered	true
IsThirdPartyDeviceFlow	false
LastAUPAccepted	2018-Jun-06 21:08:25 CEST
Location	Location#All Locations
LogicalProfile	Mobile Devices
MACAddress	58:48:22:56:3B:92
MatchedPolicy	Android-Sony-Ericsson
MessageCode	3002
NAS-IP-Address	172.17.109.203
NAS-Identifier	FMCL-test-WLC01
NAS-Port	1
NAS-Port-Type	Wireless - IEEE 802.11
Name	Endpoint Identity Groups:GuestEndpoints
Network Device Profile	Cisco
NetworkDeviceGroups	Location#All Locations, Device Type#All Device Types, IPSEC#Is IPSEC Device
NetworkDeviceName	NAD_172.17.109.203
NetworkDeviceProfileId	b0699505-3150-4215-a80e-6753d45bf56c
NetworkDeviceProfileName	Cisco
OUI	Sony Mobile Communications AB
OriginalUserName	584822563b92
PolicyVersion	0
Portal.Name	WS_R19-Guest_Hotspot Portal
PortalUser.CreationType	Hot Spot
PortalUser.EmailAddress	mats.nilson@telia.com
PortalUser.FirstName	Mats
PortalUser.GuestSponsor	sd_admin
PortalUser.GuestStatus	Active
PortalUser.GuestType	Contractor (default)
PortalUser.LastName	Nilson
PortalUser.Location	San Jose
PostureApplicable	Yes
PostureAssessmentStatus	NotApplicable
PreviousDeviceRegistrationStatus	NotRegistered
RadiusFlowType	WirelessMAB
RegistrationTimeStamp	2018-Jun-06 21:08:25 CEST
SSID	f0-9e-63-0b-f7-00:R19-Guest
SelectedAccessService	Default Network Access
SelectedAuthenticationIdentityStores	Internal Endpoints
SelectedAuthorizationProfiles	Guests, PermitAccess
Service-Type	Call Check
StaticAssignment	false
StaticGroupAssignment	true
StepData	6=Internal Endpoints, 12= Radius.NAS-Port-Type, 13= Radius.Called-Station-ID
Total Certainty Factor	100
UniqueSubjectID	9db69b6b2620307007ae97d0d0a7e4910f22583f
UseCase	Host Lookup
User-AD-Last-Fetch-Time	1528312255924
User-Agent	Dalvik/2.1.0 (Linux\; U\; Android 6.0.1\; D5803 Build/23.5.A.1.291)
User-Fetch-User-Name	58-48-22-56-3B-92
User-Name	58-48-22-56-3B-92
UserType	Host
allowEasyWiredSession	false
dhcp-class-identifier	android-dhcp-6.0.1
host-name	android-7e91460aba997cce
ip	192.168.0.15
operating-system-result	Android

Jason Kunst · ‎06-06-2018

Yes I believe you’re correct. UserIdentityGroup would be if you manually created an internal user on ISE and then added that user to the IdentityGroup.

Do you have working screenshot?

Mats Nilson · ‎06-07-2018

I'm not sure what you mean by working screenshot.

Above is just the attrubutes from the actice client summary you access from the home screen and the client detail.

I attach the authz Policy from my lab:

Here's the radius live session detail for the same client:

Still I can't figure out why there's no obvious way of invoking a ruleset that would match the clients sorrect state and GuestType. Is it the 2.4 version or have I missed something?

Regards

/Mats

Jason Kunst · ‎06-07-2018

i am still investigating for now recommend opening tac case and a defect as well. I will try to reproduce here

Jason Kunst · ‎06-08-2018

Please message me direct with your cell

Mats Nilson · ‎06-08-2018

How?

I don't have your cell; or do you mean the Cisco Support App?

Jason Kunst · ‎06-08-2018

Jakunst@cisco.com<mailto:Jakunst@cisco.com>

Mats Nilson · ‎06-08-2018

Mail bounce: "I am out for PTO and Cisco Live..."

Craig Hyps · ‎06-08-2018

I verified on ISE 2.3 and ISE 2.4 and behavior is working as expected whereby the condition match is to the USER Identity Group which is mapped to the Guest Role Type. I could not decipher what was in later screenshot, but your first screenshot was not of a guest flow, but straight MAB. Under this scenario, only the endpoint identity is known and we currently do not expose the extended PortalUser attributes to perform a lookup based on MAB identity.

Here is working scenario for straight web auth and matching against the Guest-Contractor user identity group:

Note that although Guest Role is mapped to a User Identity Group, you will not see a list of Guest Users mapped to this group from the Identity Management page. You would need to view that from Sponsor Portal or Context Visibility.

Craig