Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1505
Views
0
Helpful
3
Replies

ISE 2.3 Patch 1 sponsor portal issues (guest self registration)

Axel Boersma
Level 1
Level 1

‎01-09-2018 03:22 AM

Hello,

Been trying to get a working Guest Self registration Portal with Sponsor portal working but what ever Cisco document or forum post I use I have not been able to create a working enviroment. Ok maybe once, the first time config, but after further tweaking it broke, and never got it working again.

I created an new Sponsor Portal in ISE 2.3 Patch1. Created an specific Sponsor auth sequence (Local User/AD Domain), and configured the portal with minimal changes. Only Portal Settings page is changed.

When I test this Sponsor Portal I'm unable to login.(Authentication failed.)

When I view the guest.log I see the following:

2018-01-09 11:44:07,338 INFO   [https-jsse-nio-***.***.***.***-8445-exec-1][] cpm.guestaccess.flowmanager.step.StepExecutor -::- Radius Session ID is not set, assuming in dry-run mode

2018-01-09 11:44:15,453 INFO   [https-jsse-nio-***.***.***.***-8445-exec-5][] cpm.guestaccess.auth.utils.SponsorUtil -:<username>:- Authenticating sponsor user belongs to the following sponsor groups: <none>

2018-01-09 11:44:15,457 INFO   [https-jsse-nio-***.***.***.***-8445-exec-5][] cpm.guestaccess.auth.authentication.SponsorLogin -:<username>:- inline correction getOrCreateSponsorUser: uniqueSubjectId=null fqSubjectName=null authStoreName=nul

l normailzedUserName=<username>

2018-01-09 11:44:15,457 INFO   [https-jsse-nio-***.***.***.***-8445-exec-5][] cpm.guestaccess.auth.authentication.SponsorLogin -:<username>:- inline correction null uniqueSubjectId

2018-01-09 11:44:15,470 INFO   [https-jsse-nio-***.***.***.***-8445-exec-5][] cpm.guestaccess.flowmanager.step.StepExecutor -:<username>:- Radius Session ID is not set, assuming in dry-run mode

So what am I missing??

Which log files should I look at for more troubleshooting info.

The account used for login is the same as used to login to the management server of Cisco ISE.

The only error we see in "Sponser Login and Audit": Sponsor authentication has failed; please see Failure Code for more details. But no failure reason given.

Update: when changing the sequence in the portal to "All_User_ID_Stores" it all works. But not the way we want it to work!!!!!

Update 2: The Sequence seems to be corrupt. Creating an new sequence fixes everything.

0 Helpful
3 Replies 3

Jason Kunst
Cisco Employee
Cisco Employee

‎01-09-2018 04:54 AM

Did you map an ad group to a sponsor group?

When you created your local user did you make sure at the bottom it’s added to correct group?

Are you able to open tac case?

0 Helpful

AleandroAndrea8502
Level 1
Level 1
In response to Jason Kunst

‎02-07-2020 06:59 AM

Good morning, 

 

 

Did you find a solution for this issue, I'm facing kind of the same issue.

 

thanks.

 

0 Helpful

Damien Miller
VIP Alumni
VIP Alumni
In response to AleandroAndrea8502

‎02-07-2020 09:57 AM

Are you facing the identical issue on the same release and patch as the original post? If so, creating a new identity source sequence from scratch was a workaround/solution in this case.

That said, if you are on 2.3 patch 1, then you should be patching at a bare minimum, or looking to upgrade to 2.4/2.6. There have been some bugs fixed related to this/identity source sequences in all releases.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents