Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
435
Views
0
Helpful
1
Replies

ISE 2.3 several questions about guests

Go to solution
spitalfmi
Level 1
Level 1

‎04-11-2018 08:21 AM

Hi everybody

I got several questions about ISE 2.3 regarding guest flow which I wasn't able to figure out:

  1. Is it correct, that the Maximum Account Duration under Guest-Type doesn't has any effect when a external identity source is used (Radius or AD)? As seen in the live logs, the result message is not sending the timeout attribute. But it is sending the timeout attribute for self-registered and sponsored guests.
  2. Is it correct, that guests from external identity sources are not shown in the sponsor portal? Self-Registered and sponsored guests are shown.
  3. Why is there no data available under Context Visibility -> Users -> Guest?
  4. Same at User Identity Groups. Every group is empty. What are the User Identity Groups used for then?

Thanks and regards,

Marc

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎04-11-2018 08:30 AM

  1. Is it correct, that the Maximum Account Duration under Guest-Type doesn't has any effect when a external identity source is used (Radius or AD)? As seen in the live logs, the result message is not sending the timeout attribute. But it is sending the timeout attribute for self-registered and sponsored guests.

JAK - the account duration only applies to guest accounts that are created by the guest system. it doesn't apply to external identities

  1. Is it correct, that guests from external identity sources are not shown in the sponsor portal? Self-Registered and sponsored guests are shown.

JAK - correct since they are not guests

  1. Why is there no data available under Context Visibility -> Users -> Guest?

JAK - for guest accounts? make sure your system is patched. If the users are not guests they are not going to show under the context visibility

  1. Same at User Identity Groups. Every group is empty. What are the User Identity Groups used for then?

JAK - user identity groups don't apply to guests. Guests are associated to guest types. Guest database is separate from the internal user database

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎04-11-2018 08:30 AM

  1. Is it correct, that the Maximum Account Duration under Guest-Type doesn't has any effect when a external identity source is used (Radius or AD)? As seen in the live logs, the result message is not sending the timeout attribute. But it is sending the timeout attribute for self-registered and sponsored guests.

JAK - the account duration only applies to guest accounts that are created by the guest system. it doesn't apply to external identities

  1. Is it correct, that guests from external identity sources are not shown in the sponsor portal? Self-Registered and sponsored guests are shown.

JAK - correct since they are not guests

  1. Why is there no data available under Context Visibility -> Users -> Guest?

JAK - for guest accounts? make sure your system is patched. If the users are not guests they are not going to show under the context visibility

  1. Same at User Identity Groups. Every group is empty. What are the User Identity Groups used for then?

JAK - user identity groups don't apply to guests. Guests are associated to guest types. Guest database is separate from the internal user database

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents