cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
516
Views
0
Helpful
1
Replies

ISE 2.3 several questions about guests

spitalfmi
Level 1
Level 1

Hi everybody

I got several questions about ISE 2.3 regarding guest flow which I wasn't able to figure out:

  1. Is it correct, that the Maximum Account Duration under Guest-Type doesn't has any effect when a external identity source is used (Radius or AD)? As seen in the live logs, the result message is not sending the timeout attribute. But it is sending the timeout attribute for self-registered and sponsored guests.
  2. Is it correct, that guests from external identity sources are not shown in the sponsor portal? Self-Registered and sponsored guests are shown.
  3. Why is there no data available under Context Visibility -> Users -> Guest?
  4. Same at User Identity Groups. Every group is empty. What are the User Identity Groups used for then?

Thanks and regards,

Marc

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee
  1. Is it correct, that the Maximum Account Duration under Guest-Type doesn't has any effect when a external identity source is used (Radius or AD)? As seen in the live logs, the result message is not sending the timeout attribute. But it is sending the timeout attribute for self-registered and sponsored guests.

JAK - the account duration only applies to guest accounts that are created by the guest system. it doesn't apply to external identities

  1. Is it correct, that guests from external identity sources are not shown in the sponsor portal? Self-Registered and sponsored guests are shown.

JAK - correct since they are not guests

  1. Why is there no data available under Context Visibility -> Users -> Guest?

JAK - for guest accounts? make sure your system is patched. If the users are not guests they are not going to show under the context visibility

  1. Same at User Identity Groups. Every group is empty. What are the User Identity Groups used for then?

JAK - user identity groups don't apply to guests. Guests are associated to guest types. Guest database is separate from the internal user database

View solution in original post

1 Reply 1

Jason Kunst
Cisco Employee
Cisco Employee
  1. Is it correct, that the Maximum Account Duration under Guest-Type doesn't has any effect when a external identity source is used (Radius or AD)? As seen in the live logs, the result message is not sending the timeout attribute. But it is sending the timeout attribute for self-registered and sponsored guests.

JAK - the account duration only applies to guest accounts that are created by the guest system. it doesn't apply to external identities

  1. Is it correct, that guests from external identity sources are not shown in the sponsor portal? Self-Registered and sponsored guests are shown.

JAK - correct since they are not guests

  1. Why is there no data available under Context Visibility -> Users -> Guest?

JAK - for guest accounts? make sure your system is patched. If the users are not guests they are not going to show under the context visibility

  1. Same at User Identity Groups. Every group is empty. What are the User Identity Groups used for then?

JAK - user identity groups don't apply to guests. Guests are associated to guest types. Guest database is separate from the internal user database