How can I authorize guest clients bandwidth restrictions based on guest type in ISE 2.4?

Mats Nilson (Level 1)

Hi guys.

I have set up linked guest portals that work fine. Now we can authenticate hotspot guests as well as credentialed guest users.

However, I need to authorise guests depending on the guest type in order to give different rate limiting rules for each guest type.

I have followed "How-To_93_ISE_20_Wireless_Guest_Setup_Guide.pdf" but since it is based on ISE2.0 I cannot recreate the same policy content.

ISE 2.4 has no endpoint rules that match the above rules. Instead I have used "IdentityGroup Name EQUALS UserIdentityGroup:GuestType_Contractor(default)/_Weekly/_Daily".

When it is enabled and applied, and the rule above it, "Guest Portal Auth", is disabled, already authenticated clients don't hit.

I cannot find any condition that would really trigger on guest devices with GuestType = daily/weekly/contractor.

When the first rule is enabled I notice that the client has the following identity mapping:

PortalUser.GuestStatusActive
PortalUser.GuestTypeContractor (default)

If I examine User Identity Groups = GuestType_Contractor (default) I find no entries.

Maybe this is the reason why my authz rules don't hit?

Anyone who got this working in ISE 2.4?

Regards/

M


Mats Nilson (Level 1)

No, but I will try it in my lab. Didn't occur to me I had the option.

How come the logic and dictionary seem all different, with lots of blanks, compared with previous versions?

When I check the dictionary elements, I find matching entries, but they are not found when making policy rules...

Thanks.

I will respond asap

/Mats

Mats Nilson (Level 1)

Hi Jason.

No luck.

I changed to "starts with" and also "contains" but I believe we are looking on the wrong attribute.

(User Identity Groups = GuestType_Contractor (default))

This is the reauthentication or the CoA of authenticated guest clients.

Looking into an authorised client (using Identity store Endpoint Identity Groups:GuestEndpoints) I find no such attribute when I open the Endpoint listing.

These are the attributes matching a client making the reconnect after already logging in to the web portal.

(linked or daisy-chained portals (hotspot --> sponsored))

The only attribute that matches is PortalUser.GuestType = Contractor (default)

Using User Identity Groups = GuestType_Contractor (default) doesn't seem to work.

********************

Other Attributes

AAA-Server: ise-lab
AUPAccepted: true
Acct-Input-Gigawords: 0
Acct-Output-Gigawords: 0
Airespace-Wlan-Id: 1
AuthenticationIdentityStore: Internal Endpoints
AuthenticationMethod: Lookup
AuthenticationStatus: AuthenticationPassed
AuthorizationPolicyMatchedRule: WS_R19-Guest_All-Types_GuestAccessPolicy
BYODRegistration: No
Called-Station-ID: f0-9e-63-0b-f7-00:R19-Guest
Calling-Station-ID: 58-48-22-56-3b-92
DTLSSupport: Unknown
DestinationIPAddress: 172.17.109.250
DestinationPort: 1812
Device IP Address: 172.17.109.203
Device Name: 58:48:22:56:3B:92
Device Type: Device Type#All Device Types
DeviceRegistrationStatus: Pending
ElapsedDays: 0
EndPointMACAddress: 58-48-22-56-3B-92
EndPointPolicy: Android-Sony-Ericsson
EndPointProfilerServer: ise-lab.home.local
EndPointSource: RADIUS Probe
FailureReason: -
Framed-IP-Address: 192.168.0.15
Framed-IPv6-Prefix: fe80::/64
IPSEC: IPSEC#Is IPSEC Device
IdentityGroup: GuestEndpoints
IdentityPolicyMatchedRule: MAB
Ignored-User-Agent: Facebook
InactiveDays: 0
IsRegistered: true
IsThirdPartyDeviceFlow: false
LastAUPAccepted: 2018-Jun-06 21:08:25 CEST
Location: Location#All Locations
LogicalProfile: Mobile Devices
MACAddress: 58:48:22:56:3B:92
MatchedPolicy: Android-Sony-Ericsson
MessageCode: 3002
NAS-IP-Address: 172.17.109.203
NAS-Identifier: FMCL-test-WLC01
NAS-Port: 1
NAS-Port-Type: Wireless - IEEE 802.11
Name: Endpoint Identity Groups:GuestEndpoints
Network Device Profile: Cisco
NetworkDeviceGroups: Location#All Locations, Device Type#All Device Types, IPSEC#Is IPSEC Device
NetworkDeviceName: NAD_172.17.109.203
NetworkDeviceProfileId: b0699505-3150-4215-a80e-6753d45bf56c
NetworkDeviceProfileName: Cisco
OUI: Sony Mobile Communications AB
OriginalUserName: 584822563b92
PolicyVersion: 0
Portal.Name: WS_R19-Guest_Hotspot Portal
PortalUser.CreationType: Hot Spot
PortalUser.EmailAddress: mats.nilson@telia.com
PortalUser.FirstName: Mats
PortalUser.GuestSponsor: sd_admin
PortalUser.GuestStatus: Active
PortalUser.GuestType: Contractor (default)
PortalUser.LastName: Nilson
PortalUser.Location: San Jose
PostureApplicable: Yes
PostureAssessmentStatus: NotApplicable
PreviousDeviceRegistrationStatus: NotRegistered
RadiusFlowType: WirelessMAB
RegistrationTimeStamp: 2018-Jun-06 21:08:25 CEST
SSID: f0-9e-63-0b-f7-00:R19-Guest
SelectedAccessService: Default Network Access
SelectedAuthenticationIdentityStores: Internal Endpoints
SelectedAuthorizationProfiles: Guests, PermitAccess
Service-Type: Call Check
StaticAssignment: false
StaticGroupAssignment: true
StepData: 6=Internal Endpoints, 12= Radius.NAS-Port-Type, 13= Radius.Called-Station-ID
Total Certainty Factor: 100
UniqueSubjectID: 9db69b6b2620307007ae97d0d0a7e4910f22583f
UseCase: Host Lookup
User-AD-Last-Fetch-Time: 1528312255924
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; D5803 Build/23.5.A.1.291)
User-Fetch-User-Name: 58-48-22-56-3B-92
User-Name: 58-48-22-56-3B-92
UserType: Host
allowEasyWiredSession: false
dhcp-class-identifier: android-dhcp-6.0.1
host-name: android-7e91460aba997cce
ip: 192.168.0.15
operating-system-result: Android

Yes, I believe you're correct. UserIdentityGroup would be if you manually created an internal user on ISE and then added that user to the IdentityGroup.

Do you have working screenshot?

I'm not sure what you mean by working screenshot.

Above are just the attributes from the active client summary you access from the home screen and the client detail.

I attach the authz Policy from my lab:

Here's the radius live session detail for the same client:

Still I can't figure out why there's no obvious way of invoking a ruleset that would match the client's correct state and GuestType. Is it the 2.4 version, or have I missed something?

Regards

/Mats

I am still investigating; for now I recommend opening a TAC case and a defect as well. I will try to reproduce here.

Please message me directly with your cell.

How?

I don't have your cell; or do you mean the Cisco Support App?

Jakunst@cisco.com

Mail bounce: "I am out for PTO and Cisco Live..."

I verified on ISE 2.3 and ISE 2.4 and the behavior is working as expected, whereby the condition match is to the USER Identity Group which is mapped to the Guest Role Type. I could not decipher what was in the later screenshot, but your first screenshot was not of a guest flow, but straight MAB. Under this scenario, only the endpoint identity is known and we currently do not expose the extended PortalUser attributes to perform a lookup based on MAB identity.

Here is a working scenario for straight web auth and matching against the Guest-Contractor user identity group:

Note that although Guest Role is mapped to a User Identity Group, you will not see a list of Guest Users mapped to this group from the Identity Management page.  You would need to view that from Sponsor Portal or Context Visibility.

Craig
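The diagnosis above (the reconnect is a plain MAB host lookup that carries an endpoint identity group, so a User Identity Group condition cannot match it, and the PortalUser.* values visible in the session detail are not available to a MAB authorization lookup) can be checked mechanically against a session attribute dump like the one posted earlier in the thread. The script below is an added example written for this thread, not Cisco's or ISE's code. It assumes the dump is pasted as "Key: Value" lines, that the identity group attribute (the "Name" line in the dump) carries the "Endpoint Identity Groups:" or "User Identity Groups:" prefix exactly as the posted dump shows, and that Service-Type "Call Check" / UseCase "Host Lookup" identify a MAB flow. The second input, a credentialed web-auth session, is a constructed, hypothetical dump and not something taken from the thread; the EQUALS / STARTS_WITH / CONTAINS operators are the script's own approximation of the policy operators, not ISE's implementation.

```python
"""Check which ISE-style authorization conditions a session attribute dump
could satisfy, and whether the session is a MAB (host lookup) flow.
Added example for this thread; not Cisco ISE code."""
from typing import Dict, List, Tuple

# Constructed input 1: a subset of the MAB reconnect dump posted in the
# thread, pasted as "Key: Value" lines.
MAB_DUMP = """\
AuthenticationIdentityStore: Internal Endpoints
AuthenticationMethod: Lookup
IdentityGroup: GuestEndpoints
IdentityPolicyMatchedRule: MAB
Name: Endpoint Identity Groups:GuestEndpoints
PortalUser.CreationType: Hot Spot
PortalUser.GuestStatus: Active
PortalUser.GuestType: Contractor (default)
RadiusFlowType: WirelessMAB
Service-Type: Call Check
UseCase: Host Lookup
User-Name: 58-48-22-56-3B-92
UserType: Host
"""

# Constructed input 2 (hypothetical, not from the thread): the same fields
# for a credentialed guest web-auth session, where the identity group is
# the User Identity Group mapped to the guest type.
WEBAUTH_DUMP = """\
AuthenticationIdentityStore: Guest Users
AuthenticationMethod: PAP_ASCII
IdentityGroup: GuestType_Contractor (default)
Name: User Identity Groups:GuestType_Contractor (default)
PortalUser.GuestType: Contractor (default)
Service-Type: Login
User-Name: guest-contractor-01
"""

Condition = Tuple[str, str, str]  # (attribute, operator, expected value)

USER_GROUP_PREFIX = "User Identity Groups:"
ENDPOINT_GROUP_PREFIX = "Endpoint Identity Groups:"


def parse_attributes(dump: str) -> Dict[str, str]:
    """Split 'Key: Value' lines into a dict; lines without ': ' are skipped."""
    attrs: Dict[str, str] = {}
    for raw in dump.splitlines():
        key, sep, value = raw.strip().partition(": ")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def flow_type(attrs: Dict[str, str]) -> str:
    """MAB requests carry Service-Type Call-Check, which ISE reports as
    UseCase 'Host Lookup'; anything else is treated as non-MAB here."""
    if attrs.get("Service-Type") == "Call Check" or attrs.get("UseCase") == "Host Lookup":
        return "MAB"
    return "NON_MAB"


def identity_group_kind(attrs: Dict[str, str]) -> str:
    """Classify the identity group by the prefix on the 'Name' attribute."""
    name = attrs.get("Name", "")
    if name.startswith(USER_GROUP_PREFIX):
        return "user"
    if name.startswith(ENDPOINT_GROUP_PREFIX):
        return "endpoint"
    return "unknown"


def evaluate(cond: Condition, attrs: Dict[str, str]) -> bool:
    """Evaluate one condition; a missing attribute never matches."""
    attr, op, expected = cond
    actual = attrs.get(attr)
    if actual is None:
        return False
    if op == "EQUALS":
        return actual == expected
    if op == "STARTS_WITH":
        return actual.startswith(expected)
    if op == "CONTAINS":
        return expected in actual
    raise ValueError(f"unsupported operator {op!r}")


def diagnose(dump: str, conditions: List[Condition]) -> dict:
    """Report flow type, identity group kind, per-condition results and
    the reasons a guest-type condition cannot hit on a MAB session."""
    attrs = parse_attributes(dump)
    flow = flow_type(attrs)
    kind = identity_group_kind(attrs)
    notes: List[str] = []
    if flow == "MAB" and kind != "user":
        notes.append("MAB session carries an endpoint identity group; "
                     "a User Identity Group condition cannot match it")
    if flow == "MAB" and any(a.startswith("PortalUser.") for a, _, _ in conditions):
        notes.append("PortalUser.* values are shown in the session detail but, per "
                     "the thread, are not available to a MAB authorization lookup")
    return {
        "flow": flow,
        "identity_group_kind": kind,
        "matches": {f"{a} {o} {v}": evaluate((a, o, v), attrs) for a, o, v in conditions},
        "notes": notes,
    }


# The conditions tried in the thread, in the value form the dump uses.
CONDITIONS: List[Condition] = [
    ("Name", "EQUALS", USER_GROUP_PREFIX + "GuestType_Contractor (default)"),
    ("Name", "STARTS_WITH", USER_GROUP_PREFIX + "GuestType_"),
    ("PortalUser.GuestType", "EQUALS", "Contractor (default)"),
]

if __name__ == "__main__":
    for label, dump in (("MAB reconnect", MAB_DUMP), ("web auth (hypothetical)", WEBAUTH_DUMP)):
        print(label, diagnose(dump, CONDITIONS))
```

Running it shows the two User Identity Group conditions false on the MAB dump (its group is Endpoint Identity Groups:GuestEndpoints) and true on the constructed web-auth dump, while the PortalUser.GuestType condition is true on both but flagged as unusable for the MAB case. To check a real export, paste the live-session "Other Attributes" block, one "Key: Value" per line, in place of MAB_DUMP.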