09-24-2018 11:43 AM
Hi
I am playing around with ISE guest access for wireless users. I have it working but I'm not quite sure I understand a part of the setup.
I have the redirect rule set up to point me to the ISE portal. The rule before it is then used to authenticate the user credentials. I read that I need to configure it to match on the condition Network Access:UseCase = Guest flow.
What exactly is being matched when the rule looks for Guest flow? What is in the radius request that indicates this is a Guest flow?
Thanks for any input, Stuart.
09-24-2018 04:27 PM
@Jason Kunst - is there a more technical explanation about what factors cause GuestFlow to be set to TRUE? For example, a user could successfully log into a portal, but then other conditions could throw a spanner in the works, causing the "session" to be in limbo.
regards
09-24-2018 05:36 PM
Is there even a reason to use guest flow any more? I haven't used that since 1.x and that was the only way to catch the reauthentication. Now that guest types and hot spot portals are mapped to identity groups that is all I use now.
09-24-2018 05:45 PM
I thought that Guest Flow is used only if you're not using the RememberMe feature (i.e. relying on the MAC address being in the Endpoint Identity Group). It was my understanding that the Guest Flow is a state flag that is set when certain conditions are true (e.g. CoA went through ok, and the Session Accounting is flowing). If those conditions are not true (e.g. accounting stop received) then it signals that the session is over, and then guest sees the portal again. That is actually quite a useful thing in my opinion. I may not want to perform MAB re-authentication, because purging MAC addresses is such a pain in ISE (setting a time limit of when a MAC address is purged is not possible). Sure, we can purge at 3AM or whatever, but that is not granular enough. I like the idea of maintaining Session state by means of Radius Accounting.
09-24-2018 06:12 PM
In smaller deployments where there is only one WLC, then setting a Radius Session-Timeout to 8 hours might seem reasonable for an average use case. It means that users can use the internet "for a day".
I don't use Idle-Timeout because that will surely kill a session in next to no time. If a user has authenticated then give them a session for x hours and thereafter terminate the session.
The other benefit of not using RememberMe is that the Radius Accounting will always contain the guest identity in the User-Name (which is not always the case with MAB re-auth ... until Cisco get around to fixing that :-) - therefore, if you need reliable Accounting, then you cannot use RememberMe.
09-25-2018 03:26 AM
Thank you everyone for the replies. It's very much appreciated.
The only reason I'm matching on Guest flow is I am playing around with this in a lab, old ISE v2.0 though, and the first document I found mentioned the Guest Flow method.
I like to get a simple method working then make changes from there. So I create a rule based on matching Guest flow and point it to a copy of the self registration portal. Once I'm sure that works I copy the rule and change some parameters to see how that plays out. I know I can easily revert to a working solution by enabling the original Guest Flow rule.
Is there a preferred method to do this now other than matching on Guest flow?
Thanks again, Stuart.