Good afternoon, Gurus!
We are in the process of deploying BYOD/Guest access with ISE and I'm curious about something.
1) How does ISE differentiate between a guest that gets assigned the username (bsmith) and an AD user (bsmith) in regards to authentication? It seems to be able to authenticate successfully, but I'm not quite sure how, because if it chooses the local identity store to do the guest lookup, and the AD password is entered, that should fail (and vice versa). However, it does not. I'm able to use either the guest password or the AD password for authentication, which brings me on to the real problem...
*EDIT* After further testing I do not think the AD account and guest account will work at the same time - perhaps I was dealing with a caching issue earlier. After trying to authenticate with the AD account again, I was getting a bad password error (which would be expected since it is trying to authenticate as a guest).
2) I suspect this problem is easily solved by forcing email address usernames for guests, but is there a better or more preferred way? Are my policies designed incorrectly? They currently look like this:
Dual SSID approach (Guest SSID is open which employees use to onboard and also used for legitimate guests)
- Rule 1 - (use case = guest flow, AD group = employees) result = BYOD redirect
- Rule 2 - (use case = guest flow, ID group = guestendpoints) result = internet only
- Rule 3 - (default/last rule) result = webauth redirect
If an employee connects to WiFi, they hit Rule 3 and are redirected to the webauth portal. They sign in, choose BYOD, get provisioned (via Rule 1) and life is good.
If a guest connects to WiFi, they hit Rule 3 and are redirected to the webauth portal. They sign in and get internet only access (via Rule 2). Life is still good.
If a guest with the same username as an employee connects to WiFi, they hit Rule 3 and are redirected to the webauth portal. They sign in and do NOT get internet access. Instead, they get redirected to the employee BYOD portal and get onboarded as the employee. The Authentication Details in Live Logs show the user type is guest user, the identity group is guesttype_daily - everything looks good from an authentication perspective. Scrolling down to other attributes tells another story, however. It shows the employee UPN, OU, AD groups, etc. I have not been able to successfully authenticate with EAP-TLS (that is what we are doing for BYOD) even though the certificate is being assigned to the guest user, so perhaps this isn't a security concern, but at the very least, a guest can't (as far as I can tell) connect to the network with how things are currently configured.
I hope this makes sense and I appreciate any advice. Thank you!!
TL;DR - Is using the email address (for their username) of a guest user a best practice?
Great questions. Wouldn't it be nicer and cleaner if the ISE Guest Portal had a hierarchical structure that presented a home page with options: "Click here if you're an employee" - "Click here if you're a guest" etc. And that then takes you to another page to do the relevant authentication. The confusion we find ourselves in is because the initial page only allows username/password, and the logic behind the scenes makes assumptions about what should happen next. It's overly complex and overloaded with assumptions.
There are apparently ways to daisy-chain portals off of each other, but it's not for the faint-hearted.
The ambiguity could be resolved as you already suggested, by making guest usernames contain a domain component (aka a full email address). But bear in mind that AD usernames can come in various formats too - e.g. biera, or CORP\biera, or email@example.com - the last of which looks like an email address. I suppose you should not have employees using their work email address (if it happens to be the same as the UPN) to access guest.
I think the solution lies in having a cleaner interface to ISE that guides the user to the correct data entry dialogue.
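As an added illustration (not code from the thread, and not an ISE feature), the following Python model walks the three authorization rules from the question in the order they are listed, and adds the pre-creation check the answer implies: reject a proposed guest username that resolves to an AD account, including the email-address form when it happens to equal an employee UPN. The AD directory, guest names, and the assumption that a bare login string matches sAMAccountName while an "@" form matches the UPN are all constructed for the example; real ISE identity-source behaviour is not modelled beyond the symptom the post describes.

```python
"""Model of the three guest/BYOD authorization rules from the thread.

Everything here is constructed for illustration: the AD users, the guest
accounts and the matching assumptions below are not taken from ISE.
"""

# Constructed AD directory: sAMAccountName -> (UPN, AD groups)
AD_USERS = {
    "bsmith": ("bsmith@corp.example.com", {"employees"}),
    "jdoe": ("jdoe@corp.example.com", {"employees"}),
}


def ad_lookup(username):
    """Return the AD groups a rule referencing an AD group would resolve.

    Assumption for the model: a bare name matches sAMAccountName and a
    string containing '@' matches the UPN; anything else resolves to no
    groups. This reproduces the symptom in the post, where a guest called
    'bsmith' still shows the employee's AD attributes.
    """
    for sam, (upn, groups) in AD_USERS.items():
        if username == sam or username == upn:
            return set(groups)
    return set()


def authorize(username, guest_flow, endpoint_group):
    """Evaluate Rule 1, Rule 2, Rule 3 top-down, first match wins."""
    # Rule 1: guest flow AND AD group = employees -> BYOD redirect
    if guest_flow and "employees" in ad_lookup(username):
        return "Rule1: byod redirect"
    # Rule 2: guest flow AND endpoint identity group = guestendpoints
    if guest_flow and endpoint_group == "guestendpoints":
        return "Rule2: internet only"
    # Rule 3: default -> central web auth redirect
    return "Rule3: webauth redirect"


def guest_username_collides(username):
    """True if this guest username would resolve to an AD account."""
    return bool(ad_lookup(username))


def check_guest_accounts(proposed):
    """Vet a batch of proposed guest usernames before they are created.

    Email-format names avoid sAMAccountName collisions, but a name equal
    to an employee UPN is still flagged, matching the caveat in the reply.
    """
    return {
        name: ("collides with AD" if guest_username_collides(name) else "ok")
        for name in proposed
    }


if __name__ == "__main__":
    # Guest 'bsmith' lands on Rule 1 even though it authenticated as a guest.
    print(authorize("bsmith", True, "guestendpoints"))
    print(authorize("visitor42@example.org", True, "guestendpoints"))
    print(authorize("bsmith", False, None))
    print(check_guest_accounts(
        ["bsmith", "visitor42@example.org", "bsmith@corp.example.com"]))
```

The model makes the ordering problem visible: because Rule 1 keys on an AD group rather than on the identity store that actually authenticated the session, any guest name that resolves in AD is pulled into the BYOD path. Vetting guest names against AD at creation time (or enforcing a non-corporate email domain for guests) removes the ambiguity without touching the rule set.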